Author Archives: www.infosecurity-magazine.com

Marriott Fined £18.4m Over Data Breach

The Information Commissioner's Office (ICO) has fined hotel chain Marriott International £18.4m over a data breach that exposed the information of millions of guests worldwide. 

The UK's independent body set up to uphold information rights imposed the financial penalty on Marriott for "failing to keep millions of customers' personal data secure."

In November 2018, Marriott reported a data breach that saw an estimated 339 million guest records exposed globally, of which around seven million related to UK residents. An investigation into the incident revealed that an unauthorized party had been accessing the network of Starwood Hotels and Resorts Worldwide Inc. since 2014, copying and encrypting information.

The attack remained undetected until September 2018, by which time Starwood had been acquired by Marriott. 

The personal data involved in the breach differed between individuals, but the ICO said that it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

An investigation into the incident by the ICO found that Marriott "failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR)."

However, the ICO recognized that Marriott was swift to act once the breach had been discovered, contacting customers and the ICO promptly. 

"It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems," said the commissioner's office.

In July last year, the ICO announced an intention to fine Marriott £99m over the data breach for “infringements of the GDPR.”

In a statement released yesterday, the ICO said: "As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty."

Although the breach dates back to 2014, the GDPR regulations only came into effect in May 2018, two years before the UK left the European Union.

US Sanctions Russian Institute Linked to TRITON

The United States Treasury has imposed sanctions on a Russian state-funded research institute that was linked to malware used in an attack on a Middle East petrochemical facility.

In October 2018, researchers at FireEye attributed industrial control system (ICS) intrusion activity known as TRITON to a professor at the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM). The malware is also known as TRISIS and HatMan in open source reporting.

TRITON was deployed against a Saudi Arabian petrochemical facility in August 2017, where it was observed targeting emergency shutdown capabilities for industrial processes. 

Researchers who investigated the cyber-attack reported that the malware was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life. 

The Treasury Department said that CNIIHM built customized tools that enabled the assault, producing malware designed to tamper with the facility's critical safety mechanisms.  

"The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

In a designation released October 23, the department said that the institute is "connected to the destructive TRITON malware" which "was designed specifically to target and manipulate industrial safety systems."

According to the department, TRITON's operators had turned their attention to targets in the United States. 

"In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities," said the department.

As a result of the sanctions on CNIIHM, people in the United States are prohibited from engaging in transactions with the institute. 

"While the Russian government claims to be a responsible actor in cyberspace, it continues to engage in dangerous and malicious activities that threaten the security of the United States and our allies," said US Secretary of State Mike Pompeo.

"We will not relent in our efforts to respond to these activities using all the tools at our disposal, including sanctions."

Montreal Metro Hacker Demands $2.8m Ransom

A malicious hacker who attacked Montreal's transit agency with malware has demanded a ransom of US $2.8m to restore normal network operations.

The Société de transport de Montréal (STM) was targeted with ransomware on October 19. The attack knocked the agency’s reservation system for adapted transit offline and caused an outage that affected around 1,000 of STM's 1,600 servers, 624 of which are considered operationally sensitive.  

No data was exfiltrated by the hacker, and the incident did not impact the city's bus and metro services. 

After more than a week of silence, the hacker finally contacted STM to issue a ransom demand that the agency says it will not comply with.

In a statement published Thursday, STM said: "Following communication with the hacker, a ransom demand of US $2.8 million was made. The STM maintains its decision not to act on this request."

STM's paratransit reservation system was restored on October 25. The agency said that as of yesterday, around 77% of servers impacted by the attack had been restored. 

Payments to STM's 11,000 employees were completed in what the agency described as an "almost normal manner." Payments to suppliers were not affected by the incident. 

An investigation into the incident is ongoing. Details revealed so far indicate that the attacker used a phishing email to gain access to STM's network. While describing the attack as similar to RansomExx, STM said it would not share any further details until the investigation had been completed. 

A week after the cyber-strike on Montreal's transit agency, a second attack was carried out on a health agency in the city's west end. 

The CIUSSS du Centre-Ouest-de-l'Île-de-Montréal blocked remote access and disconnected from the internet after the attack in an attempt to minimize any damage. 

Dr. Lawrence Rosenberg, head of the CIUSSS, said that no personal information belonging to staff or patients had been compromised as a result of the security incident.

The CIUSSS runs the city's Jewish General Hospital and several long-term care facilities. Rosenberg said that while problems had been experienced with the telephone system, patient care had not been affected by the attack.

ICO Slaps £250,000 Fine on Another Nuisance Call Company

The Information Commissioner’s Office (ICO) has fined yet another company for making nuisance calls, as doubts grow over the regulator’s ability to actually collect the money owed to it.

Over a six-month period from the beginning of 2019, Bury-based Reliance Advisory Limited (RAL) made over 15 million calls to individuals who had not requested them. The calls concerned mis-sold PPI and other claims management issues.

Scores of victims complained to the ICO, many of them having been called several times a day by the company. Some noted that RAL staff were rude and aggressive on the phone.

Unsolicited calls for marketing purposes have been banned for over two years under the Privacy and Electronic Communications Regulations 2003. However, RAL told the ICO it was unaware of its legal responsibilities.

As a result of this, and its inability to provide evidence of consent for the majority of calls it made, the firm was fined £250,000.

Andy Curry, head of investigations at the ICO, encouraged members of the public to report nuisance calls like these, as well as unsolicited texts and emails, to the regulator.

“Nuisance calls continue to be a matter of great distress, annoyance and significant concern for the public and we will continue to find and take action against the worst offenders,” he said.

“The law exists for a reason, and that is to protect people from this high degree of intrusion into their private lives. Businesses must respect the law and the onus is on them to be aware of their responsibilities. Pleading ignorance of the rules, as was put forward in this case, will never be a valid argument.”

However, as reported by Infosecurity yesterday, there are increasing concerns that the ICO is failing to hold such companies to account. A Freedom of Information (FOI) request revealed that since 2015, £6.6m, or over 39% of total fines, are still outstanding.

Of the 21 fines handed out between Jan 2019 and August 2020, only nine have been paid, meaning that 68% of their monetary value remains outstanding. Just 13% of fines related to nuisance calls have been collected.

Experts argue that it’s still too easy for company directors to find ways to avoid paying, such as by declaring bankruptcy.

Number of “Breached” Records Hits 36 Billion in 2020

The number of publicly reported data breaches fell in the third quarter of 2020, but billions more records were exposed globally to bring the total this year to 36 billion, according to Risk Based Security.

The security vendor’s 2020 Q3 Data Breach QuickView Report was compiled from human and automated analysis of publicly available reports, FOI requests and news reports.

It claimed 2020 was already the worst year ever recorded, even before the extra 8.3 billion records that were exposed in Q3. However, these figures include not only stolen data but also cloud-based misconfigurations that may imperil information but not result in a malicious actor getting hold of it.

The number of data breach reports in the first three quarters of the year dropped 51% year-on-year to 2,953.

The vendor’s executive vice-president, Inga Goddijn, argued that this could be explained by the rise in ransomware attacks. Although these accounted for 21% of reported breaches in the first three quarters, it may be that many more are not being recorded.

“While many of these attacks are now clearly breach events, the nature of the data compromised can give some victim organizations a reprieve from reporting the incident to regulators and the public,” she argued.

“After all, while the compromised data may be sensitive to the target organization, unless it contains a sufficient amount of personal data to trigger a notification obligation, the event can go unreported.”

Elsewhere in the report, healthcare was the sector most affected by breach incidents, accounting for 11.5% of events.

Interestingly, two breaches in Q3 exposed over one billion records each and four breaches exposed over 100 million records. So these six breaches cumulatively accounted for around eight billion exposed records, or over 22% of the total.

The findings chime somewhat with those of the Identity Theft Resource Center, which records publicly reported breaches in the US. It said recently that the volume of those incidents is on track for its lowest figure since 2015.

Scammers Spoof MAGA Hat Vendors to Steal $2.3m from Republicans

The Wisconsin Republican Party (WisGOP) has been left red-faced after a suspected Business Email Compromise (BEC) attack stole millions of dollars intended to support Donald Trump’s re-election bid.

The party issued a statement on Thursday revealing that it discovered a phishing attack a week previously, on October 22, and promptly notified the FBI.

According to the statement, attackers had forged invoices and sent them to the party under the names of legitimate WisGOP vendors.

This sounds like a classic BEC attack, in which cyber-criminals hijack a target’s inbox via phishing to monitor emails sent back and forth with vendors. They’re then able to spoof those vendors, sending invoices to the targeted organization with their own bank details at the bottom.

“Cyber-criminals, using a sophisticated phishing attack, stole funds intended for the re-election of President Trump, altered invoices and committed wire fraud. These criminals exhibited a level of familiarity with state party operations at the end of the campaign to commit this crime,” said state party chairman, Andrew Hitt.

“While a large sum of money was stolen, our operation is running at full capacity with all the resources deployed to ensure President Donald Trump carries Wisconsin on November 3.”

The attack has extra significance given that Wisconsin is a key swing state which Trump won by only around 20,000 votes last time, so every last penny will be needed as both parties step up their campaigning.

According to reports, the vendors in question sold the party pro-Trump hats and other items to be handed out at rallies, as well as direct mail services.

DomainTools senior security advisor, Chad Anderson, explained that BEC is on the rise.

“Cyber-criminals appear to be discovering the reality that as opposed to engaging with ‘wide-net’ phishing campaigns, they can save time and energy in researching one individual within a business and sending them a targeted email,” he continued.

“Sites such as LinkedIn make this incredibly easy to achieve, allowing a threat actor to research members of staff in an organization with a few clicks. In order to avoid the exponential growth of these scams continuing, businesses need to engage in robust training and awareness campaigns with staff, as well as investing in an email filtering system which is regularly audited and updated.”

BEC was responsible for over half of all cybercrime losses reported to the FBI last year, standing at nearly $1.8bn.

BEC Attacks Targeting Energy and Infrastructure Rise by 93%

Business email compromise attacks (BEC) have continued to grow in Q3 of 2020, rising by 15% overall compared to Q2, according to Abnormal Security’s Quarterly BEC Report.

The average weekly volume of BEC attacks increased quarter-by-quarter in six out of eight industries, with the biggest rise observed in the energy/infrastructure sector, at 93%. The industries which had the highest number of weekly BEC attacks were retail/consumer goods and manufacturing and technology, which were tied for the volume of campaigns received per 1000 emails.

Cyber-criminals had a particularly strong focus on BEC campaigns that had a goal of invoice and payment fraud in this period, with a 155% increase from Q2 to Q3 recorded. A corresponding decline in social engineering BEC attacks aiming to impersonate internal employees and VIPs or external partners was also seen.

In regard to the types of employees targeted, Abnormal Security reported that attacks on C-suite executives stayed flat compared to Q2, while campaigns targeting employees in finance departments fell by 53%. However, email attacks to group mailboxes surged by 212%, denoting a shift in tactics.

Credential-phishing COVID-19 related attacks declined 82% quarter-by-quarter, although invoice and payment fraud that leveraged the fear, uncertainty and doubt of the pandemic increased by 81%.

Evan Reiser, CEO of Abnormal Security, commented: “As the industry’s only measure of BEC attack volume by industry, our quarterly BEC research is important for CISOs to prepare and stay ahead of attackers. Not only are BEC campaigns continuing to increase overall, they are rising in 75% of industries that we track. Since these attacks are targeted and sophisticated, these increases could indicate an ability for threat actors to scale that may overwhelm some businesses.”

In the report Abnormal Security added: “It’s important to note that the highest rates of invoice and payment fraud BEC attacks targeting employees in finance observed thus far by Abnormal occurred during Q4 2019. This may indicate a seasonality to these types of attacks. If this is the case, we should see a significant spike in such attacks in Q4 of this year.”

US: Collaboration Needed to Combat Online Child Exploitation

United States Assistant Attorney General Beth Williams has called for people to come together to protect children from being exploited. 

Speaking yesterday at a Columbia Law School virtual event, Williams said: "Addressing the problem of online child exploitation requires that all of civil society work collaboratively—including law enforcement, non-governmental organizations, private industry, and individual citizens."

Williams warned that abuse carried out in one sphere may result in further abuse occurring in another. 

"Exploitation and abuse that begins online in the virtual world often leads to abuse in the real world. In an all-too-common scenario, a predator can use social media to make contact with a child, spend time grooming her to build trust, and then attempt to meet in person to engage in abuse," said Williams.

She added that sextortion cases, in which predators use social media and other platforms to coerce victims into sharing explicit images of themselves, and then blackmail the victims into paying money, producing more explicit content, or engaging in sexual acts, are on the rise and "occurring in our communities throughout the country on a daily basis."

Last year, the National Center for Missing & Exploited Children (NCMEC) received 16.9 million reports of suspected abuse that included over 69 million photos, videos, and other files related to child sexual exploitation, said Williams. 

She added that by causing children to become familiar with webcams and spend more time online, often unsupervised, COVID-19 "is making an ongoing crisis worse."

"We are fortunate to have advanced technology that provides us the means to stay connected," said Williams. "However, that same technology also provides predators with pathways into our homes that can be used to target children for sexual exploitation."

Williams then spoke in opposition to the deployment of end-to-end encryption technology in everyday consumer devices and software, arguing that it will make child exploitation harder to detect and report.

"This has real-life consequences," said Williams. "Law enforcement will be less able to act in thousands of cases where they might have otherwise been able to stop the spread of child sexual abuse material, arrest a predator, or rescue a child from abuse."        

The NCMEC has received over 65 million cyber-tips relating to online child exploitation. The organization estimates that more than half of its CyberTipline reports will vanish with end-to-end encryption.  

Triple Data Breach Earns Insurer $1m Fine

An American insurance company has been fined $1m over three data breaches that occurred over a six-month period in 2017.

Aetna agreed to the fine and to the adoption of a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The payment will go to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS).

On April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members had allowed documents to be accessible without login credentials. As a result of this breach, the sensitive data of 5,002 individuals was exposed.

Protected health information (PHI) disclosed in the incident included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.

Aetna experienced a second data breach on July 28, 2017, when benefit notices mailed out to members in window envelopes displayed the words "HIV medication" next to the member's name and address. A breach report submitted to OCR in August stated that 11,887 individuals were affected by this disclosure.

The third 2017 breach that hit Aetna happened on September 25, when a research study mailing sent to members displayed on the envelope the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating. Aetna reported in November 2017 that 1,600 individuals were affected by this breach.

OCR's investigation into the breaches found that in addition to the impermissible disclosures, Aetna "failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI."

"Unfortunately, on numerous occasions where it would have cost the organization several thousands of dollars for technology or training, the decision was made not to purchase the product or service," James McQuiggan, security awareness advocate at KnowBe4, told Infosecurity Magazine.

"These decisions come back around later after a data breach that costs millions in lost productivity, revenue, and fines. Organizations need to have a robust security awareness training program to help employees make smarter security decisions to protect an organization from various attacks.”

Taiwanese Company Admits Stealing US Trade Secrets

A company in Taiwan has been fined $60m after pleading guilty to stealing trade secrets from an American semiconductor company.

United Microelectronics Corporation (UMC), a semiconductor foundry based in Hsinchu that turned 40 this year, admitted to swiping secrets from Micron Technology, a leading producer of computer memory and computer data storage that is headquartered in Boise, Idaho.

UMC was indicted by a United States federal grand jury in September 2018 for conspiracy to steal, convey, and possess trade secrets stolen from Micron for the benefit of the Fujian Jinhua Integrated Circuit Company. 

Fujian, a state-owned enterprise of the People's Republic of China, was also indicted on the same charges, along with three individuals UMC says it hired from Micron's Taiwan subsidiary. Fujian denies any wrongdoing.

Yesterday the United States Justice Department announced that UMC had admitted stealing the secrets and had agreed to cooperate with the US government in the investigation and prosecution of its Chinese co-defendant.

In a statement released on October 28, the Department of Justice said: "As a result of today’s guilty plea, and in accordance with an accompanying plea agreement, UMC, whose American Depository Receipts are publicly traded on the New York Stock Exchange, will pay the fine—the second largest ever in a criminal trade secret prosecution, be subject to a three-year term of probation, and cooperate with the United States."

Under the plea agreement, UMC pleaded guilty to one count of criminal trade secret theft. Other criminal charges and a parallel civil suit by the United States against the Taiwanese company will be dismissed. 

The criminal prosecution of Fujian and the three individual defendants will continue, with a trial that US Attorney David Anderson said is likely to take place next year.

A civil action also continues, seeking to prohibit Fujian from further transferring the stolen trade secrets and from exporting to the United States any products that the PRC-owned company manufactured using trade secrets stolen from Micron.

“UMC stole the trade secrets of an American leader in computer memory to enable China to achieve a strategic priority: self-sufficiency in computer memory production without spending its own time or money to earn it,” said Deputy Attorney General Jeffrey Rosen.

Education Sector Facing Disproportionate Level of Spear-Phishing Attacks

Educational institutions are being disproportionately targeted by spear-phishing attacks, according to a new study by Barracuda Networks.

The security firm’s latest Threat Spotlight analysis found that in the period from June to September 2020, over 1000 schools, colleges and universities faced more than 3.5 million spear-phishing attacks.

More than a quarter of these were business email compromise (BEC) attacks, a method which is over twice as likely to be used against educational institutions compared with an average organization across all sectors.

More than four in 10 (41%) of all attacks targeting education were spear-phishing, according to the analysis, with 28% being scamming attempts and 3% related to extortion.

Spear-phishing attacks dropped off in July and August when schools were closed, and were at their highest in June and September: 11% and 13% higher than average, respectively.

Cyber-criminals increasingly used the topic of COVID-19 as a lure for these phishing attacks, with subject headings including ‘COVID19 NEW UPDATES’; ‘Covid-19 Update Follow Up Right Now’; ‘COVID-19 SCHOOL MEETING’ and ‘Re: Stay Safe’.

Barracuda also highlighted examples of the potentially devastating costs of these types of attacks, including the Manor Independent School District in Texas reporting that a seemingly normal school-vendor transaction resulted in a loss of $2.3 million.

Michael Flouton, VP email protection for Barracuda Networks, commented: “Cyber-attackers have come to understand that education institutions don’t often have the same level of security sophistication as in other organizations, and therefore, they will send carefully crafted email messages designed to trick unknowing and untrained victims into leaking personal or confidential information, such as login credentials, student records, or payment information.

“In light of COVID-19 and the transition to remote learning environments, the quantity of data stored on school and university servers has surged, and thus, so too has the quantity of cyber-attacks facing them.

“Therefore, schools and universities must combat this threat by investing in email security that leverages artificial intelligence to help identify unusual senders, intercept suspicious requests and block spear-phishing attacks. Additionally, account takeover protection, security awareness education for staff and students, and a reconstruction of internal policies, are all imperative to preventing human error from leading to costly mistakes in the future.”

Employee Awareness Recognized as Biggest Lockdown Security Failing

Employee awareness is seen as the biggest area of weakness for firms’ cybersecurity strategies over the past few months of mass remote working during COVID-19, according to a new study.

Secure storage firm Apricorn received over 23,500 responses from a poll of its Twitter followers in October exploring business preparedness during the pandemic.

Over 30% said that employee education was the area most in need of improvement at their organization. Home workers may be more distracted than they would otherwise be in the office, IT support feels more remote and devices or PCs may be less well secured, presenting increased cyber-risk to organizations.

New Mimecast research out this week revealed that nearly half (45%) of remote workers open emails they consider to be suspicious, while 73% use their corporate devices for personal matters, potentially exposing those devices to cyber-threats.

“IT and security teams had to scramble to respond to this crisis and in doing so, left a lot of companies wide open to breach. Nine months into employees working remotely, some know already that they have been attacked. Others think they may have been but can’t be sure,” argued Apricorn’s EMEA managing director, Jon Fielding.

“In the same way that we had to learn how to protect ourselves from illness and modify our behavior, we had to also learn how to protect our data outside of the firewall and more importantly, to remain vigilant about it.”  

However, improving staff security awareness and education may not be that easy.

Trend Micro research from earlier this year revealed that remote workers continue with their bad habits whilst claiming that they feel more conscious of their organization’s cybersecurity policies since lockdown began (72%), that they take IT instructions seriously now (85%), and that cybersecurity is partly their responsibility (81%).

According to Apricorn, 40% of employees felt that they were not fully prepared to work at home securely and productively, with 18% claiming they lacked the right technology and 16% saying they were not sure how to. A fifth (20%) said they were still not able to work remotely. 

Red Alert as US Hospitals Are Flooded with Ryuk Ransomware

The US government has been forced to issue an alert to healthcare providers of a major new ransomware campaign that may impair their ability to treat COVID-19 patients.

The joint alert, issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), claimed that attackers using the Ryuk variant were targeting the sector with TrickBot malware.

Originally designed as a banking Trojan, TrickBot is now one of the most prolific pieces of malware around, offering a suite of functionality for various use cases including crypto-mining and POS data harvesting.

The alert warned of a relatively new Anchor_DNS module added by its authors which helps attackers use DNS tunnelling to keep C&C comms hidden and exfiltrate data seamlessly from high-profile targets. Anchor has already been used by North Korea’s Lazarus Group to steal data from victims.

The Ryuk variant has been around since 2018, and threat actors often deploy off-the-shelf tools such as Cobalt Strike and PowerShell Empire to steal credentials and maintain persistence. They also use “living off the land” techniques such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management and Remote Desktop Protocol (RDP) to move laterally, CISA warned.

According to reports, an Eastern European cybercrime gang known as “Wizard Spider” is likely behind this latest campaign, which hit six hospitals in the same day including incidents in Oregon, New York and California. Some patients are apparently being forced to divert to other facilities as a result.

Mandiant CTO, Charles Carmakal, branded the gang, also known as UNC1878, “one of the most brazen, heartless, and disruptive threat actors” he’s ever seen.

"Ransomware attacks on our healthcare system may be the most dangerous cyber security threat we’ve ever seen in the United States. Patients may experience prolonged wait time to receive critical care,” he added.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.”

New data from SonicWall released today claimed that Ryuk now represents a third of all ransomware attacks so far this year, with detections soaring from around 5000 up to Q3 2019 to over 67 million over the past year.

The threat to healthcare is nothing new: Microsoft warned of an uptick in targeted APT-style ransomware attacks during the early days of the COVID-19 crisis.

FireEye has more on the technical details of the current campaign here.

ICO Still Failing to Collect Fines from Unlawful Companies

The Information Commissioner’s Office (ICO) is struggling to collect the monetary fines it issues, effectively allowing companies in breach of the law off the hook, according to new Freedom of Information (FOI) data.

API company The SMS Works has been tracking the progress of the UK’s privacy and information rights regulator since 2018. Last year it revealed that, since 2015, around £7 million, or 42% of the monetary total, remained unpaid.

The latest findings reveal that the ICO has only managed to collect one more of the 47 outstanding fines issued up to July 2019 — related to Facebook’s Cambridge Analytica scandal. This means £6.6 million, or over 39% of total fines, are still outstanding.

What’s more, the regulator hasn’t been much good at collecting more recent fines, despite telling The SMS Works last year that it would be stepping up its efforts with the help of debt collection agencies.

Of the 21 fines handed out between Jan 2019 and August 2020, only nine have been paid, the FOI data revealed. That means 68% of the monetary value of fines issued during this time remains outstanding.

Of these, the ICO does best at collecting data breach fines, managing to bring in money for 54% during the period. However, just 13% of nuisance call fines were collected.

The ICO should also have benefitted from a long-awaited change in the law which made company directors responsible for paying fines. Previously, many would simply declare bankruptcy to avoid the fine, and start a new company.

However, this process, known as “phoenixing,” is still rife: one company, previously known as Black Lion Marketing, was fined £171,000 in March 2020, but its owner phoenixed the business and is thought to have invented new trading names to escape scrutiny.

The ICO has already been criticized by some for reducing an initial intent to fine BA for a serious data breach from £183 million to just £20 million. In fact, according to the FOI data, the number of fines it has levied for breaches since the GDPR came into force fell from 89 in 2017-18 to just 29 in 2019-20.

Henry Cazalet, director of The SMS Works, told Infosecurity that resources weren’t the issue for the ICO.

“The ICO does, after all, employ over 500 staff in four offices across the UK, so it’s not short of manpower,” he continued.

“I believe the main issue it faces is that despite changes in the law, it's still too easy for companies and individuals that break the rules to find ways to avoid paying. In many cases the fines issued have been way in excess of the organization's ability to pay.”

The answer may therefore lie in levying smaller fines for breaches and spam offenses, which the ICO has a better chance of successfully collecting, he argued.

The irony is that the privacy experts that drafted the GDPR, including many at the ICO, recommended the large upper fine limit of £20 million or 4% of global turnover as a deterrent to would-be offenders. If the fines can’t be collected, the idea of such a deterrent would seem pointless.

UK Recruiting Youths for “Digital Army”

An urban regeneration project is seeking to train a "digital army" of young people to protect the United Kingdom's businesses and organizations from cyber-attackers. 

The HALO project is seeking to recruit people aged 16-24 under its #RockStars program and train them "in the latest digital and cyber skills and techniques" from a new site in Kilmarnock, Scotland. 

Training will commence in May next year, and young people that complete the program will earn a HALO-accredited qualification to support future employment opportunities in the tech and cybersecurity industries.

On-site learning will take place at The HALO Kilmarnock's Enterprise and Innovation Hub, which is currently being constructed on a 23-acre site that was formerly the home of internationally renowned Scotch whisky maker Johnnie Walker. Regeneration of the brownfield site came with a price tag of £63m.

A spokesperson for The HALO Kilmarnock said: "A 200-strong 'digital army' of young people will be established at The HALO Kilmarnock when it opens its doors in May 2021 following the commitment of £1.5 million of funding by the UK Government under its Kickstart Scheme."

The decision to open the scheme to 200 people is a nod to 2020 being the year in which Johnnie Walker celebrates its 200th anniversary.

The HALO has appointed Business Resilience International Management, founded by Mandy Haeburn-Little, former CEO of the Scottish Business Resilience Centre, to design the HALO cyber-course. 

Under the scheme, all the members of the "digital army" will be paid for a minimum of 25 hours per week. The plan is that after six months of e-learning and on-site training, the recruits will enter a six-month work placement. 

"These placements are expected to be with a range of different companies, from The HALO’s corporate partners, such as ScottishPower, Barclays PLC and Anderson Strathern, to start-up companies based at The HALO and beyond. It is hoped that these work placements will, in time, become full-time opportunities," said a spokesperson for The HALO Kilmarnock.

Recruits may potentially be housed within a number of The HALO’s 210 net-zero-carbon-emission smart homes that will be built in the second phase of the Kilmarnock project's development.

Scammers “Seize” Trump Campaign Site

A cyber-attack has been carried out against the campaign website of President Donald Trump a week before America's presidential election.

Malicious hackers defaced the site's "About" page on Tuesday with a message that spoofed the domain seizure notices deployed by the United States Department of Justice. 

After displaying the logos of the Federal Bureau of Investigation and the DOJ, the attackers announced, "This site was seized."

The attackers then claimed to have obtained classified information about America's 45th president by compromising devices belonging to Trump and to members of his family. Among this data was information "proving that the trump-gov is involved in the origin of the corona virus," according to the hackers.

Visitors to the site were then informed that the attackers "have evidence that completely discredits Mr Trump as a president, proving his criminal involvement with foreign actors manipulating the 2020 elections."

The motivation for the attack appeared to be purely financial and not an attempt to defend democracy or expose an alleged crime.

After making claims about possessing evidence, the attackers invited visitors to the site to pay money into one of two Monero cryptocurrency accounts. One digital pot was titled "Yes, share the data," while the other was named "No, do not share the data."

No evidence was given to back up any of the claims made by the attackers. 

Trump campaign spokesperson Tim Murtaugh said in a statement that no data had been stolen in the attack, which lasted fewer than 30 minutes.

"Earlier this evening, the Trump campaign website was defaced, and we are working with law enforcement authorities to investigate the source of the attack," said Murtaugh on Twitter on Tuesday. 

"There was no exposure to sensitive data because none of it is actually stored on the site. The website has been restored."

News of the hack and money-making scams follows a warning issued by the FBI on October 22 that a Russian state-sponsored APT actor, known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting, has targeted dozens of SLTT government networks.

Hackers Leak Swedish Security Firm’s Data

A Swedish security firm that suffered a cyber-attack is warning customers that their data has been leaked online.

Malicious hackers compromised the servers of Gunnebo in August 2020 in a highly organized attack that was reported to the Swedish Security Service, Säpo. 

Gunnebo’s CEO, Stefan Syrén, said hackers uploaded 38,000 files to a public server after management refused to give in to demands for a ransom.

On Tuesday, Swedish daily newspaper Dagens Nyheter (DN) reported that large amounts of sensitive data belonging to Gunnebo customers had been released on the dark web. 

News service Reuters reported that three security experts had confirmed an 18-gigabyte file containing Gunnebo customer data was available for download.

Data breached in the leak included security arrangements for the Swedish parliament, alarm systems, and detailed floor plans for bank vaults in at least two German banks.

Other data exposed by the hackers included documents containing information on alarm systems and surveillance cameras in use at a branch of the SEB bank in Sweden.

"Of course, we have been aware that files that originate from us are available on Darknet, and we naturally regret that this is the case," said Syrén in a statement yesterday. "Unfortunately, this is exactly how computer criminals work." 

"Therefore, I would like to emphasize that it has never been an alternative for Gunnebo to pay a ransom to have the files deleted. The only way to curb this kind of crime is that the affected organizations do not fall short and pay out ransoms."

Gunnebo is a multinational company headquartered in Gothenburg, Sweden, that counts airports, nuclear power plants, banks, and hospitals among its clients. The company specializes in security products, services, and solutions mainly in the areas of cash management, entrance control, safe storage, and integrated security.

In a statement released just after the attack occurred, Syrén said: "We can only speculate on what the target of the attack was, but as we cannot rule out that it was an attempt at industrial espionage, it has been important to follow the regulations and we have therefore decided to inform Säpo."

Joint Network Established to Combat E-Commerce Fraud

Forter has announced a new collaboration with e-commerce platform FreedomPay in a bid to combat growing levels of fraud as well as reduce false decline rates.

The partnership represents the first joint network for online merchants and banks to instantly block fraud attempts and allow legitimate customers to operate freely.

Online shopping has grown substantially during the COVID-19 pandemic following the closure of shops and with people being forced to spend more time indoors. This has led to fraudsters increasingly moving online to take advantage of this shift in consumer behavior.

Forter said that online transaction volumes for new users had more than doubled since the start of the crisis, and this has led to much higher false decline rates, as these customers are five to seven times more likely to be declined due to a lack of data in legacy fraud prevention systems. This can damage customer experiences, leading to lost revenue for retailers.

The new partnership seeks to overcome the issue of the multiple players involved in each online transaction (e.g. the online merchant, the credit card issuer and the bank) using different fraud solutions. It is hoped Forter and FreedomPay’s global network will allow merchants to confidently accept users they have never seen before.

Forter added that the fraud prevention capabilities available from the network meet regional and country-specific compliance requirements for merchants, including 3D Secure and other SCA methods for PSD2.

Liron Damri, co-founder and president of Forter, commented: “Our coalition of merchants, payment providers and banks fighting fraud together is a huge step forward in global fraud prevention. With over $200bn in online transactions and over 800 million trusted users, we enable our coalition members to be way more effective in fighting fraud and growing the business with confidence.

“Partnering with an industry-leading payment organization, like FreedomPay, allows us to provide its merchants with the most optimal user experience and with a trusted environment that allows them to grow with confidence.”

SHe CISO Exec. to Host Second Virtual Cybersecurity Boot Camp This Year

SHe CISO Exec. has announced that it is hosting its boot camp on cybersecurity and leadership virtually for the second time this year, taking place December 7-11, 2020.

The SHe CISO Exec. team has elected to lay on the extra program in light of the socio-economic damage caused by the COVID-19 pandemic, which has heightened the need for young people to learn skills for employment. Its giveback training and mentoring platform aims to help develop a new generation of diverse and emotionally intelligent cybersecurity leaders in the face of the growing threat of cybercrime.

Over the five-day course, qualified and internationally recognized industry leaders will provide participants with insights into security domains and industry best practices as well as outline ethical leadership and self-development skills to enable them to reach their full potential.

Applicants who demonstrate their eligibility will be offered up to 100% scholarships to attend the virtual boot camp.

The announcement has come amid the ongoing global cybersecurity skills shortage, and SHe CISO Exec. believes its program can help bridge the gaps and enable CISOs to identify the right security talent. It added that companies can also reduce their recruitment costs by upskilling existing security staff through sponsoring them on the course.

SHe CISO Exec. commented: “The five-day boot camp offers its participants an engaging learning experience capturing the quintessential blend of information security training, leadership skill development, speed mentoring, coaching, networking opportunities and much more. The program has been receiving great feedback from the participants so far and will continue to create value for the participants and the industry.”

Founder of the program Chani Simms, who is also managing director of Meta Defence Labs UK and Sri Lanka, said: “I founded SHe CISO Exec. to focus on bridging the skill, diversity and leadership gaps in the cybersecurity industry to create emotionally intelligent cybersecurity leaders. This is my give back to the community and what I would give my younger self.”

Those interested in applying for December’s boot camp can do so via the SHe CISO Exec. website.

Akamai Boosts Mobile Security Offering with Asavie Acquisition

Akamai has announced the acquisition of Asavie, a global platform for managing the security, performance and access policies of mobile and internet-enabled devices.

Intended to enhance and advance Akamai’s security offering, particularly when protecting mobile devices in an increasingly office-anywhere environment, the acquisition will see Asavie’s mobile, IoT and security solutions become part of Akamai’s Security and Personalization Services (SPS) product line.

According to Dublin-based Asavie, it delivers secure and frictionless access to business resources for a fully mobile workforce. This is done by automating the creation of self-serve, private, network-based services that secure access from mobile and internet-connected devices to applications and data without requiring installation and management of client software.

“We believe the addition of Asavie will help Akamai’s carrier partners address enterprise and mid-market customer demand for IoT and mobile device security and management services,” said Dr Tom Leighton, chief executive officer and co-founder, Akamai Technologies. “What’s notable about the Asavie solution is that, as more IoT devices connect over cellular and 5G, it has been shown to be very easy to scale and protect them.”

Ralph Shaw, CEO of Asavie, said he expected COVID-19 to have a lasting impact on how employees work and how businesses operate. “Network security needs will be required to evolve in a 5G era where the office needs to go wherever employees happen to work,” he said.

“The Asavie suite of software-defined solutions is designed to enable enterprises to provide access to business resources while continuously protecting the business in a world of evolving cyber threats targeting mobile devices, users and applications.”

Financial details were not disclosed, but Akamai said the all-cash transaction is not expected to have a material impact on its 2020 financial results, nor on its previously stated operating margin goal.

Report: Application Flaws Being Fixed Faster Although Bugs Persist

The majority of applications still contain at least one security flaw, but the time to fix has massively declined.

According to Veracode's latest State of Software Security report, fixing those flaws can typically take months, with this year’s analysis of 130,000 applications finding that it takes about six months for teams to close half of the security flaws they find. Its scan of those 130,000 applications found that 76% had at least one security flaw, but only 24% had high-severity flaws.

Speaking to Infosecurity, Veracode EMEA CTO Paul Farrington said the minority of that 24% were the “most severe flaws.” He added: “What has changed is, compared to 2018, where 52% of flaws were fixed, and 56% were fixed in 2019, in 2020 the fix rate is up to 73%. In security we often talk doom and gloom but this is great, and shows developer teams are stepping up and improving.”

Farrington also claimed that the most prominent flaws, as featured in the OWASP Top 10, “remain persistent and seem prevalent.” Asked why those flaws are still prevalent, Farrington said newer frameworks “make it less easy to do bad stuff” but not every company and developer team has “the choice of bleeding edge framework and tens and thousands of apps still need to be maintained.”

The report also found that while 70% of applications inherit at least one security flaw from their open source libraries, 30% of applications have more flaws in their open source libraries than in the code written in-house.

Farrington said: “There is a reliance on apps using open source code, and this is a good thing as organizations are not paying to reinvent the wheel, but the challenge is that if you use open source software, you’re basically importing a security risk into the organization.”

Veracode also promoted the concept of automating code scanning, finding that companies running dynamic and static analysis in combination can fix half of their flaws 24 days faster. Farrington said that implementing a frequent, weekly scanning process for your software removes 22 days from the time to fix, compared with scanning on an ad hoc basis.

Asked if he felt the lockdown had impacted application security fix times, Farrington said, if you consider “what has been thrown at them [dev teams] this year, they can be forgiven for taking their eye off the ball” so they have found companies are scanning and automating more, “and not relying on the old customs that worked in the past.”

Chris Eng, chief research officer at Veracode, said: “The goal of software security isn’t to write applications perfectly the first time, but to find and fix the flaws in a comprehensive and timely manner. Even when faced with the most challenging environments, developers can take specific actions to improve the overall security of the application with the right training and tools.”

Isentia Reeling After Suspected Ransomware Attack

Media monitoring giant Isentia has revealed that it is currently dealing with a major security incident disrupting some online services.

The Sydney-headquartered firm, which has operations in eight markets, revealed the news in a regulatory filing with the Australian Securities Exchange (ASX) yesterday.

Although ransomware wasn’t mentioned by name, reports suggest it is the cause of the incident, which Isentia admitted is disrupting services in its SaaS Mediaportal platform.

“Isentia is taking urgent steps to contain the incident and conduct a full investigation into what happened and how to avoid a repeat occurrence in the future,” said CEO Ed Harrison in a statement to the ASX. “Our priority is to restore full service as soon as possible but until that occurs, we have put processes in place to support our customers.”

Many of those customers are in federal government, as well as the wider private sector.

Steve Forbes, government cybersecurity expert at Nominet, argued that the attack therefore highlights the “interconnected world of national cyber-defense.”

“While a media monitoring firm wouldn’t typically be considered part of critical infrastructure, its work with many government departments and large organizations has now been put on hold due to the cyber-attack,” he added.

“This incident also reminds us of the importance of vetting third parties in terms of their cyber-resilience. While the full details of this particular security breach are yet to emerge, best practice advice is to ensure third parties have at least similar practices and procedures as your own to keep sensitive data safe.”

Isentia has notified the Australian Cyber Security Center (ACSC) about the incident and said it is currently working with “leading external cybersecurity specialists” to determine its extent and the impact on key systems.

That would seem to suggest that the firm was caught off-guard by the attack and that it is still struggling to contain the incident.

Furniture Giant Steelcase Hit by Suspected Ransomware Attack

A multibillion-dollar furniture maker has become the latest big name apparently hit by a major ransomware attack.

Steelcase, the world’s largest maker of office furniture, revealed the attack in a filing with the Securities and Exchange Commission (SEC).

The firm claimed to have detected a cyber-attack on its IT systems last Thursday, October 22.

“The company promptly implemented a series of containment measures to address this situation including temporarily shutting down the affected systems and related operations,” it continued. “The company is actively engaged in restoring the affected systems and returning to normal levels of operations.”

At this stage it’s unclear which variant was responsible for the attack, although Steelcase said it is not aware of any data being stolen from its systems “or any other loss of assets as a result of this attack.”

“Although cyber-attacks can be unpredictable, the company does not currently expect this incident will have a material impact on its business operations or its financial results,” it added.

That puts it in stark contrast with many recent victims of ransomware, which have suffered major financial losses as a result. IT services giant Cognizant, for example, claimed in May that an attack a month earlier may end up costing it $70m in Q2 2020 alone.

Steelcase certainly fits the bill as a target for “big game hunting” ransomware groups like Ryuk, Maze and REvil. The Grand Rapids-headquartered business made $3.7bn in revenue for fiscal 2020 and has nearly 13,000 employees, which means plenty of endpoints and users to target.

Compromised RDP endpoints and phishing emails are still the top threat vectors for such groups, with a brisk dark web trade in stolen and brute-forced RDP credentials ensuring a steady supply of targets.

The Steelcase attack came in the same week that French IT services giant Sopra Steria fell victim to what it claimed to be a new variant of the prolific Ryuk family.

Experian Threatened With Massive GDPR Fine After Acting Unlawfully

The UK’s privacy regulator has warned Experian that it has nine months to comply with an enforcement notice or face a potentially huge GDPR fine for illegally using customer data for marketing purposes.

The Information Commissioner’s Office (ICO) revealed in a new report that its action resulted from a two-year investigation into the activities of the three big credit reference agencies (CRAs): Experian, TransUnion and Equifax.

The three companies were found to be “trading, enriching and enhancing” the data of consumers without their knowledge, and selling it in products designed for businesses, political parties and charities to target specific individuals and build profiles on them.

They were also using the information collected for credit referencing in their own direct marketing, and generating new information via profiling, the ICO said.

This “invisible” data processing is said to have affected millions of UK adults: not only were they not informed about how their data was being used, but the CRAs also misread the law to apply lawful bases incorrectly for processing people’s data.

Both Equifax and TransUnion made improvements to their data practices and withdrew some products; Experian, however, refused, which is why it is now facing the enforcement notice.

By July 2021, the firm need only inform customers that it holds their data and how it intends to use it for marketing purposes. By January 2021 it must also stop using data derived from its credit checks for direct marketing, according to the regulator.

Other conditions of the notice include: stopping the processing of data collected unlawfully, deleting any data collected with consent but which is now being used under a lawful basis of “legitimate interests” and clarifying to customers what data it holds, where it’s come from and what it’s being used for.

“The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as a data broker, with poor regard for what people might want or expect,” said information commissioner Elizabeth Denham.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

Under the terms of the GDPR, Experian faces a fine of up to £20m or 4% of total annual worldwide turnover if it refuses to comply.

Amazon Warns Users of Insider Disclosing Details to Third Party

Amazon has sent emails to users warning of a rogue insider who has been fired after disclosing customer details to a third party.

As detailed in a tweet posted by user Zain Jaffer, the email read: “We are writing to let you know your email address was disclosed by an Amazon employee to a third party in violation of our policies.” The email goes on to claim the employee has been fired, referred to law enforcement and stated that no other information related to the recipient’s account was shared.

“This is not a result of anything you have done and there is no need for you to take any action, we apologize for this incident,” it continued.

In a statement published by Vice Motherboard, an Amazon spokesperson said the company had fired multiple people. "The individuals responsible for this incident have been fired. We have referred the bad actors to law enforcement and are supporting their criminal prosecution,” the statement read.

Chad Anderson, senior security researcher at DomainTools, said: “Defenders worry most about insider threats because so many companies build this hard outer layer, but have complete trust for employees inside. They have access to all of the data, networks and information that attackers want to get a hold of.

“As we have seen with the recent foiled Tesla ransomware attempt, threat actors are now bribing with upwards of a million dollars to sway an employee. That is a hard threat to combat as you can do everything in your power to defend your network, but it just takes one employee to circumvent all of those defenses. Even with a zero-trust model insider threats remain the most dangerous ones for security teams.”

Joe Payne, president and CEO of Code42, predicted that we are going to see more and more of this type of activity, as employees are working outside of the office and organizations are relying on makeshift approaches, including company and employee-owned technology, to enable worker productivity.

“In fact, Code42’s own telemetry data shows that a typical employee causes 20 file exposure events per day,” he said. “Even for organizations that have safeguards and controls in place, employees will be tempted to leak sensitive information for their own gain, simply because they think they will get away with it. Organizations need visibility into risky data behavior in order to identify employees who may be a threat, before they become one.”

Schools Admit Security Gaps

Schools have admitted to creating gaps in their security by rapidly transitioning to remote education in an attempt to slow the spread of COVID-19.

The admission was announced today by cybersecurity company Netwrix, as one of several additional findings from its "2020 Cyber Threats Report" that examined how the coronavirus pandemic and remote learning initiatives have changed the IT risk landscape. 

The report is based on a survey of 937 professionals around the world, 66 of whom worked in educational institutions.

An overwhelming majority of educational institutions (89%) admitted to having new holes in their security as a result of the swift shift to remote education. A third (33%) said that they are more vulnerable to cyber-threats now than they were before the global health pandemic. 

Both of these results were higher in educational institutions than they were in any other vertical analyzed, including banking and finance, healthcare, government, and technology. 

Nearly all (92%) educational institutions said that they consider improper data sharing to be a top security risk. This thinking is logical since 41% of respondents reported becoming victims of this type of security incident in the first few months of the pandemic, making it one of the most common threat scenarios experienced. 

Other types of incidents reported by educational establishments included phishing (50%) and administrator mistakes (31%). Every fourth educational organization had experienced misconfiguration of cloud services in the first few months of the pandemic.

Concern about malicious actions by rogue admins had dropped from 92% before COVID-19 hit to 9% afterward. While only 12% of educational institutions had experienced such incidents, they had resulted in the longest dwell time with 43% of respondents saying that it took weeks or months to detect the issue.

“To minimize the risk and impact of human errors, we recommend investing in security training and easy-to-use collaboration tools," said Ilia Sotnikov, VP of product management at Netwrix.

"The latter will eliminate the temptation to share sensitive records through unsanctioned solutions, while giving the IT team enough control and auditability. Also look for ways to leverage automation to augment the IT team’s efforts."

Ping Identity Appoints Emma Maslen to Lead EMEA and APAC Growth

Identity security firm Ping Identity has announced the appointment of Emma Maslen as its vice-president and general manager for EMEA and APAC. In this role, she will focus on opening new markets and Ping’s continued international growth.

Maslen has over 20 years of experience working in senior leadership roles in the IT industry, including at Sun Microsystems and BMC Software. Her most recent role was managing director at SAP Concur.

She is also likely to promote employee engagement at Ping, holding a position on the advisory board at ImproveWell, a digital employee engagement platform for healthcare. She is additionally a passionate advocate of talent development and inclusion, and holds further advisory board positions at Phoenix51, a talent lifecycle platform, and Maiden Voyage, a champion for female and LGBTQ traveller safety.

Dave Packer, senior vice-president of field operations at Ping Identity, commented: “Emma brings a wealth of experience in driving business growth, and a demonstrated ability to bring the best out of people. Her expertise will be vital in helping Ping Identity advance our position amongst our enterprise customers and key alliance partners across Europe and APAC as we continue our international expansion.”

Speaking about her appointment, Maslen said: “Managing identity is one of the biggest societal challenges of the next decade. Ping is ready to grow rapidly to meet this need and key to that success is attracting the best talent in the industry and building the right culture to deliver on our vision. I’m looking forward to helping Ping achieve these goals and working closely with our channel and technology partners to deliver on our next phase of international growth.”

Floridian Arrested for Hacking Home Camera System

A woman from Florida has been arrested after allegedly hacking into the home camera system of a family member as part of an extortion attempt.

Agents with the Florida Department of Law Enforcement arrested Jennifer Lenell Small on October 26 and charged the 44-year-old with a third-degree felony cybercrime. 

Agents say that Small accessed the home camera system of a male family member as part of an extortion attempt that involved a contested will. Her alleged victim was a former employee of her husband's construction company. 

"Small gained access to the camera and stored recordings after her husband’s construction company fired the victim and he turned the cell phone back into the company," said a spokesperson for the Florida Department of Law Enforcement. 

The company cell phone that the victim had returned to his employer had an app installed on it that allowed the victim to view footage from his home security camera system. Small allegedly used that app to access video belonging to the victim without his authorization. 

An FDLE spokesperson said: "Small sent a short video clip to the victim telling him she had hours of videos that she would use against him in court if the victim did not agree to mediation."

Small was arrested and booked into Collier County Jail on a $7,500 bond. The investigation will be prosecuted by the Office of the State Attorney, 20th Judicial Circuit.

The cybercrime with which she is charged is defined as "using electronic means to stalk a victim, engaging video surveillance by accessing any inherent feature or component of a computer, computer system, computer network, or electronic device, including accessing the data or information of a computer, computer system, computer network, or electronic device that is stored by a third party."

"To make work-issued devices more palatable for users, most corporate-issued devices still allow users to download apps from the legitimate app stores for personal use," commented Lookout's Hank Schless.

"Wiping the mobile device and removing any access to cloud resources for an employee or a specific device should be the first steps in the deprovisioning process. Not executing a factory reset can be very risky if the device falls into the wrong hands."

Student Teacher Jailed for Sexting Children

A former student teacher at an American middle school has been sent to prison for sending nude pictures of herself to children. 

Emily Edson, a 39-year-old former student teacher at Lamar Middle School in Lamar, Missouri, admitted sending indecent images to three male children. Police say that the victims were all aged 13 at the time. 

An investigation into Edson was launched in May 2017 after the mother of one of the victims learned of an inappropriate conversation that had occurred between her son and the student teacher and reported it to the police. 

Rusty Rives, Lamar's police chief at the time, said that the mother's report prompted police to interview her son and two other eighth-grade boys at the Children's Center in Nevada. 

According to a report by the Joplin Globe, Rives described the conversation that had occurred between the student teacher and one of her victims as "sexually provocative." 

A search warrant was obtained for Edson's cell phone, which was seized by police on May 26, 2017. The phone was found to contain nude photographs of two students. 

Edson was arrested on June 4, 2017. Three days later, a search warrant was executed on her residence in which police seized a computer, CDs, and an electronic tablet. 

In June 2017, Edson was charged with possessing child sexual abuse material. New charges filed against her in February 2019 alleged that Edson sent nude images of herself to three male minors. 

According to affidavits filed with the 2019 charges, Edson regularly spoke to one of the boys in a sexual manner and asked him on multiple occasions to have sex with her.

The Barton County prosecutor's office charged Edson with one count of sexual enticement of a child in addition to the three counts of sexual misconduct and two counts of possession of child sexual abuse material. As part of a plea agreement, the enticement count was dropped and the possession charge was swapped to one of promotion.

In Vernon County Circuit Court on Thursday, Judge David Munton sentenced Edson to concurrent terms of four years on each of the four counts.

#NCSAM: Organizations at Higher Risk of Cyber-Attacks Due to IoT Expansion

Organizations are at much higher risk of cyber-attack due to the expansion of IoT devices in their networks over the past year, according to new research by Palo Alto Networks' threat intelligence arm, Unit 42.

The analysis, which looked at the multi-layer threats and weaknesses affecting current IoT supply chain ecosystems, has been published during National Cybersecurity Awareness Month, which is this year focusing on the role individual users can play in enhancing the security of IoT devices.

The researchers firstly highlighted a recent survey showing that 89% of organizations had seen an increase in the number of IoT devices on their network over the last year, significantly expanding the attack surface area.

They highlighted that supply chain attacks in IoT can come in two forms: from software installed in a certain device that has been compromised to hide malware, and from a piece of hardware implanted or modified to change a device’s behavior. They added that supply chain vulnerabilities, in which third-party software with vulnerabilities is installed or is part of certain components, such as an app or firmware, should also be considered.

A common malpractice was the incorporation of third-party and hardware components without listing the components that had been added to the device, according to the research. This makes it difficult to know how many products from the same vendor are affected when a vulnerability is discovered on one of these components.

In addition, the authors said that it is hard for users to be aware of which components are operating inside any IoT device, each of which has its own intrinsic security properties that depend on other components with their own security properties. This means an entire device can be compromised if just one of these components is vulnerable.

They also noted that users managing networks with IoT devices often do not keep inventories of how many are connected to a corporate network. This makes the tracking of potentially vulnerable devices difficult and increases the chances of a cyber-attack being successful.

Co-authors Anna Chung, principal researcher, and Asher Davila, senior security researcher at Palo Alto Networks, advised: “It is critical to maintain a list of devices connected to the network in order to identify devices, and the vendors or manufacturers of those devices, which make use of a vulnerable component so the administrator can patch them, monitor them or disconnect them if needed.”

They added: “Having complete visibility of the devices connected to the network and getting notified when a device is generating anomalous traffic is critical to defending your infrastructure.”
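As an added illustration of the inventory advice above (not code from the Unit 42 research or from Palo Alto Networks), here is a Python check that matches a hypothetical component advisory against a constructed device inventory. The component name, version range, vendors and device records are all made up for the example; devices that ship without a component list are reported as unknown rather than silently treated as safe, which is the gap the researchers describe.

```python
"""Matching a component advisory against an IoT device inventory (added example,
not the Unit 42 researchers' code). All device and component data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Device:
    device_id: str
    vendor: str
    model: str
    # component name -> version string; None means the vendor shipped no component list
    components: Optional[Dict[str, str]] = None


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str          # first version that is NOT affected (exclusive bound)
    introduced: str = "0"  # first affected version (inclusive bound)


def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1). Non-numeric suffixes are ignored (a simplification)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed_in: str) -> bool:
    """True when introduced <= version < fixed_in."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)


def assess_inventory(devices, advisory) -> dict:
    """Return affected device ids, devices whose exposure is unknown, and a
    per-vendor count so the 'how many products from this vendor' question can be answered."""
    affected, unknown = [], []
    by_vendor = defaultdict(int)
    for d in devices:
        if d.components is None:
            # No component list was supplied, so exposure cannot be decided.
            unknown.append(d.device_id)
            continue
        version = d.components.get(advisory.component)
        if version and version_in_range(version, advisory.introduced, advisory.fixed_in):
            affected.append(d.device_id)
            by_vendor[d.vendor] += 1
    return {"affected": affected, "unknown": unknown, "by_vendor": dict(by_vendor)}


# Constructed inventory and advisory; the component and vendors are hypothetical.
INVENTORY = [
    Device("cam-01", "Acme", "IPCam-200", {"example-tls-lib": "2.2.0", "example-http-lib": "1.4"}),
    Device("cam-02", "Acme", "IPCam-200", {"example-tls-lib": "2.3.1"}),   # already fixed
    Device("thermo-07", "Beta", "T-Stat", {"example-tls-lib": "1.9.9"}),   # below range
    Device("printer-03", "Acme", "LP-10", {"example-tls-lib": "2.0.0"}),   # lower bound hits
    Device("sensor-12", "Gamma", "Sense-1", None),                        # no component list
]
ADVISORY = Advisory(component="example-tls-lib", introduced="2.0.0", fixed_in="2.3.1")

if __name__ == "__main__":
    print(assess_inventory(INVENTORY, ADVISORY))
```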

Remote Workers Ignore Training to Open Suspicious Emails

Remote workers are increasingly putting corporate data and systems at risk by failing to follow best practice security, according to new research from Mimecast.

The email security vendor polled over 1000 global respondents working from corporate machines to compile its latest report, Company-issued computers: What are employees really doing with them?

It found a litany of risky behavior: for example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%) and online shopping (35%).

It also revealed that, although most (96%) of the respondents said they were aware of the repercussions of clicking through on malicious phishing links, nearly half (45%) open emails they consider to be suspicious.

This is despite the fact that 64% claimed to have received special security training to equip them better for the new normal of working from home.

Nearly half (45%) also admitted to not reporting such emails to their IT security teams.

Michael Madon, senior vice president of awareness training and threat intelligence at Mimecast, argued that corporate efforts to change behaviors are failing.

“With everyone’s home becoming their new office, classroom and place of residence, it’s not really a surprise that employees are using their company-issued devices for personal use. However, better training is crucial to avoid putting the company at risk,” he added.

“Employees need to be engaged, and training needs to be short, visual, relevant and include humor to make the message resonate. Awareness training can’t be just another check-the-box activity if you want a security conscious organization.”

The report’s findings chime with one from Trend Micro earlier this year which found that 39% of remote workers access corporate data on personal devices, and 36% of these devices do not even have basic password protection. It also revealed that half (52%) have IoT devices connected to their home network, which could expose it to additional security risks.

Government Threatened with Legal Action Over Track and Trace

UK privacy campaigners have urged the government to take responsibility for ensuring its Test and Trace program is not abused or face legal action under data protection laws.

Big Brother Watch and the Open Rights Group (ORG) have told data rights agency AWO to send a pre-action letter to the government following multiple reports that data collected by hospitality venues is being misused.

ORG executive director, Jim Killock, clarified on Twitter that he wants the government to take ownership of the problem, as required by the GDPR.

“Government needs to take responsibility for the way that pubs and restaurants collect and use data. They need to make it safe for us and simple and easy for venues,” he argued.

“We believe that GDPR requires government to take responsibility, assess the risks and mitigate the risks. They are, we believe, a ‘Joint Controller.’ This means they are legally obliged to take joint responsibility for the data they compelled businesses to collect.”

Over the past few months several stories have circulated in the media about women suffering harassment by individuals who have obtained their contact details from lists maintained by pubs and bars as part of their Track and Trace obligations.

Other reports suggest that data gathered by venues for the scheme is being subsequently sold on to third parties for marketing purposes, without the data subject’s knowledge or informed consent—a key pillar of the GDPR.

Tom Chivers, digital privacy expert at ProPrivacy, welcomed the rights groups’ efforts to hold the government to account on this.

“We're delighted to see the government finally being held to account for the short-sighted decision to pass the burden of track and trace data collection onto pubs, bars, and restaurants - an industry that effectively had to learn the ins and outs of GDPR overnight,” he argued.

“While some of the blame for these issues does indeed rest with the businesses, we have to ask who is ultimately accountable for this? The government has failed to provide proper help… for these businesses.”

Experts Slam Perp and Clinic at Center of Extortion Scandal

Security experts and politicians have reacted with anger and dismay at news that tens of thousands of patients at a Finnish psychotherapy clinic may be at risk of online extortion, after a cyber-criminal started leaking their records on the dark web.

As Infosecurity reported yesterday, the data was stolen from the public health sub-contractor in two raids between November 2018 and March 2019.

At least 300 records containing names and contact information have been published on a dark web site, presumably to show the hackers mean business.

Individuals are also being sent extortion messages demanding €200 in Bitcoin to keep the data private, with the amount increasing to €500 unless paid within 24 hours. The clinic itself has apparently also been on the receiving end of a ransom demand of €450,000.

“The attacker calls himself ’ransom_man’, and is running a Tor site on which he has already leaked the therapist session notes of 300 patients. This is a very sad case for the victims, some of which are underage. The attacker has no shame,” said F-Secure chief research officer (CRO), Mikko Hyppönen on Twitter.

“I’m aware of only one other patient blackmail case that would be even remotely similar: the Center for Facial Restoration incident in Florida in 2019. This was a different medical area and had a smaller number of victims, but the basic idea was the same.”

The Finnish security expert added in a statement sent to Infosecurity that he’d like to see not only the culprit arrested but also the clinic investigated.

“I’d also like to see the Vastaamo clinic to be held responsible for failing to protect critical patient data,” he said. “The patients and the therapists did nothing wrong. They are innocent but they pay the highest price.”

Politicians queued up to slam the attacks. Interior minister Maria Ohisalo described the incident as “shocking and very serious” and said government support would be expedited to help those affected, while President Sauli Niinisto labelled it “cruel” and “repulsive.”

Warren Poschman, senior solutions architect with comforte AG, argued that the incident highlights the need for data-centric security policies backed by use of tokenization and format-preserving encryption.

“The reliance on firewalls, strong authentication, and passive database encryption to protect data is simply not enough — the data itself must be protected to ensure that when attackers gain access, customer and patient data will remain secure and privacy upheld,” he said.

Comparitech security specialist, Brian Higgins, described the perpetrator as “morally bankrupt.”

“This incident offers a sober lesson indeed that it is so very important to understand how your personal information will be used, stored and retained by any and all organizations you choose to share it with,” he added.

“The Finnish authorities are right to call this situation ‘exceptional’ and one can only hope Vastaamo will be suitably called to account once the full circumstances are established.”

FBI Supports US Cyber Camp

The US Space and Rocket Center and the Federal Bureau of Investigation have entered into a joint agreement in support of US Cyber Camp.

The camp is the newest of four STEM (science, technology, engineering, and mathematics) camp programs to be launched by the Rocket Center, a museum in Alabama that showcases the rockets, achievements, and artifacts of the United States space program.

A memorandum of understanding (MOU) in support of the camp was jointly signed on October 21 by FBI Associate Deputy Director Paul Abbate and USSRC Executive Director and CEO Louie Ramirez.

The Rocket Center laid on its first US Cyber Camp session in July 2017 with assistance from Cyber Huntsville and the University of Alabama in Huntsville. Engaging American students in the fields of computer science and cybersecurity is the camp's mission.

Under the terms of the MOU, the FBI has agreed to assist the Rocket Center to develop a new curriculum that will feature realistic cyber-attack scenarios and real-life responses. 

Students of the US Cyber Camp will also be given the opportunity to tour the FBI facilities at Redstone Arsenal and learn directly from subject matter experts.

As part of the MOU, the FBI will share information about its cyber programs with Cyber Camp students and let them know about cyber-focused career opportunities at the bureau. The Rocket Center has agreed to support the FBI in its public outreach project and youth cyber-educational initiatives. 

"This memorandum of understanding is formalizing the FBI’s interest in Cyber Camp,” said Ramirez. “Just as our Space Camp students learn about space exploration and the careers that support it, with the FBI’s help, our cyber program will educate students about the exciting and important field of cyber security and what it takes to be part of our nation’s top cyber-crime fighting agency.”

“In today’s complex cyber environment, partnerships at every level are absolutely essential,” said Abbate. “We’re in the fight against cyber threats together and we won’t succeed without each other. We’re very pleased at this opportunity to partner with the USSRC to cultivate a new generation of cyber talent.”

Finnish Patients Blackmailed After Clinic Data Breach

Patients whose data was stolen in a cyber-attack on a Finnish psychotherapy clinic are being individually blackmailed.

An attack on the Vastaamo practice in November 2018 resulted in the theft of a customer database, with a second potential breach occurring in March 2019. Vastaamo serves thousands of patients from around 20 branches at locations across Finland.

The data breach came to light in September 2020 when a blackmailer approached three Vastaamo employees. 

Patient data that was compromised appears to have included therapy session notes detailing what was discussed along with personal identification records. 

According to the Associated Press news agency, the records of around 300 Vastaamo patients have been published on the dark web. 

Vastaamo has stated that it is cooperating fully with law enforcement and has advised any patients who have been contacted individually by a blackmailer to go to the police. The clinic described the incident as "a great crisis."

A helpline has been set up by the clinic for victims, who are also being offered a free unrecorded therapy session.  

News site Yle reported that the Finnish government held an emergency meeting about the situation on Sunday night in which Interior Minister Maria Ohisalo dubbed the security incident and subsequent blackmailing as "exceptional."

A Vastaamo patient who was contacted by the blackmailer told the BBC that he didn't think handing over a ransom would guarantee the safety of his data. 

The victim, who asked to be referred to only by his first name, Jere, said that someone describing themselves as "the ransom guy" had contacted him to demand a payment of €200 ($236) in Bitcoin. Jere was told that he was being contacted after Vastaamo had refused to pay a ransom of 40 Bitcoin ($515,632).

The blackmailer told Jere that if he didn't pay within 24 hours, the ransom would increase to €500 ($590). If no payment had been received within 72 hours, notes from psychotherapy sessions Jere completed as a teenager would be published. 

"Those notes contain things I'm not ready to share with the world," said Jere. "And having someone threaten me with said notes certainly makes me extremely uncomfortable."

Jere, who said he could not afford to pay the ransom, added: "I feel like paying won't guarantee that my data will remain safe."

Harvest Finance Places Bounty on Hacker

A decentralized finance (DeFi) protocol is offering a $100k reward for help in contacting its alleged cyber-attacker.

Reports emerged a week ago that Harvest Finance had allegedly been targeted by an unknown cyber-criminal who drained $24m in value from its pools in seven minutes. The malicious hacker allegedly cashed out the cryptocurrency into a virtual wallet via renBTC and Tornado. 

The anonymous team behind Harvest Finance said that the attacker had drained the pools by manipulating Stablecoin prices on Curve Finance, a DeFi protocol that interacts with Harvest Finance contracts.

Following the alleged attack, Harvest Finance tweeted: “We are working actively on the issue of mitigating the economic attack on the Stablecoin and BTC pools, and will update in this thread in realtime (sic) as soon as additional details are available.”

Bizarrely, the attacker returned about $2.5m to the deployer in the form of Tether (USDT) and USD Coin (USDC). 

Harvest Finance tweeted that the money that had been sent back "will be distributed to the affected depositors pro-rata using a snapshot."

Earlier today, Harvest Finance tweeted 10 BTC addresses used by the alleged hacker and asked major cryptocurrency exchanges, including Binance and Coinbase, to blacklist them. 

After claiming to have discovered some clues as to the alleged hacker's identity, the DeFi protocol then put a bounty out on them via Twitter.

The message posted earlier today via @harvest_finance read: "In addition to the BTC addresses which hold the funds, there is now a significant amount of personally identifiable information on the attacker, who is well-known in the crypto community.

"We are putting out a 100k bounty for the first person or team to reach out to the attacker and help the attacker return the funds to the deployer address."

The protocol said it was not interested in taking any kind of revenge against the alleged hacker.

In an October 26 tweet apparently directed at their digital assailant, Harvest Finance wrote: "We are not interested in doxxing the attacker, your skill and ingenuity is respected, just return the funds to the users."

HackerOne Integrates Platform Through New Agreements

Security firm HackerOne has announced a range of new partnerships and integrations to enable its platform to fit better with existing security and development workflows.

These include agreements with ServiceNow and PagerDuty to provide real-time updates of critical vulnerabilities, enabling their customers to respond rapidly to threats.

A new class of data and log aggregation tool is provided through integrations with Splunk and Sumo Logic, while customers that leverage Kenna Security and Brinqa can import their data from HackerOne into these applications.

In addition, a collaboration with interactive cybersecurity training organization HackEDU enables their developer training to be automatically adapted to the vulnerabilities found by hackers in customer programs.

HackerOne also outlined a number of further integrations in the pipeline. These include a new GitHub addition and Microsoft products such as Azure DevOps and Microsoft Teams.

Co-founder of HackerOne, Michiel Prins, said: “Our mission is to empower the world to build a safer internet. While this may start with knowing where you’re vulnerable, what happens next is vital. With best-in-class integrations, HackerOne empowers customers to increase efficiency, collaboration and scalability by bringing industry-leading tools into the HackerOne ecosystem and creating seamless workflows within those tools.”

Discussing its integration with HackerOne’s platform, Steve Gross, senior director of strategic business development at PagerDuty, commented: “Notification and communication of a vulnerability is one of the most important aspects of security teams’ workflows. The sooner the right team members are notified that a high or critical bug has been reported, the sooner they will be able to start the remediation process.

“With the potential of a delayed or missed notification being a data breach, the stakes are high. To meet these challenges, PagerDuty is excited to work with HackerOne to provide real-time updates of critical vulnerabilities being reported so customers can optimize response times and begin remediation as soon as possible.”

Attacks Exploiting Digital Certs Soar by 700% in Five Years

The number of cyber-attacks exploiting “machine identities” has soared by more than 700% over the past five years, according to new data from Venafi.

The security vendor made the claims in its latest report, Machine Identities Drive Rapid Expansion of Enterprise Attack Surface.

It also revealed that this type of attack has surged by 433% from 2018 to 2019 alone, whilst the use of commodity malware that abuses machine identities doubled.

Machine identity refers to the use of digital certificates and cryptographic keys (i.e. SSL/TLS, SSH) to authenticate and secure computers and devices that connect with each other.

While IoT and digital transformation have led to an explosion in the use of such machines in the enterprise over recent years, security has failed to catch up.

As many CISOs are unaware how many machines they have to manage, they’re unclear about the size of the attack surface, which could lead to unplanned outages as certificates expire. Attackers are also increasingly adding machine identity components to commodity malware so that they can hide in encrypted traffic, Venafi has warned in the past.

From 2015 to 2019, the number of vulnerabilities involving machine identities grew by 260%, while the number of reported advanced persistent threats (APTs) using these techniques grew by 400%, Venafi claimed.

“As our use of cloud, hybrid, open source and microservices increases, there are many more machine identities on enterprise networks—and this rising number correlates with the accelerated number of threats,” said Yana Blachman, threat intelligence researcher at Venafi.

“As a result, every organization’s machine identity attack surface is getting much bigger. Although many threats or security incidents frequently involve a machine identity component, too often these details do not receive enough attention and aren’t highlighted in public reports.”

Sopra Steria Hit by New Ryuk Variant

French IT services giant Sopra Steria has said it will take weeks to return to normal after a serious ransomware attack forced key systems offline.

The group posted a very brief message on its website last week claiming to have discovered the attack on Tuesday evening.

However, its fintech business Sopra Banking Software confirmed in an update today that the incident was a ransomware attack.

“The virus has been identified: it is a new version of the Ryuk ransomware, previously unknown to anti-virus software providers and security agencies,” it claimed.

“Sopra Steria’s investigation teams immediately provided the competent authorities with all information required. The group was able to quickly make this new version’s virus signature available to all anti-virus software providers, in order for them to update their anti-virus software.”

The statement claimed that Sopra Steria had managed to catch the attack after a “few days” and confine it to “a limited part” of its IT infrastructure.

“At this stage, and following in-depth investigation, Sopra Steria has not identified any leaked data or damage caused to its customers’ information systems,” it added.

“Having analyzed the attack and established a remediation plan, the group is starting to reboot its information system and operations progressively and securely, as of today.”

However, it will take “a few weeks for a return to normal” across the business, it warned.

Ryuk is one of the most prolific ransomware strains out there, having targeted organizations as diverse as US defense contractor EWA and Spanish logistics firm Prosegur.

Sopra Steria, which operates the NHS Shared Business Service joint venture, is certainly not the first IT services company to be caught out by ransomware. After being hit by the Maze group earlier this year, Cognizant admitted that the incident may end up costing it as much as $70m in Q2 alone.

Nando’s Customers Hit by Credential Stuffing Attacks

Some customers of popular high street eatery Nando’s have been left hundreds of pounds poorer after cyber-attackers hijacked their online accounts to place large orders.

Reports in UK media revealed that multiple customers of the peri-peri chicken chain have had their accounts compromised. Due to COVID-19 restrictions, customers must now scan a QR code in store and order online to get their food.

However, that has left the door open to attackers trying previously breached log-ins from other sites to hijack their accounts, when those credentials are reused by the victims.

According to one report, a group of young people fraudulently placed two large orders in-store, after trying and failing several times to use hijacked accounts.

Nando’s said it would reimburse any customers scammed in this way, and promised to get better at spotting fraudulent account activity.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer's email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” it added in a statement.

There were 64 billion such credential stuffing attempts between July 2018 and June 2020, in the retail, hospitality and travel sectors, according to Akamai data released last week.

Brian Higgins, security specialist at Comparitech, argued that this kind of fraud has become more common during the pandemic as hospitality venues implement online ordering platforms to help protect staff and customers.

“The security of these platforms is always going to be questionable and it is absolutely vital that customers take their own security measures seriously. Never use the same password for more than one application, whether it’s your bank account, your Facebook page, your Deliveroo account or anything else,” he continued.

“If attackers, as in this case, can steal the password to one app, they will have access to them all. Password management is a pain but feeding someone else’s friends at Nando’s is worse."
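To show how the account-level side of a credential-stuffing campaign like the one described above could be spotted in authentication logs, here is an added Python example (not code from Nando’s, Akamai or Comparitech) that runs a simple heuristic over constructed login-audit lines: one source address attempting many distinct accounts inside a short window with a high failure rate is flagged, and any successful login from that address inside the flagged window is reported as a possible account takeover, including successes logged before the threshold was crossed. The log format, addresses, thresholds and account names are all constructed for the example.

```python
"""Credential-stuffing heuristic over constructed login-audit lines (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical "key=value" format.
# 203.0.113.7 sprays many different accounts within seconds (two attempts succeed);
# 198.51.100.10 is a single user mistyping her own password and must not be flagged.
SAMPLE_LOG = """\
2020-10-23T18:00:01Z ip=198.51.100.10 user=ann@example.com result=OK
2020-10-23T18:00:05Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-10-23T18:00:06Z ip=203.0.113.7 user=cara@example.com result=FAIL
2020-10-23T18:00:06Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-10-23T18:00:07Z ip=203.0.113.7 user=erin@example.com result=OK
2020-10-23T18:00:08Z ip=203.0.113.7 user=fay@example.com result=FAIL
2020-10-23T18:00:09Z ip=203.0.113.7 user=gus@example.com result=FAIL
2020-10-23T18:00:09Z ip=203.0.113.7 user=hal@example.com result=OK
2020-10-23T18:00:10Z ip=203.0.113.7 user=ivy@example.com result=FAIL
2020-10-23T18:00:30Z ip=198.51.100.10 user=ann@example.com result=FAIL
2020-10-23T18:00:35Z ip=198.51.100.10 user=ann@example.com result=FAIL
2020-10-23T18:00:40Z ip=198.51.100.10 user=ann@example.com result=OK
2020-10-23T18:45:00Z ip=203.0.113.7 user=jon@example.com result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse audit lines into LoginEvents sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.7) -> dict:
    """Flag source IPs that try many distinct accounts with mostly failures inside
    `window`, then report successful logins from those IPs that fall inside a
    flagged window as possible account takeovers."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged_windows = defaultdict(list)   # ip -> [(window_start, window_end), ...]
    for ip, ip_events in by_ip.items():
        recent = deque()                  # this IP's events inside the sliding window
        for e in ip_events:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            distinct_users = {x.user for x in recent}
            failures = sum(1 for x in recent if not x.ok)
            if (len(distinct_users) >= min_distinct_users
                    and failures / len(recent) >= min_fail_ratio):
                flagged_windows[ip].append((recent[0].ts, e.ts))

    suspicious_accounts = set()
    for ip, windows in flagged_windows.items():
        for e in by_ip[ip]:
            # Re-check every success from the flagged IP, including those logged
            # before the threshold was reached within the same window.
            if e.ok and any(start <= e.ts <= end for start, end in windows):
                suspicious_accounts.add(e.user)

    return {
        "flagged_ips": sorted(flagged_windows),
        "suspicious_accounts": sorted(suspicious_accounts),
    }


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
```

The late attempt against jon@example.com falls outside the five-minute window and so is not counted toward the earlier burst, while the genuine user's repeated failures involve only one account and stay below the distinct-user threshold.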

US Army Base’s Twitter Account Hacked

A malicious hacker has been blamed for a series of lewd messages that emanated from the social media account of a US military base on Wednesday.

Followers of Fort Bragg's official Twitter account were surprised by the sexual content of a number of tweets that began to appear at around 4:30pm ET. 

The tweets were posted in response to messages featuring adult content that were shared by another Twitter user. 

When @Quinnfinite10 posted a tweet about someone who had complained about the display of pubic hair on her OnlyFans page, Fort Bragg's account replied to her post with a message in support of the user and her decision to show her body hair.

Referencing the individual who wasn't in favor of the image, Fort Bragg's alleged hacker stated: "He's lost and doesn't know a good thing when it's staring him in the eyes or tickling his nose in this case."

Other messages shared by the North Carolina army base's Twitter account included a sexually explicit comment on a topless photo that had been shared on the Twitter page of @Quinnfinite10. 

The comment posted from @FtBraggNC read: "My face's, then my boner's and then my face's again before I come up to give you a deep long kiss."

Responding to the base's racy messages, one Twitter user said: "Doesn't surprise me that military bases out here advocating for pro Bush stances."

Shortly after the lewd tweets were posted, the army base’s account appeared to be deleted.

The 18th Airborne Corps, whose commander commands Fort Bragg, then tweeted: "As many of you may know, there were a string of explicit Tweets from our account this afternoon. This was not the work of our admins. Our account was hacked."

"We apologize to our followers. We have secured our account and [sic] looking into the matter."

Fort Bragg spokesperson Tom McCollum told the Fayetteville Observer that the base's account had been hacked and that an investigation into the security incident had been launched by the Army Criminal Investigation Division.

"We’ve deleted those images, reset our password and reset the two-cycle authentication process," said McCollum. "We apologize to anyone who follows us on Twitter and don't know how this happened."

Systems Admin Arrested for Hacking Former Employer

The former systems administrator of an American department store has been arrested after allegedly hacking into his ex-employer’s private network to give his former colleagues paid holidays. 

New Yorker Hector Navarro is accused of creating a "superuser" account that allowed him to access a computer system of Century 21 after he resigned from his position at the company.

Navarro worked as a human resources systems administrator at the Manhattan branch of the department store from 2012 to October 2019. Through his role, the defendant had access to the company's data management and timekeeping system. 

The 30-year-old is accused of accessing a network of his former employer from his Brooklyn apartment to tamper with data. It is further alleged that Navarro deleted data to prevent consultants hired to replace him from accessing Century 21's computer network.

The Manhattan District Attorney's Office stated: "Prior to his last day, he stole employee data from the company and created an unauthorized 'superuser' account on the company’s network—which allowed him access to the network after his resignation." 

The department store discovered the security breach after Navarro's replacements were unable to get into the system. An investigation by the company determined that changes had been made to Century 21's holiday payroll policy.

As a result of the changes, certain employees would have been paid for holidays even if they had not worked on those particular dates. Century 21 spent thousands of dollars to correct the changes and deletions allegedly made by Navarro. 

“If left undetected, this former employee’s alleged tampering could have cost Century 21 more than $50,000,” said District Attorney Cy Vance.

“Unauthorized access to computer networks and the theft of valuable proprietary data are serious threats to the Manhattan business community."

A New York Supreme Court indictment has charged Navarro with attempted grand larceny in the second degree, criminal mischief in the second degree, computer tampering in the third degree, computer trespass, petit larceny, and the criminal possession of stolen property.

Judge Signs Off on $7.75m Equifax Settlement

A federal judge has approved a multi-million-dollar settlement to resolve claims made by financial institutions against Equifax following a data breach three years ago. 

Between May and June 2017, cyber-criminals gained access to around 150 million records of Atlanta-based credit monitoring service Equifax by exploiting an unpatched Apache Struts vulnerability. 

The breach impacted roughly 56% of America's population and millions of consumers in the UK, costing Equifax over $1.35bn in losses.

Information exposed included names, Social Security numbers, dates of birth, addresses, and in some cases, driver license numbers.

A suit brought against Equifax by financial institutions after they were forced to absorb the expense of the breach has now been settled. 

Chief Judge Thomas Thrash of the Northern District of Georgia gave final approval to the $7.75m settlement yesterday during a hearing held via Zoom. Legal fees of $2m were included in the resolution. 

As part of the agreement, Equifax has committed to investing an additional $25m to enhance data security measures tailored to financial institutions. The investment is scheduled to occur over the next two years. 

Thrash described the settlement as “an excellent one” and said that the class lawyers' request for $2m in legal fees was "appropriate."

"The fact there were no objections from class members weighs in favor of approving the settlement," stated Thrash.

Equifax has ring-fenced $5.5m to pay up to $5,000 to each financial institution for costs associated with the theft of customers’ personal information or fraud losses. 

Each of the 21 financial institutions listed as plaintiffs in the multi-district litigation will be paid $1,500 from the fund.

The settlement with the financial institutions is separate from a $1.4bn settlement reached by Equifax in December 2019 with legal representatives of roughly 147 million consumers whose data was exposed in the 2017 breach. Included in that settlement was $77.5m in legal fees and over $1.4m in expenses for class-action lawyers.

In April this year, Equifax agreed to pay $19.5m to settle a separate class-action lawsuit brought by the State of Indiana over the 2017 data breach. 

#SecTorCa: How One Malicious Message Could Exploit an Enterprise

Following the global transition to remote working that began in March of this year due to the COVID-19 pandemic, Omer Tsarfati, cybersecurity researcher at CyberArk Labs, found himself using Microsoft Teams more than ever before.

Being a security researcher, Tsarfati wanted to make sure the software he was using was actually secure – which it wasn’t. In fact, he and his team discovered a critical flaw that could have enabled an attacker to intercept messages across a company and possibly even launch broader attacks. Microsoft patched the flaw in April with few concrete details; Tsarfati explained the whole incident, with new information, in a session at the SecTor security conference.

Tsarfati explained that Microsoft Teams is a deeply integrated technology that connects with both Microsoft and non-Microsoft technologies. The integration with different technologies includes the use of access credentials known as OAuth tokens that authenticate the user with the given technology.

What Tsarfati and his team were able to discover was that Microsoft was using an authentication configuration approach that created a source of vulnerability, such that one malicious message could enable an attacker to gain access to multiple systems and user information.

How the Exploit Works

Tsarfati explained that one way to trigger the exploit would be to send a victim an email with a malicious link, which would then drop a cookie on the user’s system. That cookie could then read improperly configured information in Microsoft Teams to gain access to connected systems, including Outlook and SharePoint.

He noted that organizations train employees not to click on links, as phishing is a known risk, so instead his team came up with a non-invasive approach to get the malicious cookie onto a victim’s system. That is part of what was disclosed in April: a malicious GIF image that could be used to exploit Microsoft Teams.

Tsarfati said that simply by visiting a page in a web browser that has a malicious GIF image embedded in it, an attacker could pass the bad cookies to an endpoint and gain unauthorized access to other services. Adding further insult to injury, he noted that an attacker could also then further weaponize the vulnerability by spreading it to other users and across an organization’s network.

While Microsoft has patched the issue, Tsarfati was asked if other collaboration tools beyond Teams might have similar risks. He noted that it’s highly likely that is possible, if researchers take the time to look.

Though Microsoft has patched the issue, Tsarfati recommended that users remain vigilant. When sharing any confidential information, he suggested not sharing in the open in an email or in a document. According to Tsarfati, any sensitive and confidential information should always be encrypted to help prevent unauthorized access and limit risk.

#SecTorCa: Tech for Good, and Bad

According to Tracy Ann Kosa, staff privacy engineer at Google, all technology comes with both promises and unintended consequences.

Kosa detailed the challenges and opportunities that technology can bring to society at large during a keynote session at the virtual SecTor security conference. She added that the notion that technology always helps to improve human life is slowly beginning to fade away.

“Social media was supposed to bring us all together and it definitely has, but we see positive and negative consequences of that,” she said.

Where Tech Excels and Where it Fails

Kosa noted that computers are exceptionally good at well-defined tasks with accurately and well-labeled data. Technology is also powerful for image recognition at a level that, in some cases, surpasses human abilities, but there are limitations.

In her view, computing systems still struggle with the physical world and lack common sense. When it comes to machine learning and automation, there are particular risks: systems built on data that lacks diversity, both in where it comes from and in who participated in producing it, lead to inaccurate outcomes.

Whenever a new technology is introduced, there is a cycle of panic that tends to follow, Kosa said. For example, she noted that there was a significant decline in youth mental health in the United States in 2010 that was rather compellingly blamed on smartphone usage.

“That kind of panic becomes a widespread popular moral panic, and we see questions such as: what does it mean to be human and how is this technology changing that for humanity?” she said.

What tends to follow the initial moral panic are politicians that will issue public declarations against a certain emerging technology. The next phase in the cycle of panic is some form of reinvention where the issues that caused the panic are somehow addressed. In some cases, no real progress happens and the panic about the technology continues.

Technology Ethics

Kosa said that there are increasing calls today to have ethics integrated into technology services so they can be more beneficial to human society.

“What does that mean, do we want our engineers to become philosophers, or do we want our philosophers to become engineers?” Kosa asked.

In answering her own question, Kosa emphasized that individuals make ethical decisions all the time and most people don’t need special training to become ethical. That said, for software developers and technology engineers, it can be useful to have a framework within which to consider the ethical implications of a given technology.

One such approach to considering the impact of technology is the reasonable person test that emerged out of a Supreme Court decision in Canada. Kosa explained that the reasonable person model for technology ethics is to consider how an average layperson expects technology to work and what kind of information is required by the service in order to work as expected.

Technology for Good

While much of Kosa’s keynote addressed the negative impacts of technology, she was careful to also note that technology has many positive impacts as well. Contact tracing efforts, which are critical during the COVID-19 pandemic, are one such example of helpful technology she cited.

Kosa also noted that financial services technology has been a major benefit for good in recent years, with online mortgage platforms helping to enable more people from diverse communities to get a loan and own a home.

“Reducing and, in some cases, removing entirely human brokers from the mortgage underwriting process does in fact seem to be democratizing the industry,” she said.

There is more that can be done to enable technology for good, and to that end Kosa concluded her keynote with a call to action for developers and technology builders. Every time there is a new release of software, service or hardware, she wants three key questions to be considered: who is in the story, who is not in the story and who benefits?

#SecTorCa: The Paramedic’s Guide to Surviving Cybersecurity

As a trained paramedic, Rich Mogull has helped to save lives. Mogull is also a cybersecurity professional and he sees a number of parallels between his two professions.

Mogull is the CEO of security analyst firm Securosis and provided his insights in a session at the virtual SecTor security conference. Mogull noted that he’s led parallel lives, one in emergency services and the other in cybersecurity, and that the lessons he has learned from one profession have helped in the other. In particular, he noted that there are many similarities between the two professions in terms of burnout and mental health challenges.

“I think the reason these two fields are so similar is that they share one really core aspect – the job is never done,” Mogull said. “We are pushing the rock uphill; we’re always treating the next patient, solving the next incident or securing the next technology."

Both Professions Start with Enthusiasm

The initial phase in both emergency services and cybersecurity is a period where individuals are enthusiastic about the job. People are eager and excited to learn new skills, typically have a flexible mindset and are task-focused.

The big challenge during the initial enthusiasm phase is that individuals often learn skills without context. There are new tools that both professions get to use and new entrants into the profession are eager to use those tools.

“When I got out of paramedic school I couldn’t wait to start IVs (intravenous drip feeds) and when you come out of security training you can’t wait to use those latest tools and run a penetration test against your organization,” he said.

The other challenge during the enthusiasm phase is that people tend to pick the wrong role models to emulate and that can lead to bad outcomes in the future.

“People who are burnt out and cynical, they have a particular magnetism to them,” Mogull explained. “They come across as the old crusty seen it all, done it all, they are the Han Solo characters that we try to emulate.”

When Burnout Sets In

Mogull said that it typically takes three to five years to mature as a paramedic, and burnout will then often set in during the five-to-seven-year period. The burnout happens for a number of reasons in both professions, including the fact that the same types of incidents keep recurring time after time.

“You’re just caught in this endless cycle, seeing the same things over and over and responding the same way,” he added.

Avoiding the risk of burnout requires a combination of mindset and process, Mogull continued. There is a need to eat healthy, exercise and sleep. There is also a need for peer support, so colleagues help each other out. Having the right peers is critical for that process to work.

“If you hang out with the cynical and burned out crowd, you’re going to be cynical and burnt out,” he said.

Towards a Just Culture

There is also a need to compartmentalize the different aspects of life to enable some form of work-life balance. Having the ability to do context shifting to keep work at work is how Mogull said he’s able to have some balance.

Beyond just having a life outside of work, it’s important to have a positive environment, which Mogull referred to as a Just Culture. He explained that Just Culture is the opposite of blame culture and is important for both emergency services and cybersecurity. Rather than looking for someone to blame for a given issue, the basic idea behind Just Culture is to figure out how to improve the system.

“If you use the term shadow IT, you don’t have a Just Culture, you’re blaming users for using technologies they think they need to get their job done,” Mogull argued. “In some cases it could be recklessness, but in other cases maybe we’re just not giving them the right tools or understanding their needs.”

US and UK Issue Sanctions to Iran and Russia

The US and UK governments have both issued sanctions in response to recent cyber-attacks.

Yesterday, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that five Iranian entities have been “designated” for attempting to influence elections in the United States. The OFAC said the Iranian regime “has targeted the United States’ electoral process with brazen attempts to sow discord among the voting populace by spreading disinformation online and executing malign influence operations aimed at misleading US voters.”

This involved components of the government of Iran, including the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF) and Bayan Rasaneh Gostar Institute (Bayan Gostar), disguising themselves as news organizations or media outlets in order to subvert US democratic processes. Also, the Iranian Islamic Radio and Television Union (IRTVU) and International Union of Virtual Media (IUVM) were designated as being owned or controlled by the IRGC-QF.

The disinformation campaigns “focus on sowing discord among readers via social media platforms and messaging applications, and frequently involve mischaracterizing information,” it claimed. This included influencing the election by exploiting social issues within the United States, including the COVID-19 pandemic, and denigrating US political figures.

As recently as summer 2020, Bayan Gostar was prepared to execute a series of influence operations directed at the US populace ahead of the presidential election.

Also, IRTVU, said to be a propaganda arm of the IRGC-QF, and IUVM, aided Bayan Gostar in efforts to reach US audiences by amplifying false narratives in English, and posting disparaging propaganda articles and other US-oriented content, with the intent to sow discord among US audiences. IUVM is also alleged to have posted conspiracy theories and disinformation related to the COVID-19 pandemic.

The statement came in the same week as the UK enforced new sanctions against Russia after a cyber-attack hit the German parliament in 2015. The UK said it will enforce asset freezes and travel bans against two Russian GRU officers and the GRU’s military intelligence unit 26165 – codenamed APT28 and Fancy Bear – which it said were responsible for the attacks.

In the attack, it is alleged unit 26165 targeted information systems, stole significant amounts of data and affected email accounts belonging to German MPs and the vice-chancellor.

The National Cyber Security Centre (NCSC) supported the attribution of the attack to Russia, and welcomed the sanctions and the multi-national and joint approach being taken with allies standing in solidarity against the attacks.

Paul Chichester, director of operations at the NCSC, said: “We fully support these sanctions, which send a strong message that there will be consequences for those who target us or our allies in cyberspace. We will continue to work closely with our allies to counter malicious cyber-activity from the GRU and others who would seek to do us harm.”

Commenting, Ben Read, senior manager of analysis at Mandiant Threat Intelligence, said the EU and UK sanctions demonstrate the increased international willingness to hold countries accountable for the cyber-intrusions carried out by their security services. “The GRU (which we believe is linked to the threat group APT28) has compromised European governments including Germany for years, and shows no sign of slowing down,” he said. “While the technical features of its operations will continue to evolve, the strategic goal of gathering information for the Russian Government and projecting Russian power has remained consistent.”

Infected IoT Device Numbers Surge 100% in a Year

The volume of infected Internet of Things (IoT) devices globally has soared by 100% over the past year, according to new data from Nokia.

The telecoms equipment maker’s Threat Intelligence Report 2020 is compiled from data processed by service providers using its NetGuard Endpoint Security tool.

It revealed that infected IoT devices now comprise nearly a third (32.7%) of the total, up from 16.2% in the 2019 report.

Nokia argued that infection rates for connected devices depend dramatically upon the visibility of the devices on the internet.

“In networks where devices are routinely assigned public facing internet IP addresses, we find a high IoT infection rate. In networks where carrier grade NAT is used, the infection rate is considerably reduced, because the vulnerable devices are not visible to network scanning,” it explained.

“With the introduction of 5G well underway, it is expected that not only the number of IoT devices will increase dramatically, but also the share of IoT devices accessible directly from the internet will increase as well.”

Nokia warned that other aspects of 5G will also present major new security challenges to telcos: specifically Network Function Virtualization (NFV) and Software-defined Networking (SDN).

“For CSPs, it is a major challenge to provide a fully dependable, secure NFV environment. SDN bears the threat that control applications may wreak havoc on a large scale by erroneously or maliciously interacting with a central network controller,” the report explained.

“The network infrastructure of CSPs becomes more accessible to the attackers, so CSPs are increasingly targeted by sophisticated malicious actors.”

New use cases from the 5G subscriber side will also expand the potential attack surface for cyber-criminals, Nokia warned.

Security must therefore be baked into networks from the start, spanning all components of the ecosystem but managed from a central point of control. Automated orchestration and management and predictive security controls will also be key, Nokia said.

The firm will be hoping to differentiate on security as it competes for contracts formerly held by Chinese giant Huawei, which many governments are forcing CSPs to replace.

#SecTorCa: Defining the Security Metrics that Matter

According to security trainer Tanya Janca, not all metrics actually matter for cybersecurity and there are some that can have significantly more impact than others.

Janca, the founder of training firm We Hack Purple, detailed her views on metrics during a session at the virtual SecTor security conference.

She began by stating that most people simply define metrics as a method of measuring something. The reality though is that there is more to metrics than just measurement. When done properly, metrics provide a way to spot patterns and trends that can help improve cybersecurity outcomes.

“We measure things and gather metrics specifically so that we can report and so that we can improve,” she said. “We report up to management and other teams on what we’re up to and then we use metrics so that we can improve ourselves.”

Why Reports Matter

Janca said that, for cybersecurity professionals, generating reports for management is critical for a number of reasons. Reports are used to help get budget for tools and are typically also necessary for regulatory compliance. She added that reports also make management happy.

“If you don’t write reports, your boss doesn’t know what you’re doing,” Janca added. “You can’t have a security program that costs hundreds of thousands or millions of dollars and then not tell them [management] how you’re doing, that’s not going to go on for very long.”

However, while it’s important to keep management informed with reports, it’s equally important to have useful metrics that are tracked, Janca said. For example, some companies will count the number of vulnerabilities they have as a metric. She doesn’t see counting vulnerabilities as anything more than a “vanity metric” as it’s not particularly helpful. Having more software vulnerabilities could just mean that the organization has done a better job of testing and not that the organization is any more, or less, secure.

Metrics that Matter

Among the metrics that Janca does see as having meaning for cybersecurity professionals and the organizations that employ them is time to detection for a given security issue or vulnerability. Equally important is time to remediation of the issue, as it’s critical to understand the organization’s capabilities for fixing or patching a given issue.

Looking at vulnerabilities, understanding if the organization is detecting the same vulnerabilities time and again, or if it is finding different new vulnerabilities, is also important to measure. It’s also important to identify if there is a decline, or a rise, in a particular type of vulnerability. By identifying trends in vulnerabilities as opposed to just generically counting them, it’s possible to target categories of issues for training to help reduce them over time.

When looking at measuring the impact of an incident Janca said that it’s important to identify if established best practices were followed or not and if the various teams within the company worked together.

“If we aren’t measuring, we don’t know where to start,” she concluded.

Researcher Guesses Password to Access Trump Twitter Account

A security researcher claims to have been able to access Donald Trump’s Twitter account after guessing his password.

Victor Gevers, a researcher at the non-profit GDI Foundation and chair of the Dutch Institute for Vulnerability Disclosure, revealed his findings on the social media site.

He posted the following, referencing an incident four years ago when the same thing happened:

“Dear @realDonaldTrump, I've tried to notify multiple times because of your passwords for Twitter are too weak. Last Friday, I contacted @CISAgov, @TeamTrump, @WhiteHouse, @DonaldJTrumpJr, and @twittersecurity, just like in Oct 2016. But no one responds. Please keep 2FA enabled!”

Back in 2016, Gevers and two others managed to access Trump’s account after guessing the password, “yourefired.” This time he claims it was “maga2020!” with no two-factor authentication enabled.

Although a Twitter spokesperson said it had “seen no evidence to corroborate this claim” and that it “proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States,” an article in Dutch paper de Volkskrant says otherwise.

According to the report, Gevers took screenshots to document his steps, which included four failed attempts before he hit upon the magic password. Although he reached out to the Twitter accounts listed above, none replied.

However, the next day, Gevers noticed two-factor authentication had been activated on the account and two days after that he reportedly received an email from the Secret Service requesting more info on the account takeover and thanking him for highlighting the security snafu.

“Given the President’s near-constant activity on Twitter, his 87 million followers and the sheer power that he holds as the leader of the free world, Trump’s ‘maga2020!’ password is incomprehensibly dangerous,” argued ProPrivacy researcher, Andreas Theodorou.

“In fact, any other year I would be inclined to believe that this was fake news.”

Earlier this week, Trump drew ridicule from the cybersecurity community with comments he made at a rally in Arizona.

"Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15% of your password," he claimed.

#COVID19 Vaccine-Maker Shuts Global Plants After Cyber-Attack

An Indian pharmaceutical giant has been forced to shut operations at several global facilities after suffering an unspecified cyber-attack.

Dr Reddy’s, which produces COVID-19 treatments remdesivir and favipiravir and has just signed a deal to manufacture Russia’s Sputnik-V vaccine, saw shares plummet by over 4% following the announcement.

A statement from CIO Mukesh Rathi sought to calm investors after the news was first reported on Indian channel ET Now.

“We are anticipating all services to be up within 24 hours and we do not foresee any major impact on our operations due to this incident,” he reportedly said in a statement.

There’s little publicly available information on the attack, except that the pharma giant has been forced to “isolate” all of its data centers and shut down plants in the United States, UK, Brazil, India and Russia.

It’s therefore unclear whether the intent of the attackers was to spread ransomware, steal data, or both.

Bill Conner, UK government advisor and CEO of SonicWall, argued that research and pharmaceutical facilities are home to some of the most valuable IP in the world today.

"If seized, it could grant a significant advantage to the party who holds it, and indeed catapult a whole economy,” he added. “Given this, whoever holds this research can claim a high price for it. Hostile actors who wish to influence or control global healthcare at this time of great need, to gain either monetary or geopolitical advantage, will be willing to pay this bounty."

The Hyderabad-headquartered firm, which also produces medicines for the NHS, announced last week that it had received approval from the Drugs Controller General of India to begin an adaptive phase 2/3 human clinical trial for Sputnik-V in India.

#SecTorCa: A Hacker’s Perspective on Your Infrastructure

Being aware of potential risks can help organizations to mitigate those risks, but first they really need to understand what hackers are looking at. That’s the view of IT security auditor Paula Januszkiewicz, founder of CQURE.

Januszkiewicz delivered her message during a keynote session at the virtual SecTor security conference. She noted that during the pandemic there has been an increase in cybersecurity attacks as attackers aim to exploit weaknesses for their own benefit. In her view, defenders should take a hacker’s viewpoint to gain better situational awareness.

“So awareness means we know what’s going on with cybersecurity, we know, different cases and examples, and we are educated in cybersecurity,” Januszkiewicz said.

Hacker Confidence

To help highlight what awareness means from her perspective, she gave an example of how she was able to get into a company that she was doing a penetration test for in Switzerland.

Simply by following an authorized employee into the building, then making small talk with another in an elevator, she was able to gain access to an employee area. When employees were out at lunch, she found her way to a desktop that was unlocked and inserted a Digispark USB device to steal information.

“That is the beauty of social engineering; people expect that, when you do things with confidence, they are the things that you were supposed to be doing,” she said.

Seven Security Issues That Shouldn't Happen

In Januszkiewicz’s view there are seven key security issues that defenders need to be aware of, that hackers love to exploit.

The first issue is weak passwords. She noted that in one case her company was conducting an audit of an oil and gas company and executed a password spraying attack. She explained that her firm simply took a list of the company’s 6000 employees and attempted to access user accounts with the employees’ name as the username and a password of {CompanyName}2020. She was able to access 29 accounts with that method.

The second key issue she identified is “Peeping ROM,” where workers are able to sneak a peek at a co-worker’s or stranger’s workstation in the workplace or in a public place. She suggested that organizations have a policy for locking desktops, so that when an employee is not active, the desktop is locked. The third key issue she called “USB Stick Up,” which is when victims pick up a random USB stick and plug it into their system to see what’s on it. That’s an activity that can lead to exploitation.

Januszkiewicz said that there are a lot of phishing messages today that get past spam filters which leads to the fourth key issue that she called “Phish Biting.” The unfortunate reality is that untrained users still click on phishing emails, especially when they get past spam filters. “Reckless Abandon” is the fifth issue, which is when users simply do not take basic precautions to secure their devices, such as not putting a passcode on a smartphone.

The sixth issue is using someone else’s Wi-Fi connection, a practice Januszkiewicz advised against, as an attacker can potentially see all your traffic. The last key issue that she discussed was being too social. Some people have a tendency to share too much information on social media. The hacker perspective on that is that it can provide information that might be useful to help exploit the user.

“We had a case where there was a guy on LinkedIn from a certain company, and he liked Tesla cars, and for one of his personal emails he was using, there was a recovery question of what’s your favorite car and we typed in Tesla,” Januszkiewicz recounted. “That worked and that was so much fun because this information was super easy to find.”

Oregon Retailer Suffers Sustained Data Breach

Customers of an Oregon retailer have become victims of fraud after their financial information was exposed in a sustained data breach.

Data belonging to thousands of customers of Made in Oregon was compromised in a breach that lasted six months. Made in Oregon is a regional vendor with five stores in the Portland area.

According to the gift retailer, an unauthorized party gained access to its e-commerce site between the first week of February 2020 and the last week of August 2020. 

Last week, Made in Oregon sent letters to 7,800 customers who purchased gifts from its online store during the period when the breach occurred. 

Customers were warned that their name, billing address, shipping address, email address, and credit card information may have been compromised.

Made in Oregon is aware of a small number of customers who have become victims of fraud after their credit card data was exposed in the breach and is working with law enforcement to investigate the security incident.

“We think the actual number of people who had their cards used fraudulently was very, very small," company owner Verne Naito told OregonLive. "But having said that, anybody who (made a purchase) on our site was potentially compromised, which is why we immediately came forward.”

Naito said that customers who made purchases over the phone during the breach period had not been affected by the security incident.

The breach has been reported to law enforcement, and Made in Oregon has launched an internal investigation to ascertain exactly what happened and how many customers were affected. Customers have been offered complimentary credit monitoring services for a year.

Since the breach, Made in Oregon said it has "implemented additional security measures designed to prevent a recurrence of this incident." 

"With consumers around the world increasing the amount of shopping they do online, attackers have naturally gone after online shoppers with sophisticated fraud campaigns," commented Brendan O'Connor, CEO and co-founder of AppOmni (https://appomni.com/). "These trends are unlikely to slow down anytime soon, and I expect that we will continue to see more attacks targeting cloud applications for business and e-commerce sites for consumers.”

Attackers Spoof Microsoft Teams

Cyber-criminals are impersonating a popular Microsoft messaging service to steal employees' Office 365 login credentials in a newly detected attack that has hit up to 50,000 mailboxes. 

The campaign, discovered by researchers at Abnormal Security, targets Office users with an automated message that appears to be sent from communication tool Microsoft Teams. 

"The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams," said researchers.

"It appears to notify the recipient that their teammates are trying to reach them and urges the recipient to click on ‘Reply in Teams’."

Victims who take the bait and click on any of the three links included in the message are directed to a malicious phishing page where they are asked to enter their email and password.

"The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence," noted researchers.

Victims who enter their credentials risk exposing sensitive information stored on their account and giving attackers a foothold into the company's corporate network for more sophisticated BEC attacks. 

"Should recipients fall victim to this attack, their login credentials as well as any other information stored on their account will be compromised," wrote researchers.

The attack exploits both the instantaneous nature of the communication tool and its rise in popularity triggered by the outbreak of COVID-19.

"Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification," noted researchers. 

News of this new attack follows the discovery of two other similar campaigns by Abnormal Security in May 2020, in which threat actors spoofed Microsoft Teams to steal credentials. 

Describing the earlier campaigns, researchers noted: "These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider."

#InfosecurityOnline: Adapting Security Strategies to Growing Digitalization

The significant challenges around ensuring cybersecurity adapts to the rapid digitalization of organizations was the topic of discussion during a panel at the Infosecurity Online event.

The panel speakers first highlighted how digitalization has fundamentally changed the ways companies operate over recent years, such as the greater use of data and offering digital products as well as the shift to remote working brought about by COVID-19. “The journey to digital transformation has been happening for quite some time now,” noted Amitabh Singh, chief information security officer and chief data officer at Swisscard AECS GmbH.

Ledum Maeba, head of information security, Avanti Communications, said that it is important to have a very cautious security approach when it comes to digitalization. “We are digitalizing everything we do, but we are very cautious in what we do; we take every process very seriously and we make sure all security concerns are addressed before we do anything.” 

Before specific digital projects begin, Simon Cole, global security architecture and solutions director at Dentsu, outlined how security should become one of the key considerations: “You have to define what success looks like and that’s with many lenses, so what it means for the business, but also what it means from a security perspective.”

Very often this is not the case. Singh said: “So far when we’ve been working on security, it comes as a retrofit requirement, so we build certain things into digital transformation then security comes later on,” adding that “security needs to come by design as a de facto thing that has to be considered when we are thinking about digitalization.” He noted this should be the goal in the financial industry where he works.

Such an approach clearly requires strong collaboration between security teams and other areas of the organization. “My risk posture is going to be totally different than the executive who is about to launch a new product. What we have to do is have that honest conversation and decide what the acceptable risks are, what are the guardrails,” said Cole.

In this new environment of home working, third party sharing and use of cloud applications traditional perimeter security structures are insufficient, according to the panel. Instead, security must become tailored to the specific business needs of individual organizations and what level of risk is acceptable. Singh commented: “Security professionals have a much larger challenge of first trying to understand the environment. Once you have understood the environment you need to define exactly what security means for that, and define what is good for us.” He added the approach must be fluid, adapting to changing digitalization.

With increasing reliance on third party suppliers, including greater levels of data sharing, undertaking extra due diligence regarding their security is important. This includes assessing the chances of a data risk occurring. Maeba stated: “You need to be really sure they are able to meet your security requirements.”

The panel then discussed how organizations’ increasing shift to the cloud to facilitate digital transformation is impacting security. Singh explained there are two main elements to this, the first of which is user access and the need for a zero-trust model. “Never trust, always verify and contextualize,” he said.

The second is the overall management of the environment, where security professionals are too often caught up in the latest “fads” and simply using new patches to solve issues. This leads to the integration of the technologies becoming more challenging. Again, understanding an organization’s goal in moving to the cloud is vital for the right approach to be taken. Based on this, security professionals should “articulate what the products available in the market are that can give you a seamless picture.”

Fraud Analysts Miss Dark Web Data

New research into how financial crimes are investigated has found that the majority of fraud analysts at financial organizations do not gather evidence from the dark web. 

Web isolation platform provider Authentic8 today released the results of its 2020 Global Financial Crimes Survey, conducted in partnership with the Association of Certified Financial Crime Specialists (ACFCS).

The survey questioned 175 fraud analysts from 150 financial organizations about how financial corporations are handling increasing risks and exposure to losses as they battle against online adversaries.

When asked “Are you / your team researching and collecting evidence from the dark web?” 75% of fraud analysts answered "no." Nearly half (46%) said that they are not able to follow leads into the dark web but would collect more intelligence from the dark web and other toxic sources “if it could be done securely and with an audit trail.”

The need for zero exposure was recognized by 74% of fraud analysts, who agreed with the statement "We need to protect our IT infrastructure while browsing unsafe sites / malicious content." Nearly all (91%) of respondents said that anonymity while carrying out online investigations and research was "desirable or critical."

Over a quarter of respondents (28%) said that their biggest challenge in online investigations is completing training to keep up with evolving criminal threats and technological advances.

A key finding of the survey was that caseload productivity was an issue for many fraud analysts. Over half (57%) of those surveyed said that their productivity is the same or worse in 2020 compared to 2019. 

Almost all (90%) fraud analysts said that more investment in OSINT (open source intelligence) gathering capabilities was needed "to accelerate time-to-insight" for investigations.

“Adversaries are growing in both sophistication and number, but the surveyed firms are telling us the productivity of their fraud analysts is not improving at the same rate,” said Scott Petry, co-founder and CEO of Authentic8 Inc. 

“The imbalance leads to more risk exposure for financial firms and other regulated industries. They risk write-downs, legal penalties, damage to their brand reputations, and more."

#InfosecurityOnline: Tactics for Defending Against Credential Stuffing

A combination of password management, bot detection and traffic visibility can aid in spotting and defeating credential stuffing attacks.

Speaking during the Infosecurity Online event, Jamie Hughes, solutions engineer at Auth0, said credential stuffing attacks are a huge industry problem at the moment and are commonly enabled by single-factor authentication, breached credential lists, password reuse, attack tools and darknet market availability.

He explained that, on many websites and applications, he is typically offered only a password to authenticate and gain access. “There are some improvements, and some do offer MFA, and I always implement it where I can,” he said, but someone who is less security savvy may not, and the account can be left vulnerable.

A breached credential list can contain many credentials, which may be out-of-date, and Hughes flagged one website which had over seven billion records from 370 databases. He also said some lists charge a fee to download, and this is where the credentials are more likely to be successful. He said credentials can be collected via multiple means, such as via phishing attacks or via insecure databases, while password reuse is all too common where the average user has 26 accounts and five passwords.

Hughes added: “Targets of these attacks are typically subscription services, as the attacks gain access to the accounts but are typically sold at a lower cost on dark markets.”

As for impact on a company, Hughes said a company’s reputation could be damaged, and the “negative association can last for years” leading to media coverage as well as loss of trust from your users. There can also be a financial impact of the cost to investigate, the suspension of services and the computational costs of handling attacks.

In order to mitigate credential stuffing attacks, Hughes recommended looking at the analytics of your traffic, and also to benchmark your traffic, so you know what the normal patterns are and are able to spot a spike in failed login attempts. He also recommended looking for failed logins from IP addresses, to understand where an attack comes from.

“The main way to defend is through layers,” he said, focusing on three features: multi-factor authentication, breached password detection and bot detection. “We assess all of this traffic, and feed into our engine and see attempts against a user and IP address,” he said. “You can determine in real time if something is suspicious.”
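The detection side of what Hughes describes (benchmark normal traffic, flag a spike in failed logins, and look at failed logins per source IP) can be run over authentication logs. The block below is an added example, not code from the talk or from Auth0; it also covers the password spraying pattern from the CQURE audit earlier on this page (one source, many usernames, one password each). The log line format, the IP addresses and all thresholds are constructed assumptions for this example.

```python
"""Added example (not code from the talk or from Auth0): detection logic for
credential stuffing and password spraying run over authentication log lines.

Assumptions, all constructed for this example and not taken from the page:
log lines look like "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>",
and the thresholds below are illustrative, not tuned values.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")
WINDOW = timedelta(minutes=5)


def parse(lines):
    """Return (timestamp, succeeded, user, ip) tuples sorted by time.
    Malformed lines are skipped rather than aborting the whole analysis."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result == "LOGIN_OK", user, ip))
    return sorted(events)


def failures_per_window(events, window=WINDOW):
    """Failed-login counts in consecutive fixed windows from the first event."""
    if not events:
        return []
    start, end = events[0][0], events[-1][0]
    counts = [0] * (int((end - start) / window) + 1)
    for ts, ok, _, _ in events:
        if not ok:
            counts[int((ts - start) / window)] += 1
    return counts


def baseline_failures(benchmark_events, window=WINDOW):
    """Benchmark 'normal': median failures per window over known-good traffic."""
    counts = failures_per_window(benchmark_events, window)
    return statistics.median(counts) if counts else 0.0


def spike_windows(events, baseline, factor=5.0, floor=10, window=WINDOW):
    """Windows whose failure count is well above the benchmark. The floor stops
    a near-zero baseline from flagging a handful of ordinary typos."""
    threshold = max(factor * baseline, floor)
    return [i for i, c in enumerate(failures_per_window(events, window)) if c > threshold]


def suspicious_sources(events, min_failures=20, min_users=10):
    """IPs with many failures spread across many accounts: the signature of
    stuffing and spraying (one source, many users, few attempts per user),
    as opposed to one user fumbling their own password repeatedly."""
    fails, users = Counter(), defaultdict(set)
    for _, ok, user, ip in events:
        if not ok:
            fails[ip] += 1
            users[ip].add(user)
    return {ip: (fails[ip], len(users[ip])) for ip in fails
            if fails[ip] >= min_failures and len(users[ip]) >= min_users}


def compromised_after_spray(events, sources):
    """Successful logins from a flagged source: the likely account takeovers,
    which is the alert worth acting on first (lock the account, force MFA)."""
    return sorted({user for _, ok, user, ip in events if ok and ip in sources})


def analyze(benchmark_lines, current_lines):
    """Run the whole pipeline: benchmark, spike detection, per-IP analysis."""
    benchmark, current = parse(benchmark_lines), parse(current_lines)
    baseline = baseline_failures(benchmark)
    sources = suspicious_sources(current)
    return {
        "baseline_failures_per_window": baseline,
        "spike_windows": spike_windows(current, baseline),
        "suspicious_sources": sources,
        "likely_takeovers": compromised_after_spray(current, sources),
    }


def constructed_sample():
    """Constructed log data, not real traffic: 30 minutes of normal logins with
    an occasional failure, then one source trying 50 accounts once each and
    succeeding against one of them. Returns (benchmark lines, current lines)."""
    base = datetime(2020, 10, 26, 9, 0, 0)
    normal = []
    for minute in range(30):
        ts = (base + timedelta(minutes=minute)).isoformat()
        result = "LOGIN_FAIL" if minute % 6 == 0 else "LOGIN_OK"
        normal.append(f"{ts} {result} user=user{minute % 7} ip=10.0.0.{minute % 5 + 1}")
    burst = [
        f"{(base + timedelta(minutes=30, seconds=2 * i)).isoformat()} LOGIN_FAIL user=user{i} ip=203.0.113.7"
        for i in range(50)
    ]
    burst.append(f"{(base + timedelta(minutes=32)).isoformat()} LOGIN_OK user=user3 ip=203.0.113.7")
    return normal, normal + burst


if __name__ == "__main__":
    benchmark_lines, current_lines = constructed_sample()
    for key, value in analyze(benchmark_lines, current_lines).items():
        print(f"{key}: {value}")
```

A real deployment would feed the per-IP and spike signals into the blocking or challenge step rather than just reporting them, and would tune the thresholds against its own benchmark period.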

With bot detection, Hughes said, you are looking to block or challenge requests, for example by adding a CAPTCHA, because the aim is to slow down those requests before they are processed.

With regards to breached password detection, Hughes said Auth0 keeps a database of common passwords and warns the user if they are using something that is known to be commonly used. For MFA, Hughes said this can be added as an additional step for the user to prevent account takeover, which in turn stops the account from being sold on a darknet marketplace.

KashmirBlack Botnet Uses DevOps to Stay Agile

Security researchers have lifted the lid on a highly sophisticated global botnet operation performing millions of attacks per day, including cryptocurrency mining, spamming and defacements.

Dubbed “KashmirBlack” by a team at Imperva, the botnet consists of hundreds of thousands of compromised machines controlled by a single command and control (C&C) server.

Active since around November 2019, it spreads by targeting an almost decade-old PHPUnit RCE vulnerability in popular content management system (CMS) software. Imperva warned that the pandemic has arguably created more potential victims for the botnet, given that many businesses have been scrambling to create an online presence via such platforms.

The botnet’s infrastructure is apparently more sophisticated than most, using DevOps techniques to drive agility and ensure new payloads and exploits can be added fairly easily.

This agility also means the botnet can rapidly change the repositories such as GitHub where it stores malicious code, as well as its C&C infrastructure, which Imperva claimed recently migrated to Dropbox to hide its tracks.

In a sign of how alert the botherders are to potential outside disruption, Imperva claimed that they blocked access to its honeypot servers in just three days after growing suspicious.

Indonesian web defacement cybercrime group PhantomGhost has been linked to the botnet, the security vendor claimed.

“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said Ofir Shaty, Imperva security researcher and research co-author.

“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”

#InfosecurityOnline: The Three Key Elements of Zero-Trust

Speaking during the Infosecurity Online event Manja Kuchel, senior product marketing manager at SolarWinds, outlined the three key elements of an effective zero-trust approach to security within organizations.

The first is risk assessment, Kuchel said, which involves defining where your sensitive data is located and who should have access to what.

“This is something that no tool can do for you, because this is an internal ‘home work’ type of process,” she explained. “You really need to sit down and analyze your sensitive data; this can be done on a personal, identity or departmental level, depending on the size of the company or title structure.

“This should bring executive-level managers and IT administration together – this needs to be a cross-company approach.”

Once that element is established, the next step in the zero-trust process focuses on risk management, explained Kuchel. This includes defining access rights, taking into account identities and profiles, the types of resources being accessed and levels of access privilege.

“There are various tools that can help here – but the aim is to manage your risk situation and look into what you can do to limit access rights and limit access to information.”

The third and final step centers around risk containment: detecting, monitoring and responding to incidents.

“You should detect unusual security events; whenever something is happening, a user plugging in a USB stick that is against company policy [for example], you and the user should be alerted. Administrators should then be able to respond to such actions or even block or allow those actions – so not only seeing it, but being able to prevent things from happening.”

This three-step zero-trust cycle is one that never really stops, Kuchel said, and “you should be assessing the risk once a year – that is really something that the organizations should be doing as a regular drill.

“Also, the management of risk should be regularly adjusted in order to ensure people only ever have the correct access rights, as they might change and it needs to be revisited.”

Risk containment is very continuous too, she added, so that should always be up and running.

Retail, Hospitality and Travel Hit by 64 Billion Credential Stuffing Attacks

Over 60% of credential stuffing attacks detected over the past two years have been targeted at retail, travel and hospitality businesses, according to Akamai.

The security vendor’s latest report, Loyalty for Sale, is compiled from internet traffic flowing through its extensive global content delivery network.

It revealed that, during the period July 1 2018 to June 30 2020, it detected over 100 billion credential stuffing attempts. Almost 64 billion of these were aimed at cracking open user accounts in the retail, travel and hospitality sectors.

Further, retail accounted for the vast majority (90%+) of the attacks aimed at these verticals.

Such attacks remain popular given the continuous surge of breached log-ins onto underground sites and the potentially rich pickings to be found inside cracked accounts.

“Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and report author.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold and traded, or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Akamai also claimed that during the early days of the COVID-19 crisis, as consumers flooded online sites to purchase goods, cyber-criminals began recirculating old credential lists in an attempt to identify new vulnerable accounts.

The report identified not just credential stuffing activity but also attempts to compromise sites directly via SQL Injection (SQLi) and Local File Inclusion (LFI) attacks.

Akamai detected nearly 4.4 billion web attacks against the retail, hospitality and travel sectors, comprising 41% of the total across all verticals. Once again, retail (83%) was the most popular target, while SQLi attacks (79%) were the number one choice of cyber-criminals across the three verticals.

US: Iran Was Behind Proud Boys Email Campaign

US officials have blamed Iranian hackers for a clumsy attempt to intimidate registered Democrat voters via spoofed emails, ahead of the upcoming Presidential election.

The campaign impersonated the far-right Proud Boys group in two waves of emails sent out this week, according to Proofpoint. Some emails included the recipient’s home address in a bid to turn up the pressure.

One message titled “Vote Trump or else” is typical. It noted: “You are currently registered as a Democrat and we know this because we have gained access into the entire voting infrastructure. You will vote for Trump on election day or we will come after you.”

In fact, such contact information is relatively easy to obtain in the US from public voter records.

The first set of emails used compromised infrastructure traced back to a Saudi Arabian insurance company, while the second used an Estonian IP address.

In the latter, an embedded video also purported to show mail-in voting fraud in action.

However, at a hastily arranged press conference on Wednesday evening, director of national intelligence, John Ratcliffe, debunked the emails as state-sponsored misinformation.

“We have confirmed that some voter registration information has been obtained by Iran and separately by Russia. This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy,” he said.

“To that end, we have already seen Iran sending spoofed emails designed to intimidate voters, incite social unrest and damage President Trump.”

Ratcliffe also described the video and any claims about fraudulent ballots as “not true.”

“Know that our election systems are resilient and you can be confident your votes are secure,” he added.

Ratcliffe also warned that Russian disinformation efforts may pick up over the final week before the election as state actors have obtained voter registration data.

#InfosecurityOnline: Are the Cloud and Automation Driving or Hindering Your Business?

Consider where you can add automation and where your point solutions are not supporting your business. 

Speaking during the Infosecurity Online event Palo Alto Networks vice-president Matt Poulton said 2020 has been the year when automation has been accelerated by companies who are looking for what they can automate to be more efficient.

Poulton said COVID-19 has added “more pressure in terms of resource, or more pressure on you because of a distributed workforce,” and companies go through huge changes because of digital transformation. He said that, if digital transformation is done well, it “can shape the way you work” as multi-cloud environments become the norm, and apps are developed to be more agile, but this comes with the dilemma of whether security hinders or supports the introduction of cloud.

“We see that transformation creates a lot of risk,” he said. “More devices mean more data, as my home office is now a device sitting on the corporate network, and we’re seeing the number of endpoints increase dramatically, and this will continue to rise.”

Poulton explained that the advent of containers and Kubernetes has seen a rapid rise in the number of cloud deployments, and this is often done faster than security deployments. “Cloud is the biggest challenge organizations are facing, and the migration of data centers into cloud environments is huge.

“We at Palo Alto Networks need to create solutions to meet your challenges, as you have a lot of point solutions,” Poulton said. “We see that data is now everywhere and it is like water, how do you contain it, do you let it flow, how do you ensure it is not polluted?”

He said that innovation cannot be slowed down, and staying ahead of the increased complexity becomes harder as cloud and remote working become the norm, “and you have hundreds of mini VPNs and a huge VDI network, the perimeter is gone.”

In order to feel confident, Poulton said there is still a desire for better visibility, and for analysts to know what is “normal” and what trusted intelligence is within the organization. He added, with multi-cloud use, it is common to use 25 tools, “so how do you get simplicity, how do you get flexibility?”

He went on to say that the concept of “best of breed” is not enough anymore, as this leaves analysts looking at multiple screens in order to do an investigation, “as point solutions don’t communicate.”

He said: “You simply don’t have a 360 degree picture of your threats. So we challenge you to think, are best in breed point solutions good enough for you, as they do not scale.

“It is not about the data, it is not about good data, it is about all the data. Better decisions must come from better data. We need to give you the visibility to act quickly, so automation in terms of data intelligence as data enrichment is key.”

Poulton said cloud provides an opportunity to put a solution in place to eradicate point solutions, move into a structured format and provide visibility in one place.

“The best defense is an AI-led defense, but there are lots of things we can use clever computing power for; to automate for you and give you better visibility and detection,” he said.

Deep Instinct Appoints Goldman Sachs Partner as CFO

Deep Instinct has appointed former managing director and partner at Goldman Sachs Heather Bellini as its new chief financial officer. 

The deep learning cybersecurity company, which was founded in 2015 and is headquartered in New York, announced the appointment today. 

While at Goldman Sachs, Bellini led the research diligence and investor education initial public offering (IPO) process for over 20 companies, including Atlassian, Crowdstrike, Dropbox, Facebook, MongoDB, Slack Technologies, VMware, and Zoom Video Communications. 

In addition to carrying out equity research analysis of the software sector and select internet-related companies, Bellini also headed the company's Technology Research Group that covered Alphabet and Microsoft among others. 

Bellini is a founding member of the Women's Circle at Columbia Business School and a member of the steering committee for the Jacobs Technion-Cornell Institute at Cornell Tech. In 2020, she was named to the inaugural Barron’s 100 Most Influential Women in Finance list.

“Heather established a phenomenal track record at Goldman Sachs, is highly regarded and well known and joins us as we’re on a strong path to becoming the most comprehensive, integrated and innovative deep neural network cybersecurity company in the world,” said Guy Caspi, CEO and co-founder of Deep Instinct.

Bellini, who has been a partner at Goldman Sachs since 2012, told Bloomberg that her first priorities at Deep Instinct will be to put the financial and operational infrastructure in place to scale the business globally and set the company on the path to the public markets.

"As the world increasingly migrates to all things cloud and digital transformation takes center stage, the need for best in class cybersecurity prediction, prevention, and protection has never been more important,” said Bellini. “I am excited to be joining the team and look forward to building out the financial and operational infrastructures that will be critical in our ongoing global expansion and success.”

Prior to working for Goldman, technology analyst Bellini held roles at Oppenheimer, Lehman Brothers, and International Strategy & Investment Group. She will assume her new role on January 1.

US Files Antitrust Lawsuit Against Google

A civil antitrust lawsuit has been filed against American multinational technology company Google by the United States Department of Justice and eleven state attorneys general.

The complaint alleges that Google unlawfully maintained monopolies in search and search advertising through anticompetitive and exclusionary practices that harmed competitors and consumers and suppressed competition in advertising.

The tactics allegedly used by Google to maintain its monopoly include establishing long-term agreements with Apple that require Google to be the default—and de facto exclusive—general search engine on Apple’s popular Safari browser and other Apple search tools.

Google is further accused of entering into arrangements that force pre-installation of its search applications in prime locations on mobile devices and make them undeletable, regardless of consumer preference.

Another accusation leveled at the tech giant is that it used monopoly profits to buy preferential treatment for its search engine on devices, web browsers, and other search access points, "creating a continuous and self-reinforcing cycle of monopolization." 

"Google has entered into a series of exclusionary agreements that collectively lock up the primary avenues through which users access search engines, and thus the internet, by requiring that Google be set as the preset default general search engine on billions of mobile devices and computers worldwide and, in many cases, prohibiting preinstallation of a competitor," wrote the DoJ in a statement released yesterday.

Google’s alleged anticompetitive practices have harmed competitors by preventing them from gaining vital distribution and scale. The company is further accused of suppressing competition in advertising so it can charge advertisers more than it could in a competitive market without having to increase the quality of the services it provides to them.

"Google’s conduct has harmed consumers by reducing the quality of search (including on dimensions such as privacy, data protection, and use of consumer data), lessening choice in search, and impeding innovation," stated the DoJ. 

“As with its historic antitrust actions against AT&T in 1974 and Microsoft in 1998, the Department is again enforcing the Sherman Act to restore the role of competition and open the door to the next wave of innovation—this time in vital digital markets,” said Deputy Attorney General Jeffrey Rosen.

Rosen said that the Antitrust Division has been looking at Google and its competitive practices for more than a year.

M&S Boss Spoofed in Gift Voucher Scam

Criminals are impersonating the boss of a major British multinational retailer to trick victims into sharing their bank account details.

Posing as Marks & Spencer CEO Steve Rowe, the scammers have posted fraudulent adverts online that promise victims the chance to win a gift voucher as part of a fictitious prize draw promotion. 

When victims click on the link in the ad, they are taken to an M&S-branded portal and asked to provide their name, address, mobile phone number, and bank details including sort code and account number.

The fraudulent adverts, uncovered by the Parliament Street think tank’s cyber-research team, have been uploaded to social networking site Facebook from an unverified page entitled “Marks and Spencer Store.”

The adverts depict a man who bears no resemblance to the real Steve Rowe clutching M&S-branded shopping bags accompanied by the message, “Hello everyone, my name is Steve Rowe and I am the CEO of Marks and Spencer! I’ve an announcement to make – To celebrate our 135th Anniversary, We are giving EVERYONE who shares & then comments by 11.59pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies! Make sure you enter here [URL].”

Those who know their retail history will easily be able to spot that the advert is fake as Marks and Spencer was in fact formed in 1884 when Michael Marks, a Polish refugee, opened a market stall in Leeds, with the slogan "Don't ask the price, it's a penny." In 1894, Marks went into partnership with Thomas Spencer, a former cashier from the wholesale company Dewhirst.

"As we head into the busy shopping season, we can only expect to see more of these types of 'sale' scams emerge online," commented Tessian CEO Tim Sadler. "Treat these posts just like you would any phishing email; ask yourself if this deal seems legitimate and verify the identity of the person requesting you to take an action, before clicking on any links. 

"And if you're still unsure, visit the retailer's website and official social media channels to cross-check that the deal has been mentioned elsewhere."

#GlobalEthicsDay2020: New Security Incident Response Ethics Guidelines Released

New ethics guidelines for incident response and security teams have been released by the Forum of Incident Response and Security Teams (FIRST) to coincide with Global Ethics Day today. The document offers advice and recommendations for cybersecurity professionals on how they should conduct themselves in a professional and ethical manner when dealing with incidents.

Created by ethicsFirst, a special interest group within FIRST, the framework outlines a number of principles with an accompanying explanation of how they can be applied. Each serves as a reminder that the primary focus of security personnel during an incident should be the public interest. FIRST added that each principle has been reviewed by senior practitioners and that they are based on real-life scenarios.

It is hoped the guidance will reinforce the importance of principles such as trustworthiness, coordinated vulnerability disclosure, authorization, team health and recognition of jurisdictional boundaries when cybersecurity teams handle these difficult situations.

Jeroen van der Ham and Shawn Richardson, Ethics SIG co-chairs of FIRST, commented: “Integrity and professionalism are paramount in our industry. The new ethicsFirst principles were developed and examined by some of the world’s most senior cybersecurity experts with the aim of providing a universal language of how to deal with incidents and make the internet safe for everyone.”

#InfosecurityOnline: Utilizing Automation in New Security Architecture

The shift to cloud networks and a wider attack surface brought about by new working practices during the COVID-19 pandemic have made traditional security strategies unfit for purpose, according to Steven Tee, principal solutions architect at Infoblox, speaking during a session at the Infosecurity Online event.

He made the case that there needs to be much greater use of automated tools such as machine learning to effectively detect and combat cyber-attacks in the current age.

Tee began by outlining the alarming increase and impact of cybercrime over recent years. “Cybercrime is a problem that either directly or indirectly affects everyone,” he said. He noted that the average cost of a data breach in 2019 was almost $4m.

This is linked to substantial changes in network architectures, which have been heavily exacerbated by the shift to remote working during COVID-19. These include the growing implementation of cloud systems and use of IoT devices, which are expanding the attack surface area and largely rendering the traditional perimeter security model redundant.

Tee said: “With the adoption of cloud, SD-WAN, work from home and the massively increased attack surface, we’re ever more reliant on next-generation technologies such as analytics and machine learning that can study behavior over time and make decisions in real time.”

In Tee’s view, the main barrier to implementing such measures on a widescale basis is not a lack of tools and technologies, but rather a shortage of skilled personnel and resources to use them effectively. “In conjunction with a global skills shortage, it’s not uncommon for enterprises to own tools without the in-house knowledge required to effectively use them,” he added.

Another issue is that personnel involved in an organization’s cybersecurity often work in silos, such as between tech and network teams and vendors. Tee commented: “All of this makes security and incident response efforts harder due to manual, inefficient and untimely data sharing, wasting time and resources.”

In order to address these kinds of issues, especially at a time where budgets are being reduced, Tee firstly recommended the use of security frameworks. “Frameworks allow teams to follow a tried and trusted process of securing their networks and dealing with threats using a common language,” he explained.

Ensuring visibility across all security frameworks through automated technology is also critical across teams. Tee said: “Quite simply, if you don’t know what’s on a network, then you can’t effectively decide policy and tools to adequately protect them.” In addition, security alerts and threat intelligence are insufficient without this visibility being in place.

Tee then went on to discuss the importance of organizations adequately protecting the DNS protocol. He noted that most malware relies on DNS to launch attacks, “using it at every stage, from penetration to infection to exfiltration.” He added that “it’s one of the only protocols in widespread use today that has not been secured.”

Organizations should therefore focus on technology that applies mitigation at the DNS layer to block these malicious connections, before automatically sharing this information with other security tools such as next-generation firewalls.

Protecting against data exfiltration over DNS is also critical, according to Tee, as DNS “can be used as a covert communication channel to bypass firewalls.” To do so, machine learning and analytics must again be utilized in order to discover whether lookups are legitimate or not.
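The analytics Tee describes for telling legitimate lookups from tunnelled traffic can be illustrated with simple heuristics before any machine learning is applied. The following is an added example, not code from Infoblox or the session: it scores each query name on the properties DNS tunnelling tools tend to leave behind (long names, many labels, high-entropy subdomains, TXT lookups carrying data) and aggregates per registered domain. The log layout (“epoch client qname qtype”) and the sample lines are constructed for the example, and the two-label “registered domain” rule is a simplification a real deployment would replace with the Public Suffix List.

```python
"""Heuristic detection of DNS tunnelling/exfiltration in a query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log, one "epoch client qname qtype" record per line.
# The layout is an assumption for this example, not a vendor log format.
SAMPLE_LOG = """\
1603200001 10.0.0.5 www.example.com A
1603200002 10.0.0.5 mail.example.com A
1603200003 10.0.0.7 cdn.images.example.net A
1603200004 10.0.0.9 4a6f686e20446f65.7061737377643132.data.exfil-demo.test TXT
1603200005 10.0.0.9 5365637265742046696c65.31323334.data.exfil-demo.test TXT
1603200006 10.0.0.9 466f6f626172.4261727a.data.exfil-demo.test TXT
1603200007 10.0.0.9 ZGVhZGJlZWY.Y29mZmVl.data.exfil-demo.test TXT
1603200008 10.0.0.5 login.example.com A
"""


def shannon_entropy(text):
    """Bits per character; hex/base64 payloads score higher than real words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. A real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname, qtype):
    """Return (score, reasons) for one query; each heuristic that fires adds a point."""
    labels = qname.rstrip(".").split(".")
    reg = registered_domain(qname)
    sub = qname.rstrip(".")[: -len(reg)].rstrip(".")
    reasons = []
    if len(qname) > 50:
        reasons.append("long name")
    if len(labels) > 4:
        reasons.append("many labels")
    if max(len(label) for label in labels) >= 16:
        reasons.append("long label")
    ent = shannon_entropy(sub.replace(".", ""))
    if ent > 3.0:
        reasons.append(f"high entropy ({ent:.2f})")
    if qtype in ("TXT", "NULL") and sub:
        reasons.append(f"{qtype} lookup with subdomain")
    return len(reasons), reasons


def detect(log_text, score_threshold=3, unique_sub_threshold=8):
    """Map registered domain -> findings for domains whose lookups look like a tunnel."""
    per_domain = defaultdict(
        lambda: {"max_score": 0, "reasons": set(), "subdomains": set(), "clients": set()}
    )
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash on them
        _, client, qname, qtype = parts
        score, reasons = score_query(qname, qtype)
        info = per_domain[registered_domain(qname)]
        info["max_score"] = max(info["max_score"], score)
        info["reasons"].update(reasons)
        info["subdomains"].add(qname)
        info["clients"].add(client)
    # A single very unusual name, or a flood of unique names under one
    # domain, is enough to surface the domain for review.
    return {
        dom: info
        for dom, info in per_domain.items()
        if info["max_score"] >= score_threshold
        or len(info["subdomains"]) >= unique_sub_threshold
    }


if __name__ == "__main__":
    for dom, info in detect(SAMPLE_LOG).items():
        print(dom, info["max_score"], sorted(info["reasons"]), sorted(info["clients"]))
```

No single heuristic is reliable on its own (a CDN hostname such as `cdn.images.example.net` already scores a point for entropy), which is why the example only raises a domain when several signals coincide or the volume of unique subdomains is abnormal; the client set in each finding is what an analyst would pivot on when sharing the result with a firewall or SIEM.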

Tee concluded by saying how effective use of machine learning and data analytics “leads to the ability to detect, contain and remediate threats faster.”   

Trust in Remote Working Tools Declines as Need for Security Increases

The longer spell of remote working has led to more concerns about the capability of tools along with an acceptance of the importance of cybersecurity to the business.

According to Cisco research covering 2600 businesses, almost two-thirds (62%) of respondents said more than half of their workforce were working remotely, with 85% saying that cybersecurity is now extremely important or more important than it was before the pandemic.

Secure access was determined as the top cybersecurity challenge faced by the largest proportion of organizations (62%) when supporting remote workers. Other concerns raised by organizations globally included data privacy (55%) and maintaining control and enforcing policies (50%).

Oliver Tavakoli, CTO at Vectra, said the initial flurry of adding security to cover remote working use cases in March/April, when employees were first sent home, was when “many of those changes were held together with duct tape and baling wire and were not intended for the long haul.”

He added: “As it becomes evident that the WFH model is going to be with us well into 2021 and there is a sense that many companies will not return to pre-pandemic models of almost everyone working from an office all the time, longer-term and more sustainable investments into how employees connect to applications are being undertaken. Zero-trust and a bias toward cloud-native delivery of applications have become central to that direction.”

Daniel Norman, senior solutions analyst at the Information Security Forum, said the COVID-19 pandemic has highlighted particular shortcomings across the technical responses for many organizations. “Many multi-nationals’ technical crisis management and business continuity plans were inadequately positioned to enable a secure remote working environment for a global workforce, and those that have made the adaptations have been rushed and ad hoc,” he said.

“Many organizations prioritized productivity and operational success over security and privacy. At the start of the pandemic “keeping the lights on” was a frequently used strategy – however, over time, overdependency on untested technologies, new vulnerabilities in systems, poorly constructed policies and a lack of training for a remote workforce has meant that organizations are facing a deluge of cyber-threats, alongside an emergence of cyber-risks from their own workforce.”

The Cisco research also found that 61% of respondents stated their organizations experienced a jump of 25% or more in cyber-threats and alerts since the start of COVID-19. Norman said: “Training a remote workforce to manage emerging cyber-risks is also a challenge to do well. Remote working will likely never go away now, with many individuals preferring remote work to office work, so organizations face a choice – invest now and secure the crumbling infrastructure and fatigued workforce, or risk compromise.”

Commenting on why he felt cybersecurity is “more important” to businesses now than before the pandemic, Hank Schless, senior manager, security solutions at Lookout, said: “Everyone’s approach to cybersecurity architecture has changed forever. When every employee started working from home, organizations had to quickly scale their security to protect each home as a remote office. When this change first happened, many IT and security teams relied heavily on VPN to ensure secure access to corporate resources. However, what they soon realized was that creating a secure connection wasn’t enough in case the device itself was compromised.”

Tavakoli said cybersecurity was important before, is important now and will be important in the future. “The main thing to keep in mind is that when the way in which you utilize IT undergoes a dramatic shift, your cybersecurity strategy needs to follow.”

The Cisco survey found 60% of respondents are moderately or very concerned about the privacy protections associated with the tools they are using to support remote interactions, while half of the respondents do not feel that businesses can effectively protect their data today.

Schless said: “Without the visibility and conditional access capabilities of a modern endpoint protection tool, this could lead to a threat actor mistakenly being introduced into the corporate infrastructure. As a result, the security perimeter needs to be extended to every endpoint including iOS, Android and Chrome OS devices.”

#InfosecurityOnline: Consider Flexible Training for Different Skill Sets

An employee improvement strategy should include scalable and practical training, an understanding of the employee’s skill set and certifications to validate that practical training.

Speaking as part of the Infosecurity Online event, Hack the Box technical account manager Sam Nye and business development manager Katerina Tasiopoulou said there are “major shifts rippling through the cybersecurity training sector,” especially as the move to online learning has been forced. Nye said some businesses and users are “suited to handle this” and, while online training is not new, the way in which content is presented and interacted with has changed.

“Also the way we deliver training is important,” added Tasiopoulou. “In our industry, experience is useful in hardening skill set and learning skills like coding.”

Both speakers agreed that the pace of change of cybersecurity, especially in how exploits and vulnerabilities are introduced, demonstrates the need for adaptability, and that comes from ongoing training and for practical skills “throughout the year, and not just on a short course,” said Nye.

Tasiopoulou said there can be no such thing as “one size fits all” training, as all businesses have diverse skill sets and experience among their employees. “How can training be the same? It cannot, so understand that you need to give appropriate training to get the most out of your employees,” she stated.

Although security can be consistent as a topic, some organizations have hundreds of employees and some have a handful; some are defensive, some offensive and some more consultative, “so there is no training that can be beneficial to all of these use cases simultaneously.”

Tasiopoulou said training needs to be tailored, and also that certifications are important as a baseline for validating skills and for employees. However, the speakers acknowledged that certifications can become outdated. Therefore, the ideal scenario is to implement training that combines hands-on experience, acknowledges the varied skill set of your workforce and recognizes their certifications “to validate practical training.”

DarkSide Ransomware Group Donates $10,000 to Charities

A ransomware group has reportedly donated thousands of dollars stolen from corporate victims to charities.

The DarkSide group claimed to have made a $10,000 donation in Bitcoin to two charities: The Water Project and Children International. The latter has already said it will not be keeping the money, which it is legally obliged to do, as the funds are technically the proceeds of crime.

Ironically, if the ransomware group had kept quiet about the donation then the organizations would likely have been none the wiser. Instead, it wrote a press release on its dark web site crowing that “no matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” according to The Guardian.

The group, which is also said to steal victims’ data in order to force them to pay up, apparently used the legitimate US-based digital donation platform The Giving Block to channel the funds to the charities.

Brian Higgins, a Comparitech security specialist, argued that the group may be trying to test out a new method of laundering funds.

“However, it's more probable that DarkSide clearly has too much time on its hands and too much stolen money knocking about in its Bitcoin wallets,” he added. “If they were really serious about ‘making the world a better place’ they'd all sell their laptops and stay off the internet."

DarkSide claims not to attack schools, hospitals, governments or charities and to “carefully analyze” target organizations' accounts to ensure they have enough cash to pay.

However, Javvad Malik, security awareness advocate at KnowBe4, questioned its assertion that this is a victimless crime.

“Whenever an organization is extorted via ransomware or other means, that money impacts actual individuals. Many people have lost their jobs over the years and there have been organizations that have ceased to exist,” he argued. "Criminals need to understand that there is a very real impact of their actions, and simply giving an amount to charity cannot make up for that."

#InfosecurityOnline: Prepare for the Worst-Case Scenario to Build Resiliency

Speaking in the opening keynote session of day two of the Infosecurity Online event, Lee Howard, head of IT security, risk and shared services at N Brown Group, discussed the current cyber-threat landscape and explained that, in a world of unpredictable cyber-risks, organizations must be prepared for the worst-case scenario in order to be resilient.

“We can’t possibly know every single threat that’s going to affect us – it’s unpredictable. Therefore, we need to go through a mindset change; instead of trying to identify each and every threat methodically, we should be prepared for all threats, whenever they throw themselves at us.”

Most importantly, organizations must be prepared for the worst-case scenario from a cyber-threat perspective, Lee said.

If we can’t assess all the threats and we don’t know the frequency of threats, then organizations must take a “prescribed preparation” approach to the worst-case cyber-scenario.

“Being able to prepare allows you then to absorb the impact of a situation as it unfolds. Preparing for the worst-case scenario makes you really think about what’s valuable. What we do a lot in cybersecurity is focus on certain technologies, areas, initiatives, programs and projects to get things over the line. The reality is, we sometimes forget that we’ve been put in these positions to preserve operations, assess a situation and make ourselves as resilient as possible.”

We are moving into a new phase of technology now and a new era, and the likelihood of an event occurring is very high.

“We’re getting to a point in time where, in having a cyber-incident, we’re not measured in did it or did it not happen; we’re measured in how we respond and how well the business is able to maintain operations as the incident unfolds.”

“That’s the mindset we need to get to; to accept incidents are going to happen,” and respond effectively, Lee concluded.

NSA: Patch These 25 CVEs Exploited by Chinese Attackers

The NSA has published a list of the top 25 vulnerabilities currently being exploited by Chinese state-backed hackers to target US organizations.

These attackers work as most cybercrime groups typically would: by identifying and gathering information on a target, identifying any vulnerabilities and then launching an exploitation operation using homegrown or reused exploits, the NSA explained.

The advisory urged organizations to apply publicly available patches as soon as possible to mitigate the threats.

“This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks,” it noted.

“Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.”

Some of the most widely publicized CVEs in the list include Zerologon (CVE-2020-1472), BlueKeep (CVE-2019-0708), SIGRed (CVE-2020-1350), and flaws in Pulse Secure VPNs (CVE-2019-11510) and Citrix ADC and Gateway systems (CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196).

Jake Moore, cybersecurity specialist at ESET, argued that some organizations find it operationally difficult to patch immediately, which might store up problems for later.

“This year’s increase in remote working has also brought additional difficulties with updating machines, highlighting certain problems that were not previously apparent,” he added.

“It is always worth patching at your earliest convenience to help protect each device. Although administrators now have a tougher task in protecting their devices, this list from the NSA could be used to highlight to directors just how important a proactive approach to cybersecurity is.”

The shift to mass remote working has indeed created new opportunities for cyber-attackers to exploit. In research from Tanium earlier this year, 43% of IT ops leaders reported patching problems on users’ personal devices.

#InfosecurityOnline: Beware of Malicious URLs and Rogue Redirects

Attackers are using techniques to alter URLs and send victims to rogue and potentially malicious domains.

Speaking at the Infosecurity Online event, Javvad Malik, security advocate at KnowBe4, recommended that listeners look for rogue URLs and “lookalike domains” in phishing messages, as it is all too common for a URL to be altered.

Malik said: “A URL can be represented not in how we see it, but use IP addresses and special characters to hide what the real domain name is.” This can include percent encoding, and the URL can be directed elsewhere.

“One technique attackers use is to use a very long URL, as people open on their phone and even if they try to expand it, they won’t expand the whole thing and click on it anyway,” he said.

Some of the common tactics in phishing include a fake file attachment that is actually an image containing a URL, as well as open redirect URL attacks where you think you’re going to one site, “and it could be a chain of redirects and it is quite scary.”

If you do need to open a URL, Malik recommended opening it in a safe virtual machine, or turning it over to a forensic expert who will have the right equipment and tools to do so. He also suggested researching the lifespan of the domain, as a younger domain can be riskier. “Also see if it is on a blacklist,” he said, acknowledging that most bad domains have short lifespans as attackers remove them once they are detected as malicious.

Malik recommended education as the best defense for this issue, since a user who “hovers” over a URL can see where it really points. For individual users, he also recommended the following:

  • Stay Patched
  • Don’t Knowingly Allow Code to Execute
  • Don’t Download Unexpected Files
  • Investigate or Ignore Suspicious URLs
  • Execute Suspicious URLs in a Virtual Machine
  • Submit to a Malware Inspection Service

For business defenses, meanwhile, he recommended the following:

  • Anti-Malware Defenses
  • Content Filtering
  • Reputation Services
  • Make sure Defenses Decode Encoding Before Inspecting
  • Make sure Defenses Expand Short URLs
  • Keep up to date on the Latest Malicious URL Trends
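The two business recommendations about decoding encoding and expanding short URLs before inspecting, together with Malik’s points about IP addresses, special characters and lookalike domains, can be turned into a concrete pre-inspection step. The following is an added example and is not KnowBe4’s or the speaker’s code: it normalizes a URL (repeated percent-decoding, host lowercasing) before checking for an IP-literal host, credentials placed before the real host, punycode labels, known shorteners, and one-character lookalikes of watched brand names. The shortener set and brand set are assumptions for the demonstration; a real deployment would draw them from threat-intelligence feeds and the organization’s own brand portfolio, and would expand shortener links in a sandbox rather than merely flag them.

```python
"""Normalize a URL and flag common obfuscation tricks (added example)."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}  # assumed list
BRANDS = {"paypal", "microsoft", "apple"}                          # assumed list


def fully_decode(text, max_rounds=5):
    """Percent-decode until the string stops changing; encodings can be nested."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def host_is_ip_literal(host):
    """True for dotted-quad or IPv6 hosts and for hex/decimal integer forms."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        pass
    return re.fullmatch(r"0x[0-9a-f]+|\d{5,}", host) is not None


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url):
    """Return a list of finding codes; an empty list means nothing looked suspicious."""
    findings = []
    raw = url.strip()
    decoded = fully_decode(raw)          # inspect the form the browser will act on
    if decoded != raw:
        findings.append("percent-encoding")
    if len(decoded) > 200:
        findings.append("long-url")
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    if parts.username is not None:       # "https://brand.com@real-host/" trick
        findings.append("userinfo")
    is_ip = host_is_ip_literal(host)
    if is_ip:
        findings.append("ip-host")
    if "xn--" in host:                   # IDNA-encoded label, possible homoglyphs
        findings.append("punycode")
    labels = host.split(".")
    if is_ip or len(labels) < 2:
        registered, second_level = host, host
    else:                                # two-label rule; real code uses the PSL
        registered, second_level = ".".join(labels[-2:]), labels[-2]
    if registered in SHORTENERS:
        findings.append("shortener")
    netloc = parts.netloc.lower()        # includes any userinfo before '@'
    for brand in sorted(BRANDS):
        if brand in netloc and registered != brand + ".com":
            findings.append(f"brand-in-host:{brand}")
        elif second_level != brand and edit_distance(second_level, brand) == 1:
            findings.append(f"lookalike:{brand}")
    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.example.com/login",
        "http://www.paypal.com@198.51.100.7/%2561ccount",
        "https://paypa1.com/",
        "http://bit.ly/abc",
    ):
        print(sample, "->", inspect_url(sample))
```

The order of operations is the point of the example: the checks run on the decoded URL, so `%2561ccount` is seen as `account` and an encoded `@` or `.` cannot slip a deceptive host past the parser. The brand substring check is deliberately loose (it would flag `pineapple.example`), which is acceptable for a triage tool that hands results to a human or a sandbox rather than blocking outright.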

Pfizer Exposes Data on Hundreds of Prescription Drug Users

Pharma giant Pfizer exposed the personal information of hundreds of prescription drug takers for over two months due to a cloud misconfiguration, according to new research from vpnMentor.

A team led by Noam Rotem and Ran Locar discovered the Google Cloud Storage bucket containing the data as part of an ongoing web mapping project. It was completely unsecured and unencrypted when found on July 9, 2020.

The bucket apparently contained transcripts between users of Pfizer drugs and the firm’s interactive voice response (IVR) customer support software, as well as “escalations” to support agents.

Each transcript included full names, home and email addresses, phone numbers and partial health and medical status. The drugs in question included anti-cancer treatments, medication for epilepsy and hormone therapy, treatment for nicotine addiction and Viagra.

vpnMentor argued that any cyber-criminals able to get hold of this data could have used it to craft highly convincing phishing campaigns against victims, referencing the call transcripts. Some customers were calling for prescription refills, which could have provided an opportunity for scammers to request credit card details, for example.

“At the time of the data breach, Coronavirus was still surging across the US,” vpnMentor added. “If cyber-criminals had successfully robbed from or defrauded someone taking medication for anxiety in any way, the potential impact on their mental health is immeasurable.”

Unfortunately, the pharmaceutical giant’s response to the findings wasn’t great. It apparently took over two months to respond, and then only with the following: “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).”

The researchers were then forced to share a file with a sample of customers’ personally identifiable information (PII) for the firm to take action, on September 23—although it never responded to them again.

Major Data Breach at Ohio School District

Cyber-criminals have exfiltrated data from an Ohio school district and published personal information of faculty, staff, and students online.

According to 13abc news, nearly 9GB of sensitive data belonging to Toledo Public Schools (TPS) has been exposed. Information leaked by attackers includes names, addresses, dates of birth, phone numbers, and Social Security numbers. 

The data's appearance online follows a Distributed Denial of Service (DDoS) attack that was carried out against the TPS system at the beginning of September 2020. The attack on the district's system forced administrators to temporarily take it offline, disrupting virtual classes. 

Since data is not typically stolen in a DDoS attack, it seems that the TPS system was also the victim of another cyber-attack in which malware was introduced that exfiltrated data. Ransomware attacks have occurred at around 70 school districts and colleges this year, according to Emsisoft's Brett Callow. 

On September 14, ransomware gang Maze claimed to have attacked the Toledo Public School System, but the data dumped as proof of the hit related to a construction firm. However, a subsequent data dump carried out earlier this month by Maze has been confirmed to 13abc by several TPS staff members to contain data that belongs to TPS.

The full extent of the data breach is unclear, as Maze claims to have only published a small portion of the information it has exfiltrated from TPS. 

Deputy Superintendent Jim Gant said that TPS had not received any communication or ransom demand from cyber-criminals. The district said it was also not aware of any misuse of the data; it had not realized the data had been stolen until it was contacted by several media outlets on Friday.

Representatives for TPS have pledged to notify and support those affected by the incident and provide credit monitoring services to those affected at some point in the near future. Gant said that administrators would be contacting impacted faculty and staff to notify them of the breach and advise them regarding next steps.

In an email sent to faculty and staff on Monday afternoon, employees were urged by district leaders to monitor their accounts and credit reports for suspicious or fraudulent activity.

#InfosecurityOnline: Tackling the Growing Scourge of Insider Threats

Insider threats, whether borne out of malicious intent or arising through mistakes, are a growing security problem for organizations, according to a panel speaking at the Infosecurity Online event.

This is due to a number of factors that have emerged in recent years, one of which is the sheer volume of data now circulating around organizations. Stuart Hirst, principal cloud security engineer at Just Eat, explained: “Most employees have got access to much more data than they might have had in years gone by, and then the mechanisms for that data to either be maliciously taken or mistakes has grown as well.”

Another factor is the fact that people tend to change jobs far more regularly, including to rival firms. Marina Krotofil, cybersecurity lead, energy industries at ABB, noted: “People tend to change jobs more frequently and try to get ahead so they take information that will be useful for them to advance their careers.”

Krotofil also highlighted how insider threats have become an especially big problem in the critical infrastructure sector, which she has spent a large portion of her career in. A major aspect of this is the growth of outsourcing, expanding an organization’s border. “We suddenly have so many subcontractors, who for the duration of the project become an internal part of the organization, and we share a lot of confidential proprietary information with them,” she commented.

The issue of insider threats has been further exacerbated by the shift to home working brought about by COVID-19 lockdown restrictions this year. Deryck Mitcheson, director of information security at NHS National Services Scotland, highlighted the dangers posed by common staff behaviors that take place whilst home working, such as screens being left unattended and personal devices being used for work purposes.

Having a robust approach to combating insider threats is therefore critical for a modern organization, and the most important thing is building a strong internal cybersecurity culture, which in turn should lead to greater investment in this area. In Mitcheson’s view, the most effective way to achieve this is to clearly outline to board members the business impact of data breaches, such as on shareholder value and financial losses. “Try and speak in business terms to business people around the opportunity of getting good cyber-hygiene and cyber-awareness,” he advised. “When they see it in these terms, they’ll start to invest.”

Hirst agreed, adding: “If you’re going to very senior people, you need to articulate what’s at stake and almost need to scaremonger a little at that level.”

Another important element in building a strong cybersecurity culture is the willingness to communicate openly and transparently when incidents occur, a practice that is still not commonplace. Krotofil explained: “In the majority of organizations I’ve worked in, the incidents are kept secret. So it’s a very limited number of people who are aware of the incident."

She added: “As a result, it’s very difficult to raise awareness and levels of concern that we have to be careful or that we have a problem.”

The panel also discussed how to reduce the risk of insider errors by making user awareness training more engaging for all staff. Mitcheson highlighted how interactive exercises such as gamification and simulation can be highly effective in this regard. “Do it in a fun and engaging way,” he said.

Tailoring training to different teams, especially those that are non-technical, is also recommended. Making security relatable to everyday life is something Hirst has found to be effective at Just Eat: “We always try and relate it to real life, so we don’t just want your security mindset to finish at 5 o’clock, we try to help you secure things in your personal life as well and when you take people on that journey and they understand that you get a lot of buy in.”

Iranian Millionaire Jailed for Violating US Sanctions

The United States has imprisoned the CEO of a financial services company that helped Iranian nationals conduct financial transactions in violation of US sanctions. 

Iranian millionaire Seyed Sajjad Shahidian, 33, pleaded guilty in June to one count of conspiracy to defraud and commit offenses against the United States. On Thursday, a district court in Minneapolis sentenced Shahidian to 23 months in prison. 

Shahidian founded and ran Payment24.ir, an online platform that helped Iranian nationals circumvent US sanctions prohibiting financial transactions with businesses based in the United States. Users of the platform paid a fee to get around American sanctions so they could purchase computer software, software licenses, and computer servers from US companies. 

Payment24 had offices in Tehran, Shiraz, and Isfahan, Iran, and employed approximately 40 people. To Iranian clients seeking to make online purchases from United States-based businesses, the company sold a package that included a PayPal account, a fraudulent “ID card and address receipt,” a remote IP address from the United Arab Emirates, and a Visa gift card. 

Clients were advised by Payment24 on how to create accounts with a foreign identity and were instructed "never attempt logging into a foreign website with an Iranian IP address."

To achieve the transactions, Shahidian obtained payment-processing accounts from United States-based companies like PayPal using fraudulent passports and other fake residency documentation to make it appear as though his clients resided outside of Iran. Shahidian admitted to opening hundreds of PayPal accounts on behalf of his resident Iranian customers and to unlawfully bringing millions of US dollars into the economy of Iran. 

Shahidian was arrested in London, UK, in November 2018 after being observed visiting a number of tourist spots, including the London Eye and Madame Tussauds. He was extradited to the US in May 2020.  

The UK's National Crime Agency cybercrime investigators stated that they believe Payment24 had previously been used "by international cyber-criminals seeking to target the UK."

“In Iran, based on his illegal business, Mr. Shahidian had been a high-profile executive and a millionaire," said US Attorney Erica MacDonald. "He is now a convicted felon who has lost everything."

Morgan Stanley Fined $60m Over Data Disposal

American multinational investment bank and financial services company Morgan Stanley has been fined $60m for improperly disposing of personal data. 

The substantial fine was imposed on Morgan Stanley Bank, N.A., and Morgan Stanley Private Bank, N.A. by the US Office of the Comptroller of Currency (OCC), which discovered deficiencies in the banks' data decommissioning practices.  

The federal banking agency found that in 2016, the banks "failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the United States."

Among the issues flagged by the OCC were inadequate risk assessment and monitoring of third-party vendors and a failure to keep track of customer information. 

The consent order for the assessment of a civil money penalty states that the banks "failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices."

Morgan Stanley, which is headquartered in New York City, was also found to have failed to exercise adequate due diligence in selecting the third-party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.

Three years on from the decommissioning of the two data centers, the OCC found data disposal at the banks was still not as it should be.

"In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data," stated the comptroller.

Morgan Stanley, at the OCC’s direction, notified potentially impacted customers of the 2016 incident, and voluntarily notified potentially impacted customers of the 2019 incident. The bank has undertaken initial corrective actions, and the OCC states that it "is committed to taking all necessary and appropriate steps to remedy the deficiencies."

The OCC found the noted deficiencies constitute "unsafe or unsound practices" and resulted in noncompliance with 12 CFR Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards."

The $60m civil money penalty will be paid to the United States Treasury.

#InfosecurityOnline: How to Implement Effective Cloud Security

A range of strategies and practices to address security in the cloud were outlined by Stuart Hirst, principal cloud security engineer at Just Eat during a session at the Infosecurity Online event.

Hirst began by outlining the increasing importance of the cloud, stating that all companies are in one of two camps: “you’re either thinking of going to cloud or you’re already there.”

This has become increasingly relevant this year due to the shift to remote working during the COVID-19 pandemic.

Yet, securing the cloud environment is currently proving problematic for many organizations. Hirst said: “If you are already in the cloud, you’ll likely be in one of two camps. They are either: it’s already really hard and there’s a lot to fix, or total chaos – lots of accounts, historic problems to fix, lots of behaviors to change and culture to embed.”

Hirst went on to outline the main threats to the cloud, highlighting that breaches caused by cloud misconfigurations in 2018/19 exposed nearly 33.4 billion records. One such threat is cryptojacking/Bitcoin mining, which has become one of the main threats in recent years. Hirst noted that this has largely been driven by bots constantly trawling the internet for exposed IPs and credentials. “Gone are the days where we have days and weeks to respond – these kind of attacks are happening in seconds and they’re automated, so you can’t wait to deal with it. You’ve got to build protection in place,” he said.

Others include data breaches through open storage buckets and databases, and distributed denial of service (DDoS) attacks, the latter of which “have got much bigger over the last few years.”

Another major area of concern is insider threats that lead to data breaches, either through malicious intent or through error.

Despite the vast range of threats, Hirst outlined practical steps to effectively protect against these that have emerged over the years.

First and foremost, it is critical to bring in strong protection for the cloud service’s root account. In particular, multi-factor authentication (MFA) should be enforced, and Hirst advised that the MFA token should be given to someone “non-technical” to store. This is because, in the hands of someone with malicious intent and technical expertise, access to the root account can cause huge damage to a business.

Security groups, which act as a virtual firewall, are easy to misconfigure, according to Hirst. Ways to avoid this include restricting traffic for administrative protocols such as SSH to internal IP ranges, and using network access control lists (NACLs) at the subnet level to block ports outright.
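As an added example (not code from the talk or from Just Eat), here is the kind of audit Hirst’s advice implies: it walks security-group rules laid out in the shape of an AWS EC2 DescribeSecurityGroups response and flags any rule that exposes an administrative port such as SSH or RDP to a range outside the internal (RFC 1918 / IPv6 ULA) address space, including the all-protocol “-1” shorthand. The group definitions are constructed sample data; only the AWS field names are real.

```python
import ipaddress

# Address space treated as "internal": RFC 1918 IPv4 plus IPv6 unique local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Ports that should never be reachable from outside the internal ranges.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# output (GroupId / IpPermissions / IpRanges / Ipv6Ranges). Not real groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_internal(cidr):
    """True only if the whole CIDR lies inside one of the internal ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises on mixed IP versions, so compare versions first.
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def rule_covers_port(perm, port):
    """Does this IpPermission entry admit TCP traffic to `port`?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # AWS shorthand for all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_exposed_rules(groups):
    """Return (group_id, service, port, cidr) for each admin port open to a non-internal range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_internal(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.append((group["GroupId"], service, port, cidr))
    return findings


if __name__ == "__main__":
    for group_id, service, port, cidr in find_exposed_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service}/{port} reachable from {cidr}")
```

In practice the input would be the parsed JSON of `aws ec2 describe-security-groups` rather than the constructed list, and a hit on a group like sg-wide-open is the case Hirst describes: a single “-1 from ::/0” rule exposes every port, not just the ones listed. NACLs are the backstop this script does not cover; they apply per subnet regardless of which security group an instance has attached.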

Enhancing incident response strategies is another vital aspect in protecting the cloud environment. One basic step is to create playbooks to detail the stages of a response for staff. Hirst commented: “Even if they’re simple and tell you who to contact when something happens, then at least you have a repeatable process that you can build on.”

Ultimately though, Hirst said that the most important aspect of effective cloud security is getting the recruitment of security staff right. “I work with the most incredible team, they teach me things every day – it has been recruiting those people into the business that has really driven us to the point where we are at now,” he added.

IoT Security Foundation Launches Vulnerability Disclosure Platform

A platform to allow IoT vendors to simplify the reporting and management of vulnerabilities has been launched by the Internet of Things Security Foundation (IoTSF).

The ETSI EN 303 645 specification requires IoT vendors to publish a clear and transparent vulnerability disclosure policy, establish an internal vulnerability management procedure, make contact information for vulnerability reporting publicly available, and continually monitor for and identify security vulnerabilities in their products. To help vendors meet these requirements, the IoTSF has launched VulnerableThings.com.

Designed to help IoT vendors receive, assess, manage and mitigate vulnerability reports, VulnerableThings.com aims to provide a vulnerability management tool to help IoT manufacturers prepare for emerging regulations and to maintain compliance. Access to VulnerableThings.com is available free until January 31 2021 and manufacturers that subscribe will have access to a dashboard that will guide them through the vulnerability resolution process and facilitate communication with the reporter.

Where a vulnerability is reported in a product from a vendor that hasn’t registered with the service, an alert will be sent to a public email address of the manufacturer who will then have the opportunity to securely access the details of the vulnerability report.

Vulnerabilities can be reported by any individual anonymously, or by registering, they are provided with a dashboard which allows them to monitor the progress towards resolving vulnerabilities they have reported to different manufacturers. The IoTSF said the intention is to promote dialogue between vendors and security researchers as without mechanisms to report, manage and resolve vulnerabilities, the security of consumer IoT products diminishes over time and the risk of attack or abuse increases.

John Moor, managing director of the IoT Security Foundation, said: “Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement.

“We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete.”

Matt Warman, the UK Government’s digital infrastructure minister, said: “I welcome this new initiative to help industry improve the security of internet of things devices and boost our burgeoning digital economy while protecting people online. We want everyone to have confidence that the internet-connected products they are buying have stronger security and we are working on legislation in this field to help make this a reality.”

Orgs Struggling to Secure SaaS Applications Following Shift to the Cloud

Two-thirds (66%) of organizations believe their enterprise SaaS application would cause the greatest amount of disruption to their business above all others in the event of an outage, according to a new study by AppOmni.

The survey of over 200 IT professionals also found that 66% have less time to effectively manage and secure SaaS applications, with 93% stating they have recently received additional responsibilities in light of the shift to remote working during COVID-19.

The move to work from home has substantially increased cloud adoption and other remote work technologies. This has led to organizations growing their use of SaaS applications to help enable this transition. However, managing and securing these applications effectively is proving difficult, according to the report, which found that 68% of IT professionals rely solely on manual efforts to detect data exposures.

In addition, more than half (52%) of respondents said the biggest challenge with existing cloud security solutions is their reactive nature, only alerting them to a problem once an incident has already been detected.

Brendan O’Connor, CEO at AppOmni, commented: “Due to COVID-19, IT teams are struggling to keep up with massive changes to day-to-day operations and the accelerated rate of cloud adoption associated with a remote and virtual workforce. This highlights the need for companies to work to better secure their current SaaS applications given that 90% of the respondents we surveyed noted that their usage of SaaS applications has increased in adoption since the beginning of the pandemic.”

He added: “These days, more organizations are investing in preventative solutions and gaining visibility into their cloud attack surface than ever before. Even post COVID-19, businesses will need to offer remote work opportunities to stay competitive. Now is the time to implement a hybrid working strategy that includes mission-critical SaaS applications. Companies that wait until it’s too late are going to find themselves behind the curve, making them easy targets for attackers.”

Modern Attacks Include Supply Chain “Hopping” and Reversing Agile Environments

Cybercrime groups are becoming more creative and using tactics such as supply chain attacks against digitally transformed and agile environments.

According to a new report by VMware Carbon Black, which included a survey of 83 incident response and cybersecurity professionals, 82% of attacks now involve instances of “counter incident response” where victims claim attackers have the resources to “colonize” victims’ networks.

Speaking to Infosecurity, Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, said there has been a common “arrogance in how we conduct incident response” and this allows the adversary to know that the defender has spotted them, and attackers move into “a destructive attack mode” in response. This will involve them tampering with agents, dropping wiper malware and ransomware, and changing time stamps on logs whilst they are in the victim’s environment.

“We must do a better job of how we react,” Kellermann said, adding that there needs to be a “silent alarm” system for when an attacker is spotted in your environment, as we currently “make critically bad assumptions” on how to manage threat hunting and when reacting. “As we know, we are in a brave new world, and the greatest cybercrime crews are protected by regimes, and with a dramatic spike in social unrest, businesses have been forced to use digital transformation to exist in the pandemic,” he said. This means being less visible in the response and hunting efforts.

This has given rise to the concept of “island hopping,” where an attacker infiltrates one organization’s network and uses it to launch attacks on other businesses along the supply chain, chaining a series of compromises and hitting multiple victims. Kellermann said there has been a “dramatic escalation and punitive measures deployed from the adversary,” and this has resulted in 55% of attacks targeting the victim’s digital infrastructure for the purpose of island hopping.

“Imagine when a corporate infrastructure pushes payloads to its constituency,” he said, stating that many businesses do not understand their supply chain, and attackers can “move from MSSP to cloud provider to marketing forum.” Kellermann said this concept of attack works in four steps:

  • The network is attacked and the attacker pushes malware code through your infrastructure to all VPN tunnels
  • They add watering hole attacks, expand the attacks to mobile devices so common vulnerabilities are effective
  • Reverse access to Office 365 to scrape messages and use them to create context and for social engineering so fileless malware comes from you and your account
  • Target APIs

Kellermann said: “The rapid shift to a remote world combined with the power and scale of the dark web has fueled the expansion of e-crime groups. Now ahead of the election, we are at a cybersecurity tipping point, cyber-criminals have become dramatically more sophisticated and punitive focused on destructive attacks.”

Albion Online Forum Breach Exposes User Info

A popular massively multiplayer online role-playing game (MMORPG) has revealed its user forum has been breached, exposing email addresses and hashed passwords for the site.

Albion Online is a popular medieval fantasy game produced by Berlin-based Sandbox Interactive and said to have around 2.5 million players.

Its user forum operations account posted a note over the weekend warning that “a malicious actor gained access to parts of our forum’s user database.”

Although no payment information was hacked, users may be at risk of account takeover if they share the same log-ins across other sites.

“The intruder was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts,” the notice explained.

“On top of that, the attacker gained access to encrypted passwords (in technical terms: hashed and salted passwords). These can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves. However, there is a small possibility they could be used to identify accounts with particularly weak passwords.”

Although the site uses bcrypt, a salted and deliberately slow password hashing scheme, its admins urged users to change their passwords as a precaution, and across any other accounts on which they may use the same log-ins.
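The distinction the notice draws, that salted slow hashes cannot be reversed yet still let an attacker pick out weak passwords, is shown in this added example (not code from Sandbox Interactive or the WoltLab forum). bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a per-user random salt stands in for it; both are salted and deliberately slow, which is the property that matters here. The accounts, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 stands in for bcrypt (bcrypt is not in the standard
# library); like bcrypt it is salted per user and deliberately slow.
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored salt/digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_leaked_table(accounts):
    """Constructed stand-in for the stolen forum table: email -> (salt, digest)."""
    return {email: hash_password(pw) for email, pw in accounts.items()}


def guess_weak_accounts(leaked, wordlist):
    """What an attacker can do offline with the leaked table: try every wordlist
    entry against every account. Each guess costs a full slow hash because the
    salt differs per user, so only passwords that are actually in the wordlist
    are identified; strong passwords stay unknown."""
    cracked = {}
    for email, (salt, digest) in leaked.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[email] = guess
                break
    return cracked


# Constructed accounts and wordlist; no real Albion Online data.
SAMPLE_ACCOUNTS = {
    "alice@example.invalid": "password",
    "bob@example.invalid": "vN7#q2Lw!tR9pZs4",
    "carol@example.invalid": "password",
}
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "albion", "letmein"]


if __name__ == "__main__":
    table = build_leaked_table(SAMPLE_ACCOUNTS)
    print(guess_weak_accounts(table, SAMPLE_WORDLIST))
```

Two details carry the argument: alice and carol share a password but get different digests because their salts differ, so one precomputed table cannot expose both, and bob is never identified because his password is not in the wordlist. Real bcrypt cost factors make each guess slower still, which is why the forum could say the hashes cannot be used to learn passwords in general while still warning users with weak ones.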

It’s unclear how many users were affected, although the forum boasted nearly 300,000 members at the time of writing.

It appears as if the online intruder exploited a bug in the site’s forum software, WoltLab Suite, which has since been patched.

“What organizations must learn from this incident is that vulnerabilities exist in every platform, far too many for organizations to manage by themselves, even those that have in-house security teams,” argued Bugcrowd CEO, Ashish Gupta.

“What’s needed is a layered security approach to find security vulnerabilities faster and gather actionable insights to increase resistance to cyber-attacks.”

#InfosecurityOnline: The Role of Data in Predicting Human Behaviors

Speaking in the opening keynote of the Infosecurity Online event, mathematician and broadcaster Dr Hannah Fry discussed the use of data-driven models to better identify, understand and predict human behaviors.

“Data has the power to send us on the right path,” Dr Fry said. “The big lesson we’ve learned in the last five to 10 years is that there is meaning hiding in the deluge of data that we see all around us, and sometimes, it can be very subtle clues in the data that can open out into much bigger insights into the real world.”

Furthermore, there are occasions when more data, and more technology, can make us feel more human, Dr Fry explained.

However, there are some important caveats to that, she warned. “More data isn’t always necessarily the answer.

“Sometimes you cannot get rid of uncertainties; sometimes there is irreducible randomness in the world which ultimately limits how far data can take you in describing what is going on around us,” which includes the ability to accurately predict human behaviors.

For that reason, it is practically impossible – even with large amounts of data at your disposal – to fully predict the future. “Sometimes, it is a bit too easy to fall into the trap of thinking that data has all the answers.”

It must be remembered that humans “really hate uncertainty” Dr Fry said, and when it comes to designing data-driven systems, if you shield people from uncertainty, that is something that can end in disaster because algorithms do not understand context.

“We’ve got a perfect storm – humans are flawed, and algorithms are flawed, and it’s when those flaws come together that problems can arise.

“Long into the future, we will be stuck with algorithms that are inevitably going to make mistakes, and when you clash that with the flaws that humans have in avoiding uncertainty, you can end up in real trouble, particularly when you are designing systems.”

So what can be done about it? “I think there are some genuine changes that can be made when designing data-driven systems and data-driven decision making,” Dr Fry said.

“Part of that is about wearing uncertainty with pride; rather than shielding humans from uncertainty, instead make it much clearer and plainer. Another aspect is that we need more intellectual humility, and the people I see implementing data in the most powerful ways are the ones willing to change their path based on what the evidence tells them.”

US Indicts GRU Officers for NotPetya, Olympics Attacks and More

The US government has indicted six Russian military officers accused of a slew of major cyber-attacks including NotPetya and attempted sabotage of the 2018 Winter Olympics, causing at least $1 billion in global losses.

The six Russian nationals are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), also known as Sandworm and VoodooBear, according to the Department of Justice (DoJ).

Released on the same day the UK government revealed the GRU was also behind attacks on Tokyo Olympics officials and organizations, the indictment blames the six for multiple high-profile campaigns.

These include attacks on: French elections in 2017 aimed at discrediting Emmanuel Macron; investigations into the Novichok poisonings in Salisbury a year later; Ukrainian critical infrastructure in 2015 and 2016; and the Pyeongchang Winter Games of 2018.

They’re also tied to the infamous destructive NotPetya campaign, which began by targeting Ukrainian organizations but quickly spread via multinational companies’ VPNs around the world. The DoJ claimed that $1 billion was lost through the attacks from just three of the many victim organizations.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said assistant attorney general for national security John Demers.

“Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

Sam Curry, CSO at Cybereason, argued that the six would likely never face justice in a US courtroom.

“It's important to call out criminals and to set the groundwork for future diplomats, trade, foreign policy, and justice to finish the work. Finding a new geopolitical cyber norm is a multi-year and possibly multi-generational goal,” he continued.

“It's hard to believe that this behavior will lead to meaningful changes in Russian foreign policy, just as it hasn't with APT 10 and Chinese foreign policy; but the goal isn't just bringing the perpetrators to justice. The goal is to lay the building blocks for future work and a more peaceful, democratic, collaborative physical and cyber world one day."

UK: Russian GRU Hackers Targeted Tokyo Olympics

The UK has unmasked Russian state-backed hackers as the perpetrators of cyber-attacks against officials and organizations connected with the postponed 2020 Tokyo Olympics.

The government blamed the attacks on military intelligence service the GRU’s Main Centre for Special Technologies (GTsST), also known by its field post number 74455 and more commonly as Sandworm, BlackEnergy and VoodooBear.

According to GCHQ’s National Cyber Security Centre (NCSC) the group targeted organizers, logistics services and sponsors.

Although the attacks only got to the reconnaissance stage, reports suggest the end goal was to disrupt the games — which Russia was excluded from due to a state-backed doping campaign — as happened with the 2018 Winter Olympic and Paralympic Games in Pyeongchang.

Designed to appear as if launched by state hackers from North Korea, those attacks two years ago deployed data deletion malware against IT systems at the games and targeted devices across South Korea using VPNFilter.

In the end, IT staff worked hard to contain the threat and replace affected computers, but the NCSC said that the intent was sabotage of the games.

As reported by Infosecurity at the time, the attackers still managed to cause some disruption, downing the official games website for around 12 hours ahead of the opening ceremony and interfering with Wi-Fi connectivity and TV pictures in the media center.

Foreign secretary, Dominic Raab, slammed Moscow for the attacks.

“The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms,” he said in a statement. “The UK will continue to work with our allies to call out and counter future malicious cyber-attacks.”

The NCSC revelations came on the same day a US indictment against six alleged GRU officers was published. The charges claim the group were responsible for attacks targeting Ukrainian power stations in 2015 and 2016, French elections in 2017, NotPetya, and investigations into the Salisbury Novichok poisonings.

Cyber-attack on Mississippi Schools Costs $300k

A Mississippi school district has voted to pay $300,000 to recover files that were encrypted during a suspected ransomware attack.

A federal investigation was launched after threat actors accessed Yazoo County School District’s information technology system without authorization. 

Superintendent Dr. Ken Barron told WLBT news that the school became aware of the cyber-attack on Monday, October 12. Barron did not state how the attackers had gained access to the system or what information had been compromised as a result of the incident.

The superintendent said that individuals would be notified about the incident if required by law. He stated that he had been advised against revealing any further details of the attack in case it jeopardized the investigation being carried out by federal law enforcement. 

Following the attack, the school took its IT systems offline and engaged a cybersecurity firm to help recover data encrypted by threat actors. Classes at the school are operating as normally as possible under existing COVID-19 restrictions.

The school board voted to pay a company $300,000 to recover the data that was encrypted by malware. 

"Last week, the Yazoo County School District detected a potential cyber event impacting certain devices on our network. We took our IT systems offline to investigate and address. National cyber-security firms were engaged to assist. We also reported this to federal law enforcement," wrote Barron in a statement issued by the school.

"In an abundance of caution, we are deploying advanced cyber-security tools throughout our environment to ensure devices can be used without issues and to allow us to resume normal IT operations as quickly as possible. We are also taking measures to unlock the encrypted files."

Barron said that staff payroll, cafeteria transactions, and the school's phone, fire alarm, and burglary systems were not impacted by the attack.

He added: "This is an ongoing investigation and as such, we have been advised by cyber-experts not to comment further at this time. We will notify individuals if and when needed in compliance with federal and state law."

Lincoln County Schools, another Mississippi school district, fell victim to a ransomware attack in November 2019.

Instagram’s Handling of Children’s Data Under Investigation

Social media app Instagram is being investigated by the EU for allegedly failing to protect the privacy of children's data. 

Instagram's alleged data mishandling allowed the email addresses and phone numbers of children aged under 18 to become visible to other users of the platform. Facebook, which owns the social media app, has denied breaking any privacy laws. 

The investigation into the app is being led by Ireland's Data Protection Commissioner (DPC), the lead European Union regulator under the EU's General Data Protection Regulation (GDPR), which came into force in 2018.

A key role of the Irish regulator is to defend an individual's right to online privacy. The DPC can fine violators of this right large sums of money.

During the investigation, the DPC will determine whether Facebook has a legal basis for processing children's personal data. It will also examine the protections and restrictions put in place for children on Instagram to assess whether they are adequate.

Instagram requires users to be at least 13 years old before they can create an account. In some jurisdictions, the minimum age requirement is higher. 

The DPC is also examining whether Facebook has adhered to GDPR requirements regarding Instagram's profile and account settings. In this separate investigation, the commissioner will seek to determine whether Facebook is adequately safeguarding the data protection rights of children as vulnerable people.

Facebook has said it is cooperating fully with the DPC.

"Instagram is a social media platform which is used widely by children in Ireland and across Europe," said DPC deputy commissioner Graham Doyle.

"The DPC has been actively monitoring complaints received from individuals in this area and has identified potential concerns in relation to the processing of children's personal data on Instagram which require further examination."

Research completed by US-based data scientist David Stier prompted the DPC to investigate Instagram. In 2019, Stier analyzed profiles of almost 200,000 Instagram users across the world and estimated that at least 60 million users under the age of 18 were offered the option to switch their personal profiles into business accounts.

Instagram users with business accounts are required to display their phone numbers and email addresses to other users of the platform.

Waze Vulnerability Lets Attackers Track and Identify Users

A vulnerability has been discovered in Google's GPS navigation software app Waze that lets hackers identify and track users. 

Autoevolution.com reports that the flaw was discovered by security engineer Peter Gasper. When using the app's web interface, Gasper discovered that he could request the Waze API to display not only his coordinates, but also those of other drivers traveling nearby. 

The data returned by the API showed unique identification numbers for the icons on the map that represented other drivers. Those ID numbers did not change over time, making it possible for anyone who exploited the flaw to track a particular app user over their entire journey. 

“I decided to track one driver and after some time she really appeared in a different place on the same road," explained Gasper. "I spawned a code editor and built a Chromium extension leveraging the chrome.devtools component to capture JSON responses from the API. I was able to visualize how users broadly traveled between the city districts or even cities themselves."

Further investigation by Gasper revealed that a threat actor could access the actual names of users who had interacted with the app. 

“I found out that if a user acknowledges any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place," said Gasper. 

"The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged.”

In December, Gasper reported the vulnerability to the Google-owned company Waze, earning a $1,337 bug bounty for his discovery. The flaw has since been patched.
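As an added illustration (not Waze's API or Gasper's code), the Python below sketches a server-side response-shaping layer for a nearby-drivers API that avoids the two exposures described above: the map icon identifier is derived per viewer session and per short time window instead of being the stable account ID, and event records carry a username only when an explicit comment exists. The sample data, field names and the 300-second window are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample backend data (all values made up for this example).
BACKEND_DRIVERS = [
    {"user_id": 1001, "username": "alice", "lat": 50.0755, "lon": 14.4378},
    {"user_id": 1002, "username": "bob", "lat": 50.0800, "lon": 14.4400},
]
BACKEND_EVENTS = [
    # Acknowledged only: the UI never shows who acknowledged, so the API
    # should not say either.
    {"event_id": 7, "type": "police", "lat": 50.08, "lon": 14.44,
     "ack_by": {"user_id": 1001, "username": "alice"},
     "ack_time": 1600000000, "comment": None},
    # Explicit comment: the UI shows the author, so returning the username
    # here is intended behaviour.
    {"event_id": 8, "type": "hazard", "lat": 50.09, "lon": 14.45,
     "ack_by": {"user_id": 1002, "username": "bob"},
     "ack_time": 1600000060, "comment": "pothole in lane 2"},
]

# Fields that identify an account or let an observer correlate one over time.
IDENTITY_FIELDS = {"user_id", "username", "ack_by", "ack_time"}


class ViewerSession:
    """Pseudonymisation context for one viewer's session (assumed design).

    Icon identifiers are HMAC(session_key, epoch || user_id). Within one epoch
    (a short window so the client can animate an icon smoothly) the identifier
    is stable; across epochs, sessions or viewers it is unlinkable, so the
    stable per-driver ID that enabled journey-long tracking never leaves the
    server.
    """

    def __init__(self, key: Optional[bytes] = None, epoch_seconds: int = 300):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.epoch_seconds = epoch_seconds

    def current_epoch(self) -> int:
        return int(time.time()) // self.epoch_seconds

    def pseudonym(self, user_id: int, epoch: Optional[int] = None) -> str:
        if epoch is None:
            epoch = self.current_epoch()
        msg = f"{epoch}:{user_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]


def shape_drivers(raw_drivers, session: ViewerSession, epoch: Optional[int] = None):
    """Client view of nearby drivers: position plus a short-lived icon ID only."""
    return [
        {"icon_id": session.pseudonym(d["user_id"], epoch),
         "lat": d["lat"], "lon": d["lon"]}
        for d in raw_drivers
    ]


def shape_events(raw_events):
    """Client view of road events: identity only where the UI actually shows it."""
    shaped = []
    for ev in raw_events:
        out = {k: ev[k] for k in ("event_id", "type", "lat", "lon")}
        if ev.get("comment"):
            out["comment"] = ev["comment"]
            out["author"] = ev["ack_by"]["username"]
        shaped.append(out)
    return shaped


def leaked_identity_fields(records) -> set:
    """Audit check: which identity-bearing fields does a response still contain?"""
    found = set()
    for r in records:
        found |= IDENTITY_FIELDS & set(r)
    return found


if __name__ == "__main__":
    session = ViewerSession()
    print(shape_drivers(BACKEND_DRIVERS, session))
    print(shape_events(BACKEND_EVENTS))
    print("raw events leak:", leaked_identity_fields(BACKEND_EVENTS))
    print("shaped events leak:", leaked_identity_fields(shape_events(BACKEND_EVENTS)))
```

The audit helper is the kind of check a review of API responses against what the UI actually renders would automate, comparing raw backend records with what the shaping layer emits.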

“Across any given enterprise, API-based vulnerabilities are rampant, creating easy opportunities for malicious actors to exploit. That’s why it’s so important for organizations to have runtime visibility into all APIs," commented Jason Kent, Cequence Security's hacker in residence.

"Enterprises need, at all times, to be able to answer simple questions like: how many APIs do we have and who owns them; have the appropriate levels of authentication and access controls been enabled; and what type of data are your APIs transmitting?"

DDoS Attacks Triple in Size as Ransom Demands Re-emerge

The last quarter of 2020 has seen a wave of web application attacks which have used ransom letters to target businesses across a number of industries.

According to research from Akamai, the largest of these attacks sent over 200Gbps of traffic at their targets as part of a sustained campaign of higher Bits Per Second (BPS) and Packets Per Second (PPS) than similar attacks had displayed a few weeks prior.

“Prior to August, the signal vectors had been primarily used to target the gaming industry,” the company claimed. “Starting in August, these attacks abruptly swung to financial organizations, and later in the cycle, multiple other verticals.”

Akamai explained that none of the vectors involved in this series of attacks were new, as most of the traffic was generated by reflectors and systems that were used to amplify traffic. “Seeing a common set of protocols being used as amplifiers in a DDoS campaign is, by itself, an indicator of new tools, or configurations, being used by criminals, rather than an indicator of an extortion campaign,” it said.

However, multiple organizations began to receive targeted emails with threats of DDoS attacks, where this would be launched unless a ransom amount was paid. Richard Meeus, director of security technology and strategy at Akamai, said a small DDoS would be made against the company “to show that they [attackers] were serious, and then there was a threat of a 1Tbps attack if you didn’t pay.”

“Many extortion DDoS campaigns start as a threat letter, and never progress beyond that point,” Meeus said. “In contrast, this campaign has seen frequent ‘sample’ attacks that prove to the target that criminals have the capability to make life difficult.”

Whilst Akamai said many of the extortion emails end up caught by spam filters, not all targets are willing to admit they’ve received an email from the attackers.

“This extortion DDoS campaign is not over,” Akamai said, “the criminals behind this campaign are changing and evolving their attacks in order to throw off defenders and the law enforcement agencies that are working to track them down.”

Speaking on a webinar last week, Meeus said the company had seen the number of attacks per day increase from one million in January of this year to three million in September. “When we look at the specific data points, and look at the last two big spikes, they were both against financial services,” he said.

This campaign peaked in August and September, “and it reached its peak, perhaps when the attackers believed they had been mitigated and began to start changing their tactics.” This included a move to use layer three and four attacks, which are usually targeted at data centers, websites and APIs.

Meeus also said there had been a 200% increase in attacks against web application firewalls, which he was quite surprised by. Meanwhile, “DDoS attacks come in waves” and “ransom attacks have been going on for a number of years and we successfully take down the perpetrators, but they come back again as it is an extortion technique that works.”

Government Spooks Urge Firms to Patch SharePoint Bug

Government experts are warning SharePoint customers to urgently patch a remote code execution (RCE) vulnerability fixed by Microsoft last week.

A National Cyber Security Centre (NCSC) alert on Friday claimed successful exploitation of CVE-2020-16952 could enable attackers to run arbitrary code and carry out security actions in the context of a local administrator, on affected installations.

“The NCSC always recommends applying security updates promptly to mitigate the exploitation of all vulnerabilities but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities, such as CVE-2019-0604, against UK organizations,” it continued.

“Two SharePoint CVEs also appear in the CISA Top 10 Routinely Exploited Vulnerabilities.”

The vulnerability itself affects Microsoft SharePoint Foundation 2013 Service Pack 1, SharePoint Enterprise Server 2016 and SharePoint Server 2019, but not SharePoint Online as part of Office 365.

It occurs because the software fails to check the source markup of an application package, according to Microsoft. Exploitation therefore requires a user to upload a specially crafted SharePoint application package to an affected version.

The NCSC’s warning comes despite Microsoft rating exploitation as “less likely.” The bug has a CVSS score of 8.6 on all affected versions for SharePoint.

However, although there are no reports of attackers leveraging this vulnerability at the moment, proof-of-concept code is already available.

Experts at Rapid7 also urged SharePoint administrators to prioritize patching.

“SharePoint is a high-value attack target and has seen a number of high-severity vulnerabilities patched in recent months,” the security vendor said. “It is likely that active exploitation will occur within a relatively short time frame; it was trivial for Rapid7 researchers to validate the vulnerability’s exploitability and weaponize [the] PoC.”

As well as this vulnerability, SharePoint accounted for just under a third of the 23 critical flaws patched by Microsoft in September.

US CEO Charged with $2bn Tax Evasion Scheme

The CEO of a US-based software firm has been charged with a decades-long tax evasion scheme said to have concealed as much as $2bn from the IRS.

Robert Brockman, chief executive of Ohio-based Reynolds and Reynolds, was charged in a 39-count indictment with tax evasion, wire fraud, money laundering and other offenses.

He is alleged to have hidden income earned from private equity investments from the US tax authorities by siphoning the funds to secret bank accounts in Bermuda and Switzerland.

The authorities alleged that Brockman did so between 1999 and 2019, with the help of a co-conspirator with whom he communicated via encrypted channels and using code words to cover his tracks.

Alongside the tax offenses, Brockman is charged with fraudulently obtaining almost $68m in his company’s debt securities. He is alleged to have used a third party to acquire the securities, circumventing strict laws restricting such purchases by a CEO without full disclosure and prior notice.

He is also said to have used insider information about the company to support his decision making in purchasing the debt, and to have persuaded an individual to destroy and alter documents and computer evidence to hide his tracks.

Brockman is charged with seven counts of tax evasion, 20 counts of wire fraud affecting a financial institution, various counts of money laundering, six counts of failing to file foreign bank account reports and evidence destruction and tampering.

Although Brockman is innocent until proven guilty, the Department of Justice warned that if convicted he potentially faces “a substantial period of incarceration.”

“As alleged, Mr Brockman is responsible for carrying out an approximately two-billion dollar tax evasion scheme,” said Jim Lee, chief of IRS Criminal Investigation.

“IRS Criminal Investigation aggressively pursues tax cheats domestically and abroad. No scheme is too complex or sophisticated for our investigators. Those hiding income or assets offshore are encouraged to come forward and voluntarily disclose their holdings.”

Google Reveals it Was Hit by 2.5Tbps DDoS

Google has revealed a nation state DDoS campaign against it originating from China, which may have been the biggest attack of its kind ever recorded.

The 2.5Tbps DDoS struck in September 2017 but was made public for the first time on Friday in a report designed to share best practices on cyber-defense and plug Google Cloud mitigations.

According to Google security reliability engineer, Damian Menscher, the attack topped a six-month campaign against the firm.

“Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact. The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us,” he explained.

“This demonstrates the volumes a well-resourced attacker can achieve: this was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier. It remains the highest-bandwidth attack reported to date, leading to reduced confidence in the extrapolation.”

A separate report on the same day from Shane Huntley of Google’s Threat Analysis Group revealed that this was a state-sponsored UDP amplification attack “sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394).”

“Addressing state-sponsored DDoS attacks requires a coordinated response from the internet community, and we work with others to identify and dismantle infrastructure used to conduct attacks,” he added.

Menscher also argued that collaboration and transparency is important to help reduce the opportunities for such attackers.

For example, Google reported thousands of servers exploited in the DDoS attack to their network providers, so that they could take action.

Neustar last month claimed to have neutralized the largest DDoS it has ever encountered, at just under 1.2Tbps — less than half the size of the attack on Google.

DDoS Attacks Disrupt Massachusetts Schools

Students learning remotely in Massachusetts have had their lessons disrupted by distributed-denial-of-service, or DDoS, attacks.

Sandwich Public Schools suffered a week of connection issues after what was first identified as a firewall failure occurred on October 8. A new firewall put in place to resolve the issue subsequently crashed, prompting the technology department to source a firewall from a different vendor. 

After further connectivity issues were experienced with the schools' OpenCape Network despite the new firewall, the source of the problem was determined to be a DDoS attack. 

Superintendent Pamela Gould said the district has reported the attack to Sandwich police as well as to the FBI’s Cyber Crime Unit.

"This is not a capacity issue for the district," wrote Gould in an email to parents. “This is something that is happening to us."

Repeated internet outages have also been occurring this month at Tyngsboro's high school and middle school, interrupting the district's best efforts to deliver education remotely to their students.

Superintendent Dr. Michael Flanagan said the Tyngsboro district’s IT professionals and cybersecurity provider have determined that the outages were not caused by an internal hardware issue or an issue with the district’s internet provider, but instead were the result of a DDoS cyberattack, apparently from a device being brought into the Norris Road campus each morning.

“We are frustrated and disappointed that this outage has disrupted what has been a very successful and positive start to our school year here in Tyngsboro,” Flanagan said in a news release. 

“We have all pulled together and worked so hard to create a positive learning environment in spite of the challenges and disruptions of the COVID pandemic."

Tyngsboro's outage is currently under investigation by state education officials, an IT solutions company, and local police. It is not yet clear whether lessons were sabotaged deliberately or via a device that had been compromised unbeknownst to its owner.

"While we are confident that we will soon rectify this situation, I am upset for the difficulty and disruption this has caused our students, families, and staff,” said Flanagan.

Iran Reports Two Major Cyber-Attacks

Iran has reported falling victim to two large-scale cyber-attacks, one of which was leveled at the country's government institutions.

The Iranian government's Information Technology Organization on Thursday reported that two institutions had been compromised by attackers. No party has claimed responsibility for the attack, and Iranian government officials have not stated whether the attack was domestic or foreign.

The target of earlier attacks carried out on Monday and Tuesday has not yet been named. 

According to The Jerusalem Post, the Iranian government made an announcement concerning the attacks after news of the incidents began spreading on social media. 

An Iranian news agency reported on Friday that the cyber-attacks had impacted the electronic infrastructure of the country's ports. According to US-funded Radio Farda, unconfirmed reports in Iranian media named the country's banking system and Ports and Maritime Organization as among the targets. 

Quasi-official news agency Tasnim reported a spokesperson for the country's Ports and Maritime Organization as stating: "Sworn enemies have been trying for some time to carry out cyberattacks."

The statement went on to say that action had been taken to block further attacks and prevent any disruption of the "organization's missions."

Abolghasem Sadeghi, from the government’s Information Technology Organization, commented on the attacks on state TV on Thursday. Sadeghi said that the incidents had prompted several government bodies to temporarily shut down internet services as a precautionary measure. 

He described the attacks as "important and on a large scale," and said that an investigation into them had been launched. 

A previous attack carried out on Iran's Bandar Abbas port in May 2020 was blamed on Israel. The attack was supposedly a retaliation for an attack carried out against six Israel Water Authority facilities in April 2020.

Iran reported three cyber-attacks within a week in December last year, one of which the country said was sponsored by a foreign state. The country's telecommunications minister said at the time that a cybersecurity project known as the "Dejfa fortress" had repelled a cyber-onslaught involving the "well-known APT27" threat group that has been linked to Chinese-speaking hackers.

Senator Questions US Healthcare Giant Over Cyber-Attack

A major healthcare provider whose systems were knocked offline for three weeks by a ransomware attack has been asked by a US senator to answer questions about its cybersecurity practices. 

Universal Health Services announced on Monday that all 400 of its health system sites were back online after being hit by a cyber-attack in the early hours of September 27. 

UHS initially reported the attack as an "Information Technology security incident," but staff who took screenshots of the attack confirmed that ransomware was responsible for the disruption. 

As a result of the incident, UHS disconnected all systems and shut down the network to prevent further propagation. While some hospitals diverted ambulances and some lab test results were delayed, the company said that "patient care was delivered safely and effectively at our facilities across the country using established back-up processes, including offline documentation methods." 

Following the attack, former technology entrepreneur and vice chairman of the Senate Intelligence Committee, Senator Mark Warner, has written to UHS to express concerns regarding its cybersecurity measures.

Warner told the Fortune 500 company that with annual revenue of more than $11bn, it should have a cybersecurity posture "sufficiently mature and robust to prevent major interruptions to health care operations."

In his letter dated October 9, the senator questioned UHS over its vulnerability management process, third-party risk management, protection of clinical medical devices, and ability to isolate networks to prevent lateral movement by attackers.

Warner also asked UHS to state whether it had paid a ransom to its attackers and to confirm whether any patient medical records, HIPAA-protected data, or healthcare information has been affected or suffered a denial of access as a result of the attack. 

On October 12, UHS stated: "Throughout the IT remediation work we have had no indication that any patient or employee data was accessed, copied or misused."

UHS, which is headquartered in King of Prussia, Pennsylvania, operates facilities in Puerto Rico, the United Kingdom, and the United States. In a statement released on September 29, the company said that its UK operations were not impacted by the attack. 

BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19

The fine against British Airways for GDPR failings has been reduced to £20m from the original £183m intent to fine issued last July.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack during 2018 which it did not detect for more than two months. The ICO said the final amount (£20m) took into account both representations from BA and the economic impact of COVID-19 on the business.

The ICO also said, as the breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

According to the penalty notice, a proposed penalty of £183.39m was issued on July 4 2019, with an extension until March 21 2020 agreed in December. On April 3 2020, the ICO wrote to BA requesting information regarding the impact of COVID-19 on its financial position, and having considered BA’s representations, both BA and the ICO “agreed to a series of further extensions of the statutory deadline to 30 September.”

Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: “Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of board members of organizations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.

“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.”

In the attack, the attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

The ICO said that since the attack BA has made considerable improvements to its IT security. Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

Piers Wilson, head of product management at Huntsman Security, said: “Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgement of the ravages of COVID-19 on the airline industry or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.”

Vanessa Barnett, commercial and IP partner at Keystone Law, added: “In the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR. Don’t forget that before GDPR the statutory limit was £500,000.

“£500,000 to £20m is a big jump and will still very much focus the (compliance) minds! The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely and luckily, its enforcement framework allows that.”

Election Security and Confidence Can Be Enabled Through Public-Private Partnerships

The security of democracy can be better protected if there is trust from the public and improved collaboration between the public and private sectors and governments.

Speaking on a virtual roundtable, Shawn Henry, Crowdstrike CISO and president of Crowdstrike Services, said this is both a political and a cybersecurity issue. Henry began by claiming that foreign interference in an election is the “ultimate hack, not just of democracy, but of people's beliefs, what they think and why they think it.” This leads to questions about whether the election is secure and valid, and whether cast votes count, which he called “a national security issue.”

William Evanina, director of the National Counterintelligence and Security Center (NCSC), said foreign interference is not new, but in the past year it has travelled across to the US and “we’ve seen our adversaries amplify and accentuate over social media.” He also said too many western governments do not understand what disinformation looks and feels like, so the opportunities presented by social media present a vulnerability.

Commenting, Sir Rob Wainwright, senior partner at Deloitte, said disinformation is “a problem around the world” as social media has the opportunity to “spread false narratives, but there is a side to this that is even more dangerous and insidious.” Wainwright also cited cyber-attacks as part of a campaign of disinformation, as this “is about more than just spreading propaganda.”

Wainwright explained the complexity and cycle of the threat between 2016 and 2020 elections and said “we need to up our game as a result.” Evanina said time had been spent over the past few years driving partnerships with government agencies and industry “so the local CISO understands the intent and the adversary, and how they can be compromised.”

Asked by Henry what role a collaboration between public and private sector can play in this situation, Wainwright said there is a role in society to get this right, particularly for social media, and those companies are working more intensively than four years ago. “The big point is that this is not about what role governments can play on one side and private sector companies on the other, it is very much about the collaboration and getting that public-private partnership in the right space so it is all hands on deck in a uniform way,” he added.

Wainwright said the collective responsibility should be about getting the hygiene right, about common standards across the election infrastructure, as well as knowing where the threats are coming from and what the intelligence looks like.

Evanina agreed that public-private partnerships have never been more important. “We have to be willing and able to partner, and that partnership starts not only with intelligence sharing, but we have to find a happy medium where we can provide due diligence on sharing information at the same time, some privacy protections and privacy sanctions after a company is victimized,” he said. “Being a victim is not something that can carry penalties, we have to find a happy medium.”

Wainwright concluded by citing the importance of this issue, particularly in embedding confidence in the public, saying that regardless of whether you work for a social media company, in intelligence or in government, “you need to see everything through that lens to get it right and prioritize it in a collective and successful way.”

Evanina said as a democracy, we need to provide free and open elections, so the public has confidence in the voting systems. “If we cannot ensure that, we have a lot more problems than we think we do.”

Dickey’s PoS Breach Could Hit Three Million Cards

Another popular US restaurant franchise appears to have been on the receiving end of a major point of sale (PoS) data breach, with dark web traders claiming to have three million cards to sell.

Threat intelligence firm Gemini Advisory analyzed data uploaded to infamous carding forum Joker’s Stash and revealed that Dickey’s Barbecue Pit is the affected restaurant chain.

It said that customers in around a third of locations, 156 of 469, across 30 states may have had their cards compromised between July 2019 and August 2020.

“Dickey’s operates on a franchise model, which often allows each location to dictate the type of PoS device and processors that they utilize,” said the vendor.

“However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”

The dark web seller advertising the cards, BlazingSun, has not uploaded the entire stash yet, and will likely continue to add compromised data over the next few months, Gemini Advisory said.

“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” it concluded. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”

After the shift to EMV, merchants that continue to process magstripe could face legal action and fines if breached. The practice is far more common in the US, which made the switch to more secure cards relatively late compared to much of Western Europe, which is why PoS breaches like this still occur.

Other big names compromised in this way over the past year include convenience store chain Wawa, Planet Hollywood parent company Earl Enterprises and Rutter’s, another convenience store brand.

Nearly 800,000 SonicWall VPNs Need Critical Flaw Patching

Nearly 800,000 VPNs around the world need urgent patching after a vendor issued a security update for a critical flaw this week.

Researchers from Tripwire found the stack-based buffer overflow vulnerability in SonicWall’s Network Security Appliance (NSA), or more specifically, its underlying SonicOS software.

According to Tripwire security researcher Craig Young, who discovered the bug, the problem exists in the HTTP/HTTPS service used for product management and SSL VPN remote access. It can apparently be triggered by an unauthenticated HTTP request involving a custom protocol handler.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition,” Young continued.

“Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public internet.”

With over 795,000 SonicWall devices exposed according to a Shodan search made by Tripwire on Wednesday, the bug could be exploited to cause widespread damage.

According to SonicWall, the vulnerability has a CVSS score of 9.4, perhaps a reflection of the fact it could lead not only to denial of service but also arbitrary remote code execution.

The affected versions are: SonicOS 6.5.4.7-79n and earlier, SonicOS 6.5.1.11-4n and earlier, SonicOS 6.0.5.3-93o and earlier, SonicOSv 6.5.4.4-44v-21-794 and earlier and SonicOS 7.0.0.0-1.

The vendor released patches on Monday.

VPN systems are increasingly being targeted by attackers looking to find a way into corporate systems, given the large numbers of remote workers currently reliant on them.

In April it was confirmed that cyber-criminals were exploiting known bugs in Citrix and Pulse Secure VPNs to deploy ransomware in hospitals, while just this week it emerged that other attackers were chaining VPN exploits with Zerologon to compromise Active Directory (AD) identity services.

SonicWall sent Infosecurity a statement to confirm it takes every vulnerability disclosure seriously.

“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring CVE listings based on CVSS,” it explained.

“The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”

VoIP Firm Broadvoice Leaks 350 Million Customer Records

A US-based VoIP provider has been found leaking over 350 million customer records, after a configuration error left several online databases exposed.

Researcher Bob Diachenko found the unprotected Elasticsearch database clusters belonging to Broadvoice on October 1.

The trove of 10 databases included one containing more than 275 million records. It featured full caller name, identification number, phone number, state and city.

Perhaps more dangerous from a privacy perspective was another collection of over two million records that included names, phone numbers and, for 200,000 records, call transcripts.

According to Comparitech, which worked with Diachenko on the case, some of these transcripts themselves contained sensitive details such as voicemails left at medical clinics and financial services firms.

Comparitech claimed most of the data belongs to Broadvoice XBP customers.

“The leaked database represents a wealth of information that could help facilitate targeted phishing attacks. In the hands of fraudsters, it would offer a ripe opportunity to dupe Broadvoice clients and their customers out of additional information and possibly into handing over money,” Comparitech argued.

“For example, criminals could pose as Broadvoice or one of its clients to convince customers to provide things like account login credentials or financial information.”

Some exposed data, such as insurance policy numbers and financial loan details, could even be used to attempt identity fraud without the need for further phishing, it added.

However, Broadvoice reacted relatively quickly to the notification on October 1, fixing the privacy snafu by October 4.

The firm’s CEO, Jim Murphy, claimed the data had been “inadvertently” stored in an unsecured database on September 28, and said that law enforcement has been informed and an investigation has been launched.

“At this point, we have no reason to believe that there has been any misuse of the data,” he continued.

“We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time. We sincerely regret any inconvenience this may cause.”

Twitter Locks Trump Campaign Account

Twitter temporarily suspended the election campaign account of the president of the United States for "posting private information."

The account @TeamTrump was locked for attempting to tweet a video referencing a recent article by the New York Post along with text describing presidential candidate Joe Biden as "a liar who has been ripping off our country for years."

The New York Post article published leaked emails that suggest that in 2015, while working for Ukrainian natural gas firm Burisma Holdings, Biden's son Hunter arranged for the then Vice President Joe Biden to meet with a top executive at the company.

The emails were found on a hard drive that was dropped off at a repair shop in 2019 and never collected. The drive was later placed into the hands of Robert Costello, a lawyer for Trump's personal attorney, Rudy Giuliani.

When the Trump campaign tried to post the tweet, Twitter suspended its account for “violating our rules against posting private information.” The suspension was carried out before the veracity of the article had been fact-checked. 

Joe Biden’s campaign has not ruled out the possibility that a meeting took place between Biden and an executive at Burisma Holdings, stating only that no record of the meeting could be found in Biden's "official schedules." 

The suspension occurred on the same day that the social media giant censored the Post's primary Twitter account for posting the Hunter Biden story. Twitter also blocked numerous other user accounts for tweeting links to the Post’s Hunter Biden story for containing what it described as “hacked material.”

On Wednesday, Twitter CEO Jack Dorsey acknowledged “our communication around our actions on the @nypost article was not great. And blocking URL sharing via tweet or DM with zero context as to why we’re blocking: unacceptable.”

Twitter's enforcement of its policy to suspend accounts for posting an individual's leaked private information without their consent carries a distinct air of political partisanship. The social media platform took no steps to lock or suspend the account of Buzzfeed for its reporting of the Steele Dossier or the account of the New York Times when it tweeted an article referencing leaked tax-return data belonging to President Trump. 

US Indicts Money Launderers to Cyber-criminal Elite

The United States has indicted alleged members of a transnational gang that laundered millions of dollars for the cyber-criminal elite.

Fourteen alleged members of the criminal organization QQAAZZ were charged by a federal grand jury in the Western District of Pennsylvania in an indictment unsealed today. 

The QQAAZZ members are accused of conspiring with cyber-criminals all over the world to launder money stolen from victims of computer fraud in the United States and elsewhere. 

The indictment alleges that, since 2016, the gang has laundered, or attempted to launder, tens of millions of dollars’ worth of stolen funds. A related indictment unsealed in October 2019 charged five members of QQAAZZ.

Drawing from a network of members located in Latvia, Georgia, Bulgaria, Romania, and Belgium, among other countries, QQAAZZ opened and maintained hundreds of corporate and personal bank accounts at financial institutions in multiple countries to receive money stolen by cyber-criminals from bank accounts of victims.  

"The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using 'tumbling' services designed to hide the original source of the funds," stated the Department of Justice.

"After taking a fee of up to 40 to 50 percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele."  

QQAAZZ advertised its services as a “global, complicit bank drops service” on Russian-speaking online cyber-criminal forums. Among the threat actors that used QQAAZZ's services are the creators of Dridex, Trickbot, and GozNym.

In a closely coordinated international operation, more than 40 house searches were carried out in Latvia, Bulgaria, the United Kingdom, Spain, and Italy, with criminal prosecutions initiated in the United States, Portugal, Spain, and the United Kingdom.  

More searches and arrests were carried out in Latvia by the Latvian State Police than in any other country. Police in Bulgaria, conducting searches as part of the international operation, uncovered an extensive Bitcoin-mining operation associated with QQAAZZ.

American victims impacted by QQAAZZ include a Jewish Orthodox Synagogue in Brooklyn, New York, a technology company in Windsor, Connecticut, a medical device manufacturer in York, Pennsylvania, and an automotive parts manufacturer in Livonia, Michigan.

Cyber-Attack on Major US Bookseller

American bookseller Barnes & Noble has been hit by cyber-criminals the day after resolving a connection issue with its Nook e-reader service.

The beleaguered bookstore has been emailing customers since Monday to notify them of the attack and warn them that their data may have been compromised.

"It is with the greatest regret we inform you that we were made aware on October 10, 2020, that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems," states the notification email.

The company said that while some personal information belonging to customers may have been exposed, no evidence had been found so far to suggest that payment data had been impacted.

"Firstly, to reassure you, there has been no compromise of payment card or other such financial data," wrote the bookseller. "These are encrypted and tokenized and not accessible."

However, customers were warned that attackers may have accessed their email address, billing and shipping addresses, and telephone number and were advised that they may now receive unsolicited emails. Transaction details regarding what purchases customers had made may also have been compromised.

"We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility," acknowledged the company. 

News of the cyber-attack on Barnes & Noble follows a "system failure" experienced by the bookseller that interrupted e-reader content access for some of the store's users. According to PublishersLunch, difficulties were also experienced by some customers who were trying to access their online accounts.

Good E-Reader reported on Monday that some B&N branches struggled to process customer orders in-store as a result of the technical issue.

"We have a serious network issue and are in the process of restoring our server backups," said Barnes & Noble in a statement to Fast Company on Wednesday.

"Our systems are back online in our stores and on BN.com, and we are investigating the cause. Please be assured that there is no compromise of customer payment details, which are encrypted and tokenized.”

Government CIOs Praised for Pandemic Response, Better Collaboration Required

Collaboration with local governments and public higher education is critical to managing increasingly complex cyber-risk.

According to a new research document from Deloitte and the National Association of State Chief Information Officers (NASCIO), US state and local governments are top targets for ransomware and other cyber-attacks, and they can benefit by working together. The report claimed that there is “a value to having states build a collaborative relationship with local governments and institutions of public higher education.”

This can enable all parties to benefit from sharing knowledge and resources, and coordinating approaches. “Such a collaborative approach may offer considerable advantages in terms of cost efficiencies, better cyber-hygiene and culture, and improved security of citizens’ data,” the report said.

Reflecting on 2020, the report claimed the pandemic forced state governments to “act quickly in response to public health and safety concerns” and this led CISOs and their staff to support the increased demands for technology, enabling remote work “despite being severely constrained by the lack of resources for cybersecurity.”

It claimed security teams “worked closely with IT departments to secure the government enterprise, the virtual work environment, technology infrastructure and the supply chain.” The top cybersecurity barriers cited by respondents were the following:

  • Lack of sufficient cybersecurity budget
  • Inadequate cybersecurity staffing
  • Legacy infrastructure and solutions to support emerging threats
  • Lack of dedicated cybersecurity budget
  • Inadequate availability of cybersecurity professionals

“Reinventing statewide operations overnight, moving quickly at scale, relying on available resources amplified the importance of cybersecurity and highlighted shortcomings in the cybersecurity ecosystem,” the report said.

It also stated that some of the changes made in response to the COVID-19 pandemic are likely to remain, such as remote working, and “delivering citizen services without the need to visit government offices in person may become the norm as well.” As a result, “states will need to adjust to this new reality, and CISOs will need to orient their strategies to meet the needs of this next normal.”

“The last six months have created new opportunities for cyber-threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”

Srini Subramanian, principal at Deloitte and Touche LLP, and state and local government advisory leader, said: “Continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber-threats.”