Author Archives: www.infosecurity-magazine.com

Thousands Warned Over Home Group Data Breach

Thousands Warned Over Home Group Data Breach

The Home Group – one of the biggest housing associations in the UK – has warned around 4000 customers that their personal details may have been stolen after the company suffered a data breach.

As reported by the BBC, Home Group said the breach involved customer names, addresses and contact information, but no financial data. The organization explained that the breach was identified by a third party cybersecurity expert and affected customers in properties in England, including those in the North East, North West and Yorkshire.

The issue was resolved within 90 minutes, according to Home Group spokespeople.

Chief financial officer, John Hudson, said: “We were made aware of a potential data vulnerability and immediately responded to and resolved the issue.

“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.

“We have contacted all customers affected and I want to reassure all our customers that their information is secure and that we follow strict guidelines and protocols when it comes to data sharing and cybersecurity.”

Commenting on the news, Javvad Malik, security awareness advocate at KnowBe4, said:“It’s unclear at this moment how the company was breached, but it is encouraging to see the company was able to quickly respond to the breach, and inform its affected customers once notified by a third party.”

However, he added, companies should be building their own detection capabilities so that they are not reliant on third parties to disclose any breaches.

“Similarly, while the company claimed to have resolved the issue within 90 minutes, that is still ample opportunity for records to be accessed and copied,” Malik argued.

Trend Micro Tackles Cloud Misconfigurations with Latest Acquisition

Trend Micro Tackles Cloud Misconfigurations with Latest Acquisition

Trend Micro has announced the acquisition of Australian start-up Cloud Conformity, in a deal which will see it expand its cloud security portfolio to include mitigations for customer misconfigurations.

Following the reported $70m deal, Trend Micro is offering the Cloud Security Posture Management (CSPM) company’s solution immediately to its global customers.

Cloud Conformity offers a single pane of glass via which companies can gain complete visibility into their AWS and Azure environments, receive alerts and prioritize remediation to improve security, governance and compliance efforts.

Crucially, this will help customers get on top of a common challenge facing many today: how to correctly configure cloud deployments so as not to expose the organization to possible cyber-risk.

Trend Micro cited Gartner findings that by 2023, 99% of cloud security failures will be the customer’s fault, and that “through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”

Incidents of data leaks resulting from such misconfigurations hit the headlines virtually every week. Just today, Infosecurity reported on an exposed database hosted on AWS which leaked the travel and personal details of US military and government employees.

“We have been laser focused on building integrated security for the cloud since its birth over a decade ago, unlike other vendors who are now attempting to stitch together disparate cloud technologies,” said Trend Micro CEO, Eva Chen.

“As more enterprises move to the cloud, our customers feel they’re operating amid a wild-west approach to cloud implementations that leave them with unmanaged risk. As an AWS technology partner of the year for 2019, Cloud Conformity understands these implementations and the risks. Its offering perfectly complements our own portfolio and provides immediate value to customers. Both the people and technology are a great fit for Trend Micro.”

US Military Personnel Exposed in Latest Cloud Data Leak

US Military Personnel Exposed in Latest Cloud Data Leak

Researchers have discovered another unsecured Elasticsearch database, this time exposing data on thousands of travelers including US military and government employees.

The research team at vpnMentor discovered the online database hosted on AWS infrastructure, on September 13. It belonged to Autoclerk, a reservations management system now owned by hotel chain Best Western Hotels and Resorts Group.

The database contained over 179GB of data, often sourced from third party travel and hospitality platforms including OpenTravel, HAPI Cloud, and Synxis. Among these were hundreds of thousands of bookings and reservations, exposing personal details such as: full name, date of birth, home address, phone number, dates & costs of travel, and masked credit card details.

For ordinary travelers caught in leaks like this, there is the risk of follow-on phishing attacks and identify fraud attempts, as well as a chance that attackers could target their home while they are away.

However, there are even more concerning national security implications for the government personnel data exposed in the incident.

“One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies,” explained vpnMentor.

“The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.”

The firm urged US government officials to urgently vet any third-party contractors to ensure they follow strict data security protocols when handling sensitive information of this kind.

The data in question was left exposed for nearly a month, until the database was closed on October 2.

Cloud database misconfigurations have become an Achilles’ heel for many organization, argued DivvyCloud CTO, Chris DeRamus.

“Companies must adopt robust security strategies that are appropriate and effective in the cloud, at the same time as adoption of cloud services — not weeks, months or years later,” he added.

“Automated cloud security solutions can detect misconfigurations such as an unprotected database in real time and trigger immediate remediation, so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”

German Automation Giant Still Down After Ransomware Attack

German Automation Giant Still Down After Ransomware Attack

One of the world’s biggest producers of automation tools is still crippled over a week after it was hit by a ransomware attack.

German giant Pilz was forced to notify the prosecutor’s office and Federal Office for Security in Information Technology after suffering a targeted cyber-attack the Sunday before last.

However, despite setting up an incident response team to locate the source of the attack and resolve the disruption, it warned that outages will continue for several more days.

“Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional,” it noted in a status update.

“As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.”

The IT disruption appears to have affected delivery of shipments and communications, although email came back online around the world on Friday. The last update from the company yesterday claimed that deliveries had restarted in “certain areas.”

It’s unclear which these are, however: Pilz operates in over 70 countries around the world, across Europe, Asia Pacific and the Americas.

The firm offers a range of products vital to automate industrial environments, including: configurable safety controllers; programmable safety systems; safety sensors; operator and visualization systems; networks; system and application software; drive technology; integrated standard and safety automation systems.

Pilz is the latest in a long-line of large enterprises targeted by ransomware authors looking for a big ROI on attacks.

Back in March, Norsk Hydro, the world’s number one aluminium producer, was hit by the LockerGaga variant in an attack which is said to have cost the firm at least $41m. More recently, US mailing technology company Pitney Bowes and French media giant Groupe M6 were both caught out.

Ransomware detections grew 77% from the second half of 2018 to the first six months of this year, according to Trend Micro.

Ad Targeting Gamers Successfully Cuts Cybercrime

Ad Targeting Gamers Successfully Cuts Cybercrime

An advertising campaign warning that DoS attacks are illegal has proved successful in reducing cybercrime. 

In a new study, researchers from the University of Cambridge and the University of Strathclyde looked at four different cybercrime prevention methods employed by law enforcement agencies in the US and UK. 

The results showed that while high-profile arrests caused only a two-week reduction in the number of cyber-attacks taking place, targeted messaging campaigns and the takedown of infrastructure led to a sharper and longer-term reduction in cybercrime.

Sentencing was found to have no widespread effect on reducing crime, perhaps because attackers in one country weren’t affected by sentences meted out elsewhere.

The research, which was presented today at the ACM Internet Measurement Conference in Amsterdam, focused particularly on denial of service (DoS) attacks. These attacks generate a large amount of traffic that overwhelms end users or web services, taking them offline. 

DoS attacks can be purchased easily from so-called "booter" service websites for just a few dollars. This cheap and accessible form of attack is popular within the gaming community as a way of wreaking revenge on another user. 

"Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime," said Ben Collier from Cambridge’s Department of Computer Science & Technology, the paper’s first author. 

Collier and his colleagues from the Cambridge Cybercrime Centre used two datasets with granular data about the attacks from booter sites, and then modeled how the data correlated with different intervention tactics from the National Crime Agency (NCA) in the UK, the Federal Bureau of Investigation (FBI) in the US, and other international law enforcement agencies.

From late December 2017 to June 2018, the NCA targeted young gamers in the UK with Google adverts explaining that DoS attacks are illegal. The adverts would appear when a user searched for booter services.

"It’s surprising, but it seems to work, like a type of digital guardianship," said Collier. "At the exact moment you get curious about getting involved in cybercrime, you get a little tap on the shoulder.

"It might not work for people who are already involved in this type of cybercrime, but it appeared to dramatically decrease the numbers of new people getting involved."

Avast Thwarts Cyber-spies in Suspected Second CCleaner Attack

Avast Thwarts Cyber-spies in Suspected Second CCleaner Attack

Avast has fended off a sophisticated cyber-espionage attack with the help of Czech intelligence.

The global manufacturer of antivirus products announced today that its network had been breached, in what is thought to be an attempt to gain information regarding the company's CCleaner software.

Avast identified suspicious behavior on its network on September 23. Together with the Czech police's cybersecurity division and the Czech intelligence agency Security Information Service (BIS), the company launched what they describe as "an immediate, extensive investigation." 

Evidence gathered by Avast over the ensuing weeks, and verified by an external forensics team, pointed to an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to the company's VPN address range. 

The incident, which took place on October 1, was originally dismissed as a false positive. However, a review found that a threat actor had compromised the credentials of an Avast user who was associated with the internal IP. 

The hacker then managed to complete a successful privilege escalation to obtain domain admin privileges and access the company's internal network, in an attack Avast has dubbed 'Abiss.' 

Avast researchers wrote: "The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider."

Analysis of the external IPs revealed seven attempts to gain access to Avast's network had been made between May 14 and October 4, 2019. 

Avast researchers wrote: "Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions."

To track the actor, Avast left a temporary VPN profile open while they took action to protect their software and their end users, including disabling and resetting all internal user credentials.

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure," wrote Avast researchers.

Most Effective Phishing Tactic Is to Make People Think They’ve Been Hacked

Most Effective Phishing Tactic Is to Make People Think They've Been Hacked

New research into phishing attacks has shown that the most clicked on email subject lines are those that relate to online security concerns.

report released today by security awareness training company KnowBe4 revealed that emails with titles that trick people into believing that they've already been hacked are the most likely to be opened. 

To produce the Q3 2019 Top-Clicked Phishing Tests Report, KnowBe4 researchers sent out thousands of simulated phishing emails with various subject lines, then observed which ones drew clicks. The organization also examined "in-the-wild" email subject lines that include actual emails users received and reported to their IT departments as suspicious. 

The results found that simulated phishing test emails with the subject "Password Check Required Immediately" were the most clicked on, with 43% of users falling for this security-based ruse.

The next most clicked on subject titles, which each lured in 9% of users, were "A Delivery Attempt was made" and "Deactivation of [[email]] in Process."

Interestingly, subject lines promising vast riches or the spiciest of romances were not among the top ten most clicked. Instead, people were hooked by work-based subject lines offering basic information or the promise of relatively modest gains. 

The subject line "New Organizational Changes" hooked 4% of users, and 7% couldn't resist clicking on an email with the subject line "Updated Employee Benefits." While 4% of users gave in to the urge to open a message titled "Staff Review 2018," 6% were intrigued enough by a message called "Revised Vacation & Sick Time Policy" to give it a click. 

A further tactic that proved successful was using the universal lure of food. Researchers found that 8% of users opened a simulated phishing email with the subject line "New food trucks coming to [[company_name]]." 

"As cybersecurity threats persist, more and more end users are becoming security minded," said Stu Sjouwerman, CEO of KnowBe4. 

"They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so [users] need to remain vigilant."

Chartered Institute of Information Security Calls for Better Collaboration on Skills and Pathways

Chartered Institute of Information Security Calls for Better Collaboration on Skills and Pathways

Speaking four months after the IISP was renamed as the Charted Institute of Information Security (CIIS), CEO Amanda Finch said the re-branding was “great for us, as it puts on the map” after three and a half years of application.

Speaking at Plymouth University's Secure South West conference, she said that chartered status was important as it is “recognizing us as a proper profession” and that the CIIS is “the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.”

She said that cybersecurity is still “badly defined” as a term, and work is needed to make it a profession. Admitting that we cannot be “renaissance people who do everything,” the profession has grown from when you needed to be generalist to consider multi-disciplined areas, taking in physical science, psychology, legal, compliance and different skill sets.

The CIIS determines that professionalism depends on:

  • An agreed body of knowledge and skills that professionals need to have to work effectively in the field
  • Ways to provide those skills through education and training programs
  • Ways to accredit this process (both those identifying the body of knowledge and those teaching it) and attest that the individual has acquired those skills
  • The mastery of certain defined skill sets through these processes
  • Ways to demonstrate that practitioners have acquired those skills and can apply them competently
  • Ways practitioners can refresh that knowledge through continuing education
  • Codes of Ethics to ensure that practitioners act professionally

Finch argued that we need to recognize what we do have, and what we need to be developing to attract the best people. “We’ve been helping organizations to develop capabilities using development methodologies and frameworks” and also accrediting for competencies as, she said.

“So we developed a methodology to look at existing capabilities and skills and developing teams in this environment,” Finch said.

While companies may not always get “people with 100% of skills,” they should look at a person’s potential, “what basic skills you want them to have and upskill them.”

There will still be a need for specialists though, and to bring in expertise where it is needed, she said, concluding that we need to work as a community to bring the best talent in, and find good pathways to “demonstrate we’re a profession and make sure people come to us.”

Chinese National Gets 40 Months for Exporting US Military Kit

Chinese National Gets 40 Months for Exporting US Military Kit

A Chinese national will spend over three years behind bars after pleading guilty to conspiring to illegally export US military technology back home.

Tao Li, 39, violated the International Emergency Economic Powers Act and was sentenced to 40 months behind bars last week.

Between December 2016 and January 2018, he’s said to have worked with others back in China to buy radiation-hardened power amplifiers and supervisory circuits — components used for military and space applications due to their ability to withstand extreme heat and high levels of radiation.

These components would ordinarily require a license to export out of the US, although the Commerce Department does not grant such licenses to China.

To try and circumvent the ban, Li used various aliases to contact individuals in US companies, seeking to obtain the parts, agreeing to pay a “risk fee” to the firms if they agreed to export the components to China.

Li wired funds from an account in China to a bank in Arizona to complete a deal, before undercover agents stepped in, lured him to the US and arrested him at Los Angeles International Airport in September 2018. Agents from Homeland Security Investigations (HSI) and the Office of Inspector General’s Defense Criminal Investigative Service (DCIS) led this operation.

“This case is one of many involving illegal attempts to take US technology to China. Li attempted to procure highly sensitive US military technology in violation of our export control laws,” said assistant attorney general John Demers

“Such laws are in place to protect our national security, and the Department of Justice will continue to vigorously enforce them. We don’t take these crimes lightly and we will continue to pursue them.”

The news comes just days after a new CrowdStrike report revealed the true extent of China’s efforts to gain a technological and military advantage over the US. It detailed a multi-year campaign involving forced technology transfer, joint ventures, physical theft of IP from insiders and cyber-enabled espionage which helped a state-run company build the C919 commercial airliner.

Trojanized Tor Browser Steals Users’ Digital Currency

Trojanized Tor Browser Steals Users’ Digital Currency

Researchers have discovered a Trojanized version of the popular Tor Browser, which has already stolen tens of thousands of dollars’ worth of digital currency from users.

Targeted at Russian users, the malicious variant is distributed via spam messages on local forums and in Pastebin posts which have been SEO-d to rank high for users searching for terms including drugs, cryptocurrency, censorship bypass, and Russian politicians, according to Eset.

Two domains registered in 2014 are used to spread the malware; tor-browser[.]org and torproect[.]org. In essence, the package is a version of the popular anonymizing tool from 2018 (v 7.5) with some of its default browser settings and extensions altered to disable updates and ensure the malware authors can modify the product.

The hackers also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed in every webpage.

“The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets,” explained Eset senior malware researcher, Anton Cherepanov.

“Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the Trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.”

At the time of writing, Eset had discovered at least 500,000 downloads of the Trojanized Tor browser and three bitcoin wallets under the control of the hackers filled with around 4.8 bitcoin ($40,000). However, they are also likely to have generated a pile of QIWI cash from victims.

The scheme takes advantage of the fact that the Putin regime is increasingly pushing Russia to adopt an online censorship apparatus akin to China’s. Earlier this year, Putin signed a new law that could allow the government to cut access to foreign servers.

US Lawmakers Call on Apple to Reverse Hong Kong App Ban

US Lawmakers Call on Apple to Reverse Hong Kong App Ban

A group of US lawmakers has criticized Apple’s decision to withdraw an app used by Hong Kong protesters at the behest of Beijing, branding it “deeply concerning.”

The tech giant pulled HKmaplive from the App Store last week, claiming that it was used by the demonstrators to target police officers, and was therefore endangering their physical security.

However, its decision to censor after pressure from the Chinese government has angered senators and representatives in the US, including Ron Wyden, Marco Rubio, Ted Cruz and Alexandria Ocasio-Cortez.

They argued in an open letter that the move contradicts Apple’s purported belief that “our values drive our curation decisions.”

“You have said publicly that you want to work with China’s leaders to effect change rather than sit on the sidelines and yell at them,” it read. “We, too, believe that diplomacy and trade can be democratizing forces. But when a repressive government refuses to evolve or, indeed, when it doubles down, cooperation can become complicity.”

The app is nothing more than a tool for law-abiding protesters “defending their promised autonomy” to avoid clashes with an increasingly aggressive local police force, they said. One teenage protester was shot point blank by an officer earlier this month, despite the latter carrying non-lethal deterrents to repel violent demonstrators.

“We urge you in the strongest terms to reverse course, to demonstrate that Apple puts values above market access, and to stand with the brave men and women fighting for basic rights and dignity in Hong Kong,” the letter concluded.

However, it’s unlikely to sway the Cupertino giant, which has already banned thousands of apps from its China App Store, including various VPNs and titles designed for use by ethnic Tibetan and Uyghur minorities.

The news comes as an emboldened Beijing grows increasingly intolerant of any views seen as critical of its repressive one-party regime.

An NBA team is facing substantial financial losses after a player came out in support of Hong Kongers, while game developer Blizzard said it was banning a player and taking his prize money after he expressed similar views. The group of lawmakers penned a separate letter to the latter company, which is part-owned by Chinese giant Tencent.

US Girl Scouts Launch First National Cybersecurity Challenge

US Girl Scouts Launch First National Cybersecurity Challenge

Girls across the United States of America will take part in the country's first ever National Girl Scouts Cyber Challenge tomorrow. 

Over 3,000 girls have signed up to practice their cybersecurity skills by solving a hypothetical ransomware attack on a moon base. Participants will form an incident response team that must find out who hacked the system and how they did it.

The adrenaline-filled simulation will incorporate both “plugged” stations that will require the girls to utilize traditional coding and hacking skills on laptops and tablets, as well as “unplugged” stations where they must solve written codes. 

The exciting event will allow girls to gain first-hand experience of how coding and cybersecurity are applied in the real world. No prior cybersecurity experience is necessary to take part, as organizers hope to inspire girls who haven't ever tried their hand at cybersecurity to give it a go and see if they like it. 

The challenge is being piloted at participating councils in Georgia, Colorado, Maryland, Texas, California, Arizona, Alabama, Ohio, Massachusetts, and Florida. If it proves successful, Girl Scouts of the USA (GSUSA) plans to roll the event out to all 111 of their councils.  

Presenting the challenge is US defense contractor Raytheon, which in November 2018 committed to a multi-year partnership with GSUSA to encourage girls to pursue computer science careers. Last year, with Raytheon's support, GSUSA launched its first ever national computer science program for middle and high school girls.

A spokesperson for Raytheon said: "Our future needs innovators, engineers and cybersecurity experts and we're finding them right here in today's Girl Scouts. They are cracking cyber challenges while fulfilling their potential. 

"Thanks to events like the Girl Scouts Cyber Challenge brought to you by Raytheon, more girls are seeing themselves as tomorrow’s innovators, engineers, cybersecurity experts and tech leaders."

A spokesperson for GSUSA said: "Raytheon is collaborating with Girl Scouts to help close the gender gap in STEM fields by helping prepare girls to pursue careers in fields like cybersecurity, computer science, artificial intelligence, and robotics. 

"Together, Raytheon and Girl Scouts are reaching girls during formative school years, where research shows peer pressure can sometimes deter girls from pursing their interest in STEM." 

Italians Rocked by Ransomware

Italians Rocked by Ransomware

Italy is experiencing a rash of ransomware attacks that play dark German rock music while encrypting victims' files. 

The musical ransomware, called FTCode, was detected by security analysts at AppRiver in malicious email campaigns directed at Italian Office 365 customers. 

Targeted inboxes have received emails with malicious content posing as resumes, invoices, or documents scans. The emails include a Visual Basic script (.vbs) file that downloads and blasts out Rammstein hits while encrypting files on the victim's computer. 

"The .vbs file initially launches PowerShell to download and play an mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix," wrote AppRiver researchers.

As victims are treated to rousing renditions of "Du Hast" and "Engel," the script reaches out to a different domain to pull down a Jasper malware loader. This .vbs file enables threat actors to load additional malware of their choosing.

Once the files on the user's computer have been encrypted, a note is left on the victim's desktop, directing the user to download, install, and visit an onion site for further instructions. 

In an attempt to establish trust with the user and show that decryption is actually possible, the onion site offers the visitor a chance to test file decryption with one file before they pay the full ransom. 

The cost of the ransom is set at $500 if paid within the first three days, after which it rapidly increases to $25,000. 

David Pickett, security analyst at AppRiver, warned users not to take risks on links sent by strangers and to be particularly wary of any content that asks to be enabled. 

He said: "Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).  

"Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute."  

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Five months on from a ransomware attack that brought the city to its knees, Baltimore has purchased cyber-insurance for the first time.

On May 7, Baltimore became the second US city to fall victim to a new strain of ransomware called RobbinHood. The attack took all the city's servers offline with the exception of essential services. As a result, real estate transactions were suspended, water billing was disrupted, and city employees were unable to access key documents and email. 

While Baltimore's mayor, Bernard C. "Jack" Young, won praise for not paying hackers the $76,000 ransom they demanded to decrypt the files affected by the attack, the city now faces a massive recovery bill. So far, the attack is estimated to have cost the city $18m in direct costs and lost or delayed revenue, and the figure is expected to rise. 

In a bid to protect itself from future threats, on Wednesday Baltimore approved not one but two cyber-insurance policies, each of which offers $10m in liability coverage and has a $1m deductible. 

After a competitive bidding process involving 17 different carriers, Baltimore opted to purchase a plan from Chubb Insurance costing $500,103 in premiums and a second plan from AXA XL Insurance for $335,000. Each policy will provide the city with coverage against cyber-attacks for a period of one year. 

Lester Davis, a spokesman for Mayor Young, said: "The city is going to reassess every year. They will have to go through this process again when the terms are nearing maturity."

Mayor Young said that having cyber-insurance did not dictate how Baltimore would respond to future cyber-attacks. 

Asked whether the city was more likely to pay hackers now that it had coverage, Young said: "I would talk to my team and decide that way."

Frank Johnson, who was Baltimore's chief information officer at the time of the attack, stepped down permanently from the role earlier this month after being placed on unpaid leave in September. Todd Carter, who was acting as interim CIO for the city, has now taken on the CIO position full time. 

UK Government Announces Major New Cybersecurity Partnerships

UK Government Announces Major New Cybersecurity Partnerships

The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors.

Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity.

According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year.

The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google.

"Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite.

“Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”

Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

The government also announced six new “prosperity partnerships” — a £40m project designed to bring public and private sector bodies together with academia to develop emerging technologies. On board so far are Jaguar Land Rover, Eli Lilly and Company, Toshiba Research Europe, Microsoft, M Squared Lasers, Siemens and Nikon.

The first partnership, announced today, is between Toshiba Research Europe, University of Bristol, GCHQ and Roke Manor Research and will aim to develop more resilient wireless networks to tackle financial extortion, terrorism and destructive attacks.

“Secure Wireless Agile Networks (SWAN) and the wider Prosperity Partnership initiatives bring together a cadre of engineers from industry, government and academia with invaluable commercial insights and in-depth technical skills capable of delivering holistic solutions for a productive, healthy, resilient and connected nation,” said professor Mark Beach of the University of Bristol.

"This UKRI scheme uniquely brings together partnerships who are ideally positioned to deliver technology for the wider benefits of society."

New US Privacy Bill Would Intro Jail Time for CEOs

New US Privacy Bill Would Intro Jail Time for CEOs

A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs.

Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.

Like the GDPR, it would issue maximum fines of up to 4% of annual revenue to non-compliant firms, but unlike the EU law, could also levy 10-20 year criminal sentences for executives who knowingly lie to the FTC.

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said.

“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”

Other provisions in the bill include: the levying of new tax penalties on CEOs who lie about privacy protections; a requirement for firms to conduct privacy assessments on the algorithms that process consumer data; and the establishing of new privacy and cybersecurity standards.

However, it’s unlikely the legislation will become law. In the meantime, states are enacting their pwn privacy laws, with California leading the way.

DNC Russian Hacking Group Makes a Comeback

DNC Russian Hacking Group Makes a Comeback

Security researchers have uncovered new activity from the notorious Kremlin-backed APT29, or Cozy Bear, group, in an information-stealing campaign targeting foreign governments.

APT29 was pegged for the infamous cyber-attacks on the Democratic National Committee (DNC) in the run-up to the 2016 US Presidential election, which many believe helped to install Donald Trump in the White House.

However, up until now there had been little other evidence of activity from the group except from a phishing campaign in November last year.

Now ESET researchers claim to have uncovered a new operation from the group dating back to 2013, after it discovered three new malware families: PolyglotDuke, RegDuke and FatDuke.

Targets for Operation Ghost include foreign ministries in at least three different countries in Europe and a Washington DC-based embassy of a European Union country.

The vendor claimed to have discovered multiple attack techniques often used by the group, including use of Twitter and other social sites to host C&C URLs; steganography in images to hide payloads/C&C comms; and use of WMI for persistence.

In addition, the researchers found that some machines infected with PolyglotDuke and MiniDuke had been infected with CozyDuke just months earlier.

“We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known,” explained ESET.

“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.”

The group’s MO is to steal credentials and move laterally through networks, sometimes using admin credentials to compromise machines. PolyglotDuke uses social sites for C&C as well as steganography; RegDuke uses Dropbox as a C&C server; MiniDuke is a second stage backdoor; and FatDuke represents the third stage, featuring functionality to steal logins and data.

A New Strain of Malware Is Terrorizing Docker Hosts

A New Strain of Malware Is Terrorizing Docker Hosts

For the first time in history, researchers have discovered a crypto-jacking worm that spreads via unsecured Docker hosts. 

Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).

The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in nineties flick Tremors. Just like its onscreen predecessors, the Graboid is quick but relatively incompetent. 

Graboid is designed to work in a randomized way that researchers said holds no obvious benefits. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.

Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior. 

"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts." 

Graboid doesn't hang around for long, mining cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm works by gaining an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host. 

Researchers warned that Graboid's nip could potentially turn into a powerful bite and advised organizations to safeguard their Docker hosts. 

Researchers wrote: "While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored." 

Tim Erlin, VP, product management and strategy at Tripwire, advised developers to tackle security sooner rather than later. 

He said: "DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ."

Imposter Emails Plague Healthcare Industry

Imposter Emails Plague Healthcare Industry

A study looking at cyber-attacks on the healthcare industry has found that 95% of targeted companies encounter emails spoofing their own trusted domain. 

To create the Protecting Patients, Providers, and Payers 2019 Healthcare Threat Report, cybersecurity company Proofpoint analyzed nearly a year’s worth of cyber-attacks against care providers, pharmaceutical/life sciences organizations, and health insurers.

Hundreds of millions of malicious emails later, it was clear to researchers that cyber-criminals were not just attacking infrastructure, but were also using email to directly target people.

Analyzing data spanning the second quarter of 2018 to the first quarter of 2019, researchers found that at each healthcare organization attacked, an average of 65 staff members were targeted. 

Researchers observed a preference for certain keywords in the spoof emails attackers sent when attempting to con money or information out of the patients and business partners of healthcare organizations. When sending emails designed to look like they came from a healthcare provider, criminals commonly used the words "payment," "request," and "urgent" in the subject line.

Healthcare organizations targeted by impostor emails received 43 messages of this type in Q1 2019—a 300% jump from a year ago and more than five times the volume in Q1 2017. Not a single organization analyzed in the study saw a decrease in impostor attacks over that period, and more than half were attacked more often in Q1 2019 than they were in Q1 2017. 

The average impostor attack spoofed 15 healthcare staff members on average across multiple messages. 

According to researchers, threat actors were adept at knowing just what to put in an email to spur healthcare staff into transferring money or sharing sensitive information.

Researchers wrote: "Attackers have grown skilled at researching their targets and using social engineering to exploit human nature. Some lures are just too well researched, expertly crafted, and psychologically potent to resist every time.

"Social engineering works because it taps into the way the human brain works. It uses deep-rooted impulses—such as fear, desire, obedience, and empathy—and turns them against you. And it hijacks your normal thought process to spur you to act on attackers’ behalf."

Morning was the attackers' favorite time to strike, with the largest volume of imposter email sent between 7 a.m. and 1 p.m. in the time zone of the targeted organization. 

Recruitment Sites Expose Personal Data of 250k Jobseekers

Recruitment Sites Expose Personal Data of 250k Jobseekers

The personal details of 250,000 American and British jobs seekers have been exposed after two online recruitment companies failed to set their cloud storage folders as private. 

Names, addresses, contact information, and career histories were compromised as a result of the oversight by US jobs board Authentic Jobs and UK retail and restaurant jobs app Sonic Jobs.

Each company stored the resumes of hopeful job applicants in cloud storage folders known as buckets. The buckets were provided by the world's biggest cloud service, Amazon Web Services (AWS), which stores data in servers connected to the internet.

Applicants' data was exposed when both companies set the privacy settings on their buckets to public instead of private. This error meant that the resume of someone who applied for a job could be viewed and also downloaded by anyone who knew the location of the buckets.

Authentic Jobs, whose client list includes accounting firm EY and newspaper the New York Times, made at least 221,130 resumes publicly accessible. A further 29,202 resumes were exposed by app Sonic Jobs, which international hotel chains Marriott and InterContinental often use to recruit new staff. 

According to Sky News, which revealed the bucket-related breaches yesterday, the total number of resumes exposed may be higher. 

After being warned of the exposure by Sky News, both companies changed their bucket settings to private. 

"We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said in an email.

Security researcher Gareth Llwellyn, who discovered the bucket breaches, said: "By finding and closing these buckets we can protect people who placed their trust in these businesses and—hopefully—start drawing attention to the dangers of storing personal data in a woefully insecure manner."

Authentic and Sonic will now join Verizon, Dow Jones, GoDaddy, and WWE on a growing list of organizations that have exposed data via publicly configured AWS buckets. 

Llewellyn said that the onus is on companies to ensure the data that they store in the cloud is being stored safely.  

"Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn't preclude them from ensuring the data entrusted to them is safe," he said.

Rogue Mobile App Fraud Soars 191% in 2019

Rogue Mobile App Fraud Soars 191% in 2019

Global fraud attacks soared by 63% from the second half of 2018 to the first six months of this year, with fake mobile applications a growing source of malicious activity, according to RSA Security.

The firm’s Quarterly Fraud Report for Q2 2019 is a useful snapshot of current trends based on detections by the vendor.

Phishing, including vishing and smishing, continues to be the biggest source of fraud — representing over a third (37%) of attacks in Q2, with attacks climbing 6% from 2H 2018 to 1H 2019.

Canada, Spain and India were the top three countries targeted by phishing, accounting for 61% of total attack volume.

However, it is attacks via rogue mobile applications that present the fastest-growing threat, soaring 191% over the same period. These attacks, which involve the spoofing of brands to trick users, now account for 29% of the total.

Elsewhere, there were also significant increases in detections of financial malware (up 80%) and social media attacks (37%).

In the e-commerce space, RSA noted that 57% of fraud transaction value in Q2 2019 came from a new device but trusted account. In online banking 88% of payment fraud attempts originated from the same combination: trusted account and new device. That is a significant increase from Q1 figures of just 20%.

This highlights the continuing popularity of account takeovers as a highly successful threat vector, RSA said.

Daniel Cohen, director of the Fraud and Risk Intelligence Unit at RSA Security, argued that digital transformation is introducing new risks that organizations must manage.

“From one-click payment buttons to mobile apps from our favorite retailers, spending our money has never been easier. However, while the growth of digital might be good for our busy schedules, it has also opened up numerous new avenues for fraudsters,” he added.

“The fact that fraud via fake mobile applications tripled in the first half of 2019 is testament to how perpetrators will constantly seek out weak points by exploiting consumers’ growing trust in mobile apps.”

Banks need to layer up protection, while consumers must play their part by understanding the tell-tale signs of phishing and taking time out to verify application publishers before downloading, Cohen advised.

World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

Global investigators have traced Bitcoin payments to locate and shutdown the dark web’s largest child exploitation website, arrest hundreds of users and rescue dozens of abused children, according to unsealed court documents.

On March 5 2018, agents from Homeland Security Investigations (HIS), Internal Revenue Service, Criminal Investigation (IRS-CI), the UK’s National Crime Agency (NCA) and Korean National Police arrested Jong Woo Son, 23, for operating the Welcome to Video site, according to the indictment.

The raid led to the seizure of round 8TB of child exploitation videos, and the arrest of over 300 alleged users of the site, believed to be the largest of its kind in terms of material stored. They hailed from the US, UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia, and have all been charged.

Some 23 children were also rescued from abuse by users of the site in the US, UK and Spain.

The vital intelligence behind the successful operation was generated by technology which enabled investigators to trace Bitcoin payments made by users of the site — each of whom had a unique cryptocurrency address assigned on registering an account, in order to buy videos.

The site is said to have had capacity for at least one million such addresses.

Investigators used a product known as Chainalysis Reactor to analyze the flow of digital funds to and from the site, via Bitcoin exchanges.

“Because exchanges typically perform Know Your Customer (KYC) processes, many were able to provide copies of identification, addresses, and other relevant transactions associated with those accounts,” explained Chainalysis.

“While in many cases the information supplied by the exchanges was enough to identify WTV users, in other cases IRS-CI was able to combine the account information with open source intelligence and standard investigative techniques to identify users.”

The firm was also able to break down regionally-specific information for investigators to enable global arrests, it said.

Son is already serving time in South Korea where he was convicted of charges relating to the dark web site.

US Ordered Secret Cyber-Strike on Iran: Report

US Ordered Secret Cyber-Strike on Iran: Report

The US ordered a secret cyber-attack on Iranian IT systems in response to the alleged Tehran-backed September 14 attacks on Saudi Arabian oil facilities, according to a new report.

Two anonymous US officials told Reuters that the attacks were targeted at Iranian hardware in an operation focused on limiting the Islamic Republic’s ability to spread propaganda.

There are few other publicly available details about the raid, although it appears to have been a much smaller-scale and less sophisticated effort than the infamous Stuxnet operation which disrupted Iran’s nuclear program almost a decade ago.

It would make sense though, given President Trump’s reluctance to get embroiled in a full-scale conflict with the country. He is reported to have called off air strikes on Iranian facilities following the June downing of a US Navy drone, for fear of escalating the stand-off.

Dave Palmer, director of technology at Darktrace, argued that nation states are increasingly turning to cyber-strikes to launch attacks on physical hardware, making it more important than ever that such infrastructure is well protected.

“We have entered a new age of cyber warfare, where sophisticated groups are using advanced software that is capable of going under the radar of traditional security controls, plants itself in the heart of critical systems and uses that knowledge to its advantage,” he said.

“Relying on human security teams will not be enough to resist attackers that are backed by nation states and therefore highly sophisticated. The only way to combat these attacks will be with AI that can automatically respond to attacks before any damage is done.”

A Tripwire study from earlier this month revealed that 93% of security professionals in transportation, manufacturing and utilities fear cyber-attacks shutting down operations, with two-thirds (66%) claiming that it could have catastrophic consequences, such as an explosion.

Vermont Schools Spy on What Students Do Online

Vermont Schools Spy on What Students Do Online

Schools in Vermont are hiring companies to monitor what their students post and search for online.

According to a report by investigative journalism platform VTDigger, five schools in the Green Mountain State hired Burlington-based firm Social Sentinel to track the online activities of their students. 

Social Sentinel uses keyword-based algorithms and machine learning to scan social media posts within a set geographic area for words that could indicate that a student is at risk or poses a threat to others. 

When a particular word is discovered, a red flag is raised, causing an alert to be sent to school officials. For an additional fee, Social Sentinel can also scan the contents of students' emails. The aim is to alleviate problems like cyber-bullying, self-harm, and teen suicide and to prevent mass shootings or other violence.

A further eight schools told VTDigger that they had contracts with vendors to monitor activity on district services and school-sponsored email for browsing habits and keywords that could mean a student is a threat or in danger. Companies hired to carry out the monitoring included SecurlyBark, and Lightspeed Systems.

Middle schools in the Burlington school district reported using a product called Admin, which is made by GoGuardian. Admin is a multi-layered filtering solution powered by advanced machine learning, which allows school officials to keep tabs on what students search for, watch, and read while using district devices. 

The information was uncovered when VTDigger sent a public records request to all 52 superintendents in Vermont, asking if any social media monitoring contracts had been signed. 

Contacted for comment by VTDigger, Social Sentinel founder Gary Margolis said: "We built a technology that actually helps prevent bad things from happening by giving information that can give context to what’s going on, in a way that respects privacy, and all I do is get questioned by you and folks in the media about privacy issues. It’s mind-bogglingly frustrating."

Brian Schaffer, principal at Lamoille Union High school, which contracted with Social Sentinel for a year in 2015, said the technology "wasn’t as functional as I had hoped it would be."

According to Schafffer, most of the daily alerts flagged irrelevant posts, some of which were written by Quebec tourists bragging about buying Heady Topper beer while on vacation in Vermont.

task force created by Gov. Phil Scott earlier this year to help prevent school shootings recommended that Vermont invest in monitoring software to scan social media posts statewide. The task force was formed after a plot by Fair Haven Union High School student Jack Sawyer to carry out a mass shooting at his school was discovered in February 2018.

Over 550 Fake US Election Web Domains Discovered

Over 550 Fake US Election Web Domains Discovered

External threat intelligence experts have detected hundreds of fake election web domains designed to target American voters.

New research by Digital Shadows uncovered over 550 fake domains ranging from false funding pages to counterfeit candidate sites set up against 19 Democrat and four Republican presidential candidates.

Most of the sites—68%—simply redirect the user to another domain, often to that of a rival candidate. Worryingly, 8% of domain squats discovered redirect users to file converter or secure browsing Google Chrome extensions that can be used to infringe on voter privacy and host potentially dangerous malware if downloaded. 

One false funding page exploited the possibility of a typo to encourage voters to switch their allegiance. Financial donors who accidentally type WinRde.com when searching for Republican fundraising page WinRed.com are taken to ActBlue.com, a fundraising site for the rival Democratic party. 

Harrison Van Riper, strategy and research analyst at Digital Shadows, told Infosecurity Magazine: "We detected a few redirecting domains (donaldtrump[.]cloud, for example), which sent the browser to doyoulikebread.weebly[.]com and would pose the straightforward question of "Do You Like Bread?" with Yes or No options. 

"Yes would lead the user to a video for “You’re the one that I want” from the musical Grease, and No would lead to a video of Oprah Winfrey exclaiming how much she likes bread. The internet can be a weird place, sometimes!"

In total, 66 of the 550+ domains were being hosted on the same IP address, registered under the privacy protection service WhoisGuard, Inc. and potentially operated by the same individual. Digital Shadows was unable to attribute any of the fake domains to a specific person or group. 

"We really can't say who is responsible for these redirects, but hackers with a sense of humor is certainly a possibility. It could also be individuals who want to see their favorite candidate succeed," Van Riper told Infosecurity Magazine.

Van Riper said that the enactment of the GDPR regulation has made it harder to tell who or what organization stands behind a specific domain. Under the new rules, domain registration details have been removed from official records.

Instead of changing the law to prevent fake sites, Van Riper suggests registrars could do more to combat the problem. He said: "I don't see this as a legal issue; rather, I think that registrars could do more to verify that people registering these domains are doing so for legitimate purposes. This is a huge task, but ultimately, it's within the registrar's control to help combat the issue of people setting up fake domains for legitimate websites."

UK Abandons Planned Online Pornography Age Verification System

UK Abandons Planned Online Pornography Age Verification System

The British government has dropped plans to introduce a national online pornography age verification system because implementing it would be too difficult.

A nationwide system to ensure X-rated online content cannot be viewed by children was first proposed in 2015 by the then culture secretary Sajid Javid. However, it took the proposal two years to become law.

Under the proposal, pornography websites would be required to verify that users were age 18 or older. Suggested ways of doing this included running verification checks on credit cards and making porn passes available to purchase from newsagents on the presentation of photo ID. 

Websites that refused to go along with the age checks could have been blocked by UK internet service providers or had their access to payment services revoked. 

The system was going to be funded and run by private companies and overseen by the British Board of Film Classification.

The system was initially due to come into force on July 15 this year but was then delayed for six months because the government had neglected to announce the plan to the European Union. 

Today, culture secretary Nicky Morgan told parliament that the age verification system would be dropped altogether. Morgan said that the government would focus instead on implementing broader child protection measures as laid out in the online harms white paper published in April 2019. 

The white paper proposes establishing in law a new duty of care toward internet users, which will be overseen by an independent regulator. Companies will be held to account for tackling a more comprehensive set of online harms, ranging from illegal activity and content to behaviors that are harmful but not necessarily illegal.

"The government’s commitment to protecting children online is unwavering. Adult content is too easily accessed online and more needs to be done to protect children from harm," said Morgan. 

"This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care."

While privacy campaigners who raised data security concerns over the proposed system may be celebrating its abandonment, British businesses that had invested time and money in developing verification products are sure to be disappointed.

Industry Calls for Standardization of CISO Role

Industry Calls for Standardization of CISO Role

Professionals from the cybersecurity industry have called for clarity regarding the role of Chief Information Security Officers (CISOs).

Research from Cyber Security Connect UK (CSCUK), a forum for cybersecurity professionals, has stated that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes.

The research also pointed to a lack of skilled, fully qualified professionals coming into the profession.

Mark Walmsley, the chair of the CSCUK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyber-attack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defense against such events is a dedicated person to lead the fight against cyber-attacks."

Not only does this person need to be qualified, Walmsley added, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.

“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardization and guidance can the role be fully effective. As further digitization of processes occurs and cyber-attacks become more sophisticated, this need will become only greater,” Walmsley argued.

According to CSCUK, in order for standardization to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.

“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained. “This includes comparing the role within different organizations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries.”

Over 100 Million IoT Attacks Detected in 1H 2019

Over 100 Million IoT Attacks Detected in 1H 2019

A security vendor has detected over 100 million attacks on IoT endpoints in the first half of 2019 alone, highlighting the continued threat to unsecured connected devices.

Russian AV vendor Kaspersky said its honeypots had spotted 105 million attacks coming from 276,000 unique IP addresses in the first six months of the year. The number of attacks is nearly nine times more than the figure for 1H 2018 when only 12 million were detected, originating from 69,000 IP addresses, the firm added.

The figures can be seen in the context of a smart home boom, with consumers buying in increasing numbers connected devices which often have poor in-built security and/or are not properly secured by their owners.

Mirai-like attacks which take advantage of weak factory-default log-ins for such devices are increasingly common, conscripting IoT endpoints into botnets which can then be used to launch DDoS and other attacks, Kaspersky explained. Some attacks also exploit old unpatched vulnerabilities to hijack devices, it added.

The most common malware types are Mirai (39%) and Nyadrop (38.6%), which itself often serves as a Mirai downloader. Some way behind them is Gafgyt (2%), which uses brute-forcing techniques to gain persistence.

“Judging by the enlarged number of attacks and criminals’ persistence, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Kaspersky security researcher, Dan Demeter.

“This is much easier than most people think: the most common combinations by far are usually ‘support/support,’ followed by ‘admin/admin,’ ‘default/default.’ It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

Devices in China were most affected by attacks, accounting for 30% of infections in the first half of the year, followed by Brazil (19%) and Egypt (12%).

Revealed: State-Sponsored Campaign that Helped China Build an Aircraft

Revealed: State-Sponsored Campaign that Helped China Build an Aircraft

The Chinese government orchestrated a sophisticated multi-year cyber-espionage campaign to gain parity with western aerospace firms and help it build the C919 commercial airliner, a new report has alleged.

The story is an exemplar of the lengths Beijing is prepared to go to steal IP and force tech transfers from foreign companies and nations in order to gain self-sufficiency.

“What is known from CrowdStrike Intelligence reporting and corroborating US government reporting is that Beijing uses a multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the CrowdStrike report claimed.

“Specifically, state-owned enterprises (SOEs) are believed to help identify major intelligence gaps in key projects of significance that China’s intelligence services then are likely tasked with collecting.”

In this case, that job was taken by the Jiangsu Bureau of the Ministry of State Security (JSSD), tracked by CrowdStrike as Turbine Panda.

Dating back to 2010, the operatives undertook a broad cyber-espionage and human intelligence campaign to target multiple aerospace providers including Honeywell, Safran, Capstone Turbine and others.

Interestingly, many of the operatives were sourced from the local cybercrime community, with PlugX and Winnti hacking tools favored, as well as unique malware linked to a group dubbed “Sakula.”

As part of the campaign, they recruited an insider at General Electric (Zheng Xiaoqing), joint manufacturer of the key LEAP-X turbofan, and a Chinese-born army reservist (Ji Chaoqun) who entered the US on an F-1 student visa to study electrical engineering.

Then the US fightback began: Sakula developer Yu Pingan was arrested whilst attending a US security conference, and insiders Zheng and Ji Chaoqun were also picked up. Other China-based operatives and insiders were also indicted. However, the biggest coup was the arrest of their handler, MSS officer Xu Yanjun: alleged deputy division director of the Sixth Bureau of the JSSD in charge of insider threats.

The report claimed that JSSD operatives were also responsible for the breach of the Office of Personnel Management (OPM) and health insurance firm Anthem.

Depressingly, it seems that even these arrests will do little to halt intrusive Chinese cyber-activity.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” the report concluded. “China still seeks to decrease its dependency on this [Airbus-Boeing] duopoly and eventually compete on an even footing with them.”

Major Carding Forum BriansClub Suffers Data Breach

Major Carding Forum BriansClub Suffers Data Breach

One of the web’s largest marketplaces for stolen card data has been hacked, leading to the theft the second time over of more than 26 million cards.

A source shared the news with security researcher Brian Krebs, whose name and likeness have been used for years by the administrators of the online BriansClub store.

It is claimed that the trove includes credit and debit card details stolen from bricks-and-mortar retailers from the past four years, including eight million uploaded so far in 2019.

The binary data could allow hackers to create fake magstripe cards with which to fraudulently purchase goods in stores. Although the roll-out of EMV is intended to put an end to this practice, there are still enough merchants and cardholders using the legacy cards to make such forums a going concern.

In fact, Krebs calculated that with cardholder losses estimated at $500 per card, BriansClub could have generated as much as $4 billion in losses from the roughly nine million cards it has sold to fraudsters since 2015.

Tim Mackey, principal security strategist at Synopsys, argued that whether you’re running a global enterprise, a small business or an underground carding forum, there are several shared cybersecurity truths.

“First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data,” he explained.

“Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of “how,” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons."

#ISWUK: Ransomware Remains Top Threat For Present and Future

#ISWUK: Ransomware Remains Top Threat For Present and Future

Ransomware remains the dominant threat for business now, and will continue to be in the future.

Speaking at the NTT Security Information Security World 2019 conference in London, Nicole van der Meulen, head of strategy and development at Europol’s European Cybercrime Centre (EC3) reflected upon the top cyber-threats impacting the security of data today.

van der Meulen Highlighted the five top current threats as:

  • Ransomware
  • Compromised data
  • DDoS attacks
  • Card not present fraud
  • The Dark Web

Van der Meulen said that whilst ransomware was not new and efforts are often determined to be “amateur,” there is a move to more sophisticated attacks “and it is the most dominant threat when it comes to what is reported.”

She added that ransomware reports from law enforcement and the private sector are not different from last year, there has been a “decline in volume” of attacks. However, the next step is to target more profitable targets who are willing to pay, and this is a more efficient approach.

She also said that DDoS attacks are becoming more professional with a financial focus. Meanwhile, card not present fraud continues to rise “and is the most stable” as compromised data is readily available. “The cost of doing business has been accepted, and it is a facilitator for other crimes.”

While there are changes in terms of threats and threat actors, Van der Meulen pointed out that there is a terminology problem, as “we call it cybersecurity, but talk about information security, and confidentiality, integrity and availability” and everything still begins with unauthorized access and the next stage is down to the motive of the attacker.

She also said that there is a lot of focus on the future threats and technology, and while there is a need to predict the emphasis on attackers using AI, it is still cheap to get and use ransomware: “We haven’t solved today’s problems, so why focus on tomorrow? Don’t get too far ahead when threats are the same, but just wearing new clothes.”

Canadian Students Are Sharing Passwords to Prove Friendships

Canadian Students Are Sharing Passwords to Prove Friendships

Canadian students are sharing their online passwords with one another as proof of friendship, according to the Quebec Access to Information Commission (CAI).

Since 2016, CAI has toured secondary schools across Quebec with a campaign called "Ce que tu publies, penses-y" which roughly translates as "Think before you publish."

The purpose of the cybersecurity campaign is to warn adolescents about the risks and consequences of being active online, especially on social media. So far, 32,000 students have been exposed to the company, but despite the efforts of CAI, the incredibly important message doesn't seem to be getting through.

Speaking to The Canadian Press, "Ce que tu publies, penses-y" program coordinator Isabelle Gosselin said that students don't believe that they are at risk and do nothing to protect their privacy.

According to Gosselin, proof of the extent of this problem is that three out of four high school students raise their hands when asked if they share passwords with friends.

Gosselin said that they are almost proud to do it, often seeing it as proof of friendship or of love. In fact, she said the trend has become very fashionable. 

Government organization CAI wants to encourage young internet users to adopt safe and responsible behavior, particularly in terms of privacy and respect for privacy. However, Gosselin said that when she tries to warn teenagers about the potentially dire consequences of sharing their passwords, they respond with "Don't you think you're exaggerating, ma'am?"

A fresh incarnation of the CAI cybersecurity tour will launch this month in an effort to convince teens to adopt best practices when it comes to online security. Gosselin said the tour's goal is to educate students who think they are invincible. 

During the 2019–2020 school year, the commission will again take their "Ce que tu publies, penses-y" to Quebec high schools in hopes of persuading students to take cybersecurity seriously. 

Students will be shown an hour-long presentation that addresses a number of concepts, such as identity theft, sexting, geolocation, and privacy settings from a privacy perspective. 

To ram the point home, the presentation includes genuine real-life examples of what happens when cybersecurity guidelines aren't followed. Some of the stories that students will hear relate to incidents that have happened within their own school.

A Quarter of Americans Want Cyber-flashers Jailed for 5 Years

A Quarter of Americans Want Cyber-flashers Jailed for 5 Years

survey has revealed that a quarter of Americans think that sending unsolicited nude digital images should carry a five-year jail sentence and a hefty fine. 

The survey of 1,058 Americans aged 18 to 73 was carried out on behalf of BadGirlsBible.com. Participants were asked questions about how they send and receive photos in the modern world. 

Seventy percent of women and 50% of men surveyed said they thought that a jail sentence is appropriate for cyber-flashing, with an average recommended term of 1.5 years or a fine of $4,400. These suggested penalties are roughly equivalent to those meted out for committing a class A misdemeanor, such as a DUI or an assault. 

Some believed the punishment should be even more severe, with 25% recommending a jail sentence of five years and a fine of $10,000, which is equivalent to the punishment for a class D felony, like voluntary manslaughter or stalking.

Overall, 89% of women and 79% of men said they think culprits should be fined, with women recommending a fine of $5,700 on average, compared to the $3,300 deemed appropriate by men.

While 40% of women and 21% of men polled thought that people who shared others’ nudes without consent should be added to a public sex offender registry, 58% of women and 38% of men thought culprits' details should be placed on a specially created database of sext offenders.

The survey, conducted in May, revealed that women under age 30 are much more likely to be the unhappy recipients of an unwanted naked image than men in the same age category. While just 12% of men said they had received a nude picture that they didn't want, nearly half of women—47%—had been imposed on by a cyber-flasher. 

Worryingly, 12% of women and 23% of men under age 30 admitted that they had obtained a nude without consent. The most popular way of doing this was by taking a screenshot of a temporary image; however, nudes had also been acquired via friends, captured from a video call, and purchased from a third party. 

Perhaps the most alarming method of getting a nude without the subject's consent—taking a photo of them in person without their knowledge—had been practiced by 10% of men and 6% of women under age 30.

Florida Women’s Clinic Warns 520,000 Patients of Data Breach

Florida Women's Clinic Warns 520,000 Patients of Data Breach

A Florida clinic providing specialized medical care for women has alerted all current and former patients that their personal information and medical records may have been exposed following a data breach. 

North Florida OB-GYN, which joined Women's Care Florida on May 6, 2019, became aware that a cyber-attack had been waged against its network on July 27 of this year. The breach is thought to have taken place on or before April 29, 2019.

In a statement released on their website, North Florida OB-GYN wrote: "Shortly after becoming aware of the incident, North Florida OB-GYN completed a preliminary assessment, in consultation with third-party information technology consultants, and determined that there had been improper access to certain portions of its networked computer systems and that a computer virus had encrypted (made unreadable) certain files on its computer systems."

The assessment findings prompted the clinic to shut down its networked computer systems, initiate its incident response and recovery procedures, and notify the Federal Bureau of Investigation of the breach. The clinic has also launched a confidential forensic investigation into the cyber-incident. 

Medical or personal information affected by the incident may have included name, demographic information, date of birth, Social Security number, driver’s license or identification card number, employment information, health insurance information, and health information, such as treatment, diagnosis, and related information and medical images. 

The affected computer systems did not contain any credit or debit card or financial account information.

All 528,188 patients of North Florida OB-GYN have been contacted by letter and warned that their personal data may have been exposed. 

In a statement released on their website, North Florida OB-GYN wrote: "There is no evidence to date that any unauthorized person has actually viewed, retrieved, or copied any medical or personal information."

The clinic has advised patients to remain vigilant by regularly reviewing their account statements, monitoring free credit reports, and reporting any suspicious activity to their financial institutions.

Virtually all of the encrypted files have now been recovered, and North Florida OB-GYN has taken actions to strengthen security safeguards for the affected systems and to prevent similar incidents.

#ISWUK: Trust Erosion Preventing Business Transformation

#ISWUK: Trust Erosion Preventing Business Transformation

An Erosion trust, and a lack of situational awareness, are continuing to harm advancements in cybersecurity and digital transformation.

Speaking at NTT Security’s Information Security World event in London, Thales CTO Jason Hart reflected upon the journey of 50 million users to radio, television, internet and, most recently, the Pokemon Go app. He likened this journey to the transformation of businesses for data and digital services, as “this is happening to every part of the organization.”

Hart said that “innovation is not about new technology, it is about taking the user experience and making it easier to consume.” This can lead to “habit forming” which has both positive and negative impacts, and this should challenge businesses to make technology “easier and simpler.”

However, data breaches have led to an erosion of trust, and Hart said that “we cannot solve problems using the same thinking” as we invest money in cybersecurity products and services, yet breaches continue to happen. “The approach has not evolved, we are getting there, and I can see an improvement,” he said.

Hart predicted that we will continue to have a “major problem regarding the integrity of data” as we have the “perfect storm of more data, children born into a data world, and yet we still see breaches.” Hart argued that this can be eradicated quickly by realizing situational awareness, and for businesses to realize which of the following they fit into:

  • Situational aware – understand critical elements of data, people and process
  • Situational ignorance – not looking or considering impact of people, data and processes
  • Situational arrogance – consideration of people, data and process, however no action is taken

“Be situationally aware and look to the needs of the organization and of the user, as different users have different needs,” he concluded, recommending businesses to mitigate risks and consider these across technology, humans and processes.

Ex-TalkTalk Security Leader to Take on Firm in Unequal Pay Dispute

Ex-TalkTalk Security Leader to Take on Firm in Unequal Pay Dispute

A former TalkTalk executive who led the company’s program to recover from a major 2015 breach is crowdfunding legal fees to bring a landmark equal pay case against the ISP.

Rebecca Burke worked as program director for the embattled UK firm as part of its Top 50 Leadership Team to deliver the top 10 highest priority programs for the business.

These included a strategy to bounce back from the breach in which hackers managed to access the personal details of over 156,000 customers, including 15,000 who also had their financial data exposed.

The ISP was eventually fined £400,000 by privacy watchdog the Information Commissioner’s Office (ICO) for serious failings in its security processes which led to the incident.

However, despite her experience of over two decades working in various public and private sector organizations, Burke alleged she was being paid significantly less at the firm than some male colleagues.

“In May 2017 I was shocked to discover that I had been singled out for redundancy. The suspicious circumstances led me through a slow and painful appeals process that eventually exposed the fact that TalkTalk had been paying me 40% less salary and 50% less bonus than the three other male Programme Directors that were in my team doing the same job,” she explained on her crowdfunding page.

“Myself and my family have endured years of financial and emotional stress in this fight for justice against a giant corporation. I have sacrificed my career, sanity and financial stability because I want to help build a fairer future for our young women and girls by holding our UK businesses to account when they break the equal pay laws that women fought so hard for 50 years ago.”

A personally funded tribunal in 2018 was postponed after Burke’s barrister issued an unusual request for the panel to stand down on the grounds that it was hostile to her case.

She has already received support from BBC journalist, Carrie Gracie, women’s rights group The Fawcett Society and Sam Walker, who won her equal pay and unfair dismissal case against the Co-Op Group in 2018.

The news of Burke’s tribulations will be a PR blow for a cybersecurity industry struggling to become more gender diverse. The latest figures suggest women comprise just a quarter (24%) of roles globally.

Analyst Urges UK CISOs to Act on Brexit

Analyst Urges UK CISOs to Act on Brexit

A leading analyst firm has warned British CISOs to focus on three key areas to mitigate the potential fallout from the UK’s departure from the European Union.

Whether the UK strikes a withdrawal agreement with the EU or not, security bosses must carefully consider action to maintain unhindered international data flows, and manage potential staffing and regulatory challenges, according to senior analyst, Paul McKay.

He warned that a no-deal Brexit would invalidate current equivalence between the UK and EU’s data protection regimes, putting up barriers to seamless data transfers.

“We recommend that CISOs and DPOs start looking into alternative means now for guaranteeing the legal basis for their international data flows between the UK and EU,” he urged. “This can either be through model clauses or a binding corporate rules program, for example, which are already widely used for transfers outside of the EU.”

CISOs should also work hard to provide reassurance and support for any EU citizens on the staff roster, some of whom may need help with applications to remain in the country. More challenging still will be recruitment.

“Restrictions on the numbers of EU citizens entering the UK and vice versa are generally expected, so review your operating model carefully to mitigate the impact that restrictions on freedom of movement could bring to your security organization structure and headcount deployment,” said McKay.

“In addition, consider the implications for business travel for any service providers and staff supporting you from outside of your main headquarters locations.”

Finally, there are the requirements from EU laws PSD2, GDPR and NIS Directive to report breaches to the relevant authorities. McKay urged UK CISOs to review and update reporting lines as regulatory relationships change, as well as to update incident response plans and any supporting operational processes.

Pitney Bowes and Groupe M6 Hit By Ransomware

Pitney Bowes and Groupe M6 Hit By Ransomware

A US mailing technology company and one of France’s largest media groups have been hit by ransomware over the past few days, highlighting the continued threat to businesses of all types.

Pitney Bowes, which provides services to print labels, track parcels and manage expenses, revealed the news in an update overnight.

It claimed a third-party attack “encrypted information on some systems and disrupted customer access to our services.”

SendPro products, postage refill, and Your Account access have all been affected, although the firm said there’s no evidence that customer accounts or data have been impacted.

“Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter,” it added. “We are considering all options to expedite this process and we appreciate our customers’ patience as we work toward a resolution.”

The news comes as French media giant Groupe M6 admitted over the weekend that it was also struck by a cyber-attack, subsequently reported to be ransomware.

According to local reports, the firm’s email servers and phone lines are down due to the attack, although a speedy response from its IT department managed to ensure the threat did not affect the broadcasting of TV channels.

Chris Morales, head of security analytics at Vectra, argued that the best form of protection from ransomware is to identify the warning signs of an attack.

“It is hard to stop, but it can be defeated. There are many precursor signs to a ransomware attack that can be detected and responded to, before a ransomware attack succeeds,” he added.

“Continuous monitoring for network behaviors to proactively detect and respond to attacks does give an organization an opportunity to save themselves from the loss of data.”

Alex Guirakhoo, strategic intelligence analyst at Digital Shadows, claimed that ransomware attackers are getting increasingly targeted in their approach, singling out specific organizations and sectors.

“Future attacks are likely to forgo indiscriminate, widespread targeting in favor of more tailored and specific distribution methods,” he argued. “As organizations continue to pay high extortion demands, sometimes reaching hundreds of thousands of dollars, cyber-criminals are likely to continue perceiving ransomware as a lucrative opportunity.”

Atlanta Judge Pleads Not Guilty to Improper Access of County Network

Atlanta Judge Pleads Not Guilty to Improper Access of County Network

Superior Court judge Kathryn Schrader has pleaded not guilty to improperly accessing, altering, and removing data from the computer network of Gwinnett County, Georgia, located just northeast of Atlanta.  

The judge was indicted on September 18, along with convicted child molester and co-founder of Atlanta sci-fi convention DragonCon, Ed Kramer; private investigator T.J. Ward; and Frank Karic. 

The defendants are each charged with three counts of felony computer trespass, to which they all pleaded not guilty at their arraignment last Thursday. If convicted of all the charges against them, the defendants could each face a maximum of 45 years behind bars.

According to the Gwinnett Daily Post, Schrader hired private detective Ward to monitor her work computer when she became suspicious that it had been hacked by district attorney Danny Porter. 

It is alleged that Schrader gave Ward improper access to the network. Ward then brought in Karic, who was given improper access so he could install a WireShark monitoring device on Schrader's computer to discover if it had indeed been tampered with. 

Ward then hired former computer forensic analyst Kramer, who was also given improper access so that he could keep tabs on Schrader's computer once the installation was complete. 

According to newspaper the Atlanta Journal-Constitution, Danny Porter has vehemently denied the allegation that he hacked Schrader's computer. 

The details of the alleged offence came to light during a search of Kramer's home computer by police in relation to allegations that he had photographed a young child at a Lawrenceville, Georgia, doctor's office. Police reportedly found a folder labeled with Schrader's name on Kramer's computer. 

Since searching Kramer's computer, police have charged him with possession of child pornography. 

The indictment states that between February 7 and 26, all four defendants "did knowingly use a computer network without authority and with the intent to remove network traffic, data from the computer network of Gwinnett County, contrary to the laws of said state, the good order, peace and dignity thereof." 

Schrader has been a judge on Gwinnett's highest court since 2012, but since April, while the investigation into her alleged criminal activities has been ongoing, Porter has sidelined Schrader from hearing any criminal cases prosecuted by his office. 

The Georgia Bureau of Investigation launched the investigation into Schrader and the three men accused along with her; however, the case has now been handed over to the Prosecuting Attorney's Council of Georgia, which is prosecuting the case.

The next hearing in the case is scheduled for November 7.

Thoma Bravo Buys Sophos Group for $3.8bn

Thoma Bravo Buys Sophos Group for $3.8bn

A British manufacturer of cybersecurity products has been bought by American private equity firm Thoma Bravo for $3.8bn.

Thoma Bravo, which raised billions for its latest private equity fund this year, bought Imperva and another cybersecurity firm, Veracode, in late 2018. In a buyout deal announced earlier today, Thoma Bravo said that it will be adding Sophos Group to its fast-growing cybersecurity portfolio. 

Sophos manufactures antivirus and encryption products for an impressive list of customers that includes Under Armour IncFord Motor Co., and Toshiba Corp

Thoma Bravo already owns Sophos' close competitor Barracuda Networks, which made a name for itself managing data security over the cloud. 

Shares in Sophos were listed at 225 pence per share in 2015, but since then they have more than doubled to the 583 pence per share closing price recorded on Friday, October 11. 

In a statement released today, Sophos CEO Kris Hagerman said: "Sophos is actively driving the transition in next-generation cybersecurity solutions, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more. We continue to execute a highly effective and differentiated strategy, and we see this offer as a compelling validation of Sophos, its position in the industry and its progress."

Hagerman told news organization Reuters that his company was first approached by Thoma Bravo in June of this year.

"The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.

Thoma Bravo is a leading private equity firm focused on the software- and technology-enabled services sector with more than $35bn in investor commitments. With a 40-year history, Thoma Bravo has acquired more than 200 software and technology companies representing more than $50bn of value.

In a statement released on Monday, Seth Boro, managing partner at Thoma Bravo, said: "The Acquisition fits with our strategy of investing in and growing software and technology businesses globally. 

"The global cybersecurity market is evolving rapidly, driven by significant technological innovation, as cyber threats to business increase in scope and complexity. Sophos has a market-leading product portfolio and we believe that, by applying Thoma Bravo's expertise, operational framework and experience, we can support the business and accelerate its evolution and growth."

Tactics of Supply-Chain Attack Group Exposed

Tactics of Supply-Chain Attack Group Exposed

Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.

Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.

In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform. 

Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected "tens or hundreds of thousands" of people. Over half of the victims—55%—were located in Thailand. 

Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications. 

"Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle," says ESET researcher Marc-Étienne Léveillé.

The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims. 

Léveillé said: "Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was." 

With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.

Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to min cryptocurrencies.

Léveillé said: "Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain."

Stolen Cloud API Key to Blame for Imperva Breach

Stolen Cloud API Key to Blame for Imperva Breach

A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.

The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end August.

Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.

As part of this process the firm created a database snapshot for testing on September 15, 2017.

Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this server was left exposed and subsequently found by a hacker, who stole the all-important key and used it to access the database snapshot, exfiltrating the information in October 2018.

The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.

Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.

Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.

At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.

Scottish Teens Charged With Met Police Hack

Scottish Teens Charged With Met Police Hack

Two Scottish teenagers have been arrested on suspicion of hacking and defacing a news platform used by London’s Metropolitan Police earlier this year.

An 18-year-old from Lossiemouth near Inverness and a 19-year-old from Glasgow were charged by Scottish police, according to the BBC.

The July attack compromised the Met’s Mynewsdesk platform and allowed the hackers to post a string of offensive and often bizarre messages to the police force’s Twitter feed, as well as emails sent to subscribers and a micro-site.

The Twitter account, which has over one million subscribers, was hijacked to post messages including: “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”

At the time, right-wing commentator Katie Hopkins jumped on the news to claim the police force had not only “lost control of London streets” but also "lost control of their Twitter account too.”

Shortly after, Donald Trump retweeted her comments to continue his spat with London mayor Sadiq Khan, claiming: “With the incompetent Mayor of London, you will never have safe streets.”

“Two men, aged 18 and 19, from the Lossiemouth and Glasgow areas respectively, have been arrested and charged in connection with unauthorized access and publication of content on the Metropolitan Police Service's news platform on Friday 19 July 2019,” a Police Scotland spokesperson told the British broadcaster.

“A report will be submitted to the Crown Office and Procurator Fiscal Service.”

It’s unclear how the account was remotely compromised, although the obvious culprit would be easy-to-guess or crack passwords.

At the time of the initial incident, security experts urged organizations to improve login security and for IT to communicate the implications of neglecting such processes to regular users who may be in charge of public-facing accounts.

Microsoft and NIST Team Up on Patching Guide

Microsoft and NIST Team Up on Patching Guide

Microsoft has teamed up with the US National Institute of Standards and Technology (NIST) to develop a new guide designed to make enterprise patch management easier.

Microsoft lead cybersecurity architect, Mark Simon, explained that the firm had first worked closely with partners from the Center for Internet Security, Department of Homeland Security (DHS) and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), as well as visiting several customers.

Two common challenges emerging from discussions with the latter revolved around testing of patches and confusion over how quickly they should be implemented.

“This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” Simon explained.

“This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE [National Cybersecurity Center of Excellence] in collaboration with other industry vendors. This project — kicking off soon — will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.”

Microsoft has extended an open invitation to join the effort to any vendors which have technology that could streamline the patching process, and organizations or individuals who may have wisdom to share — either best practice tips or lessons learned.

Fixing software vulnerabilities has never been more important, especially as society increasingly relies on modern IT systems. The growth of digital transformation projects will only further amplify their importance, argued Simon.

“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” he concluded.

Mississippi Shows Flagrant Disregard for Cybersecurity

Mississippi Shows Flagrant Disregard for Cybersecurity

An audit of Mississippi government institutions has revealed an alarming lack of compliance with standard cybersecurity practices and with the state's own enterprise security program.

A survey of 125 state agencies, boards, commissions, and universities conducted by the Office of the State Auditor (OSA) revealed that only 53 had a cybersecurity policy in place. Eleven reported having no security policy or disaster recovery plan whatsoever. 

The true number of completely unprepared government entities may well be higher, however, since 54 of the institutions surveyed didn't even bother to respond to the 59-question survey, despite the OSA being authorized to verify compliance. 

"Many state agencies are operating as if they are not required to comply with cybersecurity law, and many refused to respond to auditors' questions about their compliance," wrote state auditor Shad White in a data services division brief dated October 1, in which the research findings were revealed.

In Mississippi it's a legal requirement for state institutions to have a third party perform a security risk assessment at least once every three years. Despite this law, 22 of the government entities admitted that they hadn't conducted a security risk assessment in the last three years. 

Asked about how they stored and sent sensitive information, 38% of respondents said that they do not protect sensitive data with encryption. 

The OSA also found that just over half of the government agencies that responded to the survey were less than 75% compliant with the Mississippi Enterprise Security Program. 

White said: "State government cybersecurity is a serious issue for Mississippi taxpayers and citizens. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."

White called for leaders of agencies to question their IT professionals to make sure that their agency is compliant, and to "consider ways to go above and beyond to prevent cyber breaches." 

Leading by example, the Office of the State Auditor requires all its employees to go through training to spot phishing attempts and learn best practices for preventing security incidents. 

The OSA also partnered with the federal Department of Homeland Security and arranged for the DHS to perform a penetration test of the OSA's computer system to identify any vulnerabilities.

"I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now," said White.

Most Americans Are Clueless About Private Browsing

Most Americans Are Clueless About Private Browsing

New research has found that only a quarter of Americans know that surfing the internet in private browsing mode only prevents other users of the same computer from seeing what you've been up to online.

A survey conducted in June by the Pew Research Center asked 4,272 adults living in the United States ten digital knowledge questions. When asked to identify the correct definition of private browsing, 24% of respondents got it wrong, and 49% admitted to being unsure. 

The overall findings of the research reveal that Americans’ understanding of technology-related issues varies greatly depending on the topic, term, or concept. While 67% knew that phishing scams can occur on social media, websites, email, or text messages, only 29% were in the know about WhatsApp and Instagram being owned by social media titan Facebook. 

Researchers wrote: "Just 28% of adults can identify an example of two-factor authentication—one of the most important ways experts say people can protect their personal information on sensitive accounts."

On average, survey respondents were able to correctly answer only four out of the ten questions they were asked. What caused the most confusion was when participants were asked to identify Twitter's co-founder and CEO, Jack Dorsey, from a picture.  

Interestingly, respondents were pretty savvy when it came to the commercial side of social media, with 59% recognizing that advertising is the largest source of revenue for most social media platforms. 

Most respondents were aware of what the kind of cookie that can't be dipped in milk is all about. While 27% said they were unsure what a cookie is for, 63% knew that they allow websites to track user visits and site activity.  

How much education an individual had obtained had an impact on the results. Adults with a bachelor’s or advanced degree answered a median of six questions correctly, compared with three answered by those who had, at most, a high school diploma.

Age, too, had an effect, with 18- to 29-year-olds correctly answering five out of 10 questions on average, while those aged 65 or older typically gave just three right answers.

US Homeland Security Wants to Subpoena ISPs to Hand Over Data

US Homeland Security Wants to Subpoena ISPs to Hand Over Data

The cybersecurity branch of the Department of Homeland Security has requested legal permission from Congress to demand data from internet services providers in a bid to prevent cyber-attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has chosen National Cybersecurity Awareness Month to seek administrative subpoena authority, which will give it the power to compel ISPs to hand over information. 

Currently, when the DHS identifies cybersecurity weaknesses in the private sector, it can obtain only the IP addresses of vulnerable systems. If granted administrative subpoena authority, the DHS will have the power to require ISPs to turn over the contact details of the owners of the vulnerable systems.

The department's plan is to use this information to directly contact the owners and warn them about the vulnerabilities in their cybersecurity. 

CISA assistant director for cybersecurity and communications Jeanette Manfra said: "We can see a lot of industrial control systems or potential industrial control systems, in particular, that have potential vulnerable systems that are accessible from the public internet.

"Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be."

Manfra said that while the DHS can often locate the vulnerable entity on its own with a spot of detective work, this process can take hours or even weeks, leaving the entity exposed to threat actors.

The logic of the request is easy to follow; however, it does raise some serious privacy concerns.  

"We're very aware of the concerns about overreach," said Manfra. "We have a long history of collecting similar types of data through voluntary programs and demonstrated ways of protecting that, as well to ensure that the information is used only for the purposes for which it was collected."

The proposal is currently being scrutinized by the House of Representatives and Senate Homeland Security panels. 

CISA was created in November last year with the mission to partner with both industry and government to understand and manage risks to America's critical infrastructure.

#SecTorCa: Finding a New Route to Solve Tomorrow’s Cyber-Attacks

#SecTorCa: Finding a New Route to Solve Tomorrow’s Cyber-Attacks

For modern security systems to succeed, it’s important for organizations to expect that security systems will fail. By expecting failure and planning for it, it’s possible to be more resilient and deliver better security outcomes, according to Solomon Sonya, assistant professor of computer science at the United States Air Force Academy.

Sonya delivered his message during a keynote at the SecTor security conference in Toronto, Canada on October 10, where he emphasized the need for employing what is known as a Byzantine Failure approach, rather than relying on a detection-only approach for IT security attacks. The Byzantine Failure approach in computer science is all about understanding that failure is something that will happen and as such, a strategy needs to be put in place for the eventuality.

“Tomorrow’s attacks will be worse than today’s,” Sonya said. “Malware continues to increase in sophistication, prevalence and proliferation across the enterprise.”

Malware has changed over the past two decades, but the basic approach employed by many organizations has not, in Sonya’s opinion. He noted that a key challenge is the fact that many of today’s security paradigms are predicated on a false belief that detection is key to success. Sonya detailed how malware has changed from the early days of SQL Slammer in 2003 to the modern threats of ransomware and fileless attacks. A key part of malware’s evolution is how it has become increasingly sophisticated and difficult to always detect or immediately block.

“Some people will argue that attacks won’t happen tomorrow because AI will better protect us,” Sonya said. “AI is good, but it’s not sufficient.”

Rather, Sonya emphasized that what is needed is for organizations to identify the weakness in systems and networks. With the weak links identified, Sonya said it’s important to understand what should be done to actually secure the assets and data that are critical to the organization.

“So if you look at the attack surface from a Byzantine perspective, you start by taking the system that you want to protect, you draw a circle around it and you say which failures can lead to compromise,” Sonya explained.

What ‘Right’ Looks Like

Rather than relying on existing approaches and expecting to be able to detect incursions, Sonya suggested that organizations should “take the road less travelled” and instead of just buying a product, invest the time to understand and discover what can fail and lead to exploitation.

For Sonya, the ‘right’ approach also involves making use of Software Defined Network (SDN) technology, to segment networks and reduce the potential impact of a failure. While detecting threats alone isn’t a winning strategy, he emphasized that having actionable threat intelligence is a valuable component.

“Many vendors will say they have threat intelligence, but what they actually provide is just data,” he argued. “Intelligence is useful only in order to help us get some kind of action and actually make a decision based on the intelligence.”

Looking beyond just basic passwords, Sonya suggested that organizations consider new forms of secure access protection systems that can validate users based on activity as well as other attributes. Additionally, there is a need for organizations to rethink how Digital Loss Prevention (DLP) technologies are used and deployed. In his view, DLP needs to be deployed in a stack for data at rest and in motion, such that if data is lost or stolen, it can’t be used by an attacker.

To conclude, Sonya noted that security professionals need to constantly question the security paradigm, be curious and explore the possibilities that an unconventional attack might introduce into an organization.

“In our scheme of protecting machines, our initial response should not rely on detection, because if we wait until we detect, it could be too late,” Sonya said.

BAE Systems Pilots Tech to Support Child Protection Agencies

BAE Systems Pilots Tech to Support Child Protection Agencies

BAE Systems has announced details of a technology pilot aimed at supporting child protection agencies. The initial project, run in partnership with Gloucestershire Constabulary Police Force, seeks to improve speed and accuracy for identifying potentially vulnerable children.

BAE Systems has adapted technology normally used to protect and safeguard businesses against fraudulent activity, to quickly and accurately bring together data relating to an individual and reveal the full picture of a vulnerable child’s reported issues.

As well as creating a faster, more efficient process for identifying and sharing key indicators of potentially harmful situations, it also allowed child protection practitioners to delve into more incidents, in more detail and implement urgent care plans where needed. The successful pilot achieved results 10-times faster than under existing processes, solving the challenge of sharing data, linking it together, analysing it and identifying what further investigation is required.

Ravi Gogna, principal consultant at BAE Systems Applied Intelligence, said: “After the tragic case of Baby P, we identified the need to overcome the data problem and adapted our existing technology and data science techniques, which helps banks and insurers tackle fraud, to amalgamate key historic pieces of data across agencies. This provided child protection officers with access to a more in-depth and comprehensive data profile of each child in the quickest possible time.”

The challenge is that we are looking for red flag events – such as a child self-harming or coming into A&E with multiple broken bones, she added. “We have an opportunity to help improve the way the child protection system identifies risk, by bringing together all the information about a child and quickly giving a holistic view of what is happening.”

The UK’s current system makes use of Multi-Agency Safeguarding Hubs (MASHs), which aim to provide a single point of contact for all safeguarding concerns regarding children and young people. 

However, the NSPCC currently estimates that one in 10 children in the UK has suffered some form of abuse or neglect, and the figure continues to grow. With resources continually stretched due to the ever-rising number of cases of neglect in Britain, the current manual processes are becoming strained, with the potential to miss vulnerable children.

“The pilot proves that, with increased information, we have a greater chance of intervening early and preventing catastrophic events from happening down the line,” said Kath Davis, head of the Child Protection Unit, Gloucestershire Constabulary. “To work with people from a completely different sector sheds a whole new light on things. Things that we thought were impossible, became possible.” 

#SecTorCa: Millions of Phones Leaking Information Via Tor

#SecTorCa: Millions of Phones Leaking Information Via Tor

There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.

In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.

The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.

The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.

“You’re probably scratching your head now, like we were a couple of months ago, because that doesn’t make any sense,” Podgorski said. “There's no way a third of Android users know what Tor is and are actually using it.”

What the researchers determined is that Tor is being bundled, embedded and installed in other applications and users are not aware of its existence. It was not entirely clear to the researchers why Tor was being bundled with so many applications. Podgorski said that it could be due to a misunderstanding of the technology and how it can be used. Tor was also found on Apple IOS devices, but the numbers were smaller with only approximately 5% of devices sending data.

Tracking Users

In a series of demonstrations, including live dashboards shown by Bhargava, the researchers showed what data they had collected from mobile users that were inadvertently using Tor. The data included GPS coordinates, web addresses, phone numbers, keystrokes and other PII.

“This data can be used to build a robust profile of an individual,” Podgorski said.

Bhargava explained that the exit nodes the researchers set up intentionally attempted to force browsers to not use encrypted versions of websites, forcing the devices to regular HTTP when possible. With data coming to the exit node without encryption, it was possible for the researchers to see the user data. Bhargava noted that for sites that force HTTPS encryption and do not offer any fallback option to regular un-encrypted HTTP, they wouldn’t be able to see the users data.

Also of note, Bhargava admitted that he found his own phone number in the data, which was a surprise to him, as he had not installed Tor on his device. The only applications on his phone were applications installed by the carrier.

There are several things that need to happen to fix the issue. Podgorski said that the first is awareness that there is a problem, which is what the research is intended to highlight for legislators, government and organizations. For users, Podgorski emphasized that good operational security practices need to be employed, by using encryption everywhere.

In Podgorski's view, there is already a legal compliance risk that the mobile application PII data leaks expose.

“We’re pretty sure what we found breaches GDPR on multiple levels,” he said, “but the issue is that governments can’t enforce the law if they’re not aware.”

New ISF Paper Attempts to Demystify AI in Information Security

New ISF Paper Attempts to Demystify AI in Information Security

In a paper released today, the Information Security Forum is urging organizations to capitalize on the opportunities offered by artificial intelligence while taking sensible steps to reduce the risks posed by this still immature technology.  

Demystifying Artificial Intelligence in Information Security defines exactly what AI is, then lays out a realistic analysis of what it can do, and will be able to do soon, for both legitimate organizations and criminals.

While detailing AI's potential to significantly improve cyber-defenses, especially around early threat detection, ISF's research recognizes that the technology carries with it the disease as well as the cure. 

Researchers wrote: "No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.

"Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks—which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before."

According to researchers, companies that have already adopted AI while it's still in its baby feathers have enjoyed benefits that include being able to counter existing threats more easily. But, as threat actors nurture their own twisted versions of the new technology to maturity, this early advantage will shrink into nothingness. 

"An arms race is developing," said ISF's managing director, Steve Durbin. "AI tools and techniques that can be used in defense are also available to malicious actors including criminals, hacktivists, and state-sponsored groups. 

"Sooner rather than later these adversaries will find ways to use AI to create completely new threats such as intelligent malware—and at that point, defensive AI will not just be a 'nice to have.' It will be a necessity."

Asked how far away the world is from intelligent malware, ISF senior research analyst Richard Absalom told Infosecurity Magazine: "Back in January 2018, in our publication Threat Horizon 2020, we predicted that intelligent malware would emerge by 2020. I don’t think that prediction is far off but can’t be sure—I wouldn’t bet my house on it! 

"What we do know is that attackers can already use AI tools to identify vulnerabilities—although human hackers are still better at exploiting them. As soon as that intelligent malware emerges, AI tools will be required to spot anomalous activity on the network and identify well-hidden malware. 

"For example, social engineering attacks that use deepfake videos and automated vishing are likely to make it impossible for human eyes and ears to identify what is real and what is fake—it may be that intelligent systems will be required to analyze all types of digital communications to establish source and authenticity."

Asked if the benefits of AI will always outweigh the risks, Absalom said: "Yes—if (big IF) the risks are managed properly. AI promises some really exciting developments for information security. The risks are not insurmountable but do require serious thought and investment to manage."

Data of 250K Users of Sex Industry Website on Sale for $300

Data of 250K Users of Sex Industry Website on Sale for $300

A hacker has exploited a vulnerability on Dutch website Hookers.nl to appropriate the account details of all 250,000 users, which he is now offering for sale on the dark web.

The exposed data includes the email addresses, usernames, IP addresses, and passwords of sex workers and their clients. In a sample of the data viewed by Dutch news broadcaster NOS, the passwords were encrypted, but the email addresses—many of which included the actual names of the users—were fully legible.    

The hacker, an unknown man, expressed no guilt or regret over his actions, telling NOS: "Tens of thousands of websites are hacked every day. I'm not the devil. It's not a question of whether your website is hacked, but when."

According to NOS, while the hacker hasn't completed any sales of the data yet, it is available for purchase by any interested parties for a mere $300.

A moderator for Hookers.nl wrote: "Offering this information for sale is punishable by law, and if possible, we will take legal action. In addition, a report has been made to the Dutch data protection authority."

Hookers.nl is a popular website among sex workers and their clients, who use it to write reviews, exchange tips, and share their experiences of the sex industry. The website confirmed to NOS this morning that the breach had occurred and issued the assurance that all users would be notified.

The breach occurred as a result of a technical weakness in the vBulletin forum software, which was revealed a few weeks ago. The opportunistic hacker told NOS that he exploited the hole before the company behind the website, Midhold, plugged it with a patch on September 25. 

"It is of course not an account of your internet provider that leaked, maybe you don't want people to know that you have an account here. We are not happy with this," said Tom Lobermann, spokesperson for Midhold, which also operates Kinky.nl, Erotracks.nl, and Webcambordeel.nl.

A breach of this kind carries with it the threat of blackmail. Arda Gerkens of the Help Wanted foundation, who assists victims of sex-related abuse, said: "Membership in such a forum is certainly something someone can be extorted with. Some people are not secretive about their prostitution visit, but it is certain that when people use a nickname, they want to remain anonymous."

Hookers.nl has set up a forum page for users who want their accounts to be removed.

Verified Mark Certificate Issued to CNN

Verified Mark Certificate Issued to CNN

CNN has been issued a new digital certificate that uses logo verification to prove emails sent from a particular domain are genuine.

The certification of the American news channel with a Verified Mark Certificate by DigiCert, Inc. marks the first time a VMC has been issued for a domain that sends emails at scale. 

The news follows the announcement on September 4, 2019, that Entrust Datacard had become the first certification authority (CA) to issue a VMC. 

VMCs work by verifying the existence of a secure connection between a company domain and a particular sender-designated brand logo included within an email. 

The certificates are signed cryptographically with a trusted root, allowing mail applications to rely on the information the certificate contains. The organization is issued a VMC by a CA once the signature process has been completed.

Receiving their certificate has readied CNN for participation in upcoming pilots of the BIMI (Brand Indicators for Message Identification) standard, which is being developed by AuthIndicators Working Group. BIMI will allow domain owners to specify a logo that will appear in the inbox, alongside authenticated email messages sent from their domains. 

To work, BIMI requires both the email and the logo to be properly validated. The email must be authenticated through the Domain-based Message Authentication, Receiving & Conformance (DMARC) standard, with a policy of quarantine or reject; the logo itself will be validated by the VMC.

While Yahoo Mail is currently running a pilot of BIMI, Google is planning a BIMI pilot of its own in 2020.

VMCs are not currently in use in BIMI pilots, but they are expected to become a requirement because they are a scalable way to ensure that corporate logos are not used fraudulently. 

With widespread use of VMC, BIMI, and DMARC, companies will be able to amplify and protect their online presence through authenticated messages to consumers that are instantly recognizable by their known, protected brand marks.

"DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program," said DigiCert chief of product Jeremy Rowley.

Coleen Rooney and Rebekah Vardy in Public Spat Over ‘Leaked Stories’

Coleen Rooney and Rebekah Vardy in Public Spat Over ‘Leaked Stories’

Reports emerged yesterday that Coleen Rooney, wife of professional footballer Wayne Rooney, publicly accused Rebekah Vardy, wife of footballer Jamie Vardy, of leaking personal information about her to tabloid newspaper The Sun. Vardy was quick to refute the claims.

In a lengthy social media post on October 9, Rooney wrote: “For a few years now someone I trusted to follow me on my personal Instagram account has been consistently informing THE SUN newspaper of my private posts and stories.”

She went on to claim that “there has been so much information given to them about me, my friends and my family – all without my permission or knowledge.”

In an attempt to find out who was responsible, Rooney explained how she blocked all users from viewing her Instagram stories, except for one person, and spent five months posting a series of false stories to see if they ended up being leaked to The Sun, which they eventually did.

“Now I know for certain which account/individual it’s come from,” Rooney continued. “I have saved and screenshotted all the original stories which clearly show just one person has viewed them. It’s………Rebekah Vardy’s account.”

In response, Vardy Tweeted to deny any knowing involvement in the issue, suggesting there could have been some sort of unaccounted for activity on her Instagram account which may have led to the leaks: “I never speak to anyone about this [personal stories and information] as various journalists have asked me to over the years can vouch for.

“Over the years various people have had access to my insta & just this week I found I was following people I didn’t know and have never followed myself.

“If you thought this was happening you could have told me & I could have changed my passwords to see if it stopped.”

Researchers Discover Spy Platform with GSM Fingerprinting

Researchers Discover Spy Platform with GSM Fingerprinting

Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.

According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.

“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”

ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. The plugins are delivered by to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.

The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.

Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.

Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.

“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.

#DTXEurope: Defense Now Far Harder Than Attack, Warns Security Researcher

#DTXEurope: Defense Now Far Harder Than Attack, Warns Security Researcher

At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher and ‘Samy’ MySpace computer worm creator, reflected upon the current cyber-threat landscape and warned that defenders are being challenged to a far greater degree than ever before.

That’s because of the ever-increasing numbers of internet-connected devices being used across the world, extremely high levels of information being shared online and the extremely sophisticated technology cyber-criminals now adopt in their attacks.

“Security is challenging,” Kamker said. “It’s very difficult to secure everything and as somebody who is trying to defend, you have maybe 100 holes and maybe you can cover 99 of them. For an attacker it’s much easier, you only need to find one problem, one hole to break in.”

So attacks are now very difficult to stop, he added, and that’s because they are now possible to carry out “with low cost tools – tools that even you and I can purchase, with open source software and hardware that anyone can access.”

Staying secure is therefore not easy, Kamkar warned, but he said there are three fundamental steps that can be taken to make better security more achievable.

The first “is using two-factor authentication wherever you can.”

Next, “do not use SMS two-factor authentication. The SMS network is like your local area network – anyone with access can essentially take over any phone number. Do not use SMS if you have the ability to use something like an authenticator or software on your mobile device.”

Lastly, “please use a password manager. There are pros and cons, and yes you are storing passwords in one place that’s centralized, but do anything [you can] to prevent you from using the same password over and over again, which is how all of the largest attacks I have ever seen occurred,” Kamkar concluded.

Survey Reveals Widespread Ignorance Over Attack That Affects Most Companies

Survey Reveals Widespread Ignorance Over Attack That Affects Most Companies

According to a new research survey, 68% of IT security stakeholders aren't sure whether they've experienced a Pass the Hash attack, and 4% don't even know what this globally prevalent form of attack is. 

These almost fantastical findings, released today by One Identity, came from a survey of more than a thousand IT professionals conducted by Dimensional Research.

One Identity field strategist Dan Conrad told Infosecurity Magazine: "While 4% seems like a small percentage, that means nearly one in every 20 IT security professionals does not even know about a significant cyber-attack method. 

"As attacks that have such a large impact on organizations, it’s imperative that the security industry continues to emphasize the importance of understanding PtH attacks and the proper methods to combat them." 

In a PtH attack, a threat actor obtains privileged credentials by compromising an end user’s machine. The attacker then simulates an IT problem, which prompts a privileged account holder to log into an administrative system. When they do, the attacker stores their login credentials as a hash that can be extracted and used to access additional IT resources across the organization. 

This attack technique has been doing the rounds since the 1990s and was first reported by Paul Ashton on Bugtraq in 1997. Back then it consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords.

Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations, with 70% reporting a direct impact on operational costs.

A large majority (87%) of survey respondents say they are already taking steps to prevent PtH attacks, but only 55% have implemented privileged password management. 

Microsoft issued guidance back in 2017 for companies to implement Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE), to help prevent PtH attacks. The survey found that just a paltry 16% of small organizations and 31% of larger companies have followed this advice. 

Perhaps most shockingly, among the respondents that have not taken any steps at all to prevent a PtH attack, 85% have no plans to do so. 

Dan Conrad told Infosecurity Magazine: "As attacks that typically begin with a phishing email and could lead to a ransomware attack or sensitive data being accessed and stolen, the impact of a PtH attack can be widespread and severe. 

"With data breaches creating a significant time and financial burden on any organization, it’s imperative that businesses take these attacks seriously and put privileged access management strategies and protocols in place to defend themselves."

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

The McCombs School of Business at the University of Texas at Austin has launched America's first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks. 

The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8 million person gap that the 2017 Global Information Security Workforce Study predicted will hit the global cybersecurity workforce in 2022.

This unique certification course sprang forth from a collaboration between the school and the cybersecurity industry, healthcare organizations, and governmental agencies. It is endorsed by the Texas Hospital Association, cyber risk management and compliance solution provider Clearwater, and CynergisTek, Inc., a cybersecurity consulting firm dedicated to serving the information assurance needs of the healthcare industry.

"This unique leadership program will rapidly equip individuals with the knowledge, leadership skills, and problem-solving competencies needed to manage risk in healthcare environments," said a statement from the McCombs School of Business. 

Cross-sector experts in healthcare privacy and security and experienced healthcare technology educators are being brought in to teach the course, which will run for eight weeks starting in July 2020. Students will learn via practical, case-based simulations and hands-on exposure to current and future healthcare cybersecurity technologies.

The course, which has been developed to meet the needs of healthcare organizations, vendors, and governmental agencies, will be built around multiple thematic modules. Modules confirmed so far include "Processes to Ensure Organizational Safety and Security" and "Policies and Governance in Healthcare Entities."

To ensure that the curriculum keeps up with the ever-evolving cybersecurity threat landscape, the program will be shaped by ongoing feedback from members of the privacy and cybersecurity industries, and in the future by program graduates as well. 

With nearly 500 US healthcare organizations having been targeted by ransomware attacks since the start of the year, the need for a training program geared toward their protection is unequivocal.

Founder and executive chairman of Clearwater, Bob Chaput, who described the new certification as a "much-needed program," said: "While there’s a massive shortage of traditional technical cybersecurity talent in all industries, healthcare has been specifically challenged as one of our nation’s last industries to undergo significant digital transformation."

Number of Girls Applying for British Cybersecurity Courses Surges

Number of Girls Applying for British Cybersecurity Courses Surges

Britain's National Cyber Security Centre has reported a significant increase in the number of young women applying for cybersecurity courses.

According to new figures released yesterday, applications from girls for the NCSC's 2019 CyberFirst summer courses were up 47% compared to last year.  

Rather appropriately, the surge in female applicants for the free cybersecurity courses was announced on Ada Lovelace Day, an international celebration of women in science, technology, engineering, and math (STEM) held every year on the second Tuesday of October.

According to the figures, nearly 12,000 girls took part in the prestigious CyberFirst Girls Competition 2019. Also, the CyberFirst Defenders course, which introduces teenagers to how to build and protect small networks and personal devices, had 705 female participants. 

NCSC's cybersecurity courses, which are held at venues across the UK, have proved to be popular beyond just girls, with the center reporting a 29% rise in overall applications in 2019 compared to the year before. 

Working with training experts QA and education charity The Smallpeice Trust, the NCSC delivers a range of one-day and five-day courses for 11- to 17-year-olds each year. 

Participants are given the opportunity to encounter and explore everyday technology so they can build an understanding of how it works. They also attend lectures, learn through hands-on practical projects, and have the chance to hear presentations by guest speakers.  

Saskia, who attended the CyberFirst Futures course that took place in Cardiff, said: "I haven't had the opportunity to study computer science at school, but CyberFirst has encouraged me to consider the subject at University—I just wish the course was longer!"

As part of the NCSC's CyberFirst initiative, young people interested in studying cybersecurity at university can apply for an annual bursary of £4,000. They can also put themselves forward for three-year apprenticeships in the cybersecurity industry, which allow them to earn while they complete a recognized degree course. 

Chris Ensor, NCSC deputy director for growth, said: "We're delighted to see so many young people interested in finding out more about cybersecurity. The significant rise in female applications is especially pleasing, and something we want to see continue into the future.

"It's never been more important to increase and diversify the cybersecurity workforce and we're committed to nurturing the next generation of skilled experts and addressing the gender imbalance."

#DTXEurope: Hacking Not Always Malicious, Says ‘Samy’ MySpace Worm Creator

#DTXEurope: Hacking Not Always Malicious, Says ‘Samy’ MySpace Worm Creator

At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher infamous for creating the ‘Samy’ Myspace computer worm that gained notoriety when it propagated across the social networking site in 2005, said that hacking exploits are not always malicious in nature, and are rather often imbedded in inquisitively and a determination to push boundaries.

“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.

It is that capability that often inspires hackers and researchers to continually evolve and develop different attack methods, and explains why threats are not only constantly changing, but are also constantly harder to defend against, Kamkar argued. “Once there is no challenge, the fun is gone [for hackers].”

Kamkar likened hacking to “solving a puzzle” and “it’s always really fun to solve a puzzle – it feels good to get to the other side."

He said: “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out. With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to get to the other side.”

Twitter Admit Personal Contact Details Used by Advertising Systems

Twitter Admit Personal Contact Details Used by Advertising Systems

Twitter has admitted that personal contact information of users may have “inadvertently been used for advertising purposes.”

According to a statement published earlier, it discovered that when users provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have been the recipient of Twitter’s Tailored Audiences and Partner Audiences advertising system.

“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)” it explained, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

The statement read: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

It could not say “with certainty” how many people were impacted by this, but it clarified that no personal data was ever shared externally with partners, or any other third parties.

“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”

In an email to Infosecurity, Javvad Malik, security awareness advocate for KnowBe4, said that many companies have implemented two-step authentication for services via an SMS message to the users phone, as this protects accounts against attacks such as credential stuffing, where attackers can access accounts by having the password.

“However, with email address and phone numbers, advertisers are able to profile people more accurately across multiple services and target them with more accuracy,” he said. “It is unfortunate that Twitter allowed this to happen, as these details were only provided for security purposes.

“In light of this, and other similar revelations in the past, as well as the growing number of attacks such as SIM swap, which hijack users phone numbers, companies should make the strategic decision to move away from using a phone number as a primary means of authentication, and adopt more secure alternatives for multi-factor authentication.”

Stuart Sharp, VP of solution engineering at OneLogin, said that it would be up to the lawyers to decide whether or not Twitter's misuse of personal contact details broke the letter of the law, but “it certainly broke the spirit of GDPR.”

He said: “This type of activity will likely result in users removing their phone numbers from the site, which will ultimately affect the number of people using additional factors for authentication such as text verification, which is a massive step backwards for all those working hard to push MFA as a method of increasing security online. Ultimately, everyone will lose as Twitter accounts will be more vulnerable to malicious take-over.”

#DTXEurope: Former Chief of MI6 Reflects on Growth of Tech and Cyber-Threats

#DTXEurope: Former Chief of MI6 Reflects on Growth of Tech and Cyber-Threats

At Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), explored the recent growth of cyber technology and its impact on cyber-threats and cyber-defense.

Reflecting upon his career at MI6, Sawers noted how cyber and technology became an integral part of the Secret Intelligence Service's work during his tenure.

“Even at MI6, a human-intelligence service, I had to increase our spend on technology from about a third of our budget to half of our budget during the five years that I was chief of the service,” he explained. “Technology was such a big driver of everything we did; the power of data analytics in terms of piecing together puzzles about terrorist plots and identifying who was posing a threat was an absolutely vital tool.”

Sawers saw a “lot of life move online,” including the significant rise of extremist websites and chatrooms, and “the role of cyber developed as both an attack tool, and as a crucial part of national defenses.”

This has led to hostile cyber-attacks, particularly nation state attacks, becoming ever more sophisticated, powerful and capable of reaching diverse, widespread targets. He added that, through cyber and tech evolutions, the “skills of offensive cyber are becoming readily available,” and whilst defenses are getting better and better at both a corporate and state level, the “attack tools available to hostile actors are getting more and more powerful.

“That battle, in the cyber-domain, is bound to continue.”

#DTXEurope: Huawei Dispute Symbolic of Wider Problems in Telecoms Industry

#DTXEurope: Huawei Dispute Symbolic of Wider Problems in Telecoms Industry

Speaking in the opening keynote session of Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), said that the ongoing dispute between the US and Chinese telecommunications giant Huawei is symbolic of broader problems affecting the global telecoms industry.

“A big thing has been made about the intelligence and security threat posed by having Huawei equipment in the British national system," he said. “I actually tend to play that down a little bit. I think we have a rather good system here in the UK whereby all Chinese equipment that goes into the UK national infrastructure goes through a checking station run by GCHQ, and we’ve not, in the 20 years that we’ve had Huawei equipment in our system, experienced it being used by the Chinese state for espionage purposes.”

However, there is a wider problem in the telecoms industry because there are so few suppliers and manufacturers supplying goods, he explained, and you have no “big American player.”

This is what has led to the US making such an issue around Huawei technology in recent months, Sawers argued, pin-pointing three specific matters that have played a particular role in the dispute..

The first is that there is a potential espionage threat that needs to be managed, and we do all have to be mindful of that.

Secondly, and more importantly, “there’s the industrial policy argument, where the West needs its own telecoms national infrastructure manufacturers, so that we can rely on Western-made, Western-designed kit,” Sawers argued.

Thirdly, Huawei has become a “point of leverage in the wider US-China trade negotiations.”

So, the Huawei issue is “much more complicated than is sometimes presented (as a simple one about national security and intelligence threats) and it’s about a much wider issue of the control of technology,” Sawers pointed out.

“In essence, it’s a microcosm of the challenges the West is going to face during the 2020s. As we move into a world of competition between powers, competition over technology and a time when Western politics is not as healthy or as unified as it has been before, it creates a very complicated backdrop for those who are in the technology business,” he concluded.

Microsoft October Update Patches Nine Critical Vulnerabiltiies

Microsoft October Update Patches Nine Critical Vulnerabiltiies

Microsoft patched 59 vulnerabilities yesterday, releasing one advisory for Windows 10 Servicing Stack.

Of the 59 vulnerabilities patched, nine are classified as “critical.” There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.

Jimmy Graham, senior director of product management at Qualys, said that alongside these patches, a Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. “If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized,” he said.

Satnam Narang, senior research engineer at Tenable, said: “Two more vulnerabilities in Remote Desktop were patched this month. CVE-2019-1333 is a remote code execution vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the Remote Desktop Protocol (RDP), or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.

“CVE-2019-1326 is a denial of service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding.

"There is also a pair of Win32k elevation of privilege vulnerabilities (CVE-2019-1362, CVE-2019-1364) caused by a failure in how the Windows kernel-mode driver handles objects in memory. These vulnerabilities require an attacker to have previously compromised a system before they can elevate privileges. Both vulnerabilities affect Windows Server 2008 and Windows 7, which will no longer receive security updates after January 14, 2020."

#ACS19: Make Your Friends and Plans Before the Breach

#ACS19: Make Your Friends and Plans Before the Breach

Preparing for data breach response should involve practising with third parties, and repeating the processes. 

Speaking at the ATM & Cybersecurity 2019 conference in London, Mark Whitehead, head of customer breach support at Deloitte said that “reputation is an ethereal thing” and hard to control.

He said that reputation is fundamentally based on two things: what you do; and what you say, also consider how you perform. “If you don’t do everything you can, you’re losing the ability to influence in the first place,” he said. “In terms of how you plan and how you prepare, your role and influence becomes incredibly important and brand and reputation means a lot more than you think it does.”

He recommended having in place the following steps, as “no matter how good you get it, you will never be famous for doing it well, but you will be infamous for doing it badly.” These were;

  • Communications – How do you get out ahead of social media, and don’t develop messages on the fly
  • Speed – This is of the essence, as if you don’t respond quickly, you will be behind the message and the press
  • Capacity and Capability – You have capability designed and sized to support ‘business as usual’ so consider how manage that and support those customers who are affected
  • Identity Protection and Repair – Your insurance will cover this, but only 10-20% of customers will take this opportunity up, so consider if it is an effective means of protecting customers?
  • Professional Expertise – Whether it is a law firm, crisis communications or a claim team, it is important to have professional entities of people who have been through the process before

Whitehead said breach response preparation was a classic case of “make friends before you need them” in the event of a crisis. Pointing at the Information Commissioner’s Office, he said that it is clear in the guidance from the EU to the supervisory authorities' 11 criteria to assess organizations with after a data breach, and whether a fine is relevant, and what the size of the fine should be.

One point states that “any action taken by a controller to mitigate the damage suffered by data subjects” should be considered, and of the 11 criteria, “this is the only one to talk duty of care to data subjects.” 

Whitehead said that, if you have exercised duty of care, you may or may not get a fine. “So worry about duty of care and your customers; not just because from a brand and reputation perspective, as if you don’t look after them they will go elsewhere,” he said. “But you should also worry about your duty of care as it is the tipping point for the supervisory authorities to decide on the size of the fine.”

Sharp Spike in Attacks Targeting Company Email Accounts

Sharp Spike in Attacks Targeting Company Email Accounts

A new report by email and data security company Mimecast has revealed a staggering increase in the number of Business Email Compromise (BEC) cyber-attacks.

The quarterly Email Security Risk Assessment (ESRA) report, released today, found a 269% increase in the number of BEC attacks in quarter two of 2019, compared to the first quarter of the year. 

BEC attacks are sophisticated scams that typically target businesses working with foreign suppliers and businesses that regularly perform wire-transfer payments. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized funds transfers.

According to the FBI, there are five main types of BEC scams, all of which allow threat actors to commit email-based impersonation fraud using methods that evade many traditional email security systems.

The Bogus Invoice Scheme involves an attacker impersonating a company's supplier and requesting funds transfers to the attacker's bank account in payment of services rendered. An attacker committing CEO Fraud will pose as one of the company's most senior executives and send an email to the finance department requesting that money be transferred to an account they control.  

If the attack is an Account Compromise, an executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

A Data Theft BEC attack targets employees in the HR and finance departments to fraudulently obtain personally identifiable information (PII) or tax statements of employees and executives, which can be sold on the dark web or used for future attacks.

Finally, threat actors can launch an Attorney Impersonation BEC attack, in which they pretend to be a lawyer or someone from a law firm in order to access confidential information.

A further finding of the ESRA report is that 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous files types were all missed by incumbent providers and delivered to users’ inboxes.

The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, like financial, data, or customer loss.

Industry Leaders Throw Weight Behind Interoperability Alliance

Industry Leaders Throw Weight Behind Interoperability Alliance

An industry initiative to allow data sharing and interoperability in the cybersecurity sector has won the support of 18 vendors.

The Open Cybersecurity Alliance (OCA), created by international consortium OASIS, will unite end users and organizations in an open cybersecurity ecosystem where products can share information, insights, orchestrated responses, and analytics. 

The OCA will strive to increase the cybersecurity value of existing products and discover new security insights by supporting commonly developed code and tooling and encouraging practices for interoperability and sharing data among cybersecurity tools.  

A key aim of the OCA will be to make it easier for different cybersecurity technologies to work together across the entire lifecycle of a threat. 

In a statement issued earlier today, the OCA wrote: "According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data. 

"Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats. To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors."

The alliance was spearheaded by IBM Security and McAfee and quickly attracted the support of Advanced Cyber Security CorpCorsaCrowdStrikeCyberArkCybereasonDFLabsEclecticIQElectric Power Research InstituteFortinetIndegyNew ContextReversingLabsSafeBreachSyncurityThreatQuotient, and Tufin.

At OCA's heart will be two technologies developed by its founding members. The first is McAfee's cybersecurity messaging format OpenDXL Standard Ontology. The second is STIX-Shifter, a search capability for all types of security products based on an IBM open source library. This useful tool can identify information in data repositories that relates to potential threats, pop it into a usable format, and share it with any enabled security tool. 

"Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too," said D.J. Long, vice president of business development at McAfee.

"Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence."

University to Create New Cybersecurity Approach Inspired by the Human Body

University to Create New Cybersecurity Approach Inspired by the Human Body

Researchers at the University of Arizona are developing a fresh approach to cybersecurity modeled on the human central nervous system. 

The new method, which is being created as part of the Partnership for Proactive Cybersecurity Training project, will aim to detect and neutralize cyber-threats in their earliest stages before they have a chance to do any serious damage. 

Inspiration for the project came from human biological responses; for example, how the body's immune system fights a virus and how a person will instinctively pull their fingers away from a burning hot surface before their brain has even received the message that the body is at risk of harm.

"I felt we could learn about how the body protects us by reacting to threats and maybe apply it to cyber by building a 'cyber immune system,'" said Salim Hariri, UA electrical and computer engineering professor and the project's principal investigator. 

"We're trying to build these abilities where, when somebody attacks your computer, these measures can detect the attack and act on it before you're even aware something is compromised."

In contrast with security methods that deal with cyber-threats in a reactive way, the new system being constructed is being designed to function proactively. The plan is to use artificial intelligence and machine learning to train machines to recognize cyber-threats on their own, as a doctor might recognize diseases from their symptoms. 

To stop the threats before they infect a network or device, researchers will also teach the machines how to recognize threats as they evolve and how to execute a wide range of cures. With an encyclopedia of remedies at their disposal, the machines will be able to search for the one that is most appropriate and automatically apply it to the threat. 

"An attacker can reach hundreds of thousands of devices in a fraction of a second, so we need our ability to detect threats and protect a system to work just as quickly," said Hariri. 

The National Nuclear Security Administration's Minority Serving Institution Partnership Program has awarded the project a $3 million grant to be paid over a three-year period. Under the terms of the grant, researchers will train students, especially underrepresented minorities, from the University of Arizona, Howard University, and Navajo Technical University as they work to develop new cybersecurity techniques.

#ACS19: Make Cyber a Business Risk for Management Adoption

#ACS19: Make Cyber a Business Risk for Management Adoption

Don’t treat cyber-risk any differently to any other risk to your business, as engagement with senior management continues to be a challenge.

Speaking at the ATM & Cybersecurity 2019 conference in London, Nina Paine, global head of cyber partnerships and government strategy, Standard Chartered (UK), discussed the need to keep senior management engaged when creating and maintaining a cybersecurity culture internally.

Paine said that with growing teams there is a “race to keep pace against cyber-criminals and cyber-threat actors” and this means that security teams “cannot do it alone and it is incredibly important that we share knowledge and insights and key learnings with partners across the world.”

Paine said that people ask if a cybersecurity culture can be driven from the “top down or bottom up” and she said that it is probably both as “the tone from the top and senior executive engagement is the key differentiator.” She also said that cyber-leaders are clear on the strategic implications that cyber-risks represent, and this may be about metrics that the business has put in place.

One tone to adopt for senior executives is to stress that “cybersecurity is tremendously important to our customers.” Therefore, cybersecurity has to be treated as a business risk, “as we know the consequences of not doing so are stark.”

Paine also said that cyber-risk should be “normalized as part of enterprise risk management as a whole.”

So how cybersecurity can be part of the wider business discussion? This needs to be done with a trickle down through the business, and not just by having a technical team in a separate room, Paine advised. She said that at Standard Chartered, cybersecurity is treated as a principal risk type, and this means it is subjected to enterprise-wide risk management rules.

She added: “Whether you have got that or not, you have got some principles to think about within each function around challenges and assurance that are absolutely vital to all firms.”

Paine recommended setting up a layered effort to enable better adoption of culture, and one thing firms have done is to set up a senior executives’ safe space “where there are not stupid questions and everybody is a human.” She said that this forum can allow increased understanding of risks, as we “cannot simply rely on small groups of technical experts to keep our organization safe.”

She acknowledged that employee awareness can “sound pink and fluffy,” but you can make it a hard skill set and discipline through automated platforms. She said that as Standard Chartered was automating its awareness, this will enable training and results and learning to be better collected, adding an element of gamification.

To conclude, she pointed out that “what gets measured gets done” and recommended introducing security measurement tools, as well as publishing test scores to divisional heads, as that can drive cultural change in a business.

“I’d like to reiterate that cybersecurity risk and its management is very much a shared responsibility, and everyone from the board to the front line has a critical role to play,” she said. “Whilst an organization’s risk culture does have formal risk policies in it, there is also a really important people side.”

#ACS19: Police Chief’s Council Highlights Major Attacks and Threats to UK

#ACS19: Police Chief’s Council Highlights Major Attacks and Threats to UK

Speaking at the ATM & Cybersecurity 2019 conference in London, detective superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chief’s Council, detailed common attackers, attack tactics and the most common ways to prevent them from happening.

Saying that the main attack groups were “no great surprise,” he highlighted the hostile states as having different motives but having “really invested in their capabilities” which he said was the main challenge, as “if a hostile state comes after you as an organization they are probably going to get you” unless you have significantly invested in your protection. “For most people though, that is probably not going to be a significant concern.”

However, a rising threat is from organized crime, which he said has involved a blurring between a hostile state and organized crime, whether it is being franchised or “tasked out,” while there are organized crime groups who do this as a way to make money.

What has also been a major concern over the last couple of years is “more and more high-level sovereign state tools leaked out.” He explained that these may have been the preserve of American intelligence agencies, but are now in the wild and “available for anyone to download and use as part of criminal enterprise.”

As well at attacks such as more DDoS and Business Email Compromise, Gould also said that “the most common type of cyber-dependent crime, where computers are attacking computers” and affecting organizations, is ransomware. While he admitted that detections and infections are down, the trend is towards more targeted ransomware, and recommended businesses protect and test backups.

In terms of sophistication, Gould said that attackers are getting better in how they are targeting organizations, as one in five “are successful with spray and pay” techniques. “Actually a lot of criminals are investing time and effort in their targets, and we make it easy for them by putting our personal information online,” he added.

Moving on to the role of the police, he acknowledged that the attitude of the police toward cybercrime has changed over time; “we know there are millions of offences committed in the country each year, but only 25-26,000 of those get reported to Action Fraud.”

However, that has improved, Gould said, “and now we've got teams dealing with cyber-dependent crime like ransomware in every force in England and Wales, when 18 months ago nothing existed.” He continued that every incident is investigated and every victim is advised “to stop them being a victim again.”

He concluded by highlighting the most common mistakes that businesses make in dealing with cyber-incidents, which were:

  • No plan, nothing exercised
  • Unmapped and poorly understood networks and endpoints
  • Business negotiates with blackmailers
  • Slow to ask for police help (if at all)
  • Only communicate with police through lawyers
  • Media messaging does not consider secondary fraud
  • Ineffective back ups 

Join our webinar on 24th October where we will be discussing advanced attackers, and how to defend against automated attacks - register here


Global Study Finds Orgs Are Failing to Protect Data in the Cloud

Global Study Finds Orgs Are Failing to Protect Data in the Cloud

A new global study from Thales and the Ponemon Institute has exposed a disparity between the rapid growth of data stored in the cloud and organizations’ approaches to cloud security.

The firms surveyed more than 3000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the UK and the US, discovering that whilst nearly half (48%) of all corporate data is stored in the cloud, only 32% of organizations believe protecting data in the cloud is their own responsibility.

What’s more, the study found that organizations consider cloud service providers to be the ones to bear the most responsibility for securing sensitive data in the cloud (35%), although just 23% of respondents said security was a factor to them when selecting a cloud service provider.

Furthermore, the research found that more than half (51%) of businesses and other organizations still do not use encryption or tokenization to protect sensitive data in the cloud, whilst 54% of respondents stated that cloud storage makes it more difficult to protect sensitive data.

“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organizations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”

Tina Stewart, vice-president of market strategy for cloud protection and licensing activity at Thales, added: “This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security. Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It does not matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organization’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”

New Zealand Health Organization Discovers Multiple Hacks Dating Back Three Years

New Zealand Health Organization Discovers Multiple Hacks Dating Back Three Years

A health organization in New Zealand that was targeted in a global cyber-incident in August has uncovered evidence of earlier attacks dating back three years.

Tū Ora Compass Health took its server offline and strengthened its IT security following a cyber-attack on its website in August. On Saturday, the primary health organization (PHO) announced that an investigation by authorities, including the police, Ministry of Health, and the National Cyber Security Centre, has found evidence of multiple earlier attacks dating from 2016 to early 2019.

Martin Hefford, chief executive officer of Tū Ora Compass Health, said: "As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health. We are devastated that we weren’t able to keep people’s information safe. 

"While this was illegal and the work of cybercriminals, it was our responsibility to keep people’s data safe, and we’ve failed to do that."

Tū Ora holds information dating back to 2002 on approximately 1 million individuals from the greater Wellington, Wairarapa, and Manawatu regions. Tū Ora does not hold GP notes, which are held by individual medical centers.

The organization is one of 30 PHOs that collect data from medical centers, then analyze it to ensure patients are screened for diseases like cancer and receive treatment for chronic conditions, including diabetes.

"We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with police," said Hefford. "Experts say it is likely we will never know. However, we have to assume the worst, and that is why we are informing people."

New Zealand's director-general of health, Dr. Ashley Bloomfield, said: "We have been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.

"This work is ongoing, and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."

Elad Shapira, head of research at Panorays, commented that the best way for hackers to reach sensitive and confidential information is often through third parties, who can access data but lack the adequate security to guard it. 

He said: "For this reason, assessing and continuously monitoring healthcare organizations' third-party security is critical."

Data of 92 Million Brazilians for Sale on Underground Auction Site

Data of 92 Million Brazilians for Sale on Underground Auction Site

The personal information of 92 million Brazilian citizens has been discovered for sale to the highest bidder on an underground forum auction. 

According to BleepingComputer, the auction is present on multiple dark web marketplaces that can only be accessed by paying a fee or via an invitation from someone who is already on the inside. 

The information is being sold as a 16GB database in SQL format and has a starting price of $15,000 and a step-up bid of $1,000. According to its seller, X4Crow, the records include names, dates of birth, taxpayer IDs, and some address details. 

A sample of the database, which was seen and verified as genuine by BleepingComputer, also contained information relating to gender and the names of individuals' mothers. 

The origin of the database is unclear, though the inclusion of the taxpayer IDs and the seller's claims that it contains the unique information of 92 million Brazilian citizens could indicate that it's a government database of the approximately 93 million Brazilians who are currently employed. 

In addition to offering the data for sale, X4Crow claims that they can retrieve data available in national identification documents, such as ID cards and driving licenses, together with phone numbers, email addresses, previous addresses, professions, education levels, and vehicles. And all they need to do it is the individual's full name, taxpayer ID, or phone number.  

Under Article 18 of the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGDP"), consumers have rights relating to their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated. Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.

Jonathan Deveaux, head of enterprise data protection with comforte AG, believes that in the future, companies may rely more on methods like tokenization to protect valuable consumer data. 

He said: "An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization.

"Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps."

Class-Action Lawsuit Filed Against CafePress Following Data Breach

Class-Action Lawsuit Filed Against CafePress Following Data Breach

Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach. 

The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.

Third-party consumer sites, including weleakinfo.com and haveibeenpwnd.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to their customers until last week.

Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes. 

The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019. 

"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.

It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed. 

"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."

The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact cafepress@feganscott.com.

US and UK Sign Crime Data Sharing Agreement

US and UK Sign Crime Data Sharing Agreement

UK Home Secretary Priti Patel and US Attorney General William Barr have signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction.

According to Julian Hayes and Michael Drury at BCL Solicitors, this “will inevitably be one way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.”

According to the FT, the deal will compel US technology companies including Facebook, Google and Twitter to hand over the content of emails, texts and direct messages to British law enforcement bodies, and require the same of UK companies holding information sought by US investigators.

It currently takes police and security services anything from six months to two years to request and access electronic data, under the “mutual legal assistance” treaty between the US and UK governments. “Under the new arrangements, a UK Judge can issue the police, SFO and other specified with an Overseas Production Order, bypassing cumbersome mutual legal assistance procedures and, in principle, obtaining electronically stored data from the US within just seven days,” Drury and Hayes said.

The treaty is based on the US CLOUD Act 2018 and the UK’s Crime (Overseas Production Orders) Act 2019. The agreement still requires ratification by the US Congress and is to be presented to Parliament.

While this has been welcomed by some organizations, including the NSPCC, which described the new arrangements as “a hugely important step forward,” the bilateral agreement has been criticized on the basis that it potentially erodes key rights. “The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right,” Drury and Hayes said. 

They also questioned whether service providers will be expected to scrutinize the order to ensure that legal and procedural requirements have been adhered to, and asked how the requirements of the new arrangements will be reconcilable with the service providers’ desire to provide encrypted services? 

‘The Cyberthreat Handbook’ Released, Documents ‘Who’s Who’ of Attackers

‘The Cyberthreat Handbook’ Released, Documents ‘Who’s Who’ of Attackers

Thales and Verint have announced the release of The Cyberthreat Handbook, a report designed to provide insights into the most significant groups of global cyber-attackers through detailed rating cards.

The two companies combined to carry out a year-long investigation into the current cyber-threat landscape, observing attack techniques, targeted sectors and attack motives.

The research details the activities of approximately 60 major groups of cyber-attackers throughout the world, discovering that almost half of the groups analyzed were state-sponsored, often aiming to steal sensitive data from targets of geopolitical interest.

Just over a quarter were named as ideologically-motivated hacktivists, followed by financially-driven cyber-criminals (20%) and cyber-terrorists (5%).

The Cyberthreat Handbook warned that all the world’s major economic, political and military powers are priority targets of cyber-attackers, and that the sectors most targeted are States and their defense capabilities, followed by the financial sector, energy and transportation.

It was also noted that a growing number of groups of attackers are now focusing on vulnerabilities in the supply chain, and in particular on smaller partners, suppliers and service providers that are used as Trojans to access major targets.

Marc Darmon, executive vice-president, secure communications and information systems, Thales, said: The Thales and Verint teams are immensely proud to release this report today as part of its technology and domain expertise cooperation. Unique in its breadth and depth, it is the culmination of many months of research, investigation and painstaking analysis and correlation of relevant data. As cyber-threats proliferate and evolve, cybersecurity clearly has a major role to play, particularly for critical infrastructure providers.”

Elad Sharon, president, Verint Cyber Intelligence Solutions, added: “This report generates unique insights and knowledge to cyber and security experts to mitigate and foresee cyber-attacks.”

Over Three-Quarters of UK Workers Lack Basic Cyber-Training

Over Three-Quarters of UK Workers Lack Basic Cyber-Training

More than three-quarters (77%) of UK workers claim to have never received any form of cyber-skills training from their employer, according to research from Centrify.

The company surveyed 2000 fulltime professional services workers in the UK, discovering that along with the notable absence of training aforementioned, 69% of those polled lack confidence in their own ability to keep their data safe and secure.

These findings come at the beginning of European Cyber Security Month, an EU awareness campaign that aims to promote cybersecurity among citizens and organizations, highlighting the importance of information security and the steps that can be taken to protect data online.

Well, it seems as though there is still significant work to do in this regard; 27% of respondents admitted to using the same password across multiple accounts, whilst 14% keep passwords recorded in unsecured notebooks.

Experts warned that such a lackluster approach to critical cyber-awareness could land employers in hot water.

Donal Blaney, cyber-law expert, Griffin Law said: “Ignorance of the law is no defense. Company directors and business owners owe it to themselves, their staff, their shareholders, and their customers to know how to protect their businesses and their customers’ data. They will only have themselves to blame if this blows up in their face one day.”

Andy Heather, VP, Centrify added:“In an age where cyber-attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instill even the most basic cybersecurity measures in their employees.”

Hundreds of New Cybersecurity Jobs Created in Ireland

Hundreds of New Cybersecurity Jobs Created in Ireland

Ireland is cementing its reputation as an international security hub after four companies announced 400 new cybersecurity jobs in the Emerald Isle in the past three weeks. 

Yesterday, American insurance company Aflac Incorporated announced that it will be opening a new Global IT and Cybersecurity Innovation Center as part of a multimillion-dollar investment in Northern Ireland. 

Belfast has been chosen as the location of the new center, which will create 150 new jobs over the next five years, with an average salary of $55,500. 

“We conducted extensive research in Europe to identify a location that not only has the expertise in IT development and cybersecurity to support our business strategy, but also complements our company culture. We believe we have found that here," said Virgil Miller, executive vice president and chief operating officer of Aflac US. 

Belfast has also been chosen as the location of Contrast Security's new development and delivery center. The DevSecOps company's new facility, announced at the end of September, will bring 120 new jobs to the local economy.

Cybersecurity firm MetaCompliance said on September 30 that it would be creating 70 new jobs in the Northern Irish city of Derry as part of a $5.5 million global expansion plan. The new positions will focus on developing cloud-based solutions for the cybersecurity learning market. 

Also in September, American cybersecurity consulting firm Security Risk Advisors opened its European Headquarters and Security Operations Centre in the southern Irish city of Kilkenny. The site will create 52 jobs over the next five years.

This year's growth in Ireland's cybersecurity sector follows reports in December 2018 that cybersecurity firm Imperva would be creating a new base in Belfast that would generate 220 new jobs.

Invest Northern Ireland has played a key role in this flurry of investment, supporting Imperva's new base with £1.4m, the MetaCompliance expansion with £695,000, and the new Contrast Security center with £786,500 of assistance. The company also offers support through its Skills Growth Programme. 

With so many new jobs being created, the only thing that could prevent Ireland from becoming the biggest star on the international cybersecurity stage is a lack of housing and skilled labor. 

Speaking to the Irish Examiner after the FutureSec conference in Cork on September 24, Ronan Murphy, CEO of multinational cybersecurity firm SmartTech247, said: "The housing crisis is seriously affecting our ability to scale. We're building our own very sophisticated AI and machine learning which we will distribute globally. It's pretty cool that we're doing it from Cork, but there's nowhere to live."

Also speaking to the Irish Examiner post-conference, Koos Lodewijkx, vice president of IBM, which has offices in Dublin, Cork, and Galway, said: "It is a challenging time, and staffing is still in short supply. We would like to expand, but it's hard to find employees."

Amex Employee Suspected of Wrongfully Accessing Customer Data to Commit Fraud

Amex Employee Suspected of Wrongfully Accessing Customer Data to Commit Fraud

A former employee of American Express is under investigation by the police for allegedly accessing customer information with the intent to commit fraud. 

The exact details of the incident have not been disclosed, but the employee is thought to have wrongfully accessed the personal information of Amex customers in America in an attempt to open accounts at other financial institutions. 

Amex began notifying customers of the data breach by letter on September 30. Customers who received the letter were told "as a result of the incident, your name, current or previously issued American Express Card account number, physical and/or billing address, date of birth, and Social Security number were compromised." 

When contacted for comment, Amex would not say precisely how many customers had been affected by the breach but stated that "only a small number of our customers were impacted."

Affected cardholders have been asked by Amex to vigilantly monitor their account statements for the next two years for signs of fraudulent charges. However, Amex has stated that customers whose information was wrongfully accessed will not be held liable for any fraudulent charges.

In the letter sent to customers to notify them of the breach, Amex offered impacted cardholders a free two-year membership with Experian's identity theft and resolution service IdentityWorks by way of compensation. Customers who are already members are being offered the opportunity to extend their coverage for two years free of charge. 

After informing them that their personal information was wrongfully accessed, the letter goes on to tell customers that they will need to entrust their Social Security number and current mailing address to the service provider if they wish to sign up for membership. 

A spokesperson for American Express told Infosecurity Magazine: "Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement. 

"I would note that this was not a breach of American Express’ systems and the person in question is no longer an employee of American Express. In addition, only a small number of our customers were impacted, and those who are affected are being notified. 

"As a reminder, our customers are not liable for any fraudulent charges on their American Express cards. Given this is an active criminal investigation, we can’t provide any further comment."

EA Games Leaks Personal Data of 1600 FIFA 20 Competitors

EA Games Leaks Personal Data of 1600 FIFA 20 Competitors

EA Games has leaked the personal data of 1600 gamers who registered to take part in a competition via the company's website. 

Contenders signing up for the FIFA 20 Global Series competition were asked to enter personal information into what should have been a blank online form to verify their EA account details. But instead of being empty, the form's fields displayed the personal information of gamers who had already signed up for the soccer video game challenge.

Personal information compromised in the breach included email addresses, account ID numbers, usernames, and dates of birth. 

Rather ironically, the breach occurred just hours after EA Games announced that users switching on two-factor authentication would get free access to an Origin Access Basic subscription for four weeks as part of the UK's National Cyber Security Month.

Gamers took to Twitter to vent their frustrations regarding the breach, with one gamer who was confronted with the personal data of a fellow competitor joking that he would send the player a birthday card.

Another gamer, whose personal information was leaked during the breach and who is on Twitter as @Kurt0411Fifa, tweeted: "Before I get to the absolute farce of that competitive bullsh*t, when you click the link register for verification you get other people's personal information!!!!!! WTFF, this is a new low even for this joke of a company."

It didn't take EA Games long to become aware of their balls-up, and the registration page was taken down yesterday, just 30 minutes after it was first put up. 

In a statement regarding the breach released on Twitter yesterday, EA Games said: "We were able to root cause the issue and implement a fix to be clear that information is protected. We're confident that players will not see the same issues going forward."

The games publishing company also said it was taking steps to contact the 1600 gamers affected by the breach with more details and to protect their accounts. 

When contacted for comment by Infosecurity Magazine, EA Games said: "We have issued a couple statements to our community on this topic but aren’t in a position to discuss further at this point. However, I will keep you updated if that should change or we make any further statements."

Registration for the competition remains closed but is expected to re-open in the next few days.

#VB2019: Time For an Ethical Debate on Cyber Moral Decisions

#VB2019: Time For an Ethical Debate on Cyber Moral Decisions

Morals and ethics should be considered when it comes to making decisions in cybersecurity.

Speaking at the Virus Bulletin 2019 conference in London, Ivan Kwiatkowski, security researcher at Kaspersky Lab, said that there are not a lot of discussions on ethics in cybersecurity, as the concept of white hat versus black hat is “the wrong way to think about things” as even the subject of ethical hacking rarely covers the issue of ethics.

Saying he was talking to people “who were thinking of doing something terrible but had not stopped to think about it yet,” he said that this a young industry and we had not developed a moral compass yet, and it is not an issue of maturity or diversity, but people rely on their personal intuition on the decisions that they face.

“Nobody wants someone to tell them right from wrong” he added, but he urged people to realize that “knowledge is power and if you control what people know about something, you can convince people.

“Infosec is about controlling what access people have to certain information.” He said that there are ethical dilemmas that people may face. such as:

  • A legitimate hacking problem – that intelligence agencies and military attack organizations, and some nations set up a “surveillance apparatus which can be invaluable in preventing terrorism,” whilst others rely on “hacking back”, and some people carry the term of hacktivist and feel justified in hacking something or someone
  • Vulnerability handling – when we find a vulnerability, Kwiatkowski said that we still need to reach an agreement on how to handle vulnerabilities. Some companies specialize in selling hacking tools and exploits, and swear that they only do business with governments with a good track record of democracy and human rights. However, he argued: “In some cases, there have been suspect decisions in that regard”

In the case of exploits being sold on the offensive market, he asked if it is a legal or moral issue, as moral decisions change over time. “All cultures may disagree on what morals are, we all have a moral code and maybe those questions are unsolvable and unescapable.”

He went on to say that we “owe it to ourselves” to determine what constitutes ethical behavior and what does not. Concluding, he recommended “allocating more attention to ethics” and said that it was time we adopted a global code of conduct too, and cited the EFF as being able to push that standard.

He also called on conference organizers to consider this, and to concentrate less on celebrities “especially those celebrities whose success may be traced back to suspicious behavior” and instead, he recommended conference organizers to invite philosophers and “victims of cyber-abuse to tell their stories” to let us know our shortcomings.

#VB2019: Cyber Threat Alliance Cites Vendor Collaboration Benefits

#VB2019: Cyber Threat Alliance Cites Vendor Collaboration Benefits

Speaking at the Virus Bulletin 2019 conference in London, members of the Cyber Threat Alliance discussed the benefits of sharing intelligence.

Led by moderator and Cyber Threat Alliance COO Heather King, panelists Kathi Whitbey, program manager of cyber threat intelligence information Sharing at Palo Alto Networks and Jeannette Jarvis, director product marketing at Fortinet, said that there are clear benefits to sharing data, as Jarvis explained: “There is the opportunity to expand and share more deeper intelligence.” 

Jarvis said that there is an intention with the Alliance to “build equal or better ecosystems beyond what our adversaries are doing, and to know what they are sharing” and this can better protect customers with “actionable intelligence.”

Whitbey added that the founding members believed in the “power of collaboration and sharing.” Asked by King how the Cyber Threat Alliance is unique, Jarvis admitted that all of the members have different missions, but the collaborative nature means that companies can get enough data to get the complete picture of an issue.

Pointing at the WannaCry incident in 2017, Whitbey said that within hours they knew what each other was seeing and what the issue was, and “we were able to paint a picture as everyone provided what they had and we could see all the information in real time.”

Jarvis admitted that “no one has all the information” and by sharing they get the complete picture and fill in the gaps. 

The panellists explained that the members don’t have the same technology, customers or are in the same regions, “but if we collaborate we all get into the environment,” Whitbey said.

Jarvis reflected on a previous role at an aerospace company, saying that it was clear from working in that role “that we need to be more connected to help customers.”

#VB2019: Endpoints Remain Vulnerable to WannaCry Two Years On

#VB2019: Endpoints Remain Vulnerable to WannaCry Two Years On

Despite the main infections taking place two and half years ago, a large number of computers remain vulnerable to the WannaCry ransomware.

Speaking to Infosecurity at the Virus Bulletin 2019 conference in London, Sophos security researcher Chet Wisniewski said that there are large numbers of businesses who did not apply the patches, released in March and after the infection in May 2017, so machines still remain vulnerable. “That’s what surprised me, with the amount of hype and the amount of news around that vulnerability, it shows that even standing on the rooftop and lighting your hair on fire is not going to be enough for people to take action,” he said.

“The good news is that there is an accidental vaccination which means that the good people won’t get infected with it,” he said. He explained that a version of WannaCry drops a payload, but that payload is currently corrupted and if another infection is attempted, if that file is detected at all, the infection will not take place.

“Fortunately, all of these copies of WannaCry we’re seeing are neutered,” he added. “It’s not hurting anyone, it’s just spreading around and making a lot of noise.”

Wisniewski went on to say that people are still not realizing that “these weaponized exploits are really dangerous, and BlueKeep has been an interesting trial of this.” In that case, he said that wormable exploits are typically published within hours, but in the case of BlueKeep that has only been added to Metasploit and other companies are using it as a penetration testing tool.

“If people have not patched since 2017, if a BlueKeep publicly exploitable worm was released, instantly millions of machines would be impacted again, and we would be in the same boat as when WannaCry was spreading around,” he said. “Every single one of those machines would be vulnerable as they have not been patched in two years, not to mention all of those that have been patched since.”

Attacks on UK Businesses Soar 243%

Attacks on UK Businesses Soar 243%

Cyber-attacks on UK businesses surged by a whopping 243% over the summer, compared to the same period last year, according to new findings from Beaming.

The Hastings-based business ISP analyzed data from the thousands of organizations across the UK that it supplies.

It found that UK firms experienced 157,528 attacks each on average between July and September, up from 45,970 during the same three months of 2018.

The firm detected nearly 500,000 unique IP addresses used to launch cyber-attacks on UK businesses during the period, with the number originating from China more than doubling over last year. A large number of attacks also originated in Taiwan, Brazil and Russia, Beaming said.

The most frequently targeted systems were Internet of Things (IoT) devices and file sharing services, accounting for 20% and 6% of attacks respectively.

FireEye warned in June of a “dramatic” increase in abuse of file sharing services such as WeTransfer, Dropbox, Google Drive and OneDrive, which are used to host malicious and phishing files in email-borne attacks.

What’s more, cyber-criminals are increasingly gearing up to exploit unprotected IoT devices, according to a Trend Micro report released last month. The firm analyzed chatter on dark web forums across the globe and found routers and IP cameras were the most commonly discussed devices.

Businesses face a threat on two fronts: they could be DDoS-ed or attacked in other ways from botnets of compromised IoT machines like these; or their own operational technology could be hijacked and sabotaged, disrupting key business and manufacturing processes.

“Previous summers have been relatively quiet when it comes to cybercrime, but the hackers haven’t yet taken a break this year. Throughout 2019 we have witnessed new highs in the volume of cyber-attacks hitting organisations in the UK and also the number of active agents behind those attempts,” said Beaming managing director, Sonia Blizzard.

“We are tackling more and more malicious code at a network level to minimize the threat of online attacks to our customers. The hackers are after the weakest link they can find, so companies need to boost their resilience to these sustained, indiscriminate attacks. They can do this by ensuring their software and cybersecurity defenses are up-to-date, putting in place measures such as managed firewalls and educating employees to help them avoid the main risks they could be exposed to.”

UK Councils Faced 800 Cyber-Attacks Per Hour in 2019

UK Councils Faced 800 Cyber-Attacks Per Hour in 2019

The UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019, according to insurance broker Gallagher.

Of the 203 councils that responded to the firm’s Freedom of Information (FOI) requests, nearly half (49%) had been targeted since the start of 2017, with over a third (37%) attacked in the first half of the year.

Over the first six months of 2019, those councils experienced 263 million attacks — a number that is likely to be much higher if those authorities which chose not to answer the FOI request were factored in.

However, despite the barrage, most authorities seem to be holding up: just 17 attacks were reported to have resulted in the loss of data or money, although one council reported the loss of over £2m, according to Gallagher.

Just 13% of local authorities have cyber insurance, a figure the firm would obviously like to see much higher.

“Councils are facing an unprecedented number of cyber-attacks on daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot,” argued Tim Devine, managing director of Public Sector & Education at Gallagher.

“Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber-insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”

However, most of the attacks noted in the report are likely to be the result of “automated probing and discovery tools” and therefore should not be classed as true security incidents, according to Tripwire senior director, Paul Edon.

“However, the truth of the matter is that many local authorities and councils still remain unprepared for a true cyber-attack,” he added.

“To get security right, organizations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded. Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”

Experts Slam US, Australia and UK’s Facebook Encryption Demands

Experts Slam US, Australia and UK’s Facebook Encryption Demands

Security and privacy experts have heavily criticized an attempt by the UK, US and Australian governments to strong arm Facebook into halting its roll-out of end-to-end encryption.

Mark Zuckerberg announced a major overhaul of the social network in July following its $5bn fine from the FTC — a move which will include creating a privacy-by-design culture in the firm and extending end-to-end encryption beyond WhatsApp to Instagram and Messenger.

However, western governments are predictably dismayed at any efforts which will confound attempts by their intelligence agencies and the police to track suspects.

A widely reported open letter to Facebook from three-fifths of the Five Eyes nations demanded that the firm not continue with the encryption roll-out “without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.”

That effectively means backdoor access for governments and law enforcers, something that the world’s leading cryptographers have repeatedly stated is not possible without undermining security for all.

Hannah Quay-de la Vallee, senior technologist at the non-profit Center for Democracy and Technology (CDT), repeated these arguments.

“Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information,” she explained.

“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”

NSA whistleblower Edward Snowden also chipped in, warning that if Facebook caves to these government demands, “it may be the largest overnight violation of privacy in history.”

That doesn’t seem likely though, with a Facebook statement issued to confirm: “We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”

The open letter comes as the US and UK trumpeted a new “world first” data sharing agreement, that will allow law enforcers on both sides of the Atlantic to demand data from tech firms in the other country without needing to go through a lengthy liaison process with their respective governments.

FDA Issues Cybersecurity Warning for Medical Devices

FDA Issues Cybersecurity Warning for Medical Devices

The US Food and Drug Administration (FDA) issued a warning on Tuesday over vulnerabilities detected in decades-old software being used by many medical devices and hospital networks. 

The 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. If exploited, the vulnerabilities could allow hackers to remotely control a medical device, change its function, obstruct service, or trigger information leaks that could stop it from working.

Makers of the original IPnet software, Interpeak, no longer support it, but some manufacturers have a license to use it without support, meaning it could be incorporated into other software applications, equipment, and systems still in use in medical devices. 

IoT security company Armis discovered the vulnerabilities in the IPnet stack, collectively known as URGENT/11, back in July 2019. As a result, more than 30 vendors have issued security advisories. 

When the vulnerabilities were discovered, it was thought that they only affected some versions of the popular real-time operating system Wind River VxWorks. However, the true impact of the cybersecurity risk is much greater because the IPnet software was licensed and used in multiple operating systems employed by the healthcare industry. 

According to the FDA, some versions of operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component. 

Medical devices affected so far include an imaging system, an infusion pump, and an anesthesia machine. The FDA said in its warning that it "expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software." 

IPnet's vulnerabilities are zero-day, meaning that they have existed since the software's creation. 

The Cybersecurity and Infrastructure Security Agency issued a warning regarding cybersecurity vulnerabilities in Wind River VxWorks on July 30.

The news follows the release of a 45-page guidance document, Principles and Practices for Medical Device Cybersecurity, this week by the International Medical Device Regulators Forum (IMDRF).

The document, which was put together by the FDA and Health Canada, says regarding third-party components: "These components can create risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices. 

"Similarly, post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."

Nearly 70 US Government Organizations Hit by Ransomware Since January

Nearly 70 US Government Organizations Hit by Ransomware Since January

Ransomware gangs, intent on stealing American dollars, have struck at least 621 targets in the US government, education, and healthcare sectors since January. 

report into stateside ransomware attacks, released on October 1 by antivirus company Emisoft, which is an associate partner in Europol’s No More Ransom Project, paints a picture of a nation in a serious cyber-predicament. 

At least 68 state, county, and municipal entities have been impacted by this particular type of attack since the beginning of the year. In just one attack on Baltimore, MD, carried out in May using the ransomware RobbinHood, recovery costs are estimated to have been $18.2 million. 

A Ryuk attack on Lake City, FL, in June led to insurers forking over a $460,000 ransom minus a $10,000 deductible, and only part of the data affected was recovered. 

So far this year, there have been at least 62 ransomware incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges, and universities.

The healthcare sector has suffered just under 500 attacks since this year's ball drop in Times Square heralded the start of 2019.

Fabian Wosar, Emisoft CTO, told Infosecurity Magazine: "When we look at absolute numbers in all areas—business, government, and home users—ransomware is on the decline. However, this is mostly due to the fact that ransomware gangs focus on business and government targets these days instead of the large-scale spray-and-pray attacks against home users that were dominant just a few years ago. So, while the pressure on home users went down dramatically, it skyrocketed for those other areas."

Describing the biggest ransomware payout he had come across, Wosar said: "The biggest confirmed payout I have seen was $700,000, but I cannot disclose specific details about that case."

How an organization decides to deal with a ransomware attack has a major bearing on whether it will be re-targeted at a later date. 

Wosar told Infosecurity Magazine: "What definitely will make you a big target is if you got ransomed and paid. During a lot of these attacks we have seen ransomware groups leave behind backdoors that allow them to access the systems again in the future. Given this backdoor access and your willingness to pay for your data, you become a prime target for a second attack later down the line."

Sharing his predictions on how ransomware attacks will evolve, Wosar said: "I believe that attacks on organizations with outsourced infrastructure and IT will become increasingly common. The tools used by MSPs and other service providers act as a gateway to their clients’ systems and, as we saw in the Texas and PercSoft incidents, enable multiple organizations to be ransomed in one fell swoop."

NiceHash Co-Founder, Wanted in the US, Arrested in Germany

NiceHash Co-Founder, Wanted in the US, Arrested in Germany

The co-founder and former CTO of cryptocurrency mining marketplace NiceHash has been arrested by German federal police in connection with US charges of racketeering and fraud. 

According to the news website 24ur.com, Matjaz Škorjanc was arrested on Monday in Schwarzbach after crossing the German border in a car with Slovenian license plates. 

Slovenian national Škorjanc is wanted in the US on suspicion of being a member of a criminal organization that committed a number of cyber-frauds between 2008 and 2013. 

The US alleges that the 33-year-old set up and managed online password-protected hacking forum Darkode, in which cyber-criminals convened to buy, sell, trade, and share information, ideas, and tools to facilitate unlawful intrusions into others’ computers and electronic devices.

Darkode was shut down in 2015 as part of an internationally coordinated law enforcement effort called Operation Shrouded Horizon.

Škorjanc, who was known online as "iserdo" and "serdo," is further accused of creating and deploying the malicious botnet Mariposa, which harvested personal data from nearly a million computers around the world. Mariposa caused estimated damages of around $4 million after using cyber-scamming and denial-of-service (DOS) attacks to effectively turn infected computers into remotely controlled zombies. 

An indictment was filed in the US District Court for the District of Columbia on December 4, 2018, against Škorjanc, fellow Slovene Mentor Leniqi, Spaniard Florence Carro Ruiz, and American Thomas McCormick. Each of the accused was charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud. The racketeering conspiracy charge includes conspiracy to commit bank, wire, and access device fraud, identity theft, hacking, and extortion. 

McCormick—the last known administrator of the Darkode forum—was also charged with five counts of aggravated identity theft. He was arrested at the FBI’s Washington Field Office in Washington, DC, six days after the indictment was filed.

If convicted of the charges, each of the accused could spend up to 50 years behind bars.

Škorjanc has already served four years and ten months in a Slovenian prison after being convicted for his role in the Mariposa botnet.

Škorjanc's father and H-Bit CEO Martin Škorjanc said: "There is no real legal basis for the prosecution, as Matjaz Škorjanc was already convicted for the same act as prosecuted by the US prosecutor, and the sentence has already been fully passed in Slovenia. 

"It is an inadmissible retrial of the same thing; it is forbidden by Slovenian, European, and American law."

Security Serious Awards: Infosecurity Magazine, Canon Europe and Cordery Among Winners

Security Serious Awards: Infosecurity Magazine, Canon Europe and Cordery Among Winners

The annual Security Serious “Unsung Heroes” awards were announced at an event in central London last night.

The fourth annual awards are intended to celebrate the people of the cybersecurity industry, recognizing the individuals and teams working hard to protect Britain from cybercrime and raise awareness of security issues.

Compered by Stephen Bonner, partner at Deloitte UK, and organized by Eskenzi PR, Smile on Fridays and IT Security Guru, they were supported by sponsors (ISC)2, Nozomi Networks, KnowBe4 and LMNTRIX.   

“It can often be a thankless task working in cybersecurity; and as an industry, we tend to focus on technology and innovation,” said lead organizer of Security Serious Week, Yvonne Eskenzi.

“The cyber skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it.”    

The full list of winners were:  

Security Leader
Winner: Joe Hancock – MDR Cyber
Highly Acclaimed: James Packer – (ISC)2
 
Cyber Writer
Winner: Dan Raywood – Infosecurity Magazine
Highly Acclaimed: Kate O'Flaherty – Tech Journalist
 
Best Security Awareness Campaign
Winner: Host Unknown 
Highly Acclaimed: City of London Police
 

Rising Star
Winner: Hamish McGowan – Channel 4
Highly Acclaimed: Sophia McCall – Bournemouth University 
 
Captain Compliance
Winner: Jonathan Armstrong – Cordery Compliance
Highly Acclaimed: David Hyett - UKRI
 

Best Educator
Winner: Bayside School Cyber Club supported by GVC Group 
Highly Acclaimed: Toni Scullion and the Turing’s Testers
 
Best Ethical Hacker / Pentester
Winner: Rob Hillier – XQ Cyber
 
Security Avengers
Winner: Ascential
 
CISO Supremo
Winner: Quentyn Taylor – Canon Europe
Highly Acclaimed: Shan Lee – Transferwise

Godparent of Security
Winner: Paul Simmonds – Global Identity Foundation
Highly Acclaimed: Adrian Davis – Consulting COO & CIO

Airbus Supplier Attacks Part of Multi-Vertical Campaign

Airbus Supplier Attacks Part of Multi-Vertical Campaign

Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.

Reports had suggested the attacks — which affected UK engine-maker Rolls Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or a regional branch of the country’s Ministry of State Security, known as JSSD.

However, security researchers at Context believe the attacks are the work of another nation state hacking group. Although the firm falls short of blaming China, it admits that the “Avivore” group does operate in the same time zone, and shares some similarities with APT10/JSSD.

The group’s attack methodology follows a set pattern. After using compromised user credentials and legitimate remote access tools to infiltrate targeted networks, hackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.

Next, they conduct account and host enumeration using “net” commands, schedule execution of scripts and tooling run in the context of the “SYSTEM” user, and remove any traces of scripts, tooling and event logs following execution. RDP is also used for lateral movement.

While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.

The group abused the commercial VPNs and other collaborative solutions used by large multi-nationals and smaller engineering or consultancy firms in their supply chain. Other legitimate tools leveraged by Avivore include network scanning and certificate extractions tools, and Windows SysInternals tools such as ProcDump.

Binaries were disguised as Windows DLLs, with tools executed remotely using scheduled tasks and then removed, according to Context.

“Avivore showed themselves to be highly capable; adept at both 'living-off-the-land' and in their operational security awareness; including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror working times and patterns of these users to avoid arousing suspicions,” explained the report.

“They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities: e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies.”

Although most Avivore activity has taken place since early 2018, the researchers claimed that the PlugX Remote Access may have been deployed on victim networks as early as October 2015.

Other verticals thought to have been targeted include automotive, consulting, energy/nuclear and satellite/space technology.

Zendesk Breach Hits 10,000 Corporate Accounts

Zendesk Breach Hits 10,000 Corporate Accounts

Customer support software giant Zendesk has discovered a security breach dating back to 2016, affecting thousands of corporate clients.

After being alerted to the incident by a third party, the firm last week identified 10,000 Zendesk Support and Chat accounts which had been accessed by an unauthorized third party.

Although this number contained some trial accounts and others that are no longer active, Zendesk has a number of high-profile clients including Airbnb, Uber and OpenTable that could be affected.

There’s apparently no evidence that ticket data was accessed. However, email addresses, names and phone numbers of agents and end users of certain Zendesk products up to November 2016 were accessed, as well as hashed and salted agent and end user passwords. In this context, “agents” are the customer support staff from client organizations who use the software, while “end users” are their customers.

The firm said there’s no evidence these passwords were used to access Zendesk services.

In addition, for around 700 accounts, the TLS encryption keys and the configuration settings of apps installed from the Zendesk app marketplace or private apps were accessed.

“As a precautionary measure, in the next 24 hours, we are starting to implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016,” Zendesk explained.

“This password rotation will impact all other products which share authentication with Support, including Guide, Talk and Explore. Upon their next login, each of these users will be required to create a new password. You will not be impacted by this if we have been able to identify that you have updated your password since November 1, 2016 or have implemented Single Sign-On in connection with your account.”

The firm urged customers with accounts dating back prior to November 1 2016 to: rotate all credentials for any Zendesk Marketplace or private apps, upload new TLS certificates and revoke the old ones and rotate authentication credentials used in Zendesk products before the November date.

Over 20 Million Russian Tax Records Exposed in Privacy Snafu

Over 20 Million Russian Tax Records Exposed in Privacy Snafu

Over 20 million Russian tax records were found publicly exposed in a misconfigured Elasticsearch database last month, in yet another privacy snafu.

Security researcher Bob Diachenko teamed up again with Comparitech to discover the unsecured server, which contained personally identifiable information (PII) on Russian citizens dating from 2009-2016.

Lacking password protection or any other authentication mechanism, the Amazon Web Services Elasticsearch cluster was first indexed by search engines in May 2018. Diachenko discovered it on September 17 and notified the Ukraine-based owner.

Although the researchers are still unclear what entity managed the database, it was made inaccessible three days after Diachenko raised the red flag.

The unencrypted PII included names, addresses, residency status, passport and phone numbers, tax ID numbers, and employer names and phone numbers. It sat exposed for over a year.

“The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data. Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area,” explained Comparitech’s Paul Bischoff.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over six million from 2009 to 2015.”

The data is highly sensitive and could be used to craft convincing follow-on phishing and identity fraud schemes.

Organizations across the globe are failing to protect their Elasticsearch databases. This year alone, researchers have used simple online search tools to find: 8TB of email metadata belonging to a leading Chinese university, 24 million financial records from multiple banks, a copy of the Dow Jones Watchlist containing 2.4 million records and PII on 82 million Americans exposed by a mystery company.

AWS S3 buckets and MongoDB instances are also commonly misconfigured, exposing countless organizations and their customers to the threat of data theft.

#VB2019: Telcos Faced Sustained Exfiltration Attack Efforts

#VB2019: Telcos Faced Sustained Exfiltration Attack Efforts

Speaking at the Virus Bulletin 2019 conference in London, Cybereason researchers Amit Serper, Mor Levi and Assaf Dahan discussed the “worldwide campaign against telecommunication providers” that they coined Operation Soft Cell.

Described by Serper as an access operation which was a “multi-wave attack,” he said that the operation targeted call detail records (CDRs) which contain details of call information, where calls are made and the originating number and IMEI number.

“With this you can build a complete picture of a person and where they are located through the day,” he said. “You get a lot of information without getting on the phone as metadata is siphoned off.”

Levy said an investigation usually started with small pieces being tied together, and the researchers were able to learn more about the attacker. Levy said that the investigation started in 2018, and nothing was unusual at first, but second, third and fourth waves of attack were spotted, which led them to conclude that this was the same actor “as behavior and techniques were almost the same, and they were adaptive and changing indicators to bypass detection.” It was later revealed by the researchers that the compromise had sometimes gone on for up to seven years.

During the third phase, the researchers realized the attacker was not after bill data or domain administrator details.

Dahan said that the attacker was able to get in, do external reconnaissance, and use third party tools for exfiltration and to move laterally and obtain credentials.

“We understood that the attack was on exfiltration, as they compressed and password protected it,” Dahan said. Serper pointed out that remote access Trojans like Poison Ivy were used. 

Levy added that it was “hard to connect the dots but we knew the bigger picture,” and the purpose of the threat intelligence research was to get the big picture. The companies were informed, and it initially expanded from Cybereason’s customer to dozens of other telcos.

The research also revealed that a lot of the attacks took place in GMT+8, the Chinese time zone, where a two-hour lunch break was also taken. Serper concluded by saying that upon telling those affected, he got very negative responses as “cyber insurance doesn’t cover nation state attacks as it is an act of war.”

Hackers Are Impersonating Each Other to Hide Their Real Agendas

Hackers Are Impersonating Each Other to Hide Their Real Agendas

Threat actors have been using cyber-disguises to keep their true intentions secret, according to a report published today by Optiv Security.

Typical cyber threat intelligence usually categorizes threat actors in fixed classes, such as nation-states, cyber-criminals, commercial entities, and hacktivists. But, according to Optiv’s new 2019 Cyber Threat Intelligence Estimate (CTIE) report, "it’s a mistake to assume these categories are rigid or to assume that a threat actor’s classification is static."

The CTIE report is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. The CTIE comprises contributions from Optiv’s Global Threat Intelligence Center (gTIC), cyber threat intelligence company IntSights, and Carbon Black, a leader in cloud endpoint protection.

Optiv researchers found that it's not unusual for threat actors to have multiple criminal identities that they can switch between to get what they want without revealing who they are or what their actual agenda is.

For example, nation-state actors may pretend to be just a regular cyber-criminal targeting a company’s customer database, when in reality their target is to delve into the firm's deepest recesses to steal its intellectual property. 

According to the report: "Sometimes threat actors may masquerade as a certain type in order to hide their true agenda. Or, threat actors may belong to two or more classes, switching between them as their priorities change."

Threat actors who demonstrate this switching behavior to cloak the true nature of their dastardly deeds are described by Optiv's researchers as "hybrid threat actors." According to the report, their primary targets are governments, manufacturing, energy, and utilities. 

According to Optiv CISO Brian Wrozek, spotting when an impersonation is taking place is "quite difficult." He told Infosecurity Magazine: "Imagine robbing a bank, but the bank robber is able to present themselves as a police officer. It would be extremely difficult to identify that person. Security professionals look for patterns, which can create opportunities for bad actors to abuse those patterns to obscure their true identities."

Asked which class of threat actor is the easiest to impersonate, Wrozek said: "It’s difficult to say which is easiest, but one of the most common places we see this is in regard to nation-states. With so much politically driven activity regarding cybersecurity happening across the globe, it can be easy for nation-states to play the blame game with one another, making attribution difficult. Also, no one likes to admit they got hacked by some random individual. Saying a rich, powerful nation-state was behind an attack is much less embarrassing, so there’s that aspect to consider as well."

Other findings of the report are that crypto-jacking and ransomware attacks are increasing in popularity, and that retail, healthcare, government, and financial institutions continue to be among the most targeted verticals of cybersecurity attacks or attempts among the 10 categories of Optiv clients.

"Cyberspace has become more hostile. Hackers are more organized and sophisticated in 2019, and we’re seeing malicious attackers increase their counter measures to avoid detection,” said Tom Kellermann, chief cybersecurity officer at Carbon Black. 

"According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks. We hope cybersecurity leaders and teams will use this data as a clarion call to improve their cybersecurity postures."

10 Hospitals Held to Ransom by Cyber-Criminals

10 Hospitals Held to Ransom by Cyber-Criminals

Ten hospitals in Australia and the United States have been hit by ransomware attacks since Monday. 

In America, computers at three Alabama hospitals operated by DCH Health System were affected, causing staff to close their doors to any new patients who weren't critically ill. 

In a statement posted on their website earlier today, DCH wrote: "Early Oct 1, the DCH Heath System discovered that it had suffered a ransomware attack that impacted their systems. We immediately implemented emergency procedures to continue providing safe and patient-centered care."

The hospitals affected by the attack are DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center. While access to computer systems remains limited, local ambulances are taking patients to other healthcare providers located nearby. 

Surgeries scheduled for tomorrow will go ahead however outpatients with appointments at any of the three hospitals affected by the ransomware attack are advising to call to confirm before attending. 

Services at seven hospitals and healthcare facilities in Australia have likewise been boggled by ransomware in a separate cyber-attack which struck in Gippsland and south-west Victoria on Monday. 

The impacted hospitals are part of the South West Alliance of Rural Health and also of Gippsland Health Alliance. Multiple computer systems have been disconnected to while the Victorian Cyber Incident Response Service works to resolve the situation. 

Barwon Health, which operates hospitals affected by the attack, said that some elective surgeries and appointments had been cancelled. 

The Victorian government's Department of Premier and Cabinet said: "A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact. 

"At this time, there is no suggestion that personal patient information has been accessed."

Commenting on the ransomware attacks, senior director of managed threat response at Sophos, J.J. Thompson, said: "Ransomware is foreseeable and preventable. Organizations need to have effective, advanced protection in place at every state of an attack. The techniques, tactics and procedures that occur prior to a ransomware incident can and should be detected by existing security capabilities and are foundational pillars to the patient care model in healthcare 4.0.

"It’s also important to have off-site backups to reduce the pressure to comply with expensive ransom demands and to be able to recover faster."

America Launches New Cybersecurity Directorate

America Launches New Cybersecurity Directorate

America's National Security Agency has launched a new organization to beef up the country's defenses against cyber-attackers. 

The Cybersecurity Directorate has been created to unify the efforts of the NSA's existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency's threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.

Underpinning the creation of the directorate is the idea that forming partnerships to allow intelligence and technical expertise to be pooled and operationalized represents America's best chance of thwarting cyber-adversaries. 

A spokesperson for the NSA said: "Many organizations work tirelessly to protect against today’s threats and tomorrow's risks, but the adversaries are tenacious, and they only need to be successful once.

"The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity.

"The new directorate will also better position NSA to operationalize its threat intelligence, vulnerability assessments, and cyber-defense expertise by integrating these efforts to deliver prioritized outcomes." 

One of the NSA's partners is the Department of Homeland Security, with whom the Agency has been working to identify and monitor the systems in the financial sector that make the easiest hacking targets.

By launching the new directorate, the NSA hopes to strengthen the cyber-shield protecting the country's national security systems and critical infrastructure from threat actors. 

Topping the freshly launched organization's list of priorities are defending America's industrial base and innovating ways to improve the security of the nation's extensive arsenal of weapons. 

Helping to safeguard the private sector is also something that the new directorate will focus on. Efforts will be made to declassify threat intelligence received by the new organization as speedily as possible so that it can be shared with US businesses. 

NSA director General Paul Nakasone said: "What I’m trying to get to in a space like cyberspace is speed, agility, and unity of effort."

Leading the new Cybersecurity Directorate is director of cybersecurity Anne Neuberger, who reports directly to General Nakasone. Her previous positions include NSA’s first chief risk officer, deputy director of operations, and lead of NSA’s Russia Small Group. 

#VB2019: Magecart Attack Groups Move to More Targeted Efforts

#VB2019: Magecart Attack Groups Move to More Targeted Efforts

Speaking at the Virus Bulletin 2019 conference in London, Yonathan Klijnsman, head of threat research at RiskIQ, said that many groups had been identified as being behind recent Magecart attacks, but new movements were being made towards more targeted attacks.

Klijnsman explained that traditional Magecart attacks groups would get into a company’s network, and they would typically target e-commerce organizations, with only “25 lines of javascript.” He said that the web skimmers worked on the server side, and in 2016 RiskIQ observed more groups starting to do this, “and there are 15 active groups that we tracked.”

Pointing to Group 6 that IBM’s X-Force published a report on, Klijnsman said that “once they are in your network they will know more than you do, they are the admins you want to hire.” The group later hit both NewEgg and British Airways, having access to the former for six months, but crucially not being present during Black Friday, as they had been detected and removed by then.

Another called Group 5 are “experts in support,” and Klijnsman said that they know of at least 20 suppliers that have been hit by this group. “They hit one supplier who had over 100,000 victim websites” and while it delivers malicious code, it will not have access to payment data.

A group that RiskIQ plans to reveal more details on in the coming months is Group 15, who Klijnsman said are “very specialized” as they have built a framework for skimming, and are able to remove a payment form and put their own in it's place.

This, he said, was part of the evolution of the groups, as they are doing more targeting and learning more about content management systems. In the case of the attack on Ticketmaster, this was enabled by a compromise of Sociaplus between December 2017 to June 2018.

This was part of one of the three main compromise capabilities: via outdated or misconfigured systems, via password reuse as groups are looking at breached user lists and supply chain attack.

“The latter is not something people are talking about and while you want analytics and CDNs and services, they make you vulnerable and make your customers and visitors vulnerable to attack.”

#VB2019: NCSC Reflects on Three Years of Countering and Attribution

#VB2019: NCSC Reflects on Three Years of Countering and Attribution

As it prepares to mark its third anniversary of opening, the National Cyber Security Centre (NCSC) has said that defending the UK is a team effort and encouraged more businesses to work with it.

Speaking at the Virus Bulletin 2019 conference in London, director of operations at the NCSC Paul Chichester, reflected on the work done to create the NCSC, and how UK businesses needed to work alongside it.

Chichester explained that the momentum for a response center had begun when, in the 2000s, the attackers targeting the UK were looked at closer, and today “there are 20 nation state threats that we track” and while it does not track all threats and compete with commercial companies, it can “understand additional insights.” 

He said that with 20 years of capability and insight to understand threats to the UK, the government funding in 2010 led to the development of the NCSC, which solved the problem of the “obvious flaws in the approach that the UK took,” in particular that there was no single point or place to go to report issues. 

Admitting that the work of the NCSC will not stop the UK being an interest for attackers, Chichester pointed out that it is able to counter threats. “Our work in the past has been on observing threats, and our view is that it is not about counting but countering the threat,” he added. 

He also said that as the NCSC is responsible for attribution, the UK government understands the context of threats and can assess threat as it pertains to the UK. “Also, we don’t respond with a red button, but by helping people, reporting to the victim and doing victim notification,” he continued, that the NCSC does “a huge amount of work in the UK and works with organizations to help them recover. Attribution is an art, not a science,” he said.

He concluded his talk by saying that the NCSC wants to collaborate more, and work with people in the industry “and for us it is a team sport and please talk to us - we care about the things you care about.”

Later speaking to Infosecurity, Chichester said that the efforts undertaken by the NCSC include doing formal attribution, and protecting the anonymity of the organizations it protects. As part of this, it feeds tactical intelligence via its CISP and partner channels, and he said that companies are often not judged by the compromise, “but how they deal with it.”

Asked if businesses are coming to the NCSC to collaborate, Chichester said they are “massively” and this is fundamental for the business. “We want people to come to us to get insight into threats at a macro level, and we want to work with organizations to help us understand what they are seeing and doing [regarding] incident response.”

Two-Thirds of Firms Have Suffered ERP Data Breaches

Two-Thirds of Firms Have Suffered ERP Data Breaches

Nearly two-thirds of businesses which rely on SAP or Oracle have suffered a breach of their ERP systems in the past two years, according to new research from Onapsis.

The security vendor commissioned IDC to poll 430 IT decision makers knowledgeable about their organization's ERP applications.

Of the 64% that have suffered a breach of SAP or Oracle E-Business Suite (EBS), sales data (50%) was most commonly compromised, followed by HR data (45%), personal customer information (41%), intellectual property (36%) and financial data (34%).

The range of sensitive information listed above highlights the crucial role security teams have in protecting ERP applications, especially considering that, on average, three-quarters (74%) of these ERP applications were internet connected.

“ERP applications can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays,” said Frank Dickson, program vice-president, cybersecurity products with IDC.

“Cyber-miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The high volume of breaches is also somewhat at odds with another finding: that 78% of respondents audit their ERP apps every 90 days or more.

Larry Harrington, former chairman of the Global Board of the Institute of Internal Auditors (IIA), said the findings should raise questions at a board level about the quality of such audits.

“The lack of these controls is one way for cyber insurance companies to deny claims,” he warned “The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

WEF: Cyber-Attacks Are Biggest Business Risk in Europe and US

WEF: Cyber-Attacks Are Biggest Business Risk in Europe and US

Cyber-attacks remained the biggest perceived risk of doing business for executives in North America and Europe, and second globally, according to an annual World Economic Forum (WEF) report published yesterday.

Compiled from the responses of over 12,900 executives in 133 countries, the Regional Risks for Doing Business 2019 report outlines “the five global risks that you believe to be of most concern for doing business in your country within the next 10 years.”

Cyber-attacks were pegged as the biggest risk by CEOs in six of the world’s 10 largest economies: the US, Germany, the UK, France, Italy and Canada, as well as Italy and six other European countries.

Data fraud or theft was put in seventh place in terms of most concerning business risks for global respondents.

“The fact that cyber-threats worry the business community as much as they do academia, civil society, governments and other thought leaders shows just how disruptive this risk is to all aspects of life,” the report noted.

“As economies and societies continue to digitize, cyber-attacks are both more lucrative for attackers and more dangerous for victims.”

The WEF report highlighted the emergence of “formjacking” or Magecart attacks, alongside cryptojacking and the persistent threat of ransomware including the major losses suffered by Norsk Hydro as contributing to CEO unease over cyber-threats.

Some 61% of European businesses reported cyber-incidents in 2019 compared to 45% the previous year, according to insurer Hiscox.

In the US, the report pointed to a spate of ransomware attacks on local government authorities across the country and concerns over the security of election systems.

“Cybersecurity remains the most concerning risk to business leaders in advanced economies, and growing technology dependence for many businesses will only amplify this,” argued John Drzik, president of global risk and digital at Marsh.

“Combined with fractious geopolitical developments, and growing economic concerns, executives face a very challenging portfolio of potential threats. Business leaders should re-evaluate their underlying view of the global risk environment and make greater efforts to strengthen their corporate agility and resilience.”

Former Yahoo Employee Pleads Guilty to Hacking Accounts

Former Yahoo Employee Pleads Guilty to Hacking Accounts

A former Yahoo employee has pleaded guilty to hacking thousands of customer accounts in search of sexual images and videos.

Reyes Daniel Ruiz, 34, of Tracy, California, admitted in a San Jose federal court on Monday to hacking around 6000 accounts — targeting those belonging to young women, including friends and colleagues.

He is said to have copied the content to a hard drive at home, although Ruiz destroyed it after his employer raised the alarm about suspicious activity.

It’s unclear exactly how he actually compromised the accounts, but the Department of Justice claimed he was first able to “crack” user passwords to access internal Yahoo systems.

Once inside, he was then able to compromise other accounts, including iCloud, Facebook, Gmail and DropBox — presumably if password reset emails were sent to the hacked Yahoo accounts.

Ruiz was charged with one count of computer intrusion and one count of interception of a wire communication. Under a plea agreement he admitted to the first charge, which carries a maximum sentence of five years behind bars plus a fine of $250,000.

Carl Wearn, head of e-crime at Mimecast, argued that all organizations should have measures in place to mitigate the insider threat, and claimed the incident shows that password resets represent a serious business risk.

“We need to make it harder for hackers to trickle into a number of systems from one weak point. A starting point is to monitor systems for unusual behavior. A pattern of multiple employees resetting passwords, for example, should trigger a warning,” he added.

“Additionally, there should always be multiple administrators so that access privileges are not abused. Businesses may not be able to prevent every employee from using their skills or access for malicious means, but they can put a plan in place for spotting and tackling such behavior.”

Prying-Eye Vulnerability Exposes Online Meetings to Snooping

Prying-Eye Vulnerability Exposes Online Meetings to Snooping

Web-conferencing users who don't assign passwords could be having online meetings with more people than they think, according to new research.

The Cequence CQ Prime Threat Research team today announced its discovery in July 2019 of a vulnerability in the Cisco Webex and Zoom video-conferencing platforms that potentially exposes millions of online meetings to snooping.  

By launching an enumeration attack that targets web-conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs, threat actors could exploit the vulnerability to view and listen to active meetings that haven't been protected by a password. 

"In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community," said Shreyans Mehta, Cequence Security CTO and co-founder. 

"In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web-conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities."

Following best practices on vulnerability disclosures, the CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings.

Richard Farley, CISO of Zoom Video Communications, Inc., said: "Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature."

The Cisco Product Security Incident Response Team (PSIRT) issued an informational security advisory to its Webex customers, but said it "is not aware of any malicious exploitation of this potential attack scenario."

PSIRT said: "Cisco Webex provides the host with controls that protect the meeting—such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication."

Passwords are enabled as a default setting for meetings on both the Zoom and Cisco Webex platforms. However, users who are in the mood to live dangerously have the option to make meetings on both platforms password-free. 

Publishers Targeted by GhostCat Malware

Publishers Targeted by GhostCat Malware

A malicious campaign that waged 13 attacks against hundreds of well-known publishers has been identified and put down by The Media Trust.  

Rather appropriately for the Halloween season, the malware was given the name GhostCat-3PC by researchers in the Trust's Digital Security & Operations (DSO) team. 

GhostCat-3PC ran behind an ad that used advanced, obfuscated code and delivery patterns to evade detection by the traditional signature-based ad blockers used by many of the publishers. 

After a quick prowl to check if the user was on a list of targeted domains, GhostCat would initiate a fraudulent pop-up that, if clicked, led to malicious content. 

The team discovered the malware in late August and observed it escalate its attack until well into September.

"What makes GhostCat-3PC unique is the scale of this highly orchestrated campaign, the sophistication of obfuscation techniques to outsmart security tools, and what appears to be an attempt to test and track the response of signature-based security defenses," Mike Bittner, The Media Trust's associate director of digital security and operations, told Infosecurity Magazine.

"Bad actors behind GhostCat-3PC know what blockers are present in these publications and are likely using these attacks as a kind of stress test to determine the risk of being discovered and impeded."

In a report published today, the DSO researchers explained how the creators of GhostCat hid malicious code inside seemingly innocuous code to get the malware past ad blockers. 

The researchers wrote: "Most blockers work by detecting known malicious signatures found in an ad tag or on a publisher site. These signatures are typically static in nature and therefore must result in an exact match to the malicious code in order to be successful. Any change to the targeted code, no matter how minor, will prevent the blocker from producing a match to the specified signature."

The Media Trust sees an average of 1,000 active, unrelated incidents in any 24-hour period, and more than 170 newly minted malicious domains each day. 

Asked how new ad blockers need to be to have any kind of effect against this continually evolving threat, Bittner told Infosecurity Magazine: "Pre-2019 blockers would be useless.

"Signature-based defenses like conventional blockers will have to update their keyword blocklists many times each day just to keep up with bad actors’ relentless assault. Just this past month, five premium publishers using conventional blocking solutions have had at least one major incident unrelated to GhostCat-3PC."

Russian Underground Sells Disinformation Services to Influence Western Media

Russian Underground Sells Disinformation Services to Influence Western Media

Engaging threat actors to launch a disinformation campaign in the Western media is "alarmingly simple and inexpensive" according to a new report.

Using the Recorded Future platform, Insikt Group researchers set up a fake company located in a Western country to gain insight into the chilling world of disinformation. Researchers then hired two sophisticated disinformation vendors, which they found on a Russian-speaking underground forum, to influence public perception of the fictitious company.

The first vendor, given the code name Raskolnikov in the report (presumably as a nod to Dostoevsky's protagonist in Crime and Punishment), was engaged to paint a positive picture of the company. The second vendor, code-named Doctor Zhivago, was hired to destroy the reputation of the company, which was code-named Tyrell Corporation in the report. 

Researchers were able to launch a customizable month-long media campaign with each vendor for only a few thousand dollars. Services ranged from $8 for a social media post to $1,500 for SEO services and traditional media articles.

Raskolnikov created accounts for Tyrell Corporation on major Western social media platforms and gathered over 100 followers on each account. They offered a price list for sharing content on 45 websites, including ft.com, thelondoneconomic.com, eveningexpress.co.uk, and thefintechtimes.com.  

Insikt Group researchers said: "In two weeks, the Tyrell Corporation was in the 'news'—one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century."

Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. The threat actor used social media to spread claims that Tyrell Corporation had manipulated employees, and even offered to file a complaint against the company for its supposed involvement in human trafficking. 

Researchers said: "First, a group of older accounts—referred to as 'aged accounts'— that posted links to the articles they had published in media sources was employed. Then, a new batch of accounts that reposted content from the aforementioned aged accounts to amplify the messages was used. 

"These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience."

Commenting on the research, Roman Sannikov, head of analyst services at Recorded Future, told Infosecurity Magazine: "We were surprised by how professional the vendors seemed to be. They provided much better customer service than your typical underground threat actor. They were there to provide us with advice on how we should carry out the campaigns and were very responsive to our questions and requests."

Asked how the research has shaped his view of the world, Sannikov said: "I think we already suspected that this was going on, though the fact that these threat actors were able to carry out the campaigns so quickly, inexpensively, and effectively in the West was certainly jarring.

"It underscores how important this issue is, not only when it comes to the public sector, but for private companies and individuals as well. We hope that our research will open people's eyes to this problem before it becomes pervasive outside of the vendors' traditional markets of Russian-speaking countries and Eastern Europe."

Carbon Black: Defense Capabilities Match Increased Attack Sophistication

Carbon Black: Defense Capabilities Match Increased Attack Sophistication

While businesses are seeing an increase in attack sophistication, and the overall attack volume in the past 12 months has increased, defense is getting better.

According to research by Carbon Black of 250 British CTOs and CISOs, 84% of UK businesses reported an increase in overall attack volume while 90% cited more sophistication.

Speaking to Infosecurity, Rick McElroy, head of security strategy at Carbon Black, said that these statistics were due to what he called the “trickle down cyber-economy for adversaries” where nation state actors, cyber-militias and contractors working for them develop multi-million dollar tools which get into the wild – such as the exploits which enabled WannaCry and NotPetya to spread.

“As new capabilities and ammunition are developed, you’ll see that move into things like ransomware,” he explained. “Secondary, [offense] is not a highly specialized skill anymore, a lot of people are trained in it, and you can buy a lot of capabilities on the dark web. So the rise is down to more people being involved, and the sophistication is down to the cyber-economy, but defenders do have better tools.”

On that point, McElroy said that because there is better tooling in prevention and detection, the adversary has to improve and become more “stealthy.”

Asked if the state of cybersecurity was improving for defenders, McElroy said he believed it was getting better as “people are starting to sleep a bit more” and getting some of things that they need thanks to budget approval. “It comes back to how to make the army bigger, and recruit successfully as people look at ‘non-traditional areas’” he said.

The research found that 76% of UK organizations were more confident in their ability to repel cyber-attacks than they were 12 months ago.

McElroy said: “As the cyber-defense sector continues to mature, businesses are becoming more aware of the tools at their disposal and the tactics they can use to combat cyber-attacks. We believe this growing confidence is indicative of a power shift in favor of defenders, who are taking a more proactive approach to hunting out and neutralizing threats than previously.”

He praised the MITRE ATT&CK framework as enabling defenders as it made vendors improve their technology, and pointed out that there is a feeling that defenders have better tools than ever before “which is definitely increasing the confidence that they have” as things can be found in environments that otherwise would not have been known about.

The research also found that 90% of UK businesses said threat hunting has improved their defenses, and McElroy noted that there is less reliance on alerting, and this has had a positive impact, “but where do you find the threat hunters as this is a skill that has not been around for long and globally there is a massive shortage of threat hunters and incident responders.”

Hearing Aid Giant Warns of $95m in Ransomware Losses

Hearing Aid Giant Warns of $95m in Ransomware Losses

A Danish firm has revealed that a suspected ransomware attack on its IT systems last month may end up costing as much as $95m.

Demant, which is one of the world’s leading makers of hearing aids, said it experienced a “critical incident” on September 3. Although it refuses to clarify the nature of the incident, local reports were less circumspect.

Although the firm had backed up data, the sheer scale of the attack appears to have had a major impact on its recovery.

“The Group’s IT infrastructure was hit by cybercrime. Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution,” Demant admitted in an update late last week.

“We continue ramping up to accommodate the back-log built up since the incident, to rebuild necessary inventories across the supply chain and to reduce turnaround times of repair and custom-made hearing aids. We are still in the recovery and ramp-up phase at our amplifier production site in Denmark and at our cochlear implants production site in France.”

The cumulative effect of these outages will have a negative financial impact on the firm in the region of DKK 550-650m ($80-95m). This includes a DKK 100 ($15m) deduction thanks to the firm’s cyber insurance policy.

Demant expects DKK 50m ($7m) to be incurred due to direct losses.

The firm’s hearing wholesale business was particularly badly affected, accounting for around half of estimated lost sales.

“The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” it continued.

“Despite our efforts to operate the business in the best possible way, our immediate focus on supporting existing customers to prevent them from being impacted by the incident has impacted sales and will likely impact our organic growth rate throughout the rest of the year.”

The news is another cautionary tale for firms currently unprepared to deal with the ransomware epidemic that continues to spread across the globe. Norwegian aluminium giant Norsk Hydro was hit earlier this year, leading to losses in the tens of millions of dollars.

Six in 10 Global Firms Hit by a Data Breach

Six in 10 Global Firms Hit by a Data Breach

Around 60% of global organizations have suffered a breach in the past three years, with the rest increasingly feeling like their turn is coming soon, according to new research from Bitdefender.

The security firm polled over 6000 cybersecurity professionals from organizations of all sizes in the UK, US, Australia, New Zealand, Germany, France, Italy and Spain to compile its Hacked Off! study.

While six in 10 respondents said they’d been hit by a data breach, 36% claimed they could be facing one without knowing. It’s no surprise that over half (58%) are concerned about the readiness of their organization to deal with such an attack.

Board-level buy-in is a major sticking point: 57% of respondents claimed that the C-suite is the least likely to comply with corporate cybersecurity policy, putting their firm at risk and making it hard to drive the kind of company-wide security-by-design culture demanded by GDPR and other regulators.

Nearly three-quarters (73%) believe they’re more at risk as they are under-resourced, while alert fatigue is a major problem, with over half (53%) of endpoint detection and response (EDR) alerts described as false alarms.

The research found that, partly because of this EDR failure, firms are reacting too slowly to incidents.

Over a fifth (29%) claimed it would take a week or longer to detect an advanced cyber-attack, while just three in every 100 cybersecurity professionals claimed 100% of attacks can be efficiently detected and isolated.

Yet despite all of these shortcomings, more than half (57%) of respondents rated their organization’s cybersecurity “very good” or “excellent.”

Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that further investments in anti-malware, network traffic analysis and EDR were all highlighted by respondents as necessary.

“Poor cybersecurity is an undeniable threat to businesses today. From the loss of customer trust to the impact on the bottom line it is critical for infosec professionals to get it right,” he added.

“According to respondents, 53% of infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff. Resources are in fact such a bugbear that infosec pros say the main obstacles to their organizations’ strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel.”

HMRC Disciplines 100 Staff for IT Misuse

HMRC Disciplines 100 Staff for IT Misuse

Nearly 100 HMRC employees have faced disciplinary action after misusing computer systems over the past two years, according to Parliament Street.

The think tank sent Freedom of Information (FOI) requests to the UK tax office to better understand the insider threat there.

It revealed that 92 staff members had misused IT systems over the previous two financial years, with eight sacked for their indiscretions.

Most common was misuse of email, with 15 written warnings issued in 2017-18 and a further 11 in 2018-19. According to the think tank, the culprit in many of these was a repeat offender, who had also been issued with a final written warning for computer misuse.

In 2018-19, nine written warnings were issued for misuse of social media channels, compared to zero the previous year.

In addition, 13 HMRC employees were reprimanded for misuse of telecommunications, and 19 were disciplined for misuse of computer equipment or systems.

In fact, all eight dismissals were for “misuse of computer equipment.”

Absolute Software CEO, Christy Wyatt, said tackling insider abuses should be a top priority for the public sector, especially organizations handling highly sensitive financial data on millions of citizens.

“This kind of activity often involves individuals abusing access to personal information and in some cases sharing it, leading to a potential data breach,” she added.

“Organizations like HMRC need to adopt an enterprise resilience mindset not only around potential bad employee behavior, but fortifying their overall security posture and risk management profile.”

The HMRC has been called out before for poor data protection practices. In May, privacy regulator the ICO handed it an enforcement notice after it broke the law over collection of biometric data from taxpayers.

Some 20% of cybersecurity incidents and 15% of the data breaches investigated by Verizon this year were linked to insiders, according to its Data Breach Investigations Report (DBIR).

German Police Bust Dark Web Hosting Cyber-Bunker Business

German Police Bust Dark Web Hosting Cyber-Bunker Business

Hundreds of servers used to support child pornography, cybercrime, and the sale of illegal drugs have been seized in a police raid on a former NATO bunker in Germany.

German authorities arrested thirteen people between the ages of 20 and 59 on Friday after busting up a dark web hosting operation being run from a heavily fortified five-floor military bunker in the peaceful riverside town of Traben-Trarbach. 

After breaking through an iron door to gain access to the temperature-controlled bunker, 600 police searched the 1.3-acre premises and found around 200 servers stored in stacks together with disks, mobile phones, documents, and a large sum of cash. 

A 59-year-old Dutchman, who purchased the bunker in 2013, is thought to be the owner and operator of the business, which offered secured "bulletproof" website hosting to illegal businesses and concealed their activities from authorities. Sites linked to the bunker include illegal online drug stores Cannabis Road, Orange Chemicals, and Wall Street Market, formerly the second-largest global marketplace for drugs, where users could also buy hacking tools and financial-theft ware.

Suspects arrested in connection with the raid are thought to have links to organized crime and are likely to be named as accessories to over 250,000 offenses involving money counterfeiting, drugs, data mining, forged documents, and the distribution of child pornography.

Seven of the people arrested are being held in custody, with two thought to hold previous convictions for running a similar business out of a former military bunker in the Netherlands, which was sold as CyberBunker. 

Regional criminal police chief Johannes Kunz said, "I think it’s a huge success . . . that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."

Since the operation of the bunker hosting service isn't illegal per se, German authorities must prove the suspects arrested were aware of the illegal behavior of the hosted businesses to secure a conviction. Evaluating the stored data to determine this could take anywhere from months to years. 

Commenting on the raid, Vectra's head of security, Chris Morales, said: "We need to see more collaboration like this which involves the coordination between digital forensics and investigation and physical police enforcement. I applaud all of the German law enforcement agencies involved on a job well done."

Hiding a Data Breach Can Derail an Acquisition

Hiding a Data Breach Can Derail an Acquisition

Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².

Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history is in deciding its value ahead of a potential purchase. 

Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light. 

Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.

"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.

Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.

The report is a reality check for companies who think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.

"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."

Pennsylvania Might Be Second State to Criminalize Cyber-Flashing

Pennsylvania Might Be Second State to Criminalize Cyber-Flashing

Pennsylvania could follow Texas to become the second US state to make cyber-flashing illegal. 

Philadelphia County state representative Mary Isaacson told Infosecurity Magazine that she plans to introduce a bill to ban the unsolicited electronic transmission of sexually explicit and obscene images in the Keystone State at the end of October.

Isaacson sent a memorandum to all 203 members of the Pennsylvania House of Representatives on September 20, calling for them to co-sponsor her proposed legislation. 

"Despite the success of the #MeToo movement, sexual harassment remains a serious problem in our society, particularly due to online forms of sexual harassment. 20% of women and 10% of men ages 18 to 29 report having been sexually harassed online," wrote Isaacson in the memorandum, before calling on members to "please join me in combatting online sexual harassment and ensuring the dignity of all Pennsylvanians."

Speaking to Infosecurity Magazine, Isaacson said that although she hadn't personally received any unsolicited sexually explicit images, she had heard stories from her children about cyber-flashing experienced by their peers. 

"I represent a lot of millennials, and I am a parent of two teens. I worry for my son and my daughter," said Isaacson. "With Air Dropping technology, if a group of teens are at a concert, someone there can send them obscene images that the teens will see whether they have given permission or not. Their privacy is being invaded when they are just trying to have a good time."

Asked what she thought drove people to become cyber-flashers, Isaacson said: "I think that it's their psychology, that they do it to bully and intimidate people and invade their privacy. It's a very serious societal problem that affects everyone, men as well as women."

Isaacson's proposed legislation follows the passage of House Bill 2789 into law in Texas on August 31 this year. Under the new law, the electronic transmission of sexually explicit material without the recipient's consent became a Class C misdemeanor, punishable by a fine of up to $500.

Describing how her bill will differ from what was passed in the Lone Star State, Isaacson said: "Right now, it's modeled after what was done in Texas, but it could possibly change."

Isaacson, who was on the road when speaking to Infosecurity Magazine, was unable to state exactly how many members had answered her co-sponsorship call. However, the state representative was able to confirm that her proposed legislation has secured bipartisan support.

BlackBerry Launches New Cybersecurity Development Labs

BlackBerry Launches New Cybersecurity Development Labs

Security software and services company BlackBerry Limited has announced the launch BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space.

The Labs will be led by CTO Charles Eagan and will include a team of over 120 software developers, architects, researchers, product leads and security experts working to identify, explore and create new technologies to ensure BlackBerry is on the cutting edge of security innovation.

The company stated that initial projects from BlackBerry Labs will focus on machine learning approaches to security in partnership with BlackBerry’s existing Cylance, Enterprise and QNX business units.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Charles Eagan, BlackBerry CTO. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; artificial intelligence to zero trust environments.”

Senate Passes Ransomware Law

Senate Passes Ransomware Law

A new law has passed the US senate which will demand the federal government ramp up its support for organizations hit by ransomware.

The DHS Cyber Hunt and Incident Response Teams Act would require the Department of Homeland Security (DHS) to build dedicated teams tasked with providing advice to organizations on how best to protect their systems from attack, as well as other technical support, including incident response assistance.

Although the new capabilities would be available to all public and private organizations on request — including businesses, police departments, hospitals, and banks — senate minority leader Chuck Schumer focused on protection for New York state schools in his comments on the legislation.

“The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments,” he said in a statement.

“It’s critical that we use all available resources to protect New York students from cyber crooks, and enhance and increase our resiliency to these attacks. I’m proud of the role I played in pushing this sorely-needed legislation through the senate and won’t stop working until it’s signed into law.”

One security vendor calculated last week that ransomware attacks have disrupted operations at 49 US school districts and educational institutions in the first nine months of the year, compromising potentially 500 K-12 schools versus just 11 last year.

This makes the sector the second most popular for ransomware attackers after local municipalities.

These have been battered by attacks over the past few months, with one campaign in Texas hitting 23 local government entities simultaneously.

A similar piece of legislation to the DHS Cyber Hunt and Incident Response Teams Act has already passed in the House of Representatives, so the two will now begin the reconciliation process.

Airbus Suppliers Hit in State-Sponsored Attack

Airbus Suppliers Hit in State-Sponsored Attack

Airbus has been forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year, according to reports.

The commercial and military aircraft-maker revealed in January that it suffered a cyber-attack resulting in unauthorized access to data, but this campaign is thought to be much bigger in scope.

Hackers have targeted UK engine-maker Rolls Royce and French tech supplier Expleo, as well as two other French Airbus suppliers, although none of the organizations confirmed the news to AFP.

Unnamed “security sources” told the newswire that the “sophisticated” attack on the companies focused on compromising the VPNs connecting them with Airbus networks.

The sources claimed that the hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems.

These are areas Chinese aircraft manufacturers are thought to be relatively weak in, while state-backed Comac is said to be struggling to gain certification for its C919 commercial airliner.

The notorious APT10 and the Jiangsu outpost of the Ministry of State Security, known as JSSD, have both been pegged as possible perpetrators.

“Our national security is at risk and it's well past time to address this challenge with leadership and resources,” argued Jake Olcott, VP of government affairs at BitSight. “The entire defense supply chain has been under attack for years, and it's not just the small companies that are vulnerable. Defense agencies must gain visibility immediately. We can't afford to wait.”

Ilia Kolochenko, CEO of web security firm ImmuniWeb, added that third party risk management is still at an early stage in many organizations.

“The situation is largely exacerbated by different national and regional standards and best practices, often incompatible or contrariwise overlapping,” he argued.

“Globally recognized standards, such as ISO 27001, 27701 and 9001, can definitely ensure a baseline of security, privacy and quality assurance amid suppliers. One should, however, bear in mind that they are no silver bullet and some additional monitoring of suppliers handling critical business data is a requisite.”

Microsoft Launches CyberPeace Institute to Tackle Attacks

Microsoft Launches CyberPeace Institute to Tackle Attacks

Microsoft and others have launched a new non-profit which aims to reduce the “frequency, impact and scale” of cyber-attacks on citizens and critical infrastructure (CNI).

The Hewlett Foundation and Mastercard, alongside other unnamed “leading organizations,” have joined Microsoft as initial funders of the CyberPeace Institute.

Its three core functions are to: help and defend civilian victims of cyber-attacks, including by mobilizing a new CyberVolunteer Network, analyze and investigate attacks, to raise understanding and drive global accountability and promote cybersecurity norms of responsible behavior by nation states.

“The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like heath care, banking and electricity,” argued Microsoft corporate vice president, Tom Burt.

“For years, non-governmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.”

The Geneva-based organization will be headed up by President Marietje Schaake, former member of the European Parliament and international policy director at Stanford university’s Cyber Policy Center and CEO Stéphane Duguin, head of the European Internet Referral Unit at Europol.

The institute joins other recent initiatives designed to tackle the global challenge of cybercrime and incidents impacting CNI, including: the Cybersecurity Tech Accord, which has signed up more than 100 companies and the Paris Peace Call for Trust & Security in Cyberspace, which now has signatories from 67 countries, 139 international and civil society organizations, and 358 private organizations.

Cyber-Harassment Expert Wins MacArthur Genius Grant

Cyber-Harassment Expert Wins MacArthur Genius Grant

Lawyer, law professor, and civil rights advocate Danielle Keats Citron has been awarded a MacArthur grant for her efforts to address the scourge of cyber-harassment. 

Citron, a professor at Boston University Law School, is one of 26 individuals this year to receive a so-called genius grant from the John D. and Catherine T. MacArthur Foundation. Citron was awarded $625,000 to support her ongoing mission to study and write about online abuse and invasions of sexual privacy, the harm that they inflict, and how law and society should respond to them.

Through her work, Citron has found that cyber-harassment can have a devastating and long-lasting effect on victims, making it difficult for them to go about their daily lives. 

"Cyber-harassment is the targeting of specific individuals with a course of conduct that causes severe emotional distress and often the fear of physical harm, and it impacts them in a way that takes away what we consider crucial ability to make the most out of their lives in the 21st century; to get employment, keep a job, engage with other people, and go to school free from the fear of online abuse," said Citron.

She continued: "We wouldn’t accept people walking down the street and being screeched at and threatened and humiliated and hurt, and we shouldn’t find it an acceptable part of online life."

Citron has been studying and writing about online abuse for 15 years. During that period, she has worked with tech companies to update safety and privacy policies. She has also advised US legislators and state attorneys general on how to combat the most extreme forms of cyber-abuse, including cyber-stalking and revenge porn—the posting of intimate photos or videos without consent. 

The situation is improving, with the number of states to pass cyber-stalking laws rising from 4 in 2009 to 46 today.

Currently, Citron is focused on studying and writing about deep fake technology, which is machine learning technology that lets you manipulate or fabricate audio and video to show people doing and saying things that they’ve never done or said. 

She said: "The technology is advancing so rapidly that soon—within months—technologists expect that the state of the art will become so sophisticated that it will become impossible to distinguish fakery from what’s real. The impact that it has is not just on individuals; it has an impact on the truth and more broadly on our trust in democratic institutions."

New Spyware Threatens Telegram’s 200 Million Users

New Spyware Threatens Telegram's 200 Million Users

A new piece of spyware, designed to steal sensitive information from users of the messaging app Telegram, is for sale on the black market.  

Trojan-delivered Masad Stealer and Clipper was clocked by researchers at Juniper Threat Labs. The spyware uses Telegram as a command and control (CnC) channel to cloak itself in a veil of anonymity. 

After installing itself on the computer of a Telegram user, Masad Stealer busies itself collecting information stored on the system, such as browser passwords, autofill browser field data, and desktop files. The spyware also automatically replaces cryptocurrency wallets from the clipboard with its own.

Other information vulnerable to an attack perpetrated through Masad Stealer includes credit card browser data, FileZilla files, steam files, browser cookies, PC and system information, and installed software and processes. 

Masad Stealer is being advertised for sale in several hack forums, making it an active and ongoing threat. Buyers can pick up a variety of versions, ranging from a free one to a premium package costing $85, with each tier of the malware offering different features.

Researchers at Juniper said: "Masad Stealer sends all of the information it collects—and receives commands from—a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers."

Masad Stealer is written using Autoit scripts and then compiled into an executable Windows file. Most of the samples discovered by Juniper were 1.5 MiB in size; however, the spyware has also been strutting around in larger executables and has been spotted bundled into other software.

Telegram, which celebrated its sixth birthday in August, has over 200 million monthly active users. While its platform may have been breached, the app is fully confident in its ability to protect the privacy of messages sent by its users. 

The app claims on its website to be "more secure than mass market messengers like WhatsApp and Line" and offers anyone who can decipher a Telegram message up to $300,000 in prize money. 

Dunkin’ Sued for Keeping Data Breach Secret

Dunkin' Sued for Keeping Data Breach Secret

New York is suing Dunkin' for allegedly failing to inform its customers of multiple cyber-attacks that compromised customer accounts.

According to the lawsuit, filed in state Supreme Court in Manhattan, money was stolen by cyber-criminals, who hacked into the online accounts of 20,000 Dunkin' customers in 2015. New York further alleges that Dunkin' didn't disclose to its customers full details of a cyber-attack that affected 300,000 customer accounts in 2018.

The lawsuit states: "In 2015, Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen."

During the summer of 2015, Dunkin's app developer repeatedly alerted Dunkin' to ongoing attempts by hackers to log in to customer accounts and provided the company with a list of 19,715 accounts that had been compromised over just a sample five-day period, but the donut-seller failed to tell customers, according to the lawsuit.   

Dunkin’ chief communications officer Karen Raskopf told Infosecurity Magazine that there was no credence to the claims being made in the lawsuit.

In an emailed statement to Infosecurity Magazine, Raskopf said: "There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case. 

"The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts. The database in question did not contain any customer payment card information. 

"The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers."  

Dunkin' Brands, Inc. has 8,000 Dunkin' restaurants across America, a thousand of which are in New York.  

"We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court," said Raskopf.

Global Consumers Reject Government-Mandated Encryption Backdoors

Global Consumers Reject Government-Mandated Encryption Backdoors

Global consumers overwhelmingly reject government arguments that encryption backdoors will make them safer from terrorists, according to new research from Venafi.

The security vendor polled over 4100 consumers in the US, UK, France and Germany to better understand their attitudes to government and social media when it comes to data protection.

Law enforcers and governments on both sides of the Atlantic have consistently argued that encrypted services and devices provide a safe space for terrorists and criminals to operate.

In July, US attorney general, William Barr, added his voice to the calls for government-mandated backdoor access to such data in specific circumstances, saying it “can and must be done.”

However, 64% of respondents told Venafi that they don’t believe government access to private data would make society any safer from terrorists. In fact, just 30% said they thought governments can be trusted to protect their personal data, falling to 24% in the US and climbing slightly (to 40%) in the UK.

“Many politicians and law enforcement officials wish to use surveillance tools and backdoors that most consumers associate with authoritarian regimes, not democracies,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“If we can’t trust governments to protect sensitive personal data, it’s difficult to imagine how they will be able to regulate the private sector effectively.”

The poll’s respondents are joined by IT security professionals and cryptography experts in their views on mandated backdoors.

Nearly three-quarters (73%) of IT security pros told Venafi in March that laws effectively forcing tech companies to insert backdoors in their products would make their nation less secure.

As if that weren’t enough, a group of world-leading cryptography experts last year backed senator Ron Wyden’s demands that the FBI explain the technical basis for its claim that backdoors can be engineered without impacting user security. The Bureau has so far chosen not to respond.

The Venafi poll also revealed that, perhaps unsurprisingly, just 22% of consumers believe social media companies can be trusted to protect their personal and private data.

Banks Add to Confusion as Scammers Target Thomas Cook Customers

Banks Add to Confusion as Scammers Target Thomas Cook Customers

Experts are urging Thomas Cook customers not to respond to unsolicited messages in the wake of the UK travel company’s bankruptcy, as scammers are trying to harvest their bank details.

The 178-year-old firm collapsed on Monday, leaving a £3bn black hole in its balance sheet and 150,000 holidaymakers stranded abroad.

However, like any high-profile incident, scammers have been jumping on the news to try and part consumers with their cash.

Reports soon emerged of customers being cold called by individuals claiming to work for a company ‘refund agent’ and requesting their bank or card details to reimburse them.

Adding to the confusion, UK banks have been sending unsolicited text messages about the bankruptcy to customers, some of which contain links and a phone number.

According to tweets cited by consumer rights group Which? some of the messages were sent to individuals who hadn’t even booked holidays with Thomas Cook, adding to the sense that they may be a scam.

“We’ve heard worrying stories of criminals trying to scam people affected by the collapse of Thomas Cook, so while the messages being sent by some banks might be well-meaning, this flawed approach will only be adding to the confusion customers are facing,” said Which? consumer rights expert, Adam French.

“Our advice is to ignore unsolicited calls and texts, and avoid sharing your card or bank details. Anyone looking to claim back the cost of their flight through their debit or credit card provider should contact their bank directly themselves.”

In the wake of the travel agent’s collapse, Action Fraud urged consumers to be vigilant about potential scams and to not click on links in unexpected messages.

“Legitimate organizations will never contact you out of the blue and ask for your PIN, card details, or full banking passwords. If you get a call or message asking for these, it’s a scam,” the UK’s national fraud reporting center added.

“Remember, your bank or the police will never ask you to transfer money out of your account, or ask you to hand over cash for safe-keeping.”

DoorDash Breach Exposes Data on Nearly Five Million Users

DoorDash Breach Exposes Data on Nearly Five Million Users

US food delivery service DoorDash is in the process of notifying its customers after discovering a data breach affecting millions of consumers.

The firm claimed in a notice published yesterday that an unauthorized party managed to access data on 4.9 million customers.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” it said. “We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”

Users who registered with the platform on or before April 5 2018 are said to be affected. Email addresses, delivery addresses, order history, phone numbers and salted and hashed passwords were stolen, as well as the last four digits of some users’ payment cards.

The last four digits of bank account numbers belonging to some of the firm’s restaurant clients and delivery drivers were also taken, along with the driver’s license numbers of 100,000 delivery staff.

Despite salting and hashing passwords, the firm is advising users to reset their credentials for the site.

Experts were quick to criticize the firm: despite its efforts to encrypt passwords, the stolen data could be used in follow-on attacks, argued Lucy Security CEO, Colin Bastable.

“In the race to grab market share, businesses like DoorDash place security too far down the list,” he argued. “Outsourcing data in-sources cyber-insecurity, and consumers pay the price of a carelessly clicked email phishing link or a targeted spear-phishing attack."

DoorDash is no stranger to security incidents. Back in September 2018 it claimed that reports from multiple users of their accounts being hacked were down to credential stuffing.

In response to that incident, it blocked the suspect IP address trying to take over accounts, integrated with the HaveIBeenPwned? breach notification site, and rolled out two-factor authentication.

Cyber-battle Over Real Model City Planned for Abu Dhabi Security Conference

Cyber-battle Over Real Model City Planned for Abu Dhabi Security Conference

The daily war waged between cyber-criminals and security experts will be played out in miniature in Abu Dhabi next month using an accurate model of a real city.

As part of the week-long HITB + Cyber Week security conference taking place at the Emirates Palace October 12–17, The Standoff challenge will pit competing teams against each other in a cyber-fight to gain control over a miniature city's digital infrastructure. 

The simulated cyber-battle will take place in a live-fire environment, allowing players to develop valuable insight into vulnerabilities that could be exploited in a real-life cyber-attack. 

The model city has been created to feature technology in use in the critical infrastructure of an actual modern-day metropolis and has its own power plants, freight and passenger trains, banks, and petrochemical facilities. 

Red teams representing attackers will attempt to hack into the city's industrial control systems (ICS) and supervisory control and data acquisition equipment and take control of its traffic systems, electrical plants, and transportation services, while blue teams push back to defend the city's companies.

Under the competition's rules, the blue team will not be allowed any time to study the infrastructure, find weak points, pick attack detection tools, or apply fixes. Instead, they will jump straight into protecting vulnerable services that are about to be targeted by red teams.

Web-application firewall (WAF) rules, next-generation firewall (NGFW) policies, basic account management, and the ability to delete malicious payloads are the only tactics allowed in the blue team's defensive repertoire. Attackers are under no such constraints and can do what they like, provided they don't disturb the infrastructure needed to run the contest. 

Dhillon Kannabhiran, founder and CEO of Hack In The Box (HITB), said: "The Standoff is one of the most challenging attack and defense contests in the world, where teams are competing to find vulnerabilities and attack vectors in real-world critical infrastructure."

The Standoff's hackable city was designed by Positive Technologies as a fun way for cyber-professionals to hone the protection and monitoring skills they use when dealing with real-world cybersecurity problems.

Head of cyber-battle business development at Positive Technologies, Gregory Galkin, said: "We've been working on The Standoff for almost 10 years now. We started with specialized trainings for information security experts and CTF players, but then understood that bringing our expertise even closer to the realities of life is a must in order to maximize the cyber-battle's practical value."

Health Industry Cybersecurity Matrix Launched

Health Industry Cybersecurity Matrix Launched

America's Healthcare and Public Health Sector Coordinating Council (HSCC) has launched an information-sharing resource aimed at improving the cybersecurity of the healthcare sector.

The new Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) helps users stay on top of the latest security threats by providing them with a convenient list of cybersecurity information-sharing organizations across the United States. 

Featured in the new matrix are details of more than 25 cybersecurity information-sharing organizations and their services, including nine resources geared specifically toward the healthcare industry and the security of medical devices. 

Each listing includes a description of the organization and its mission together with details about any areas of cybersecurity specialization and how much, if anything, they charge for the information they share. 

Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC Information Sharing Task Group that created the HIC-MISO toolkit, said: "Many health organizations are beginning to understand the importance of cybersecurity information sharing but don't know where to start.

"With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement. The HIC-MISO points them in the right direction."

The launch of HIC-MISO follows a recommendation in a 2017 report by a Department of Health and Human Services advisory group, the Healthcare Industry Cybersecurity Task Force, to improve cybersecurity information sharing in the healthcare sector.

A key objective of the matrix is to make it easy for smaller healthcare organizations, which may lack the resources to implement a first-rate cybersecurity system, to engage with the cybersecurity information and defensive tips that are being shared. 

More help is on its way, according to Bill Hagestad, co-lead of the task group behind the new matrix.  

Hagestad said: "The Task Group recognized the broad range of budgets and capabilities across the sector, and accordingly we will begin work to supplement the HIC-MISO with a guide for how organizations can establish an information sharing management structure appropriate to their enterprise size, resources, and risk profile."

Texas Prepares to Implement Mandatory Cybersecurity Training for Government Employees

Texas Prepares to Implement Mandatory Cybersecurity Training for Government Employees

Preparations are underway in Texas to introduce mandatory annual cybersecurity training for nearly all government employees. 

The Lone Star State passed a House bill to introduce the cyber-safety training into law on June 14 of this year. As if to reinforce the need for Texas to protect itself from cyber-criminals, 23 local government entities in the state were targeted in a single coordinated ransomware attack just two months later.

On Monday, the Texas Department of Information Resources (DIR) announced that it was accepting applications to certify cybersecurity training programs. DIR, in consultation with the Texas Cybersecurity Council, is required to certify at least five cybersecurity training programs as required by the new legislation.

To be certified, a cybersecurity awareness training program must focus on forming habits and procedures that will help government employees protect information resources. The program must also teach best practices for detecting, assessing, reporting, and addressing information security threats. 

A spokesperson for DIR said: "DIR has worked with statewide stakeholders and the Texas Cybersecurity Council to develop detailed certification criteria and a systematic process for certifying cybersecurity programs. Once DIR certifies a minimum of five training programs, the list of programs will be published on the DIR website."

To be considered for inclusion on the very first list of certified training programs, applicants must submit their security-awareness training programs by Friday, October 4.  

The initial year of the mandatory training will be a rolling certification period, in which additional programs will be certified on a continuing basis. In subsequent years, companies that want to put forward their programs for certification will have to submit them within a designated time frame. To remain on the approved list, training programs will have to be resubmitted for certification annually.

Once the certified programs have been chosen, all mandated state and local government employees will have until June 14, 2020, to complete their cybersecurity training. 

In state agencies, the training will only be mandatory for elected or appointed officials and for employees who use a computer to complete at least 25 percent of their required duties. At local government entities, all elected officials and employees who have access to a local government computer system or database must complete the training.

Local governments can get around the obligatory training if they employ a dedicated information resources cybersecurity officer and have a cybersecurity training program in place already that satisfies the requirement. 

Secure DevOps Practices Expected to Increase for Cloud Apps

Secure DevOps Practices Expected to Increase for Cloud Apps

Very few companies are securing the majority of their cloud-native apps with DevSecOps practices, according to new research.

According to findings from ESG and Data Theorem, only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices today.

However, 68% of companies are expected to be securing 75% (or more) of their cloud-native applications with DevSecOps practices within two years. The research analyzed 371 responses, and according to Doug Cahill, senior analyst and group practice director of cybersecurity for ESG, while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers.

He said: “Organizations should consider newer approaches to securing their cloud-native apps, particularly solutions that address API-related vulnerabilities, which tops respondents’ minds when identifying their top threat concern.

Doug Dooley, Data Theorem COO, said that as production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions, they need to understand the associated risks and new threat model they are facing, and the means of addressing cloud native and API risks.

Asked by Infosecurity if they are seeing more companies adopt DevSecOps practices at the moment, or planning to adopt that strategy, Dooley said that security automation is gaining momentum for apps that are run by DevOps teams.

“We are still a few years away before it’s completely mainstream,” he said. “The culture of enterprise security has been a bit reluctant to embrace automation, but it’s the only way the best security teams are keeping up with the pace of DevOps.”

In an email to Infosecurity, Jeff Williams, co-founder and CTO of Contrast Security, said that most organizations only secure a small percentage of their application portfolio (cloud native or not) and they typically use application security tools, techniques and practices on only 10-20% of their apps and APIs which are determined to be the “critical,” “external,” public facing, or privacy related apps.

“To help remedy this gap, DevSecOps practices and tools are rapidly being adopted,” Williams said. “However, there is also a disturbing trend to shove the same old AppSec tools onto development teams that don’t have the skills to use them effectively under the guise of ‘shifting left’. Real DevSecOps requires a fundamental change to the way application security work is performed.”

Regarding the increase from 8% to 68% of cloud native app teams practicing DevSecOps, Williams said it is possible, as cloud native apps are close to the ideal scenario for DevSecOps. “However, it won’t happen without hard work to transform the people, process and pipeline in these teams."

Magecart Group Goes After Commercial Router Users

Magecart Group Goes After Commercial Router Users

Security researchers have spotted a new tactic being trialed by Magecart hackers: targeting commercial grade routers to skim large volumes of card details.

Magecart is the generic name given to a number of groups using JavaScript code to covertly steal card details from users. The tried-and-tested technique used up until now involves injecting this code into a website’s payment page, either directly or through the compromise of a third-party provider.

However, according to IBM, Magecart Group 5 (MG5) is testing malicious code which could be injected into legitimate JavaScript loaded by Layer 7 routers.

These routers are typically used in venues such as airports, casinos and hotels to serve large numbers of users — theoretically giving the attackers a major haul of card details if they succeed.

“We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” IBM said in its report.

“The compromise can therefore be two-fold: 1. Guest payment data can be stolen when they browse through a compromised router; 2. malicious content can be injected into web pages viewed by all connecting guest devices, including those who pay to use the internet and those connecting to hotels’ free Wi-Fi hot spots.”

IBM also claimed to have found evidence that MG5 had injected malicious digital skimming code into a popular open source mobile module which provides sliding features on devices. This kind of supply chain attack could result in spreading the code to all apps which unwittingly incorporate that module, in order to steal data en masse from users.

This is in keeping with MG5’s usual MO, which is to target larger numbers of victims by infecting third-party platforms, improving the ROI of attacks versus those such as the raids on BA and Newegg which targeted the website/e-commerce provider directly.

Blackmail Fears as Data Leak Exposes Dating App Users

Blackmail Fears as Data Leak Exposes Dating App Users

Another unprotected Elasticsearch database has been found online, leaking the personal data of tens of thousands of dating app users.

Researcher Avishai Efrat of VPN comparison firm WizCase was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.

The 600MB of data contains a trove of sensitive personal information which could be used in follow-on phishing or identity fraud attacks, including: name, email address, country, date of birth, dating history, phone number, occupation, and even a link to social media profiles.

Given the sensitive nature of the dating app, there are also exposed details which could be used to blackmail individuals, such as sexual orientation and preferences. If hackers found users of the app who are already married or in long-term relationships, that could also provide an opportunity to extort money from them.

Most of the affected users are from Turkey, where there’s a less forgiving climate for the LGBT community than in many western countries.

There were also a significant number of Heyyo users from the US and Brazil exposed in the leak, according to WizCase.

“Heyyo used an Elasticsearch engine, which is installed on a Digital Ocean cloud hosted server. The Elasticsearch default setting requires no authentication or password to gain entry,” explained the firm’s web security expert, Chase Williams.

“Servers should never be exposed like this to the open world. Password authentication, IP whitelisting, and additional monitoring would have greatly reduced the chances of such a data breach. Unfortunately, companies using default or misconfigured security settings for their databases is an all too common scenario these days.”

Automated cloud security tools can be used to detect, alert and remediate misconfigurations like the one affecting Heyyo, according to DivvyCloud CTO, Chris DeRamus.

“Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this,” he argued.

UK Teen TalkTalk Hacker Indicted in US

UK Teen TalkTalk Hacker Indicted in US

A UK teenager convicted of hacking ISP TalkTalk in a notorious 2015 data breach has been indicted in the US for stealing funds from customers of a cryptocurrency exchange.

Elliott Gunton, 19, of Old Catton, near Norwich is accused alongside US citizen Anthony Nashatka of targeting the EtherDelta exchange.

Back in 2017, they are alleged to have gained control of an admin account belonging to CEO Zachary Coburn, using it to manipulate the site’s DNS records in order to redirect customers to a domain under their control.

Harvesting customer credentials in this way, they were allegedly able to subsequently log-in as these victims to steal cryptocurrency from their accounts.

The total sum stolen isn’t known, although one victim lost $800,000 in the operation, according to reports.

The charges, filed in San Francisco, could apparently lead to prison sentences of up to 20 years.

Gunton was only 16 when he hacked TalkTalk. Back in August, the teen was sentenced to 20 months behind bars for offering hacking services online. At that time he was ordered to pay back £400,000 in cryptocurrency he is said to have made from these endeavors.

After his arrest, police were able to trace at least £275,000 of these funds, although it’s unclear whether any of them were linked to the EtherDelta attack.

Edgard Capdevielle, CEO of Nozomi Networks, warned that law enforcers are slowly turning up the heat on budding cyber-criminals.

“While there can be no denying hacking tools are increasing in sophistication, the tools law enforcement use to track cyber-criminals are also improving,” he argued. “We are likely to continue to see more and more perpetrators charged for cybercrimes, making hackers think twice before launching attacks, as traces will always be left.”

Cleverly Faked Website Targets US Veterans

Cleverly Faked Website Targets US Veterans

American military veterans on the hunt for a new job are the latest group to be targeted by bold new threat group Tortoiseshell.

The group, which was discovered earlier this month by researchers at Symantec, has been active since July 2018, primarily targeting IT providers in Saudi Arabia with a mix of customized and "common or garden" malware.

New intelligence published yesterday by Cisco Talos reveals that Tortoiseshell has refocused its criminal campaign to strike at targets in the United States. Talos discovered that team Tortoiseshell was behind a malicious website that has been cleverly crafted to resemble a legitimate recruitment site for US military veterans.

Users of the site hxxp://hiremilitaryheroes[.]com were prompted to download an app that in reality was a malware downloader that deployed malware and spyware. 

Warren Mercer, technical leader at Cisco Talos, told Infosecurity Magazine that the nature of the attack indicated that Tortoiseshell was hoping to ensnare active military personnel in addition to former servicemen. 

"As it seems they were targeting HR/recruitment efforts, it's possible they hoped to attack current military servicemen as well as current veterans."

Talos would not confirm or deny whether reports that Tortoiseshell is based in Iran are correct. However, what is clear is that should Tortoiseshell get its claws into active members of the military, the outcome could be potentially devastating. 

Mercer told Infosecurity Magazine: "Depending on the victim they are successful compromising, the level of detail/information they [Tortoiseshell] can obtain is very varied. 

"If Tortoiseshell successfully targeted a currently enlisted military professional with access to potentially confidential information, this could become very damaging to the parties involved."

Close attention had been paid to every detail of the malicious website to ensure that it closely mimicked a genuine site in its choice of name, imagery, and the style of language used. However, Mercer said that what might appear to be sophisticated actions by the group were more probably evidence of their dogged resolve. 

Commenting on the site's seemingly genuine appearance, Mercer told Infosecurity Magazine: "This isn’t suggestive of a sophisticated actor; it’s more indicative of a determined actor. They want to ensure that they remain as aligned as possible to their fake website, and the text, images, and domain name help with that."

In carrying out this latest attack, Tortoiseshell used the same backdoor method employed against its targets in the Middle East. Perhaps this reliance on the same tactics, techniques, and procedures (TTPs) will be the group's downfall. 

Access Rights Not Updated for 45% of Employees Who Change Roles

Access Rights Not Updated for 45% of Employees Who Change Roles

Almost half of employees who switch roles within a company retain unnecessary network access rights, according to the results of a new survey by IT software company Ivanti.

The online survey questioned 400 people, of whom 70% were IT professionals, about what happened in their company when new staff were onboarded and when current employees switched roles or were deprovisioned. 

Asked whether unnecessary access rights are removed when employees change roles, 45% of the respondents said "no." This statistic swells in importance when paired with the knowledge that more survey respondents worked for the government (14.5%) than for any other industry. 

When it came to the access rights of employees leaving for new pastures, 13% of those surveyed said that they were not confident that the last person to exit their organization no longer had access to the company's critical systems and information. Only 48% said they were "somewhat confident" that access had been blocked. 

Given what respondents thought their former coworkers might get up to, it's surprising that closer tabs weren't being kept on their access rights. When asked what security risks were a concern in relation to improperly deprovisioned employees, 38% said a leak of sensitive data, 26% feared a cybersecurity hack through an unmanaged account, and 24% were concerned about malicious data detection/theft. 

Perhaps the survey's most worrying finding was that 52% of respondents admitted that either they or somebody they knew still had access to a former employer’s applications and data.

Most of the respondents (84%) were based in the US, but the online survey was also completed by people in the Netherlands, the UK, and Canada. 

Senior director of information technology at Ivanti, Adam Jones, told Infosecurity Magazine: "If you don’t know where you are vulnerable, it creates big issues and problems, especially when people can access privileges they shouldn’t. It creates an opportunity for exploitation by cyber-criminals or disgruntled employees (malicious insiders)."

It isn't clear from the survey whether access rights are being mismanaged due to the absence of proper assignment and management processes or because the trouble isn't being taken to regularly monitor permissions and update them as necessary. 

"Essentially, manually monitoring these processes is a productivity vampire," said Jones. "People often fail to complete their manual checklists, and we’ve even heard of instances where HR terminates an employee and forgets to tell their IT team.  

"Make sure you have the tools to automate manual tasks, so that you can monitor just the exceptions for when something doesn’t go right." 

Malicious RDP Behavior Detected in 90% of Organizations

Malicious RDP Behavior Detected in 90% of Organizations

A new study has found that hackers are exploiting a popular remote working tool to attack almost all the companies that use it. 

The Remote Desktop Protocol (RDP) has become a virtually indispensable part of modern business operations, as it allows users to control systems from afar without losing any functionality. 

Research published today by Californian tech firm Vectra has revealed suspicious RDP behaviors in 90% of companies using RDP, with organizations in the manufacturing, finance and insurance, retail, government, and healthcare industries identified as being most at risk of attack.

Researchers used Vectra's Cognito platform to monitor metadata collected from network traffic between more than four million workloads and devices in customer cloud, data centers, and enterprise environments between January and June 2019. 

During the six-month period, the platform detected 26,800 suspicious RDP behaviors. However, more could have occurred, since Cognito was set up to spot only two specific incidences. The first is repeated failed attempts to establish an RDP connection to a workload or host, and the second is a successful connection with unusual characteristics; for example, a connection normally established via an English-character keyboard being made instead with a French keyboard. 

Manufacturing organizations had the highest rate of dodgy RDP detections, with mid-sized operations showing a detection rate twice as high as the industry's average, which was 10 detections per 10,000 workloads and devices.

Together, the finance and insurance, manufacturing, and retail industries accounted for 49.8% of all suspect RDP detections. 

Alarming as the findings are, they come as no surprise to Vectra's head of security, Chris Morales, who told Infosecurity Magazine: "RDP is so widely used in different organizations that a high rate of misuse is inevitable. It's used in multiple forms of attacks as attackers look to hide from detection.

"The rate of detection in the six-month period is consistent with what Vectra has monitored over an extended period of time. RDP is a regular occurrence in attacks and a staple tool of the attackers' toolkit."

Despite the cybersecurity risk posed by RDP, Morales foresees no sunset on the tool's use. He told Infosecurity Magazine: "The business value delivered by RDP will ensure its continued use, and it will therefore continue to represent significant risk as an exposed attack surface."

Asked if we should all ditch the internet and go back to using fax machines, Morales said: "I do not think so. We just need to be more diligent in how we use services and thoughtful in their implementation."

LORCA Launches Open Call for Fourth Cohort of Cybersecurity Innovators

LORCA Launches Open Call for Fourth Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the launch of its global open call for its fourth cohort of cyber-scaleups.

LORCA, launched in June 2018 and hosted at Plexal, an innovation center located in the Here East campus in London’s Queen Elizabeth Olympic Park, aims to bolster the UK’s cybersecurity sector and make the internet safer for everyone by supporting the most promising later-stage companies.

LORCA offers 12-month programs from which companies can benefit from a collaborative ecosystem of academia, innovators, government, investors and industry.

It has already welcomed three cohorts of companies into its previous programs, which have gone on to raise over £58m in investment and won 514 contracts.

LORCA is now inviting new applications based on three innovation themes, after consulting with industry leaders from various sectors about their most pressing cyber-challenges and the types of solutions they need from the market in the future.

The three themes are: connected economy, connected everything and connected everyone.

The latest cohort will receive bespoke support with scaling in the UK and abroad, as well as access to commercial and engineering experts through delivery partners Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

Saj Huq, program director, LORCA, said: “As technology increasingly impacts all aspects of business and society, it’s clear that a cybersecurity paradigm shift is needed. Now more than ever, we need to support the development of cutting-edge innovations across the board to help us lead safer digital lives, keep our infrastructure secure and protect our digital economy from complex and evolving cyber threats. Given its increasing significance within a world that is more connected by the day, cybersecurity has to be everywhere – and serve everyone.”

The deadline for applying is Monday November 4 2019, with full details available here.

Experts Question ECJ’s Right to be Forgotten Ruling

Experts Question ECJ’s Right to be Forgotten Ruling

Google’s victory in a landmark right to be forgotten case asks more questions than it answers, according to legal and technology experts.

The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.

French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.

Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.

“Since 2014, we've worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people's rights of access to information and privacy,” the search giant said of the result. "It's good to see that the court agreed with our arguments."

However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.

“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.

“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any 'right to be forgotten' decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”

Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.

“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.

EU citizens have been able to request information on them be removed from the web since 2014. However, since then, the GDPR has made it easier for EU citizens to request that such information be expunged from the web, with its right to erasure clause. Providers have a month to respond to a verbal or written request.

Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.

“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.

“Today’s decision of the EU court does not address these broader territorial issues.”

LookBack in Anger: 17 US Utilities Firms Targeted by RAT

LookBack in Anger: 17 US Utilities Firms Targeted by RAT

An APT campaign targeting US utilities firms with a remote access trojan (RAT) has now hit at least 17 firms, according to a new report from Proofpoint.

The security vendor first spotted phishing emails sent to three utilities providers in late July, although the campaign now appears much wider in scope after the discovery of more in August.

It begins with reconnaissance scanning for SMB over port 445, perhaps to identify targets with vulnerabilities in the protocol that could be exploited later on to help attackers spread laterally.

Then comes the delivery of the phishing email itself, using as a lure an invitation to take an exam run by licensing body Global Energy Certification (GEC), administered by the Energy Research and Intelligence Institution.

Emails include the subject line “Take the exam now” and a malicious Microsoft Word attachment named “take the exam now.doc” alongside a legitimate PDF for exam preparation hosted on the real GEC site. This helps to add legitimacy to the spoofed message.

“The attachments titled ‘take the exam now.doc’ contained VBA macros to install LookBack. The macros were mostly the same as those first observed in July and were similarly obfuscated with concatenation commands that made the macros difficult to detect with static signatures,” explained Proofpoint.

“When a user opens the malicious attachment and enables macros, the VBA macro within the Microsoft Word attachment installs several privacy-enhanced mail (PEM) files on the host.  When decoded, we found these to be both malware modules and macro variables.”

The ultimate aim of the macro execution is to download LookBack, a modular RAT designed to find, read and delete files, start and delete services, take screenshots, and even move or click the victim’s mouse.

“The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset,” warned Proofpoint.

Andrea Carcano, co-founder of Nozomi Networks, argued that cyber-criminals will often look to exploit human weaknesses to reach targeted systems.

“Therefore, utility providers need to take the time to teach staff to recognize phishing emails and not to click on links or open attachments from unknown sources,” he said.

“In addition, the implementation of advanced cybersecurity technologies, such as machine learning and artificial intelligence, is a critical step towards safe and reliable critical infrastructure. These technologies provide utilities with the ability to jump start their visibility, situational awareness, and their capacity to detect and mitigate cyber-attacks.”

Microsoft Issues Emergency Patch for Critical IE Bug

Microsoft Issues Emergency Patch for Critical IE Bug

Microsoft has issued an emergency out-of-band patch for a critical remote code execution vulnerability in Internet Explorer.

CVE-2019-1367 is a bug in the browser’s scripting engine which affects how it handles objects in memory. Specifically, it could corrupt memory so as to allow an attacker to execute arbitrary code, according to a security update.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”

Redmond’s patch modifies how the scripting engine handles objects in memory, in order to fix the issue.

The vulnerability affects Internet Explorer versions 9-11.

The critical bug represents another good reason why IE users should migrate to a modern browser. Yet although Microsoft has been trying to push them towards its Edge offering, the latest stats show it trailing Internet Explorer, with less than half of the legacy browser’s 5.87% market share.

Trustwave’s director EMEA of SpiderLabs, Ed Williams, said the emergency update underlines the importance of good patch management.

“It also highlights the importance of regular asset identification and vulnerability scanning of environments, for example, knowing what to patch once a vulnerability has been identified. We know that attackers are flexible and dynamic and will be looking to further leverage this vulnerability to suit their needs, be it financial or otherwise,” he added.

“While Internet Explorer isn’t as popular as it once was, it is still a rich target for attackers, and with the release of this patch, further emphasizes why it is a business risk when compared to other browsers.”

Alderman Censured for Not Completing Cybersecurity Training

Alderman Censured for Not Completing Cybersecurity Training

An alderman in the Tennessee city of Germantown has been censured for not completing a 45-minute cybersecurity training course.

Dean Massey received the official rebuke from his fellow aldermen at a heated two-hour meeting of the administration, which took place last night. The censure, which was passed on a 3-2 vote, stipulates that Massey must complete the cybersecurity training by September 27, 2019.

Authored by Alderman Rocky Janda, the censure states: "Alderman Dean Massey willfully and intentionally placed and continues to place the City of Germantown at risk of a cybersecurity breach by refusing to take reasonable training measures to prevent online security attacks."

Massey and another alderman had their city email accounts restricted earlier this month after missing the deadline to complete the cybersecurity course, which Massey told Infosecurity Magazine was not designated as mandatory.

Instead of completing the training to regain access to his email account, Massey elected to create an alternative Gmail account through which to carry out official city business.

Describing what happened next, Massey told Infosecurity Magazine: "I never opposed or refused to take cyber-training. I requested that the IT director schedule time to publicly discuss cybersecurity and training with the Board of Mayor and Aldermen, but rather than simply honoring my request and acting in the public's interest, the administration went into cover-up mode and replaced my request for public discussion about cybersecurity policies with another alderman's request to censure me."

Official censures are typically reserved for conflicts of interest, misuse of public funds, and cases of sexual harassment. 

Massey said that last night's meeting "should have been a meeting about the mayor's lack of a cyber policy" and described the censure as "completely self-serving and a total waste and abuse of taxpayer resources."  

He said: "The administration has never implemented a cybersecurity policy and has failed to discuss the threats with aldermen for decades."

Since news of the restriction placed on Massey's city email account got out, the alderman has received what he describes as "harassing email and comments on social media." 

One such comment, which Massey shared on the Facebook page Massey for Germantown, read "F**k you, you entitled pr*ck. Take the training. Oooh, you don't trust the IT department? You're an ignorant a**hole."

Massey feels that the actions of Germantown officials have put the lives of his family at risk. 

He wrote on Facebook: "By ginning up unwarranted hatred for me through the government-sanctioned smear campaign, members of the administration made my family a target and put the lives of my wife and young son in danger."

In an email sent to Massey on September 20 and shown to Infosecurity Magazine, Vice Mayor Mary Anne Gibson wrote, "As a parent, I often reminded my children that actions have consequences," before describing the media attention Massey as received as "a circus of your own creation."

Malware Attack Prompts US Transport Authority to Axe Online Store

Malware Attack Prompts US Transport Authority to Axe Online Store

An American transport authority has responded to a malware attack by permanently closing its online store.

The Southeastern Pennsylvania Transport Authority (SEPTA) shuttered the site Shop.SEPTA.org within an hour of discovering that the personal data of 761 customers had been stolen in a data-skimming Magecart attack. 

Hackers were able to steal shoppers' credit card numbers, names, and addresses during an online crime spree thought to have begun on June 21 and ended on July 16. The store, which sold online travel tickets along with SEPTA-branded mugs and clothing, was hosted by Amazon Web Services. 

SEPTA was alerted to the attack on July 16 by a user who received a malware warning while browsing the online store. However, the transport authority waited until September 5 to inform customers affected by the attack by letter that a breach had taken place. 

Asked what had caused the two-month time lag, SEPTA spokesperson Andrew Busch told Infosecurity Magazine: "Customers were notified as soon as SEPTA was confident that it had gathered accurate information regarding the individuals who were affected. SEPTA followed proper reporting protocols as soon as the breach was discovered by notifying the FBI and the Pennsylvania Department of Transportation."

The revelation that the online store had been permanently closed in an effort to prevent any future malware attacks only came to light on September 19 when it was reported by The Philadelphia Inquirer.

Explaining SEPTA's arguably extreme approach to cybersecurity, Busch told Infosecurity Magazine: "The primary reason for shutting it down was to eliminate the potential for any additional customer information to be compromised. 

"In addition, the site was mostly used for purchases of fare products that have or are being phased out with SEPTA’s modernized fare system, the SEPTA Key, and in general it was not widely used. The SEPTA Key has a separate e-commerce site, and that site was not breached."

Busch confirmed that SEPTA has not suffered any further attacks since closing its online store, whose quiet death failed to arouse much notice. 

Describing the impact of SEPTA's decision to axe the store, Busch said: "There has not been a significant amount of customer feedback."

27 Countries Sign Pledge to Play Nice Online

27 Countries Sign Pledge to Play Nice Online

Countries around the world have joined forces to declare that they are fed up with the lawless state of cyberspace. 

As the newest frontier to be riddled with humanity, it's perhaps no surprise that while cyberspace has brought with it some positives like the promotion of free expression, it has also given rise to behavior that goes way beyond bad. 

Spiraling cybercrime, some of it sponsored by states themselves, is costing the global economy $2.9m per minute, and digital espionage is going on left, right, and center. 

In a joint statement published yesterday at the United Nations, 27 countries pledged their support to clean up an arena that has become the digital equivalent of the old Wild West. 

The statement, which was affirmed by Australia, Belgium, Canada, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, New Zealand, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain, Sweden, the United Kingdom, and the United States, declared: "State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them."

Signatories called for nations to act online in accordance with international laws reflecting the voluntary norms of responsible state behavior in peacetime, before stating that "there must be consequences for bad behavior in cyberspace."

The countries said that they would work together to hold states accountable for their digital misdeeds. No specific countries were named and shamed in the statement; however, the digs about undermining democracies could be construed as a reference to Russia, which has been accused of meddling in elections in the US, the Ukraine, and France.  

"The recently issued statement still does not clarify how and when attribution can be effectively used in cyberspace," Isidoros Monogioudis, senior security architect at Digital Shadows, commented to Infosecurity Magazine. "Furthermore, some topics are still in the negotiation phase, so the concept of 'responsible state behavior' is still not fully defined. This might ultimately create challenges."

Noting which countries had not signed the statement, Chris Morales, head of security analytics at Vectra, told Infosecurity Magazine: "This is a document that doesn’t include the most cyber-capable countries, such as Russia, China, and Iran, who are constantly engaged in cyber-warfare. Frankly, I’m not sure what impact, if any, this will have."

Hundreds of US Schools Hit by Ransomware in 2019

Hundreds of US Schools Hit by Ransomware in 2019

Ransomware attacks have disrupted operations at 49 US school districts and educational institutions, making the sector the second most popular for attackers after local government municipalities, according to Armor.

The cloud security vendor analyzed publicly reported attacks since January 2019 to better understand the scale of the threat facing the education industry.

It claimed that attacks may have compromised as many as 500 K-12 schools in the first nine months of 2019, versus just 11 last year.

In a little over a week in mid-September, nine new school districts and one college were hit, affecting around 100 K-12 schools, the firm said.

Crowder College, which reported an attack on September 11, claimed the ransom was a massive $1.6m, the first $1m+ demand since Monroe College in New York was hit with a $2m ransom note in July.

According to the school, there’s evidence that hackers had been inside the Crowder College IT systems since November last year. This would make sense if it was one of the five targets hit by Ryuk ransomware this year, as these infections are typically preceded by Emotet or Trickbot trojans, which often lay the groundwork for the ransomware.

Connecticut has the dubious honor of being the state with the most number of compromised school districts, with seven hit, covering 104 schools.

It’s unclear whether the rash of attacks over recent weeks was designed to cause maximum disruption during the busy back-to-school period.

“Educational institutions, municipalities and other organizations whose infrastructure is critical to their communities host a variety of data, most of which is sensitive,” said Chris Hinkley, head of threat resistance at Armor.

“Cyber-criminals know these organizations can’t afford to shut down, they are often using out-of-date hardware and software, and they have few security measures in place. This is a deadly combination in the case of a ransomware attack, which provides for a high sense of urgency and a high probability of large payments.”

North Korean Malware Attacks ATMs and Banks

North Korean Malware Attacks ATMs and Banks

The infamous Lazarus Group is behind new malware discovered targeting ATMs and back-office systems in Indian banks and research centers, according to Kaspersky.

The Russian AV vendor claimed in a new report that it discovered the ATMDtrack malware back in late summer 2018. It is designed to sit on targeted ATMs and effectively skim the details of cards as they are inserted into the machine.

However, digging a little deeper, the researchers found another 180+ new malware samples similar to ATMDtrack but which were not designed to target ATMs.

Collectively, these Dtrack malware tools seem to be focused on information theft and eavesdropping, via functionality such as: keylogging; retrieving browser history; gathering host IP addresses and network info; and listing all running processes and files.

The dropper also contained a remote access trojan (RAT) to give attackers complete control over a victim’s machine.

Kaspersky claimed the Dtrack malware shares similarities with the DarkSeoul campaign of 2013, also linked to North Korea’s Lazarus Group, which disrupted computers at a South Korean bank and three TV stations, as well as countless ATMs.

“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers,” noted the report. “And once again, we see that this group uses similar tools to perform both financially motivated and pure espionage attacks.”

However, Dtrack attackers would need to take advantage of weak network security policies, weak password policies, and a lack of traffic monitoring. So by addressing these issues and putting in place reputable AV featuring behavior-based tools, as well as regular security training and IT audits, organizations could repel the threat, said Kaspersky.

“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets,” said Kaspersky security researcher, Konstantin Zykov.

“Even if you are a research center, or a financial organization that operates solely in the commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively.”

Malindo Air: Data Breach Was Inside Job

Malindo Air: Data Breach Was Inside Job

A budget Asian airline group has revealed that two former employees of a third-party provider were responsible for a massive breach exposing around 35 million records.

The records — which contained names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates — were spotted circulating on the dark web last month, although the breach only came to light last week.

They belonged to passengers of Malaysia’s Malindo Air and Thai Lion Air, which operate under parent group Lion Air.

Initial reports suggested a misconfigured Amazon Web Services (AWS) S3 bucket may have been to blame for the security incident, but AWS has since confirmed that its “services and infrastructure worked as designed and were not compromised in any way.”

Malindo Air yesterday clarified that two former workers at its e-commerce provider GoQuo in a development center in India “improperly accessed and stole the personal data of our customers.”

“Malindo Air has been working closely with all the relevant agencies including the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) as well as their counterparts overseas,” it added in a statement.

“Malindo Air wishes to reiterate that this incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services. All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act.”

Robert Ramsden-Board, VP EMEA at Securonix, argued that detecting malicious insider behavior in the supply chain is extremely difficult.

“Organizations need to assess their suppliers’ cybersecurity, ensuring that they have appropriate measures in place to detect unauthorized activity by external and internal actors,” he added.

“They also need to properly vet all third-party suppliers before onboarding and establish boundaries on what a supplier can access with immediate alerts on any attempts to access or download off-limits or customer data.”

Ransomware Attack Disrupts Wyoming Health Services

Ransomware Attack Disrupts Wyoming Health Services

Healthcare in Wyoming has been seriously disrupted after a ransomware attack brought down the computer systems of Campbell County Health.

Campbell County Health (CCH), which is based in Gillette, includes Campbell County Memorial Hospital, a 90-bed acute-care community hospital; Campbell County Medical Group, with nearly 20 clinics; The Legacy Living & Rehabilitation Center long-term care center; and the Powder River Surgery Center. 

All of CCH's 1500 computers and its email server were affected by the attack, which took place on Friday morning, September 20. As a result, surgeries have been canceled, and new inpatient admissions have ceased. 

All of today's appointments in the cancer center's radiation oncology department were canceled, and no outpatient lab, respiratory therapy, blood draws, or radiology exams or procedures are being carried out.

The attack prompted the hospital to go "on full divert," meaning patients arriving at the emergency room or walk-in clinic are triaged then transferred to an alternative care facility, if needed.

Other hospitals in the region have been informed of the situation and are working with CCH to provide urgent care, although two of them, Casper and Rapid City, were already full when news of the attack broke. 

press release issued by CCH on Friday afternoon stated: "Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care.

"The appropriate authorities have been notified, and efforts are underway to restore the affected systems. Information on CCH services will be updated as soon as information becomes available."

CCH said that the attack had not compromised any patient data.

A CCH spokesperson said on Friday: "At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services."

As of Sunday, Campbell County Memorial Health's maternal child department had begun accepting patients again on a case-by-case basis. It is not yet clear when CCH services will be back to normal. 

A CCH spokesperson said: "We are collaborating with the local, state, and federal authorities to address this unfortunate incident securely and as quickly as we can. We are very thankful for the local support from the City of Gillette, Campbell County Commissioners, [and] Campbell County Emergency Management."

Most CISOs Believe They’re on Track to Become CEOs

Most CISOs Believe They're on Track to Become CEOs

The role of chief information security officer (CISO) is being treated with newfound respect, according to research by a security solutions integrator.

Optiv Security's State of the CISO survey questioned 100 CISOs in the US and 100 CISOs in the UK to discover how the role is currently perceived within the traditional business hierarchy. 

The results, published today, show that 96% of respondents think that senior executives have a better understanding of cybersecurity than they did five years ago, and 67% said the business they worked for prioritized cybersecurity above all other business considerations. 

Interestingly, 58% of CISOs reported that their job prospects had improved after they experienced a data breach. In fact, most respondents thought that the career path of a CISO was today more illustrious than ever. 

Of the CISOs surveyed, 76% felt that cybersecurity risk was now so important to businesses that CISOs would start being promoted to the role of CEO. Not bad for a relatively new role in the corporate executive hierarchy.

"The Chief Information Security Officer has traditionally reported to the CIO because the job has been regarded as primarily technical. However, the current epidemic of breaches coupled with privacy regulations like the GDPR and CCPA has made cybersecurity a tier-1 business risk," wrote researchers for Optiv. 

According to Optiv’s practice director of risk management & transformation, Mark Adams, CISOs have many qualities that would make them great in the role of CEO. He said: "The CISO exhibits a mastery of negotiation by actively listening and applying the disciplines of consensus-building among his peers and subordinates. The effective CISO thinks more strategically than tactically, planning for the long term and what organizational conditions must be managed to achieve success."

But before CISOs ascend the ranks they have some serious work to do, especially in the US, which the research shows lags behind the UK when it comes to practicing what to do in the event of a cyber-attack.

Adams said: "UK-based organizations report a significantly higher frequency of rehearsing their incident response plans. It is a bit surprising that 36% of US-based companies reported exercising their plans less than once per year, particularly given the adverse impact that perceived negligence can have on the brand/reputation of the organization."

Cybersecurity Firm Tops List of Highest-Paying Companies

Cybersecurity Firm Tops List of Highest-Paying Companies

New research has shown that cybercrime really does pay, but not for the people you'd expect. 

A study conducted by a company review site to find out which firms are the most generous when it comes to remuneration found that the best-paying gig was to be had at an American multinational cybersecurity company. 

Glassdoor's list of the 25 highest-paying companies in the US for 2019 was topped by Palo Alto Networks, which has its headquarters in Santa Clara, California. The cybersecurity firm, which employs over 5,000 people around the world, rewards workers for their efforts with a median total salary of $170,929. This figure dwarfs the Bay Area's average median base pay, which is $73,128. 

After reporting a 29% year-over-year increase in revenue for the 2018 fiscal year, in which they made $2.3bn, Palo Alto Networks certainly has the cash to splash. Such bountiful paychecks are likely to have been a contributing factor when Palo Alto Networks was ranked number one as "best place to work" in the Bay Area by SF Business Times in 2016.

"Not surprisingly, tech companies dominate the list of high-paying employers, including companies like TwitterGoogle, and LinkedIn," Glassdoor's researchers wrote. "The three highest-paying employers in 2019 were all tech companies paying a median total salary over $160,000 a year."

In fact, every one of the top ten highest-paying companies was tech related. Second after Palo Alto Networks was NVIDIA, which has more than 50 offices worldwide and is also based in Santa Clara. The median total salary NVIDIA pays employees is $170,068. 

The list of highest-paying companies was drawn from data reported to Glassdoor between July 1, 2018, and June 30, 2019, by employees based in the US. The information reported included details on base pay and other forms of compensation, including commissions, tips, and bonuses. To be considered for the report, companies had to have received at least 75 salary reports during this timeframe. 

Though tech companies are leading the way on median pay, researchers found that the highest-paid jobs are in the field of medicine. Physicians topped Glassdoor's list of the 25 highest-paying roles in the US for 2019, earning a median base salary of $193,415.

However, Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management, thinks that doctors may lose their spot at the top to a future gatekeeper of cybersecurity.

Durbin said: "Our digital world today runs on shared data and networks, and it relies on the public trust. Security professionals are the protectors of these assets. Moving forward, organizations should rise above the hiring fray and focus on fresh, strategic, long-term approaches to building, supporting, and integrating the security workforce. 

"Security professionals are key to the future and their skill sets may very well push their profession to the top of the salary list."

Twitter Culls 10,000 More State-Sponsored Accounts

Twitter Culls 10,000 More State-Sponsored Accounts

Twitter has removed another 10,000 accounts across six countries after discovering coordinated activity among nation states designed to spread misinformation.

The move comes nearly a year after the social network first began efforts at uncovering state-sponsored propaganda efforts using fake accounts. Since then, it has announced new discoveries in January, June and August this year.

Chinese efforts to spread misinformation about Hong Kong’s pro-democracy protesters appears to be showing no signs of slowing down. On top of the network of 200,000 fake accounts disclosed in August, Twitter has added another 4301 which it said were attempting to “sow discord” about the protests.

Elsewhere, 4248 accounts were suspended in the UAE for “often employing false personae and tweeting about regional issues, such as the Yemeni Civil War and the Houthi Movement.”

A further network of 271 accounts in Egypt and the UAE were focused on spreading misinformation about Qatar and other countries such as Iran.

Twitter also suspended 1019 fake accounts in Ecuador linked to the PAIS Alliance party for a propaganda operation supporting President Moreno’s administration.

A further 259 accounts were suspended in Spain, once again linked to a major political party – this time the right-wing Partido Popular.

As per previous culls, Twitter has permanently suspended the flagged accounts and made available an archive of removed tweets for researchers to study.

“Nearly one year on, the archive is now the largest of its kind in the industry. Thousands of researchers have made use of these data sets that contain millions of individual Tweets and more than one terabyte of media. Using our archive, these researchers have conducted their own investigations and shared their insights and independent analyses with the world,” the firm explained.

“Transparency and openness are deep-seated values at the heart of Twitter which define and guide our methodology around these disclosures. Going forward, we will continue to enhance and refine our approach to disclosing state-affiliated information operations on our service.”

Thinkful Resets Passwords After Data Breach Exposes Coders

Thinkful Resets Passwords After Data Breach Exposes Coders

Online education platform Thinkful has suffered a data breach which may have given hackers access to users' accounts.

The training site for developers notified all of its users by email that an unspecified number may have had their “company credentials” accessed by an unauthorized third party.

However, it clarified that no government identification or financial info belonging to the company would have been available to the hackers via this route. “As soon as we discovered this unauthorized access we promptly changed the credentials, took additional steps to enhance the security measures we have in place, and initiated a full investigation,” it continued.

“Additionally, at this time we have no evidence of any unauthorized access to any other Thinkful user account data or user information. However, as a measure of added precaution, we are requiring all users to reset their Thinkful passwords.”

The cause of the breach is still unclear, although a phishing attack against a site admin or a credential stuffing raid are among the usual suspects. Also unclear is the number of users affected and when the incident occurred.

It does come at an awkward time for Thinkful, however, given the firm only recently announced its $80m acquisition by student learning platform provider Chegg.

That firm has also been on the receiving end of unwanted attention from the black hat community: last year it revealed in a regulatory filing that hackers managed to access a company database, stealing log-ins, and email and shipping addresses.

It was forced to reset 40 million passwords as a result.

Securonix VP EMEA, Robert Ramsden Board, argued that the incident highlights the importance of due diligence before buying a company.

“Purchasing a company that has taken a lax approach to security will only come back to haunt the buyer, as Marriott learned the hard way after its purchase of Starwood hotels,” he added.

“Data breaches pose a serious reputational and business risk to organizations. Therefore, to avoid unauthorized access to internal systems organizations should simulate data breach security drills to identify weaknesses that could be exploited and train staff on the malicious tactics cyber-criminals use to reduce the risk of human error.”

Facebook Suspends Tens of Thousands of Apps

Facebook Suspends Tens of Thousands of Apps

Facebook has removed tens of thousands of apps from hundreds of developers as the fallout from the Cambridge Analytica scandal continues.

In March last year it was revealed that the shadowy political consultancy got hold of the personal details of over 50 million users of a Facebook app after its developers broke the social network’s rules on data collection.

As part of its $5bn settlement with the FTC, Facebook promised greater oversight of its developer ecosystem to ensure a repeat incident could not occur.

According to Facebook VP of product partnerships, Ime Archibong, the tens of thousands of suspended apps are linked to around 400 developers.

“We initially identified apps for investigation based on how many users they had and how much data they could access. Now, we also identify apps based on signals associated with an app’s potential to abuse our policies,” he explained.

“Where we have concerns, we conduct a more intensive examination. This includes a background investigation of the developer and a technical analysis of the app’s activity on the platform. Depending on the results, a range of actions could be taken from requiring developers to submit to in-depth questioning, to conducting inspections or banning an app from the platform.”

Although many of the suspended apps were still in their test phase and did not pose an immediate threat to user privacy, they were still suspended if they didn’t meet Facebook rules and/or if the developer failed to respond to a request for further information.

Some were banned outright if they inappropriately shared Facebook data, made it publicly available without protecting users’ identities, or otherwise violated policies.

These include myPersonality, whose developers stored psychology profiles for millions of users on a poorly secured site for years. Archibong also revealed that Facebook is suing South Korean data analytics firm Rankwave, as well as LionMobi and JedMobi, which are apps linked to malware distribution.

Aside from the ongoing App Developer Investigation, Facebook claims to have made improvements to its developer oversight, including removing APIs, enhancing its number of investigators, and introducing new rules to restrict developers’ control over user data.

City of Los Angeles Teams Up with IBM to Fight Cybercrime

City of Los Angeles Teams Up with IBM to Fight Cybercrime

The City of Los Angeles and IBM are joining forces with the LA Cyber Lab to help local businesses combat cybercrime.

In a new project announced by IBM Security on September 17, the American multi-national IT company will provide technologies and data that will give the city's commercial movers and shakers an edge in the event of a cyber-attack.

As part of the project, business owners will be able to access two new free tools made available by the LA Cyber Lab, a non-profit providing threat intelligence to local businesses. 

The first tool is a mobile application that any citizen can use to submit and analyze suspicious emails to determine their risk and if they are phishing attacks. The second tool, and the real centerpiece of this collaborative effort, is the cloud-based Threat Intelligence Sharing Platform (TISP), developed in collaboration with TruSTAR

Functioning as a kind of digital neighborhood watch, TISP will allow users to circulate their spear-phishing concerns and educate themselves on the latest business email compromise (BEC) or ransomware campaigns. 

A neat feature of the platform is that it reviews suspicious emails submitted by users, extracting key information and searching over 25 common and unique data sources, to indicate the level of risk posed. It can also correlate key information in the email to the associated threat group and their latest attack campaign. 

"Public safety in the 21st century isn't just about protecting our physical streets and neighborhoods—we need to protect the digital presence that is part of everyday life for our residents and businesses," said Los Angeles' mayor, Eric Garcetti. 

"The Threat Intelligence Sharing Platform and mobile app will advance the LA Cyber Lab's work that has made our city a national cybersecurity model, all while better defending Angelenos from cyber-threats." 

In a bid to help other cities in the US know what to do in the event of a cyber-attack, IBM is hosting three complimentary training sessions for municipalities in the IBM X-Force Command Cyber Range in Cambridge, Massachusetts.

At each of the sessions, which will take place on October 22, November 19, and December 10, 2019, attendees will experience a simulated attack in order to practice their response. 

The attack may be simulated, but the threat is very real. In this year alone, more than 70 American cities have become the victims of ransomware. 

Kevin Albano, associate partner, IBM Security Services, IBM Security, said: "While a collaboration like this takes time and the right partners, the process itself was refreshing as a result of the city’s eagerness and dedication to improving cybersecurity for the area. The development of the LA Cyber Lab two years ago was the first real push in the right direction, and the development of these solutions is only continuing that goal and leading the charge for other cities to become more prepared."

WeWork’s WiFi Security Worryingly Weak

WeWork's WiFi Security Worryingly Weak

A lack of security on WeWork's WiFi network has left sensitive user data exposed.

In August, Fast Company revealed that WeWork had used the same WiFi password at many of its rentable shared co-working spaces for years, a password that appears in plain text on WeWork's app. 

The security of the real estate company's WiFi came under further criticism yesterday when CNET reported that the network's poor security had left sensitive data of WeWork users exposed.

Evidence of the exposure was provided by Teemu Airamo, who has been routinely running security scans on WeWork's WiFi network since May 2015. Airamo's scans, which were reviewed by CNET, show nearly 700 devices, including servers, computers, and connected appliances, leaking bank account credentials, email addresses, ID scans, and client databases, among other data.

Airamo said that multiple attempts made by him to alert WeWork's upper management to the security problem were met with indifference. 

WeWork has around 527,000 members renting out its 833 spaces in 125 cities around the world. The company filed for an initial public offering (IPO) in 2018. However, earlier this week the IPO was postponed until the end of the year after the company's reported valuation fell from $47 billion to under $20 billion. 

A spokesperson for WeWork said: "WeWork takes the security and privacy of our members seriously, and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.

"We are in a quiet period and can't comment beyond this statement." 

Commenting on this report, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, said: "For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake websites.

"My recommendation for concerned WeWork customers is to set up a VPN for their own private use."

US Air Force Bids $95m Cybersecurity Contract

US Air Force Bids $95m Cybersecurity Contract

The US Air Force is requesting quotes from vendors that can provide support for a cybersecurity project under a contract worth up to $95m.

Vendors of any size are being sought to support an experimental cybersecurity platform development team that is part of the Air Force's LevelUP program. 

The team's engineers are looking for vendors that can give them access to a secure DevOps platform in which they can build and test new products. Testing will be conducted at every security level and classification on private, public, and hybrid clouds. 

Bidding vendors will need to prove that their company can process data securely at the second-highest security level for Defense Department systems, impact level five. 

To provide the development team with the support it requires, vendors will have to access classified information, something they cannot do from their local cafe over a cappuccino. Vendors will only be considered for this valuable contract if they have access to a facility with a secret level of security clearance that they can use when they need to handle classified data.

A Blanket Purchase Agreement (BPA) for up to 15 cloud vendors is being drawn up by the Air Force Life Cycle Management Center, with a performance period of up to five years. To be eligible to receive a BPA, companies must be based in the United States with no foreign ownership or control.

Bidders have until 12:00 PM CST on October 16, 2019, to submit a quote via email. Two Ask Me Anything (AMA) sessions are planned for September 25 and October 3; however, times and locations are yet to be announced.

The LevelUP program, which is based at the Command, Control, Communications, Intelligence, and Networks Directorate Joint Base in San Antonio, Texas, was founded with the strategy to create two main products.

One product, Unified Platform, is a tool that aggregates cybersecurity incident data in a single platform that is visible not just across the Air Force, but to other military branches too. The other is LevelUP Cyber Works, a “cyber factory” in which to develop and field new capabilities at the speed and scale required in today’s cyberspace operations environment.

Republicans U-Turn to Back $250m Election Security Boost

Republicans U-Turn to Back $250m Election Security Boost

In a surprise u-turn, senate Republicans have decided to back Democrat calls for an extra $250m to enhance the security of the nation’s voting infrastructure.

Speaking on the floor yesterday, senate majority leader Mitch McConnell said: “I’m proud the Financial Services & General Government bill will include a bipartisan amendment providing another $250 million for the administration and security of their elections, to help states improve their defenses and shore up their voting systems.”

Republicans have twice blocked attempts to bring legislation to the floor designed to improve election security, in 2018 and then again in July this year. Both times they claimed that states had still not spent the $380m they were given in 2018.

“This morning, after months and months and months of Republican resistance, and months of insistent Democratic pressure, senate Republicans have finally agreed to support our Democratic request for additional election security funding in advance of the 2020 elections,” responded senate minority leader, Chuck Schumer.

“A year ago, our Republican friends unfortunately and short-sightedly rejected this amendment. Well, maybe, just maybe, they are starting to come around to our view that election security is necessary; that if Americans don’t believe their elections are on the up-and-up, woe is us as a country and as a democracy.”

However, even this sum may not be enough to provide the safeguards needed to improve resilience against possible Russian intrusions.

Marian Schneider, president of election transparency non-profit VerifiedVoting, argued that more is needed to help states shore up their security ahead of the 2020 Presidential election.

“This amount falls short of the $600m that passed in the House, which is much closer to meeting the need for proper investment in election security. Congress has the obligation to protect the country from threats to national security and has the opportunity to act on this nonpartisan issue — after all, everyone votes on the same equipment,” she added.

“By making federal funds available, states will be able to replace aging, insecure voting equipment and implement modern security best practices, which include using voter-marked paper ballots and robust post-election audits. Despite the progress shown today, congress still needs to vote on bipartisan, comprehensive election security legislation to protect and ensure trustworthy elections backed by adequate funds for state and local governments to implement such measures.”

A senate report from July warned that Russian hackers had likely compromised voting infrastructure in all 50 states ahead of the 2016 election.

Senior Execs Shun Cyber Risk as Concerns Grow

Senior Execs Shun Cyber Risk as Concerns Grow

Nearly 80% of global organizations now rank cyber-risk as a top-five business concern, but just 11% are highly confident they can assess, prevent and respond effectively to attacks, according to new research from Marsh and Microsoft.

The insurer has teamed up with the computing giant once again to poll 1500 global organizations for its 2019 Global Cyber Risk Perception Survey.

It found those ranking cyber-risk as a top-five concern had risen from 62% in 2017 to 80% this year, while those confident in being able to deal with a threat fell from 19% to 11% over the period.

Ownership of and engagement with cyber-risk management seems to be a key challenge for many.

Although 65% of respondents identified a senior executive or the board as main owner of this function, only 17% of executives and board members said they’d spent more than a few days in the past year focusing on the issue. Some 51% spent several hours or less.

Similarly, 88% of organizations identified their IT/IT security teams as primary owners of cyber-risk management, but nearly a third (30%) of IT respondents said they spent just a few days or less over the past year focusing on this.

At the same time, adoption of new technologies continues apace, often without adequate safeguards.

Half of respondents said cyber-risk is almost never a barrier to the adoption of new tech, and although three-quarters (74%) evaluate risks prior to adoption, just 5% said they do so throughout the technology lifecycle. A significant minority (11%) do not perform any evaluation.

The report also revealed that organizations were likely to hold their own cyber-risk management actions to a higher standard than that of their suppliers.

That’s despite the fact that 39% said the risk posed by their partners was high or somewhat high versus just 16% who admitted their own organization poses high risk to their supply chain.

“We are well into the age of cyber-risk awareness, yet too many organizations still struggle with creating a strong cybersecurity culture with appropriate levels for governance, prioritization, management focus, and ownership,” said Kevin Richards, global head of cyber-risk consulting at Marsh.

“This places them at a disadvantage both in building cyber-resilience and in confronting the increasing complex cyber-landscape.”

Duo Indicted in $10m Tech Support Scam Case

Duo Indicted in $10m Tech Support Scam Case

Two individuals have been indicted as part of a crackdown on a $10m tech support scam operation.

Romana Leyva and Ariful Haque have now been charged with one count of wire fraud and one count of conspiracy to commit wire fraud, which could land them with a maximum 40 years each behind bars, according to an unsealed indictment.

It alleges that the fraud ring operated a classic tech support scam campaign targeting mainly elderly computer users.

After seeing pop-ups appear on their screens warning of a serious virus infection, they were urged to call a tech support number. Often these windows were branded with legitimate corporate logos to enhance legitimacy.

Doing so would take them through to an Indian call center, where operatives would use remote access tools to investigate the ‘problem’ before charging a fee — one-time, one-year or lifetime — to the victim and installing free anti-virus on their machine.

Around 7500 North American victims were scammed in this way, losing hundreds or thousands of dollars each.

In some cases, the fraudsters came back for more, claiming the original company that promised to provide tech support was going out of business and they wanted to refund the victim.

During this 'refund' process, they claimed to have reimbursed the victim too much money by accidentally adding an extra zero onto the amount. They then demanded the victim reimbursed them to the tune of thousands of dollars via gift cards, according to the indictment.

Nevada resident Leyva and New York-based Haque are accused of creating multiple fake companies to receive the fraudulently obtained funds, and of recruiting others to do so.

The scheme is said to have lasted from at least March 2015 to December 2018.

A report from Microsoft last year revealed that 63% of consumers globally experienced a tech support scam, down slightly from 68% in 2016.

MITRE Names 2019’s Most Dangerous Software Errors

MITRE Names 2019's Most Dangerous Software Errors

Eight years ago, a list of the world's most dangerous software errors was published by problem-solving nonprofit the MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime's most wanted.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.

Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is "improper restriction of operations within the bounds of a memory buffer."

The second-most lethal error was determined to be "improper neutralization of input during web page generation," also known as cross-site scripting, which had a threat score of 45.69. 

In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list's compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs. 

MITRE's goal is to release an updated list each year based on data from that specific year. Asked why the gap between the first two lists was so long, a MITRE spokesperson answered: "Based on the previous methodology employed for the 2011 CWE Top 25 List, it was clear that there was no basis upon which to credibly change the list. 

"As new methodologies were explored, and upon selection of the current data-driven approach, it became valuable to produce a new list because it would validate whether or not the new data-driven methodology would result in a different list. And, since it did result in a different list, community stakeholders now have a new list to consume that is evidence-based and different from the 2011 list."

The lists are indeed different, but both include some of the same offenders. Explaining why, the spokesperson said: "Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out. 

"Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them."

Vacationers Hit by Skimming Attack

Vacationers Hit by Skimming Attack

People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack. 

Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart. 

Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.  

Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users' names, email addresses, telephone numbers, credit card details, and hotel room preferences.

The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn't ask users to fill in their credit card's card verification number, known as a CSC, CVV, or CV2.

To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites. 

Trend Micro's findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented: "There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place."

Study Reveals Most Expensive State for Cyber Insurance

Study Reveals Most Expensive State for Cyber Insurance

Purchasing cyber insurance to protect your business from the ever-increasing number of threats will cost you more in Delaware than in any other US state. 

A new study by business insurer AdvisorSmith has found that the average cost of annual cyber insurance in the Blue Hen State is 8.34% higher than the national average and a staggering 32.49% higher than its cost in the cheapest state for cyber insurance, Arizona. 

Across America's 50 states and the District of Columbia, the cost of cyber insurance averaged out at $1,501 per year, or around $125 a month, but for Delaware business owners the price rose to $1,626.92 per year. In Arizona, where the cost of cyber insurance was 24.15% cheaper than the national average, policies were on average $1,139 per year.

The study was conducted using quote estimates gathered in August and September 2019, as well as rate filings supplied by over 50 insurance companies throughout America between January 2019 and September 2019. 

Premiums nationwide ranged from as low as $544 to as high as $2,642 for comparable insurance coverage, based upon companies with moderate risks. The premiums were based upon liability limits of $1m, with a $10,000 deductible and $1m in company revenue.

North Carolina was the second most expensive state for cyber insurance, with an average annual cost of $1,611. At the other end of the scale, after Arizona, Michigan and Minnesota offered the cheapest cyber insurance.  

Asked how the average cost of cyber insurance has changed since last year, AdvisorSmith's Adrian Mak said: "Premium increases in the cyber market are tracking at 5% or less, which is relatively stable for an insurance product."

The Marsh-Microsoft 2019 Global Cyber Risk Perception survey published yesterday found that only 17% of executives said they had spent more than a few days on cyber-risk over the past year. However, a little investment of time in their company's cybersecurity could save them money.

Mak said: "We are seeing insurance companies focus more on operational cybersecurity defenses, where they are raising premiums on companies that don’t address cybersecurity vulnerabilities, while charging less to companies that are following the latest cybersecurity best practices."

Describing how he expects the cyber insurance landscape to change going forward, Mak said: "The cyber insurance marketplace is expected to experience continued growth over the next decade. We expect more growth in the small and midsize business sector. Especially in small business policies, we are seeing cyber insurance bundled into package policies."

Facebook Disrupts Misinformation Campaigns in Ukraine and Iraq

Facebook Disrupts Misinformation Campaigns in Ukraine and Iraq

Facebook has taken down hundreds of Facebook and Instagram Pages and accounts after two separate coordinated campaigns were discovered attempting to influence user behavior in Iraq and Ukraine.

It’s possible that the fake news operations were an attempt to peddle misinformation ahead of elections in the Middle East nation last year and in the eastern European country a few months ago.

The social network removed 76 Facebook accounts, 120 Pages, one Group, two Events and seven Instagram accounts linked to “coordinated unauthentic behavior” in Iraq. One of more of the Pages managed to garner around 1.6 million followers while 339,000 accounts followed at least one of the groups, it said.

“The people behind this activity used fake accounts to amplify their content and manage Pages — some of which were likely purchased,” explained Facebook head of cybersecurity policy, Nathaniel Gleicher.

“Many of these Pages merged with one another and changed names over time. They also impersonated other people and used their IDs to conceal their identity and attempt to avoid detection and removal.”

The content itself was largely critical of the US occupation and pro-Saddam Hussein, according to an analysis by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

A much bigger operation was taken down in Ukraine, where Facebook was forced to remove 168 accounts, 149 Pages and 79 Groups. Around 4.2 million accounts followed one or more of these Pages and around 401,000 accounts joined at least one of the Groups, while a whopping $1.6 million was spent on Facebook and Instagram ads, the social network revealed.

Facebook linked the activity to Ukrainian PR firm Pragmatico, despite attempts to conceal its involvement.

“The people behind this activity used fake accounts to manage Groups and a number of Pages — some of which changed their names over time, and also to increase engagement, disseminate content and drive people to off-platform sites posing as news outlets,” explained Gleicher.

According to another DFRLab analysis, there may have been political intent behind this campaign, although it was also an attempt to build a national audience for media conglomerate Znaj Media Holdings, which is linked to Pragmatico.

“The pages primarily posted local Ukrainian news content, much of which was lifted from other Ukrainian news outlets with only partial attribution,” it concluded. “This network may have been partially politically motivated — some of the pages launched personal attacks against particular Ukrainian politicians — and partially commercial in nature.”

FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime

FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have announced a partnership to combat cybercrime within the European financial services sector.

The FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, and the EC3 protects European citizens, business and governments from online crime.

The Memorandum of Understanding (MOU) between the two will aim to facilitate and enhance the law enforcement response to financially motivated cyber-criminals targeting banks and other financial institutions through a symbiotic intelligence sharing network.

The partnership is a response to the acceleration of sophisticated cyber-attacks in recent years affecting numerous countries and jurisdictions at once. The MOU will help foster a pan-European approach to intelligence sharing, ensuring the cross-border cooperation necessary for the detection, prevention and reduction of cybercrime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training exercises and informational summits.

“Cyber-criminals are increasingly targeting financial services and institutions to the cost of citizens and businesses across the EU,” said Steven Wilson, head of EC3. “It is crucial to bring key stakeholders around the table to improve the coordinated response; this MOU with FS-ISAC builds a platform to allow us to do exactly that.”

Ray Irving, managing director of FS-ISAC, added: “Accelerated global digitalization combined with the growing sophistication of cyber-criminals demands a more concerted approach from both the public and private sector. Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system.”

NCSC: Nation State University Attacks Could Harm UK

NCSC: Nation State University Attacks Could Harm UK

The UK’s National Cyber Security Centre (NCSC) has been forced to issue a new report detailing the threat to the country’s universities from cyber-criminals and nation state operatives.

The NCSC argued that, while the sector has traditionally been one of the most open and outward-facing, both in terms of culture and technology, this makes the attackers’ job even easier.

The main threats are from untargeted cybercrime raids, such as ransomware and bulk personal info theft via phishing, and targeted ones like Business Email Compromise (BEC). However, it also highlighted the challenge posed by nation state hackers looking to steal cutting-edge research and IP.

“While it is highly likely that cybercrime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to 'publish first',” the report argued.

“Nation states almost certainly target universities for the data and information they hold. Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students,' or direct investment.”

The NCSC warned that attacks on UK universities by nation states could even threaten the long-term health of the country itself.

“There's a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimizing of other avenues to gain insight and advantage,” it added.

The GCHQ spin-off urged university IT teams to focus on: improving user security awareness; enhancing access controls, especially for sensitive data stores; and to revisit network design to segment high-value information.

Iranian hackers have been among the most prolific attackers of university IT systems: just last week more info emerged on the Cobalt Dickens group, which is targeting at least 380 universities worldwide in a major new phishing operation.

Lion Air Breach Hits Millions of Passengers

Lion Air Breach Hits Millions of Passengers

Tens of millions of passengers from at least two Asian airlines have had their personal data compromised after workers at the parent company left them exposed via an AWS server, it has emerged.

Although it’s unclear how long the data had been exposed for, security researchers have pointed to at least 35 million records circulating online and linked to an individual with the moniker “Spectre.”

They belong mainly to passengers of Lion Air companies Malindo Air and Thai Lion Air, and include names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates, and more.

There are suggestions that a third Lion Air brand, Batik Air, may also be affected.

An official statement from Malindo Air reveals little except that, along with AWS and the airline’s e-commerce partner GoQuo, it is investigating.

“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” it claimed.

“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”

The firm urged its passengers to change passwords on their Malindo Miles accounts and basically sit tight.

Reports suggest a misconfigured S3 bucket was again responsible for the security snafu, perhaps dating back to August.

Airlines are an increasingly popular target for hackers, with both Cathay Pacific and BA suffering major breaches over the past year.

The mistake or oversight that led to the Lion Air breach was most likely a very simple one, argued Stephan Chenette, co-founder and CTO of AttackIQ.

“Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs,” he added.

“To protect customer data, organizations should employ continuous security validation tools to identify and prioritize gaps in security that need to be addressed first, and continuously assessing the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”

The Infosecurity Magazine Online Summit is happening next week! Join thousands of professionals from around the world and gain access to industry leading education sessions covering the latest infosec trends & technology for free. Do not miss this great opportunity to earn upto 12 CPEs in just two days. Register Now http://bit.ly/2XY1eCX

Barclaycard: So Far, So Good for Strong Customer Authentication

Barclaycard: So Far, So Good for Strong Customer Authentication

Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. 

The new user authentication rules mandated by the European Union's revised Payment Services Directive (PSD2) were introduced by the UK's leading acquirer on Saturday, September 14. 

Barclaycard analyzed transaction data from September 14 and 15 to check what effect the new two-step authentication rules were having. The company found that merchants had not experienced an increase in abandoned transactions, nor had they seen a spike in declined payments.  

"Our data offers encouraging news for merchants, whose transaction volumes have been, so far, unaffected by the go-live of SCA," said Paul Adams, director of acquiring at Barclaycard Payment Solutions.

SCA legislation officially came into force across Europe on September 14; however, the European Banking Authority (EBA) has given each member state the option to apply for extensions. 

One country that took them up on the offer was the UK, which secured an 18-month extension to the deadline. The UK's financial regulator, the Financial Conduct Authority (FCA), announced in August that the country's payments and e-commerce providers would have until March 14, 2021 to achieve full compliance. 

Action will not be taken by the FCA before that date against firms that haven't implemented SCA, provided that "there is evidence that they have taken the necessary steps to comply with the plan." However, the FCA is expecting third-party providers to implement SCA for online banking by March 14, 2020.

The new SCA legislation requires that all European Economic Area (EEA) transactions go through a two-factor authentication process, unless they qualify for an exemption. Transactions that are exempt include contactless payments below €50/£30; payments made at unattended terminals, such as parking lot payment machines; and recurring payments of the same value to the same merchant, such as subscription payments.

Customers can also skip two-factor authentication for payments made to trusted merchants by whitelisting that merchant with their issuer. 

To help merchants prepare for the changes required by SCA, Barclaycard, which handles nearly half of the nation’s credit and debit card transactions, has launched Barclaycard Transact, which went live over the weekend.

The fraud protection solution allows businesses to benefit from SCA exemptions while making sure that all high-risk transactions still go through two-factor authentication, in accordance with the regulation.

Adams said: "We have designed Transact to help our customers get the most out of the incoming regulation, by enabling them to provide a smooth payment experience for their shoppers, while at the same time reducing risk and managing fraud."

New Attack Group Targets Saudi IT Providers

New Attack Group Targets Saudi IT Providers

A previously undocumented threat group has been mounting what appear to be supply-chain attacks against IT providers in the Middle East.

Since July 2018, Tortoiseshell Group has targeted at least 11 organizations, using a deadly mix of custom-made and off-the-shelf malware. The majority of the companies to come under virtual fire are based in Saudi Arabia.

Tortoiseshell's nefarious activities were spotted by researchers at Symantec, who have recorded activity stemming from the group as recently as July 2019. 

At two of the organizations unfortunate enough to be attacked by Tortoiseshell, several hundred network computers ended up being infected with malware. Researchers believe that this unusually large number of compromised consoles is indicative of the group's desire to infiltrate particular computers. 

The exact intentions of the attackers are unknown, though Symantec's researchers believe that the threat group's end goal was to compromise the computers belonging to the customers of the IT firms targeted. And you can bet that they weren't going to all this trouble just to change people's screensavers to a goofy picture of an adorable puppy. 

Evidence gathered by the researchers suggests that the attackers were able to gain domain admin–level access to the networks of at least two of the IT providers upon which they preyed.  

Gavin O'Gorman, an investigator with Symantec Security Response, said: "Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller, on at least two victim networks. This results in the information-gathering tools' being executed automatically when a client computer logs into the domain. 

"This activity indicates the attackers had achieved domain admin–level access on these networks, meaning they had access to all machines on the network."

Highlighting the inherent danger in hackers' gaining access at this level, O'Gorman said: "Shamoon is a good example of one of the worst-case scenarios, where an attacker can wipe every computer on a network by obtaining domain-level access."

The unique component used by Tortoiseshell is a piece of malware called Backdoor.Syskit, which is run with the "-install" parameter to install itself. Once it has settled its virtual butt on the couch of a computer, the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server. 

Tortoiseshell's last observed activity occurred in July, but there's every chance they'll be back for more.

O'Gorman said: "Groups tend to not go away, but rather they use different tools, and so it becomes difficult to connect their various attacks. For some groups we have been able to identify their activity spanning more than 10 years."

US Cybersecurity Firm to Create 52 Jobs in Ireland

US Cybersecurity Firm to Create 52 Jobs in Ireland

An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.

The new office in the Republic of Ireland will become the European Headquarters and Security Operations Centre (SOC) for growing company Security Risk Advisors (SRA). SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years. 

Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic. 

SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."

Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown. 

Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA

"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen. 

Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.

"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."

SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.

The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street. 

Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.

Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."

Government Report Warns of AI Policing Bias

Government Report Warns of AI Policing Bias

A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.

Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.

It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.

The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.

This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.

It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.

RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.

“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.

“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”

OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.

“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.

“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”

Third of Brits Concerned About Election Interference

Third of Brits Concerned About Election Interference

A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.

The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.

It found that 34% believe cyber-attackers could influence the democratic process in future.

A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”

Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.

Election interference can also be more insidious: a senate report out in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 Presidential election.

Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) claimed there’s not enough security experts in the workforce to protect the country from attack.

However, less than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.

Skills shortages currently stand at nearly three million globally, including 142,000 in EMEA, according to (ISC)².

SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.

“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”

The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.

US Government Sues Edward Snowden Over Book

US Government Sues Edward Snowden Over Book

The US government is suing Edward Snowden for violating a non-disclosure agreement (NDA) in the publication of a new book.

The civil suit alleges that the former government contractor published the book, Permanent Record, without first submitting it to the CIA and NSA for review, as per the agreements he signed. It alleges Snowden has also discussed intelligence matters in public speeches, further violating the NDA.

Yet despite its allegations, the US government doesn’t want to prevent publication of the book; instead it wants to seize all proceeds, naming his publishers as co-defendants so that no money can be transferred to the whistleblower.

“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said assistant attorney general Jody Hunt of the Department of Justice’s Civil Division.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

However, Snowden’s attorney and director of the American Civil Liberties Union (ACLU), Ben Wizer, has hit back, arguing that the book contains no information that hasn’t already been published by “respected news organizations.”

“Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified,” he added.

“Mr Snowden wrote this book to continue a global conversation about mass surveillance and free societies that his actions helped inspire. He hopes that today’s lawsuit by the United States government will bring the book to the attention of more readers throughout the world.”

New Banking Regs Increase Cyber-Attack Risk

New Banking Regs Increase Cyber-Attack Risk

report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.   

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity. 

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."

Vulnerabilities in IoT Devices Have Doubled Since 2013

Vulnerabilities in IoT Devices Have Doubled Since 2013

A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago. 

In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 common vulnerabilities or exposures (CVEs). The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.

For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.

"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer. 

Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."

After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) codes to affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.  

"Netgear and Drobo only responded to us after we continuously messaged them about the critical security issues in their products," said Rick Ramgattie, lead researcher at ISE.

Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.

Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time. 

"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."

Nevada Students Top First Official National Cyber League College Rankings

Nevada Students Top First Official National Cyber League College Rankings

America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top. 

Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.

In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.  

The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios. 

Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy. 

Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity." 

Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.

"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.

"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage.

New Test Service Launched to Gauge Tech Skills of Job Candidates

New Test Service Launched to Gauge Tech Skills of Job Candidates

A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.

TechRank, created by Pioneer Labs, is run by tech consultants and sources, tests and objectively ranks tech talent, helping companies hire the best and most capable person for tech-based roles. TechRank seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered based on genuine skillsets.

Candidates take the TechRank test online, opting for the specific area relevant to their skills. Candidates are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by their skill level quicker and more accurately than reading through large numbers of CVs.

TechRank was co-founded by Gurvinder Singh, Co-CEO, Pioneer Labs, and he explained how TechRank was born out of frustration.

“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trailed the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”

Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.

“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”

Webcam Security Snafus Expose 15,000 Devices

Webcam Security Snafus Expose 15,000 Devices

Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.

Working for Wizcase, white hat Avishai Efrat located the exposed devices from multiple manufacturers including: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.

They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.

By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.

Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.

The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.

“Web cameras manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.

“If these devices have open network services, then they could be exposed.”

Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.

It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.

Emotet is Back and Spamming Again

Emotet is Back and Spamming Again

A notorious botnet has begun sending out spam again after a several month hiatus, which could spend bad news for organizations around the world.

Emotet has been dormant for around four months, but starting pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.

The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.

In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.

“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.

“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”

Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.

Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.

According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.

Most Port Vulnerabilities Are Found in Three Ports

Most Port Vulnerabilities Are Found in Three Ports

The vast majority of vulnerabilities in ports are found in just three, making it theoretically easier for organizations to defend them against attack, according to Alert Logic.

The security vendor analyzed 1.3 petabytes of security data, over 2.8 billion IDS events, 8.2 million verified incidents, and common vulnerabilities for more than 700 SMB customers, in order to compile its Critical Watch Report for 2019.

It claimed that 65% of vulnerabilities it found in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are linked to SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP).

RDP/TCP comes in fourth place, which is no surprise as it has already been patched several times by Microsoft, including one for the Bluekeep bug which Redmond warned could provide attackers with WannaCry-like “wormable” capabilities.

The number of vulnerabilities in a port is a good indication of its popularity and it’s no surprise that the top three ports for flaws are also ones exposed to the public-facing internet, Alert Logic said.

However, the findings may provide useful intel for security teams in smaller companies to help them reduce their attack surface quickly and easily.

“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic,” the report advised.

“Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.”

Alert Logic also urged IT security teams to patch and harden any device, software or service connected to ports and to tackle any new vulnerabilities as they appear, as well as changing all default setting and passwords and running regular configuration checks.

The report found that most unpatched vulnerabilities in the SMB space are over a year old, and that misconfigurations, weak encryption and unsupported Windows versions also represent serious risks.

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training. 

Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a mandatory cybersecurity training course.

All Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. 

Massey, who holds a degree in criminal justice from the University of Mississippi, told the Commercial Appeal website that he refused to complete the cybersecurity training because the instruction to do so had come to him from the city’s unelected director of information technology. 

"I don't think it's appropriate for a city employee to tell aldermen what they have to do to access their email," said Massey.  

Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines but could complicate the process of fulfilling public records requests. 

Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers. 

Commenting on Massey's argument that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own." 

Asked if Mr. Massey's actions had undermined the authority of Germantown's aldermen, Janda said: "Nothing Mr. Massey can do would undermine the authority of the aldermen. There is nothing special about him."

Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, believes mandatory cybersecurity training for elected officials is a good idea. Asked if he thought that Massey's ability to carry out his alderman duties had been affected by the restriction of his official email account, Janda said: "Yes, at least with staff." 

Stating how he would like to see the situation resolved, Janda said: "Mr. Massey just needs to take the training. It's 45 minutes . . ."

According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.  

Massey did not respond to Infosecurity Magazine's request for comment.

Data of Virtually All Ecuadoreans Leaked Online

Data of Virtually All Ecuadoreans Leaked Online

The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach. 

The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.

The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.

Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.

"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information." 

Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached. 

Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."

A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles. 

Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. 

Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat

After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019. 

The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.

Chicago Broker Fined $1.5m for Inadequate Cybersecurity

Chicago Broker Fined $1.5m for Inadequate Cybersecurity

A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures. 

An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.

Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds. 

The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.  

On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."

In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."

PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."

The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts. 

"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees

Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.

Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.

The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.

Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.

However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.

The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.

The firm is also facing a backlash from US regulator the SEC over an anti-fraud investigation dating back to 2017 about its 2015 merger with shelf company Cambridge Capital Acquisition Corporation.

Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.

The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.

The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.

US Slaps Sanctions on Three North Korean Cyber Groups

US Slaps Sanctions on Three North Korean Cyber Groups

The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.

The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.

All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.

Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.

While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.

Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.

The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.

This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence. 

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

UK’s Environmental Agencies Lose Hundreds of Devices

UK’s Environmental Agencies Lose Hundreds of Devices

The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.

Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.

They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.

Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.

The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.

Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.

A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.

“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.

“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”

Absolute Software vice-president, Andy Harcup was less forgiving, branding the losses “unbelievable.”

“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.

“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”

These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.

Symantec Axes Hundreds of US Jobs

Symantec Axes Hundreds of US Jobs

American software giant Symantec is cutting hundreds of jobs at four different sites across the US as part of a $100 million restructuring program.

Government filings of notices made by the company in August under the Worker Adjustment and Retraining Notification (WARN) Act indicate that the roles of 230 Symantec employees will be terminated on October 15, 2019.  

The company's Californian headquarters at Mountain View will bear the brunt of the losses, with 152 job cuts expected. In San Francisco 18 jobs will go, and a further 24 will be axed from the company's site in Springfield, Oregon. In Culver City, Los Angeles County, 36 positions will be scrapped. Employees were notified in early August. 

The cuts will affect many different job classifications but most of the roles targeted were primarily related to tech work. According to the Employment Development Department (EDD) filings made by Symantec in California, many software engineer and software development engineer jobs are to go along with a raft of middle-management positions.

In a letter which accompanied the filings, Symantec wrote: “Layoffs are expected to be permanent," before stating, "None of the affected employees are represented by a union, and no bumping rights exist."

Symantec, which supplies 50 million people with Norton antivirus software and LifeLock identity theft protection, has over 11,000 employees globally. The US job cuts are part of a planned 7% reduction in Symantec's international workforce announced last month alongside news of the company's $10.7 billion sale of its enterprise division to San Jose chipmaker Broadcom.

News of the cuts come amid rumors that Symantec has received interest from two private-equity suitors who, according to the Wall Street Journal, are seeking to buy the cybersecurity firm for more than $16 billion.

The Journal reported that "Permira and Advent International Corp. recently approached Symantec proposing a takeover deal valuing Symantec at $26 to $27 a share that would hand them the company’s consumer operation while preserving the sale of its enterprise business to Broadcom Inc." 

With the sale of its enterprise arm to Broadcom pending, it's not clear how the proposed deal would work if it was to go ahead.

Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Two employees of a Colorado cybersecurity firm hired to test the security of an Iowa courthouse have been charged with burglary after allegedly breaking into the building.  

Gary Edward Demercurio, 43, of Seattle, Wash., and Justin Lawson Wynn, 29, of Naples, Fla., were arrested at approximately 1 a.m. on Wednesday morning after being found inside the Dallas County Courthouse in possession of burglary tools. 

Dallas County deputy sheriffs arrived at the scene after an alarm at the courthouse at 908 Court Street in Adel was tripped.

Demercurio and Wynn, who both work for global cybersecurity firm Coalfire, have been charged with third-degree burglary and possession of burglary tools. 

At the time of their arrest, Demercurio and Wynn told Dallas County deputy sheriffs that "they were contracted to break into the building for Iowa courts to check the security of the building."

In a press release issued later that day, Iowa Judicial Branch confirmed that while the state court administration had hired cybersecurity firm Coalfire to carry out security testing, the midnight shenanigans allegedly committed by Wynn and Demercurio were not exactly what it had in mind. 

While the administration had asked Coalfire to test vulnerabilities in the the state’s electronic records system, it "did not intend, or anticipate, those efforts to include the forced entry into a building."

"It’s a strange case," said Dallas County Sheriff Chad Leonard on Wednesday. "We’re still investigating this thing."

When contacted for comment, Coalfire replied with the following statement: "Coalfire is a global cybersecurity firm that has conducted over 10,000 security assessments since 2001. We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client. 

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter." 

Demercurio was released from Dallas County Jail after posting a $57,000 bond. Wynn was likewise released after posting a bond of $50,000. Both men are scheduled to appear before Dallas County District Court for a preliminary hearing on September 23.

MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

A Wisconsin university today celebrated the grand opening of a new cyber-learning facility funded by a $34m donation from a former student and his wife. 

Dwight Diercks graduated from the Milwaukee School of Engineering (MSOE) in 1990 with a degree in computer science and engineering. Now senior vice president of software engineering at California-based technology company NVIDIA, Diercks today serves as a regent of the university, which awarded him an honorary engineering doctorate in 2014.

A day-long program of events was held to mark the opening of the Dwight and Dian Diercks Computational Science Hall, which included a keynote address by Jensen Huang, founder, president, and CEO of NVIDIA.

According to the MSOE website, "Diercks Hall—and the courses taught within—position MSOE at the educational forefront in artificial intelligence (AI), deep learning, cyber security, robotics, cloud computing and other next-generation technologies."

The four-floor building features seven contemporary classrooms, nine innovative teaching laboratories, 25 offices for staff, and a 256-seat auditorium. At the heart of the hall is a state-of-the-art data center with an NVIDIA GPU-accelerated AI supercomputer, which is named Rosie after the women known as Rosies who programmed one of the earliest computers, the ENIAC. Rosie is also the name of Diercks' mother, who passed away in 2006.

On the building's third floor, the Caspian Cyber Security Laboratory will allow students to conduct real-world cybersecurity experiments and test defensive mechanisms in a professional and controlled environment. The room is grounded with special shielding paint and an electromagnetic field to prevent computer viruses that students are working on from spreading to the rest of campus through the wireless network.

The substantial donation given by Diercks and his wife, Dian, was bolstered with an additional $4m contributed by several individuals and corporations to support long-term operations and maintenance of the facility. 

Speaking at today's live-streamed opening ceremony, held in the new hall's atrium, the mayor of Milwaukee, Tom Barrett, quipped, "When I first heard the words artificial intelligence I thought someone had heard I had inflated my SAT scores," before declaring Friday, September 13, 2019, to be Dwight and Dian Diercks Day throughout the entire city of Milwaukee.

After Diercks and his wife cut a red ribbon with a giant pair of scissors to officially open the hall, he shared with the crowd his pleasure at learning that the addition of an external staircase to the building had increased the facility's final size to a square footage of 65,536, which is the number of different values representable in a number of 16 bits.

#44CON: GPS Trackers Hacked to Make Premium Rate Calls

#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Speaking at 44CON, Pen Test Partners researchers Tony Gee and Vangelis Stykas demonstrated vulnerabilities in GPS trackers, which enabled them to call premium rate phone numbers, and possibly influence the outcome of television talent shows.

Gee said that there is demand for GPS trackers, which are used in watches for kids, cars and even on pets’ collars, but their research had found consistent API vulnerabilities. Gee said that the problems were in “a lot of common APIs and used across platforms” in IoT products that were available cheaply.

Stykas called one product range “a monstrosity,” saying that the research into Thinkrace technology found that most API calls did not require authentication, and all users start with the default password “123456.” There were at least 370 vulnerable devices, across 80 domains on 40 different servers, which Stykas said allows anyone to be tracked, with a hacker able to change the email and take over the device, and force a firmware update. 

Calling it a “classic horizontal escalation of privilege,” Stykas said that the vendor had not responded to vulnerability disclosures for three years “on multiple attempts.”

In further research, Gee said that a lot of the GPS devices, particularly tracker watches for kids, used a pay-as-you-go SIM card, and allowed for a premium rate phone line to be called. “If we own the number, we make the money,” he said, pointing out that the costs of setting up a number only runs into hundreds of pounds, but regulation by the PSA was strong on doing this.

Looking at the options of hacking a GPS tracker to enable text voting to a premium line, Gee said that a typical SMS vote is 35p, so with a £10 top up you could vote 28 times. If there are 25 million vulnerable devices, that can enable seven billion votes. While he admitted that the voting at the annual Eurovision song contest could not be influenced because of the jury system, it was possible to influence talent shows like X Factor and Britain’s Got Talent. This would also allow the attacker to gamble on who the winner would be.

Talking on the disclosure, Gee said that the UK’s main four providers (o2, Vodafone, EE and 3) have a default “on” for premium lines to be called. Meanwhile, the vendors have been notified but “most products are not fixed and multiple devices have the same flaws.” However, the PSA have responded and said that Pen Test Partners will be invited to review changes.

Gee concluded by saying that most trackers will not be fixed, but manufacturers “need to get better” as “authentication is not authorization.”

#44CON: Establishing a Mental Health Toolbox

#44CON: Establishing a Mental Health Toolbox

Noting the warning lights to assess your levels of stress and mental health now, and in the future, can save a lot of anguish in your working life.

Speaking at 44CON in London on the issue of dealing with mental health, Duo Security CISO advisory group member J Wolfgang Goerlich recommended a strategy of a “career owners manual” and knowing what to do to “make sure you have got a career and what you’re doing well.”

He recommended having a the right state of health to be able to thrive in what he called a “good community,” where we need to be supportive of others, as “a lot of us struggle.”

Goerlich advised taking a back seat, stepping back from work for a few months and to avoid being afraid of duplicating work.

When looking at yourself in a current position, he recommended taking the following steps:

  • Look at how your culture fits the company culture. Are we happy with the people in our organization “and do they make us feel good?”
  • Are our values reflected in theirs, and do we feel good about ourselves when we look in the mirror or do we feel like we are compromising ourselves?
  • Are the tasks we are doing good?
  • Is diversity good where we work, as diversity beings different perspective and points of view

“You need to be sure the inputs line up, as different companies have different values” he said, as if we are unhappy, it is too easy to ignore warning lights around our mental health, and it is too easy to take a “teenager’s action” as they ignore warning lights on a car. These warning lights should be around:

  • Physiological effects
  • Non-competitive compensation
  • Lack of training
  • Lack of career path
  • Poor teamwork
  • Poor leadership
  • No appreciation or recognition
  • Misaligned values and culture

In terms of tools, Goerlich recommended relaxing, recharging and re-learning, and doing “what is good for you.” This included time off work, what Goerlich called “zero days,” to recharge. The steps to take to recharge are as follows:

Weekly: prepare for the week ahead, do the “basic things,” de-stress and energize, and review the previous week.

Monthly: review stress, check warning lights, and schedule “zero days.”

Quarterly: check your health, review accomplishments, review learning, plan for next quarter, and schedule time off.

Annually: annual job reviews, and annually review your job.

Decade: asses who you are now, what you enjoy now, and where is the job market going?

“Make sure you have got the tools in your toolbox and are doing maintenance on your career,” he concluded. “This [cybersecurity] is a fantastic career and industry, but we see too many people struggle.”

Marketer Exposes 198 Million Car Buyer Records

Marketer Exposes 198 Million Car Buyer Records

Another unprotected Elasticsearch database has been discovered by researchers, this time exposing personally identifiable information (PII) linked to 198 million car buying records.

The privacy snafu was discovered back in August by Jeremiah Fowler, researcher at SecurityDiscovery.

The non-password protected database contained a massive 413GB of data on potential car buyers, including names, email addresses, phone numbers, home addresses and more stored in plain text.

Also left publicly accessible were IP addresses, ports, pathways, and storage info “that cyber-criminals could exploit to access deeper into the network,” he explained.

Fowler spent several days trying to locate the owner of the database, which contained information from multiple websites.

“Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com,” he added. “I was able to speak with the general sales manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”

As the name suggests, Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It's unknown how long the data was exposed for.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,” Fowler warned.

“Also, when contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads.”

The incident is just the latest in a long line of privacy leaks via Elasticsearch, AWS S3, and other online platforms, due to security misconfigurations.

In recent months, Honda exposed 134 million company documents, a leading Chinese uni leaked 8TB of email metadata, and Dow Jones left a sensitive global watchlist of criminals and terrorists open to the public — all via misconfigured Elasticsearch instances.

Iranian Threat Group Targets 380 Global Universities

Iranian Threat Group Targets 380 Global Universities

An Iranian threat group exposed last year has been detected targeted hundreds of universities in over 30 countries in a global phishing operation.

Cobalt Dickens has been linked to indictments last year against nine Iranian nationals who worked for the Mabna Institute. They allegedly stole more than 31TB of data from over 140 US universities, 30 US companies and five government agencies, alongside more than 176 universities in 21 other countries.

The Secureworks Counter Treat Unit this week claimed their activity has not declined despite the publicity given to the indictments; in fact, it discovered a new campaign similar to the group's August 2018 phishing raids, using free online services and publicly available tools.

Specifically, the group uses compromised university resources to send spoofed library-themed emails containing links to log-in pages designed to harvest user credentials.

Some 20 new domains were registered in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland using the Freenom domain provider. Many use valid SSL certificates issued by Let’s Encrypt to add further authenticity to the phishing campaigns.

Continuing the theme of using publicly available resources to carry out these attacks, the group utilized the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application, to copy the login pages of targeted university resources, according to Secureworks.

The researchers claimed that metadata in the spoofed web pages indicates the attackers are of Iranian origin. At least 380 universities worldwide have apparently been targeted in this latest campaign.

“Some educational institutions have implemented multi-factor authentication (MFA) to specifically address this threat,” it concluded.

“While implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure. CTU researchers recommend that all organizations protect Internet-facing resources with MFA to mitigate credential-focused threats.”

Universities are an increasingly popular target for nation state attackers looking for highly sensitive research to advance homegrown development programs.

Mirai and SMB Attacks Dominate 1H 2019

Mirai and SMB Attacks Dominate 1H 2019

Attacks on IoT devices using Mirai and its variants and raids against the Windows SMB protocol dominated the first half of 2019, according to new data from F-Secure.

The Finnish security vendor analyzed its global network of honeypots to find the number of “attack events” in the first six months of 2019 was 12 times higher than the same period in 2018.

The largest share, 760 million events, came via the Telnet protocol, followed by 611 million events on UPnP, both of which are used by connected devices.

The malware found in F-Secure’s honeypots was predominantly versions of Mirai, the infamous strain which searches for exposed IoT endpoints before cracking those open that are protected only by default credentials.

SMB port 445 also featured strongly, with 556 million events. This indicates continued interest on the part of cyber-criminals in exploiting the protocol targeted by the WannaCry hackers. According to F-Secure, it remains popular due to the high number of unpatched servers around the world.

In fact, Kaspersky data from last November revealed that WannaCry hit almost 75,000 users in Q3 2018.

“Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven’t solved the problems leveraged in those outbreaks,” said F-Secure principal researcher Jarno Niemela.

“The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets. And the activity on SMB indicates there are still too many machines out there that remain unpatched.”

The report also revealed a decline in crypto-jacking, suggesting that this had been influenced by lower prices for digital currency and the shutting down of CoinHive earlier this year.

However, ransomware is once again a major threat. Interestingly, the most popular attack vector is RDP (31%), revealing that easily brute-forced passwords are a key security risk. Second most popular was email spam (23%), followed by compromised firmware/middleware.

Ireland Hit by Pedophile Sextortion Email Scam

Ireland Hit by Pedophile Sextortion Email Scam

Residents of Ireland are being targeted by an aggressive email sextortion scam that accuses recipients of being pedophiles before threatening to expose them as such unless a ransom is paid. 

The scam was highlighted yesterday by the Irish arm of IT security company ESET, which posted a warning on its website. ESET Ireland registered several complaints related to the illegal extortion scam.

Victims were sent emails with the subject lines "I know you are a pedophile . . ." and "What the **** are you doing, pedophile?" from someone claiming to be an internet security specialist affiliated with the Anonymous group. 

The sender of the email claimed to have installed spyware on the victim's computer that they purported to have used to record the victim watching illegal pornographic videos featuring young teens.

Victims were told that four video files in which they were captured masturbating to illegal porn were in the possession of the hacker, who threatened to send them out to everyone in the victim's address book unless a Bitcoin ransom of 5,000 GBP was paid.

In a bid to blackmail their victims into paying up, the scammers wrote: "I was observing you for quite some time, and what I have collected here is overwhelming. I know about your sexual preferences and your interest in young bodies. I have secured 4 video files clearly showing how you masturbate (captured from your camera) to young teenagers (captured from your internet browser). Glued together is a pretty overwhelming evidence that you are a pedophile."

Predicting that people who receive the sextortion emails may contact the police, the scammers wrote: "Don’t even think about going to police. If you try, I will immediately know it and I will send them your masturbation videos, pedo."

While sextortion scams that weaponize shame are nothing new, American software company Symantec says cyber-attacks of this type are plentiful and on the rise. From January through May of 2019, Symantec blocked almost 289 million of these emails from landing in the inboxes of potential victims. Of these, about 30% were sent during a 17-day period around Valentine's Day. 

ESET Ireland recommends that anyone who has received these emails does not reply and marks them as spam. If the emails contain any identifiable personal info, recipients are advised to report them to the police.

A Third of Security Pros Have Skipped Cyber-Safety Checks to Launch Products Faster

A Third of Security Pros Have Skipped Cyber-Safety Checks to Launch Products Faster

survey of 300 security professionals has found that 34% admit to bypassing security checks to bring products to market faster.  

The research was carried out by cyber assessment company Outpost24, which questioned attendees at the Infosecurity Europe Conference held in London in June of this year. 

Worryingly, 64% of the security professionals surveyed were of the opinion that their customers could be affected by data breaches as a direct result of unpatched vulnerabilities in their organizations' products and applications. 

Asked if the products their company is happy to sell to the public would stand up well under penetration testing, 29% of respondents said either that they weren't sure or that they didn't believe their organization’s products and applications would fare well if tested. 

According to the survey results, an alarming number of organizations have the same attitude toward security testing as many people have toward flossing their teeth—they know they should do it, but rarely bother. 

Despite 92% of security professionals agreeing that it is important to carry out security testing on new products and applications, 39% of them said that their organizations didn't introduce security testing from the beginning of the product or application lifecycle. 

Bob Egner, VP at Outpost24, said: "Our study shows that even despite continuous warnings, organizations today are still leaving their customers at risk because of a failure to address security vulnerabilities in products before they are introduced to market. If organizations are not addressing these security vulnerabilities, they are taking a huge gamble and abusing customer trust."

Egner foresees a bleak future for companies whose greed blocks them from adequately checking for vulnerabilities in their products and resolving identified weaknesses before products are launched. 

He said: “Negligence towards security will eventually lead to disastrous outcomes for technology and application vendors and their customers. There should be no excuses today, especially when security is such a big issue and so many breaches, which have happened up and down the technology stack, are well publicized.”

Egner advised organizations to save their reputations and be more considerate of their customers by unearthing software vulnerabilities in products and applications before they go on sale, using a combination of penetration testing and automated application scanning.

UNICEF Leaks Personal Data of 8000 Online Learners

UNICEF Leaks Personal Data of 8000 Online Learners

The United Nations (UN) children’s agency UNICEF has apologized after inadvertently leaking the personal data of users of its online learning platform, Agora.

The leak occurred on August 26, when 20,000 Agora users were accidentally emailed a spreadsheet containing the personal information of 8,253 people enrolled in a course about childhood immunization.

Among the information accidentally leaked were names, email addresses, duty stations, gender, organization, name of supervisor, and contract type. 

A staff member unwittingly triggered the leak after running a report. The incident was detected by UNICEF the day after the email was sent out, and their response was swift and effective. 

In an email about the leak sent to Devex, UNICEF’s media chief Najwa Mekki wrote: “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring.”

After discovering the leak, UNICEF sent an apologetic email to Agora users. The message included an appeal for recipients to permanently delete the email containing the leaked data, erase any data downloaded, and then empty the recycle bin. 

Plans are said to be in motion for UNICEF to carry out an internal assessment and review of the incident. 

Learning portal Agora is free to access and open to UNICEF staff, partners, and the general public. Part of the mandatory staff training program on Agora is an information security awareness course that teaches "concepts and solutions for data protection, use of UNICEF’s information assets and best practices for cyber security at work and at home." 

Commenting on the incident, senior director of security research at Tripwire Lamar Bailey said: "You can have the all the industry-leading security controls in place, but nothing stops human error.  

“Training employees is often overlooked, or the investment is not as high as it needs to be. Employee security training is always a tough area. The training programs can be too simplistic, and this causes people to ignore them or blow them off.”  

Google Searches Reveal the 15-Year Decline of AV

Google Searches Reveal the 15-Year Decline of AV

The past 15 years has seen huge changes in the cybersecurity-related search terms internet users are deploying to find out more about the industry, with anti-virus supplanted by emerging next-gen solutions, according to new data from Redscan.

Taking its cue from Google’s Year in Search report, the security vendor decided to analyze the past decade-and-a-half of search data to understand how trends have evolved over time.

Internet searches for “anti-virus” and “network security” have declined significantly over that time, as has interest in the main AV brands. At the same time, there’s been a surge of interest in terms such as “SIEM,” “Cloud Computing,” “Mobile Device Management” and “BYOD.”

Interestingly, searches for “passwords” have declined rapidly since 2004, although terms such as “two-factor authentication” and “multi-factor authentication” have not risen significantly over the same time period.

“It’s a bit concerning that searches for passwords are in such a steep decline. Good password hygiene is essential, and people are often really bad at setting unique passwords,” the report noted.

As for the threat landscape itself, searches for “keyloggers” declined sharply from around 2004 onwards, while “phishing,” “ransomware” and “DDoS” have remained pretty consistent. Spikes in searches for DDoS coincided with the major Mirai botnet attack on Dyn in 2016 and for ransomware with the WannaCry attack of 2017.

In 2004, “Spyware” and “adware” were far more popular search terms than “malware,” although the trend has now been reversed. “Cryptojacking” also spiked sharply from around 2017 while searches for “GDPR” understandably rocketed shortly before its introduction in early 2018.

As for the future, Google search term analysis indicates the rising popularity of “threat hunting,” “IoT security,” “AI and security” and “zero trust security.”

"Cybersecurity has changed remarkably over the past 15 years and Google’s search data is a great measure of this,” said Andy Kays, technical director at Redscan.

“As businesses embrace digital transformation, their security strategy must evolve accordingly. Our data shows that interest in traditional preventative tools is declining in favor of next-generation technologies that offer enhanced threat detection and response capabilities.”