Author Archives: www.infosecurity-magazine.com

Truckers’ Medical Records Leaked

Medical records belonging to truck drivers and rail workers may have been exposed following an alleged cyber-attack on an occupational healthcare provider in Virginia. 

Data apparently belonging to employees of the United Parcel Service (UPS) and Norfolk Southern Railroad was published online to a leak site by the gang behind Conti ransomware. The cyber-criminals claimed to have obtained the data during a December cyber-attack on Taylor Made Diagnostics (TMD).

The HIPAA Journal reported that the leaked data includes full names, Social Security numbers, details of medical examinations, drug and alcohol testing reports, and scans of driver’s licenses.

With locations in Chesapeake and Newport News, TMD is an operator of occupational health clinics used by transportation companies and government agencies. The company provides services including drug testing, CPR training, fit-for-duty evaluations, vaccinations, and respirator fit testing.

According to its website, TMD clients include the US military, the US Secret Service, the Naval Special Warfare Development Group, BAE Systems, Old Dominion University, the Social Security Administration, and the Virginia Department of Military Affairs.

While TMD has not verified the alleged attack, FreightWaves reported that among the more than 3,000 TMD files leaked on January 8 were multiple health records for employees at both UPS and Norfolk Southern dated as recently as December 2020. 

In addition, the trucking news source spotted records belonging to employees of US government agencies, defense contractors, and multiple smaller trucking companies.

Norfolk Southern Railroad, which employs nearly 25,000 people in 22 states, said that it was investigating the veracity of the cyber-criminals' claims.

“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” Norfolk Southern spokesperson Jeff DeGraff wrote in an email to FreightWaves.

“Norfolk Southern is looking into the issue but has no further comment at this time.”

UPS, which employs 362,000 people in the US and an additional 82,000 internationally, said it was also looking into the possible data breach. 

According to the US Department of Health and Human Services, in December alone, 37 US healthcare providers reported hacking or unspecified information technology incidents that compromised nearly 1.5 million patients.

France Arrests 14 Over Online Child Sexual Abuse

Fourteen people have been arrested in France as part of a nationwide sweep to combat the sexual exploitation of children online. 

The arrests were made by the French Gendarmerie (Gendarmerie nationale) with the support of Europol as part of an operation that was code-named Horus. All suspects were taken into custody between November 16 and November 20, 2020.

In a statement released yesterday, Europol said: "The alleged suspects used social media networks to approach minors aged between 12 and 13 and lured them into sharing intimate images and videos." 

It is not believed that there were any links between the 14 arrested suspects, three of whom have already been convicted and sentenced. 

Operation Horus, which is still ongoing, has so far contributed to the identification of eight potential victims who are minors and resulted in the seizure of 1,058 illicit images.

Over 50 cyber-investigators were brought in to work on the operation to track the online activities of a large volume of users. The investigators' efforts were coordinated by the French Gendarmerie’s cybercrime center, C3N.

Support provided by Europol included operational analysis and real-time database cross-checks to enable the identification of potential suspects and victims.

Europol said that the investigation was made more complex by the suspects' frequent swapping of their online pseudonyms.

Statistics published by Europol in June showed that the exchanging of child sexual abuse material (CSAM) had increased sharply during the COVID-19 pandemic. 

"With both children and sexual offenders confined at home, law enforcement authorities have seen in the past few months the amount of child sexual exploitation material shared online increasing globally," said Europol.

"Sex offenders have increased their criminal activities in social media, via peer-to-peer networks and on the darkweb. Attempts to access websites featuring child sexual abuse material, calls to helplines and activities in dark net and surface web chats sharing child abuse material have all increased during the confinement period."

Europol reported that the amount of webcam footage depicting CSAM had increased considerably in forums accessed by offenders. 

"This includes videos depicting forced or coerced children, videos produced by children for peers or for social media attention or others which were captured without their knowledge."

Exploit Allows Root Access to SAP

A team of enterprise resource planning security experts in Massachusetts has identified a publicly available, functional exploit affecting SAP.

The exploit was discovered by Onapsis Research Labs on the code-hosting platform GitHub, where it had been published by Russian researcher Dmitry Chastuhin on January 14. Researchers said the exploit can be used against SAP Solution Manager (SolMan), the administrative system used in every SAP environment, which plays a role similar to that of Active Directory in Windows.

The fully functional exploit abuses CVE-2020-6207, listed in the US National Vulnerability Database as a Missing Authentication Check in SAP Solution Manager (User Experience Monitoring) version 7.2, in which the system does not perform any authentication for a service. Exploitation of this vulnerability results in the complete compromise of all SMDAgents connected to the Solution Manager.

A successful attack exploiting this vulnerability could impact an organization's cybersecurity and regulatory compliance by placing its mission-critical data, SAP applications, and business processes at risk.

"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited," wrote Onapsis researchers. 

"The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."

Because it was created to centralize the management of all SAP and non-SAP systems, SolMan has trusted connections with multiple systems. An attacker that could gain access to SolMan could potentially compromise any business system connected to it. 

"Unfortunately, since it doesn't hold any business information, SAP SolMan is often overlooked in terms of security; in some companies, it does not follow the same patching policy as other systems," noted researchers. 

An attacker with SAP SolMan control could shut down systems, access sensitive data, delete data, cause IT control deficiencies, and assign superuser privileges to any new or existing user. 

"It is not possible to list everything that can potentially be done in the systems if exploited, since having admin privileged control in the systems or running OS commands basically make it limitless for an attacker," wrote researchers.

Barmak Meftah Joins Board of Directors at Nozomi Networks

IoT and OT security firm Nozomi Networks has announced that enterprise security leader Barmak Meftah has joined its board of directors.

Meftah brings more than 25 years of experience in building market-leading enterprise SaaS and cybersecurity companies to Nozomi Networks. He most recently served as president of AT&T Cybersecurity, where he established its cybersecurity division and grew revenue by double digits.

In addition to his independent board position with Nozomi Networks, Meftah also serves on various other boards of directors, is an advisor and coach to multiple CEOs and is an independent investor as well as a limited partner to a number of VC funds.

Commenting on the announcement, Nozomi Networks CEO Edgard Capdevielle, said: “Barmak’s impressive track record of success in Silicon Valley has gained him international respect as a pillar in enterprise security. His keen business instincts and depth of knowledge in security software and SaaS will be invaluable as we add cloud-based solutions to our product portfolio and accelerate market expansion and growth. We are ecstatic to welcome him to the board.”

Meftah added: “Nozomi Networks is leading the charge to ensure a secure future for critical infrastructure and industrial networks. IT/OT convergence and a growing reliance on AI-powered processes and IoT devices has created a flaming hot market for advanced security solutions that can help CISOs effectively span mixed networks, physical systems and IoT devices.

“I look forward to helping Nozomi Networks take its business to the next level.”

Global Cybersecurity Spending to Soar 10% in 2021

The worldwide cybersecurity market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic, according to Canalys.

The analyst firm clarified that double-digit growth from $54.7bn in 2020 would be its best-case scenario. Even in its worst-case scenario, however, it predicted that cybersecurity spending would still grow by 6.6%.

That would factor in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven to be remarkably resilient thus far to the pandemic-induced global economic crisis, Canalys said.

That said, SMB spending was hit hard last year, along with certain sectors like hospitality, retail and transport.

However, while spending is set to soar, so are data breaches and ransomware attacks. Human error continues to be a major factor, via misconfigurations of cloud infrastructure and susceptibility to phishing attacks, the analyst argued.

Mass remote working and learning in 2021 and the ongoing pressure placed on healthcare services will continue to expose these organizations to threats, it said.

Chief analyst Matthew Ball claimed that the recent SolarWinds attacks highlight the continued unpredictability of the threat landscape. Against this volatile backdrop, organizations will need to adopt multi-layered approaches combining staff awareness training, data protection, and threat detection and response, he said.

“Cybersecurity professional services engagements in response to this latest issue will be one of many factors contributing to sustained investment this year, especially in newer solutions to mitigate emerging threats,” Ball noted. “Growth in add-on subscriptions providing new features, products to secure the cloud and delivered from the cloud, and upgrades to existing solutions will be key drivers for expansion.”

The Canalys report covered shipments of endpoint security, network security, web and email security, data security, vulnerability and security analytics, and identity access management (IAM).

Web and email security (12.5%) will grow the most in 2021 with vulnerability and security analytics (11%) not far behind. Data security (6.6%) and network security (8%) are set to bring up the rear in terms of growth.

Security Biggest Barrier to Cloud Adoption for Over Half of UK Firms

Over half (58%) of UK businesses have cited security concerns as the biggest barrier to public cloud adoption, according to a new study from Centrify.

The survey of 200 business decision makers in large and medium-sized enterprises in the UK also found that over a third (35%) who have adopted cloud are less than 80% confident it is completely secure.

Additionally, more than a quarter (28%) of those surveyed revealed that their organization had been targeted by a cloud hacking attempt since the start of the COVID-19 pandemic.

In regard to their companies’ security weaknesses, close to half (45%) of decision makers pinpointed the growth in machine identities and service accounts, such as those used by servers and applications, as their biggest exposure point.

Worryingly, 31% of business decision makers admitted their development teams are more interested in getting around security than building it into the DevOps pipeline, raising concerns over the ability of many companies to combat cyber-attacks in the future.

Kamel Heus, VP EMEA for Centrify, commented: “Adapting to the COVID-19 pandemic has been a bumpy ride for many businesses and, in most cases, companies have had to adopt the public cloud in at least some capacity due to the level of scalability, availability and efficiency it provides for distributed workforces.

“Whilst the common misperception is that cloud security is quite different to that of on-premises infrastructure, it is by no means less secure if common security protocols are followed, and security controls are applied.

“One core challenge posed by digital transformation is accurately verifying human and machine identities before granting access to systems, applications and other high value targets. Therefore, adopting cloud-ready privileged access management software is essential in protecting access to workloads in the public cloud, by granting access only when a requestor’s identity has been properly authenticated.”

While cloud adoption has grown since the shift to remote working as a result of the COVID-19 pandemic, in many cases, security has not adapted. Last year, a survey by Trend Micro revealed that nearly half of UK IT leaders have not updated their security to account for their move to cloud environments.

Threat Actor Dumps 1.9 Million Pixlr Records Online

A notorious threat actor appears to have published 1.9 million user records for the popular online photo editing site Pixlr, putting customers at risk of follow-on attacks.

“ShinyHunters” dumped the files over the weekend for free on an underground forum, claiming the site was breached at the same time as 123RF, which is owned by the same company, Inmagine.

Among the data up for grabs are email addresses, usernames, hashed passwords and users’ countries.

So far there’s been no word from the firm itself, despite the fact that these users could be at risk of phishing attacks, credential stuffing attempts and other fraud if not informed promptly.

ShinyHunters is a prolific actor on the cybercrime underground, having been involved in breaches at Wishbone (40 million records), Heavenly (1.4 million), Dave (7.5 million) and many more.

If the incident is genuine, as appears to be the case, Pixlr users would be advised to watch out for scams and to change their passwords on the site and on any other site where they reuse the same password.

ShinyHunters claimed to have stolen the data from Pixlr’s Amazon Web Services (AWS) S3 bucket late last year.

It’s unclear how, but CloudSphere VP of product, Pravin Rasiah, warned that misconfigured cloud storage is one of the leading causes of data breaches.

“The chances of leaving an S3 bucket exposed are all too high, as inexperienced users can simply choose the ‘all users’ access option, making the bucket publicly accessible. Leaving these S3 buckets open and exposed invites hackers to exploit the personal data entrusted to companies by their customers,” he argued.

“To prevent incidents like this from occurring, awareness within the cloud environment is imperative.” 

Cloud Security Posture Management (CSPM) tools are widely regarded as best practice in this space, as they continuously monitor such environments for configuration errors.
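As an added illustration of the misconfiguration Rasiah describes and of the kind of check a CSPM tool automates, the following script flags a bucket whose ACL grants access to the "all users" group and reports which of the four S3 Public Access Block settings are switched off. This is example code written for this page, not code from the article, CloudSphere, or AWS; the function names are our own, the bucket data is constructed, and the only assumption is that the input dictionaries have the shape boto3 returns from `s3.get_bucket_acl()` and `s3.get_public_access_block()`.

```python
"""Flag S3 bucket exposure via public ACL grants and missing Public Access Block.

Added example for this page; not code from the article or from CloudSphere.
The two input dictionaries use the same shape that boto3 returns from
s3.get_bucket_acl() and s3.get_public_access_block(), so a live response can be
passed in directly. The sample buckets below are constructed for illustration.
"""
from typing import Dict, List

# Canned group URIs that open a bucket to the world or to any AWS account.
# The console's "all users" option grants to the AllUsers group.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# The four Public Access Block switches; a hardened bucket has all four on.
PAB_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return every ACL grant made to a public group, with its permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append(
                {"audience": PUBLIC_GROUP_URIS[uri], "permission": grant.get("Permission", "")}
            )
    return findings


def public_access_block_gaps(pab: Dict) -> List[str]:
    """Return the Public Access Block settings that are off (or absent)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [name for name in PAB_SETTINGS if not cfg.get(name, False)]


def assess_bucket(acl: Dict, pab: Dict) -> Dict:
    """Combine both checks into one verdict for the bucket.

    A public ACL grant only takes effect when IgnorePublicAcls is off, so a
    bucket with a stray AllUsers grant but a full Public Access Block is
    reported as misconfigured yet not publicly readable.
    """
    grants = public_grants(acl)
    gaps = public_access_block_gaps(pab)
    effective = grants if "IgnorePublicAcls" in gaps else []
    return {
        "public_grants": grants,
        "pab_gaps": gaps,
        "publicly_readable": bool(effective),
    }


# --- Constructed sample data (placeholder owner ID, not a real account) ---
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
EXPOSED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
NO_PAB = {"PublicAccessBlockConfiguration": {name: False for name in PAB_SETTINGS}}
FULL_PAB = {"PublicAccessBlockConfiguration": {name: True for name in PAB_SETTINGS}}


if __name__ == "__main__":
    for label, acl, pab in (("exposed", EXPOSED_ACL, NO_PAB),
                            ("exposed-but-blocked", EXPOSED_ACL, FULL_PAB),
                            ("private", PRIVATE_ACL, FULL_PAB)):
        print(label, assess_bucket(acl, pab))
```

When run against a live account, note that `get_public_access_block()` raises a `ClientError` with code `NoSuchPublicAccessBlockConfiguration` when no block has ever been set; pass an empty dictionary in that case, which the gap check treats as all four settings off. Bucket policies are a separate exposure path that this ACL-only check does not cover, which is one reason CSPM tools evaluate policies, ACLs and account-level settings together and re-check them continuously.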

Interpol: Dating App Victims Lured into Investment Scams

Interpol has issued a global warning that dating app users are being groomed for investment fraud scams.

The policing body’s Purple Notice claimed that lonely hearts are picked off online when the fraudsters establish an “artificial romance” with their victims. Once they have built up a level of trust through regular communication, they share investment tips and encourage the victim to join a scheme.

“Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new ‘friend.’ They are made to believe they can reach Gold or VIP status,” the notice explained.

“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites and customer service agents pretend to help victims choose the right products.”

However, eventually the victims are abruptly locked out of their accounts, having invested significant sums in the financial products.

They’re then left with a double whammy of financial loss and emotional pain.

Investment and romance scams are nothing new: in fact, they’ve thrived under lockdown. The UK’s National Cyber Security Centre (NCSC) revealed in August last year that it had been forced to take down over 300,000 related URLs.

In the UK alone, the period June-August 2020 saw a 26% year-on-year increase in romance scams, with losses for the previous 12 months hitting £66m.

Over 19,400 romance scams were recorded by the FBI in 2019, making it the second highest earner for cyber-criminals after business email compromise (BEC). Scammers took $475m from victims.

Interpol urged dating site users to be vigilant, think twice before transferring money or getting involved with online investment schemes and to do their research to check the reputation of any new apps or services.

Kentucky Senior Arrested for Identity Theft

Two women in Kentucky have been arrested in connection with a year-long cybercrime operation involving stolen identities and fraudulent benefit claims. 

An investigation was launched by police in West Buechel at the beginning of January when they received a call from a local branch of the bank BB&T to say that a fraudulently authorized check for nearly $40,000 had just been cashed. 

Police traced the fraudulent check to 57-year-old Lori Davis and subsequently obtained a search warrant for her home. 

West Buechel Detective Robert Monroe told local news source WDRB that a search of Davis' residence led to the discovery of "lots of evidence of stolen mail, stolen identity."

As a result of the search, a second female suspect, 70-year-old Julianna Whobrey, emerged. Upon searching Whobrey's residence, police discovered evidence that included mail addressed to other people at locations all over the country.

Davis was charged with theft by deception and engaging in organized crime. Whobrey was charged on January 18 with trafficking in stolen identities, engaging in organized crime, misuse of computer information, intent to defraud to obtain benefits, receiving goods by fraud, and theft by deception.  

Monroe said that the suspects were work colleagues who used their jobs in a Louisville mailroom to cover up their illegal activity. The pair allegedly bought stolen identities on the dark web then used them to fraudulently obtain unemployment benefits and cards pre-paid with thousands of dollars. 

"These suspects both had other people's unemployment applications from other states, specifically New York State Department of Labor," Monroe said. 

"These envelopes were addressed to different people at different addresses, and what they're doing is collecting all the information out of this mail, and they're actually creating people who either don't exist, are dead, or people who do exist. And what they're doing is they're clogging up the dissemination of these benefits for people who actually need them."

Police believe that the two women have been scamming victims for a year and were acting as money mules for a third suspect who resides in another country. 

Monroe said: "I'm forwarding the case to the FBI with all I've gathered so far, and I'm going to work with them."

Trump Pardons Google Trade Secret Thief

A former executive of Google subsidiary Waymo, imprisoned in the United States for stealing a trade secret and sharing it with rival company Uber, has been pardoned by outgoing president Donald Trump.

On March 19, 2020, Anthony Scott Levandowski pleaded guilty to one of 33 counts of trade secrets theft originally filed against him in 2019. The 40-year-old was sentenced to 18 months in jail and a 3-year period of supervised release by US District Judge William Alsup on August 4, 2020.

As per his plea agreement, Levandowski admitted that from 2009 to 2016 he worked in Google’s self-driving car program, known then as Project Chauffeur, which had a confidentiality requirement.

Levandowski left the Google subsidiary to found his own business, Ottomotto, an autonomous driving hardware and software developer that was acquired by Uber Technologies in 2016 for $680m. 

As part of his plea agreement, the entrepreneur admitted downloading thousands of Project Chauffeur files onto his personal laptop prior to leaving Waymo. He also admitted downloading a variety of files from a corporate Google Drive repository.

Among these files was an internal tracking document entitled “Chauffeur TL weekly updates – Q4 2015” that contained confidential details regarding the status of Project Chauffeur. Levandowski admitted that he downloaded this file with the intent to use it to benefit himself and Uber Technologies, Inc.

Levandowski further admitted that the stolen document was Google’s trade secret, and that stealing it caused the company to lose an estimated $1,500,000.

In addition to the custodial sentence, Judge Alsup ordered Levandowski to pay a $95,000 fine and $756,499.22 in restitution to Waymo LLC, as Google’s self-driving program is now known.

Yesterday, Levandowski was one of 73 convicted criminals who were pardoned by President Trump on his final day in office. 

In pardoning Levandowski, Trump wrote: "Mr. Levandowski pled guilty to a single criminal count arising from civil litigation. Notably, his sentencing judge called him a 'brilliant, groundbreaking engineer that our country needs.' 

"Mr. Levandowski has paid a significant price for his actions and plans to devote his talents to advance the public good."

US Marines Create “Blue Team”

The United States Marine Corps today announced the creation of the Marine Corps Adversarial Cyber Assessment "Blue Team" (MCAT).

A Blue Team is a group of people who identify security threats and risks in the operating environment and analyze the network environment and its current state of security readiness. 

Using their findings and expertise, a Blue Team will typically provide recommendations that integrate into an overall community security solution to increase a customer's cybersecurity readiness posture.

MCAT was established by Marine Corps Tactical Systems Support Activity (MCTSSA) and comprises eight to ten people from a variety of backgrounds, including cybersecurity, computer engineering, and information technology.

In a memo authorizing the new adversarial Blue Team designation, Commander of Marine Corps Forces Cyberspace Command Maj. Gen. M.G. Glavy said that the newly formed Blue Team will support Marine Corps Systems Command’s (MCSC's) Programs of Record (PoRs), enhancing the cyber testing and evaluation capabilities available to acquisitions.

The new team is authorized to perform evaluator, tester, and aggressor roles in accordance with the Mission Focused Cyber Hardening memo released in October 2019 by the Office of the Under Secretary of Defense Acquisition and Sustainment.

“This capability strengthens our acquisition cyber footprint while also enhancing our Corps’ operational cyber resiliency,” said MCTSSA commanding officer Lt. Col. Michael Liguori.

“The cyber ‘Blue Team’ is another example of MCTSSA’s dedication to support MCSC and our Corps’ cyber efforts in contested environments.”

MCAT will assess the security and defense of MCSC and Program Executive Officer Land Systems PoRs for systems in the field and for those that are still in the developmental test phase. 

“I would agree that having the first cyber 'Blue Team' designation for the Marine Corps is an important step and I’m proud to be a plank owner,” said Gunnery Sgt. Patrick McKelvey, staff non-commissioned officer in charge of the Test and Certification Division.

“It also enables MCTSSA to potentially increase manning for Defensive and Offensive Cyberspace Operators, those with the 17XX military occupational specialty, to support the mission."

Panel Reflects on How Orgs Should Approach Security in 2021

The growing importance of ethical hacking in protecting organizations against the current threat landscape was discussed by a panel speaking during a HackerOne webinar entitled ‘Hacker Powered Security Predictions for 2021 EMEA.’

Moderator Mårten Mickos, CEO of HackerOne, firstly emphasized how the shift to digital, including remote working, had “opened up a lot of new attack surfaces and exposures to various forms of criminality.” In addition, the SolarWinds attack at the end of last year demonstrated just how interconnected everything is, with one security breach impacting numerous organizations throughout the world. Mickos added this showed “we are not really cyber-secure until everything is cyber-secure.”

Julien Ahrens, a full-time ethical hacker, believes that in this environment, organizations firstly must embrace transparency, clearly communicating when an attack has taken place or when a vulnerability has been discovered. He said: “If I’m going to report a security vulnerability in a system, then I would expect the company to be transparent about how they tackled the issue and when they plan to release a fix.” Ahrens added this approach can help ethical hackers like him to find further security issues.

Teemu Ylhaisi, CISO at OP Financial Group, concurred, saying this kind of external transparency is “vital” in the financial industry. “This is an area where financial institutions do not need to compete – we’re not competing against each other – we have a common enemy, the criminals, and we’re working together to fight them.”

In regard to the use of bug bounty programs to find vulnerabilities, both Ylhaisi and Ahrens acknowledged that many industries have some reluctance, but Ahrens noted that “as soon as you explain the principle and the details to stakeholders, they tend to agree.”

Mickos commented: “The best way to develop resistance to COVID-19 is to take the vaccine, and similarly, ethical hacking is the immune system of the internet – it’s better to take the ethical hackers and the reports that they give you than to allow a breach to happen.”

As well as bug bounty programs, Mickos highlighted the growth of vulnerability disclosure programs (VDPs), particularly favored by governmental organizations in the US. Here, “the organization will say anybody’s welcome to report vulnerabilities to us but we don’t promise to pay you anything.” Mickos added that “it’s a way of having an official channel for anybody who finds a flaw to report it.”

In the view of Ahrens, these can be useful for companies in learning about their security weaknesses, but generally won’t be as effective as paid bug bounty initiatives, “where you usually get the attention of hackers that are on more of a professional level.”

Looking ahead to the coming year, Ylhaisi outlined that “visibility, detection capabilities and the reaction to incidents is key” for organizations to protect themselves.

Early detection is critical, as the panellists acknowledged that it is virtually impossible for organizations to block every potential pathway into a system. The best way of achieving this, according to Ylhaisi, is improving staff security awareness, as the targeting of employees through tactics such as phishing is by far the most common cause of system breaches. He noted that staff at his company now report 35,000 email threats monthly. “This has helped us a lot to react at the very early phases,” he stated.

Summing up, Mickos compared the situation to being a soccer goalkeeper, stating “you cannot cover the whole goal but if you are very quick in your reactions and if you can predict where they [the cyber-criminal] will try, you can jump there to catch it.”

#Inauguration2021: Cyber-Experts React as Joe Biden Set to Become 46th US President

Today, January 20, 2021, Joe Biden will be sworn in as the 46th President of the United States of America.

He and Vice-President-elect Kamala Harris will take their oaths of office on the West Front of the US Capitol.

The Inauguration Day celebrations will take place in unprecedented circumstances, with increased security measures following the January 6 attack on the US Capitol building and a variety of social distancing precautions due to the ongoing COVID-19 pandemic.

Experts in the cybersecurity field have commented on the key cybersecurity matters that are likely to play pivotal roles in the Biden/Harris administration over the next four years.

“The first days of 2021 have been marked by tumultuous events that have diverted attention and resources from what should be a safe and streamlined transfer of power,” said Andrew Rubin, CEO and co-founder, Illumio.

“On top of that, the US is dealing with the SolarWinds breach, which is perhaps the largest and most catastrophic single breach event our country has ever seen. Together, this has created a perfect storm for cyber-attacks and left the United States with a heightened level of cyber-risk, which threatens the safety and security of the country as a whole.”

Biden therefore has a huge amount of work to do in the cybersecurity area, with attacks at an all-time high against the US public and private sector, added Chris Morales, head of security analytics at Vectra.

“We did not improve the nation’s cybersecurity posture over the last four years,” he argued.

A key area of concern is the debate over end-to-end encryption and law enforcement, Morales continued. “The Trump administration believed that private industry should provide access to encryption, which fundamentally breaks personal privacy.”

Furthermore, at the end of Trump’s term, “he fired the top level cybersecurity official at DHS, Chris Krebs, who routinely countered Trump’s statements as contradictory. Chris Krebs did a great job of aligning government with industry and cybersecurity.”

Rubin argued that, moving forward, the US needs a more robust, multi-pronged strategy to mitigate future attacks that couples prevention and monitoring with an effective perimeter protection strategy for all critical entities.

“Given the current situation and vulnerabilities, the US should assume that bad actors are already in their environment. To keep people and information safe, the government should prioritize measures, like establishing deeper layers of security, that can mitigate the impact and spread of a breach.”

Morales concurred, adding: “I would like to see a pivot from cyber-warfare back to risk mitigation and personal privacy. While going on the offensive sounds like a deterrent, it is not aligned with how cyber-attacks truly occur.

“The target is a mix of public/private, and every organization is left to its own defenses. Attacks happen on home turf, not in a distant land where a military can wage war, and cyber-attacks end up hurting the end users more than the army waging war. It is good to have offensive capabilities, but we’ve got to shore up our own internal defenses first. For example, solving ransomware targeting local/state governments with small security staffs and lack of budget.”

Retail and Hospitality Facing Deluge of Critical Web App Flaws

More than three-quarters of applications in the retail and hospitality sector contain at least one vulnerability, with a high percentage of these requiring urgent attention, according to Veracode.

The application security vendor analyzed more than 130,000 applications to compile its latest State of Software Security report.

However, while the 76% of buggy apps in the retail and hospitality sector is about average compared to other verticals, Veracode warned that 26% are high severity — one of the worst rates of any industry.

This matters, as the industry has been delivering a raft of new applications in order to reach customers online during the pandemic, amid social distancing and lockdowns. It’s especially important to hospitality firms, which have been forced to radically reshape their business models to adapt to the new reality.

Yet while web applications can be a life-saver for such businesses, they might also introduce extra cyber-risk. They were involved in 43% of breaches analyzed by Verizon last year and were the number one attack vector for the retail industry, with personal or payment data exploited in about half of all breaches.

That said, retail and hospitality ranked second-best for overall fix rate, according to Veracode. Half of its flaws were remediated in 125 days, which is nearly one month faster than the next-fastest sector.

Veracode claimed that, although retail and hospitality firms did well at addressing common flaw types like information leakage and input validation, developers struggled with encapsulation, SQL injection and credentials management issues.

“Retail and hospitality companies face the dual pressure of being high-value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Veracode chief research officer.

“Using API-driven scanning and software composition analysis to scan for flaws in open source components offer the best opportunity for improvement for development teams in the sector.”

Malwarebytes: SolarWinds Hackers Read Our Emails

Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.

They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users; compromising the credentials of highly privileged on-premises accounts that are synced to Microsoft 365; and modifying or adding trusted domains in Azure AD to register a new federated Identity Provider (IdP) that the attacker controls.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.
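The two persistence techniques described above, a new credential added to an existing application or service principal and a federation change on a trusted domain, both leave a trail in Azure AD audit logs, which is what a defender can hunt on. The following is an added example, not code from FireEye, CrowdStrike or CISA: it runs over a few constructed audit-log entries and flags both patterns; the operation names and field layout are assumed to match the Azure AD audit log schema and should be checked against what your own tenant emits.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Azure AD audit-log operation names associated with the two techniques.
# These are assumed names (verify against your tenant's actual audit events).
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
}


@dataclass(frozen=True)
class Finding:
    technique: str   # "app-credential-backdoor" or "federation-change"
    actor: str       # account or app that performed the change
    target: str      # application, service principal or domain affected
    operation: str   # raw audit-log operation name


def _actor(event: dict) -> str:
    """Resolve who initiated the event (a user UPN or an app display name)."""
    by = event.get("initiatedBy") or {}
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def _target(event: dict) -> str:
    """Display name of the first target resource, if present."""
    targets = event.get("targetResources") or []
    return targets[0].get("displayName", "<unknown>") if targets else "<unknown>"


def flag_suspicious_events(events: Iterable[dict], approved_admins: Set[str]) -> List[Finding]:
    """Return findings for credential additions by non-approved actors and
    for any federation change at all (those should be rare and planned)."""
    findings: List[Finding] = []
    for ev in events:
        op = ev.get("operationName", "")
        actor = _actor(ev)
        if op in CREDENTIAL_OPS and actor not in approved_admins:
            findings.append(Finding("app-credential-backdoor", actor, _target(ev), op))
        elif op in FEDERATION_OPS:
            findings.append(Finding("federation-change", actor, _target(ev), op))
    return findings


# Constructed sample audit-log lines (JSON, one event per line); not real data.
SAMPLE_AUDIT_LOG = """
{"operationName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.invalid"}}, "targetResources": [{"displayName": "Mail Archiver"}]}
{"operationName": "Update application - Certificates and secrets management", "initiatedBy": {"user": {"userPrincipalName": "admin@example.invalid"}}, "targetResources": [{"displayName": "HR Portal"}]}
{"operationName": "Set federation settings on domain", "initiatedBy": {"user": {"userPrincipalName": "admin@example.invalid"}}, "targetResources": [{"displayName": "example.invalid"}]}
{"operationName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "admin@example.invalid"}}, "targetResources": [{"displayName": "jdoe"}]}
"""


def parse_audit_log(text: str) -> List[dict]:
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo() -> List[Finding]:
    """Run the detector over the constructed sample with one approved admin."""
    approved = {"admin@example.invalid"}
    return flag_suspicious_events(parse_audit_log(SAMPLE_AUDIT_LOG), approved)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.technique}: {f.actor} -> {f.target} ({f.operation})")
```

The approved-admin allowlist suppresses routine credential rotation by known operators; the federation rule deliberately has no allowlist, because a new federated IdP is exactly the change an attacker would want to hide among legitimate ones.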

The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.

Quarter of Orgs Don’t Offer Cybersecurity Training Due to Lack of Budget

A quarter (25%) of company directors are prevented from delivering cybersecurity training to staff by budgetary constraints, according to iomart’s Cybersecurity Insights Report.

The survey of UK-based workers at C-level, director, manager and employee level found that 28% of businesses offer no cybersecurity training whatsoever. Additionally, 42% said that whilst some training was offered by their firm, it was only available to select staff, while over two-thirds (70%) of respondents revealed their company doesn’t provide training to all employees.

Of those that confirmed they did receive training, 82% admitted this only consisted of a short briefing rather than a comprehensive course, with just 17% receiving regular sessions related to cybersecurity.

iomart therefore calculated that less than one in 10 (8%) of those who took part in the survey received regular cybersecurity training.

The study also found that a quarter (25%) of businesses do not have a disaster recovery policy, while a further 31% said there was one but they had never tested it.

These findings are especially concerning given that 20% of respondents reported they had seen an increase in cyber-attacks as a result of remote working, which has expanded enormously since the start of the COVID-19 pandemic.

Although company directors cited budget as the main factor in not delivering cybersecurity training, other factors highlighted by all respondents were a lack of technical expertise within the business (8%) and the issue not being a main priority (5%).

Bill Strain, security director of iomart, commented: “It’s clear that many organizations still don’t consider cybersecurity and data protection to be a top priority.

“They need to understand what the potential threats are and build resilience into their business strategy so they can react quickly and maintain operations if their IT systems are compromised.

“Many businesses would not survive the operational – let alone financial – impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber-awareness, they have a much better chance of surviving an incident.”

In a survey at the end of last year, a third of remote working employees said they had not received security training in the last six months.

Coin-Mining Malware Volumes Soar 53% in Q4 2020

Detections of crypto-mining malware surged by 53% quarter-on-quarter in the final three months of 2020 as the value of Bitcoin soared, according to Avira.

The price of one Bitcoin now stands at over $35,500, close to the all-time high it hit earlier this month, according to the security vendor’s Avira Protection Labs.

"The rapid increase in coin-miner malware suggests that malware authors are taking advantage of the price trend in recent months and increasingly spreading malware that aims to exploit other people’s computer resources for illegal mining activities,” argued Alexander Vukcevic, director of Avira Protection Labs.

“This correlation is not surprising but is nevertheless worrying for legitimate miners and investors.”

Crypto-mining or crypto-jacking came of age in 2017 and 2018 as cyber-criminals sought a quick and easy way to monetize attacks. It was claimed at the time that because attacks didn’t require user interaction to start generating profits for the perpetrator, many would-be ransomware groups were pivoting to the new threat.

Avira listed three main types of coin-mining malware today: executable files, browser-based cryptocurrency miners and advanced fileless miners.

It was the browser-based Coinhive that drove the previous spike in cryptocurrency-mining activity. By February 2018 it had impacted 23% of global organizations, according to one study. One researcher even found it installed on UK and US government sites including those belonging to the UK’s Information Commissioner’s Office (ICO), United States Courts, the General Medical Council, the UK’s Student Loans Company and NHS Inform.

Coinhive shut down in February 2019, but the practice appears to be spiking again alongside the value of digital currency.

Chris Sedgwick, security operations director, Sy4Security, argued that it is the lesser-known Monero currency rather than Bitcoin that’s in high demand.

“The reason why the majority of cryptocurrency malware mines Monero instead of Bitcoin is that the mining requirements for Monero are a fraction of those required for Bitcoin,” he said.

“Monero is also favored over Bitcoin amongst those individuals looking to use their gains for illegal use as there is no tracking of transactions and the Blockchain is not transparent.”

MAZE Exfiltration Tactic Widely Adopted

New research by New Zealand company Emsisoft has found that a cyber-blackmail tactic first debuted by ransomware gang MAZE has been adopted by over a dozen other criminal cyber-gangs.

The internationally renowned security software company declared a ransomware crisis in the last month of 2019. Their latest ransomware report shows that this particular type of malware has had a huge impact on the United States in 2020.

Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim."

At least 2,354 US governments, healthcare facilities, and schools were impacted by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges, and universities.

Researchers noted that the attacks "caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted."

In 2020, MAZE became the first ransomware group to be observed exfiltrating data from its victims and using the threat of publication as additional leverage to extort payment. 

"At the beginning of 2020, only the Maze group used this tactic," wrote researchers. "By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites."

According to a November report by Coveware, some ransomware gangs that exfiltrate data don't delete it, even after receiving a ransom from their victims. Coveware observed REvil (Sodinokibi) asking for a second ransom payment for stolen data it had already been paid to erase. 

Netwalker (Mailto) and Mespinoza (Pysa) were observed publishing exfiltrated data on dedicated leak-site portals despite receiving ransoms from their victims. 

Emsisoft found that in 2019 and in 2020, the same number of federal, state, county, and municipal governments and agencies were impacted by ransomware (113). 

"Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4," they wrote.

Suspicious Vaccine-Related Domains Triple

The number of suspicious domains that feature the word "vaccine" in their title increased by almost 100% in the month after the first Pfizer COVID-19 vaccine was given outside of a clinical trial.

British grandmother Margaret Keenan became the first person in the world to receive the vaccine on December 8, 2020, a week before her 91st birthday. 

New research by American cybersecurity software company Webroot observed that from December 8 through January 6 there was a 94.8% increase in suspicious domain names using "vaccine" compared with the previous 30 days.

When compared with the month of March 2020, the total use of the word "vaccine" within suspicious domain names between December and January 6 was found to have increased by 336%.

“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks," said Nick Emanuel, senior director of product at Webroot.

"Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest."

Webroot’s Real-Time Anti-Phishing protection system detected a rise in malicious URLs using other words related to the pandemic.

Over 4,500 new suspicious domains were found, which contained a combination of words relating to "COVID-19," "Corona," "Vaccine," "Cure COVID," and others.

The word "vaccine" was specifically included in the title of 934 domains, while misspellings of "vaccine" cropped up in 611 more. 

"COVID" was in the title of 2,295 suspicious domains, and "Test" or "Testing" appeared in the title of 622 domains.

Threat actors also appeared to be using public interest in travel restrictions as a phishing lure. Among the suspicious domain titles flagged by researchers were "COVID Validator," "Testing Update," "COVID Travelcard," and "Private Vaccine."

"For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive," said Emanuel. 

"This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”

Atlanta Synagogue Reports Cyber-Attack

An annual religious service held in Atlanta in honor of Martin Luther King Jr. Day was disrupted by a cyber-attack. 

Threat actors reportedly targeted a Shabbat service that was being broadcast live over the internet from Atlanta synagogue The Temple on January 15. The attack occurred as US Senator-elect Raphael Warnock, the pastor at Martin Luther King Jr.’s historic Ebenezer Baptist Church in Atlanta, was delivering a sermon.

People attempting to watch the service live via the Temple's website were unable to access it, according to a letter penned by the synagogue's president, Kent Alexander.

Writing to the congregation on Saturday, Alexander said: “To the many of you who tried to log on through the Temple website but could not, and missed the service, we apologize and want to offer an explanation.

“Our website service provider informed our executive director, Mark Jacobson, last night that ‘malicious user agents’ had continuously loaded the Temple website with the objective of shutting it down.” 

Alexander did not name the service provider but added that he had been told that the attack was the "largest-ever attack affecting the provider's network of client synagogues" and that websites across the United States had also been blocked.

"Eventually, access was restored for all, but The Temple was last," the director wrote. "Our site was down for over an hour into the service."

The incident is currently under investigation by the authorities. Alexander theorized that the attack was inspired by religious and racial bigotry.  

After highlighting that Warnock will soon become Georgia's first African American senator, Alexander wrote: "Presumably, The Temple was singled out by a racist and anti-Semitic group or individual bent on silencing our joint Temple-Ebenezer Baptist Church MLK Jr. Shabbat."

The Temple was founded in 1867 and is located in the city's midtown. An annual Martin Luther King Jr. Day Shabbat service has been hosted there for over a decade. 

In 1958, the Temple's north entrance was bombed by the "Confederate Underground" in an incident denounced by then-President Dwight Eisenhower. The bomb, made using 50 sticks of dynamite, caused damage valued at $750k today.

World Economic Forum: Action Required to Address Digital Inequalities Post-COVID

“A world leader once said ‘a decade can go by without any real news and then you can feel a decade happening in a week.’ I feel that a decade has happened in the past year,” commented Børge Brende, president of the World Economic Forum (WEF), speaking during a press conference highlighting the findings from the organization’s 16th Global Risks Report 2021.

This has arisen from the ongoing COVID-19 pandemic, which has brought about substantial changes to the political, economic and social landscape. During the webinar, the panellists emphasized the growing importance of technology, both in helping governments and businesses function amid the ongoing crisis, and for the rebuilding of the world’s economy going forward.

Peter Giger, group chief risk officer, Zurich Insurance Group, explained that COVID-19 had accelerated the so-called ‘fourth industrial revolution’ by rapidly expanding areas such as e-commerce, online education, digital healthcare and remote working. “These shifts will continue to transform human interactions and livelihoods long after COVID is behind us,” he outlined.

This move towards a “digital economy” offers great opportunities but also poses the risk of more global inequality through the creation of an “underclass” of people who are excluded from work as a result of a lack of internet and educational access. For instance, the report noted that internet usage ranges from 87% of the population in high-income countries to under 17% in low-income countries. Widening inequality gaps are particularly dangerous at this time of substantial polarization and the biggest peacetime economic slump in history, as they threaten global stability, according to Brende.

It is for this reason that the report listed digital inequality as one of the main risks over the coming years, and argued that economic growth needs to be more inclusive and sustainable. It is therefore critical that efforts are made to improve access to the internet and the development of digital skills. Brende added: “We have to invest in global access to the internet and we have to invest in schools, upskilling, reskilling, making sure that inequalities are not growing but are declining.”

As well as the potential sowing of more division through digital inequality, the panel highlighted other dangers that a rapid shift to technology brings. One of these is cybersecurity failures, which the WEF report highlighted as a big worry over the next two years. Carolina Klint, risk management leader for continental Europe at Marsh, noted that the almost overnight shift to home working many businesses were forced to undertake last year has “exponentially increased cyber-exposures and created more complex and potentially less secure networks.” Klint added: “Businesses should now really take the time to assess changes that were made in the heat of the pandemic and verify that the right investments have been made in networks and controls.”

Another major issue emanating from greater internet usage is the rise in misinformation, which has been particularly demonstrated by the fear-mongering and conspiracy theories linked to the COVID-19 crisis. In the view of Giger, this is causing more disconnect and polarization, as well as threatening democracy. However, governments must be cautious when taking regulatory action over this, and on protecting people from big tech monopolies, as this could lead to information censorship and more restricted internet access, risking “our hard won personal freedoms.”

Ultimately, the panel stated that the pandemic has provided an important lesson to countries in dealing with unexpected events. Guillaume Barthe-Dejean, director, chairman’s office at SK Group, noted that those countries “that digitized early tended to perform better” both from a health and economic point of view. These were nations such as Japan, Korea and China, which have effective track and trace systems, more effective communications, a greater continuity of public services and minimized labor disruptions. Barthe-Dejean added: “That’s a real learning point from hyper-connected economies such as South Korea, which has the highest internet penetration, at 96.2% of its population.”

Cloud Config Error Exposes X-Rated College Pics

A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted, according to vpnMentor.

A research team led by Noam Rotem discovered the AWS S3 bucket on October 13 last year, tracing it back to Fleek and owner Squid Inc.

The app apparently marketed itself as an uncensored alternative to Snapchat “Campus Stories.” A hit with US college students, it promised to automatically delete photos after a short period, encouraging users to post salacious pics of themselves engaged in sexually explicit and illegal activities.

However, as the researchers found, many photos were not deleted at all — in fact, they were still being stored long after the app was closed down in 2019.

“Many of these were shared in folders given offensive and derogatory names like ‘asianAss’ by the app’s developers,” vpnMentor explained.

“Fleek users were mostly college students naive of the implications of uploading images that show them engaging in embarrassing and criminal activities, such as drug use. If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money.”

In total, the research team found around 377,000 files in the 32GB bucket. This also included photos and bot scripts which it’s believed relate to a paid chat room service the app’s owners were trying to promote to users.

To encourage male users, the app’s owners appear to have created numerous bot accounts using images of women scraped from the internet. To ‘chat’ to these bots, users would have to pay a fee.

Having contacted both Squid Inc’s founder and AWS to notify them of the privacy snafu, vpnMentor found the bucket had been secured about a week after it was discovered. However, it’s unclear whether the data has been deleted or not.

“Never share anything you’d be embarrassed about online — few systems are 100% secure from hacking, leaks, or dishonest people saving incriminating images to hurt you in the future,” warned vpnMentor.

“It's also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future.”

Most Financial Services Have Suffered COVID-Linked Cyber-Attacks

Financial services firms were hit hard over the past year, with 70% experiencing a successful cyber-attack and most of these blaming COVID-related conditions for the incident, according to Keeper Security.

The password security firm commissioned the Ponemon Institute to poll over 370 UK IT security leaders in the sector, as part of a larger global study.

It revealed that the rapid shift to remote working forced on businesses during the pandemic provided threat actors with an opportunity to target remote workers.

Over half (57%) of respondents argued that cyber-attacks are increasing in severity as a result of work-from-home (WFH) and 41% argued that remote workers are putting the business at risk of a major data breach.

Respondents were most concerned about a lack of physical security wherever their employees are remote working from (48%) and their devices becoming infected with malware (34%). This matters in the UK especially as it boasts more privileged users than any other country: 31% of remote workers have access to critical, sensitive and proprietary information.

Trend Micro research last year revealed that home workers often engage in more risky behavior than when they’re at the office. When combined with the surge in COVID-19 phishing emails and devices that may be shared with other users in the same household and/or less well protected than corporate equivalents, it adds up to a potential perfect storm of risk.

Insufficient budget and lack of know-how on combatting cyber-attacks were flagged by respondents as the biggest IT security challenges with remote working.

They were most concerned about the threat to customer records (50%) and financial information (48%). IT security managers are right to be worried, given the potential regulatory and reputational impact of a breach.

According to Keeper Security CEO, Darren Guccione, things are particularly precarious given the double whammy of the pandemic and Brexit, which saw UK banks lose their crucial “passporting” rights.

“The adjustments to life as we know it due to COVID-19, and the limitations set to be imposed by Brexit, have seen businesses struggle to adopt essential operational requirements to stay afloat,” he argued.

“Without rigorous security in place, financial institutions across the UK jeopardise their future. It only takes one cyber-attack to destroy the reputation of the entire business.”

GDPR Fines Surge 39% Over Past Year Despite #COVID19

The past year has seen double-digit increases in the value of GDPR fines imposed by regulators and the volume of breaches notified to regulators, according to a new analysis by DLA Piper.

The international law firm said that €158.5m ($192m, £141m) in fines was imposed since January 28, 2020, a 39% increase on the previous 20-month period since the law came into force in May 2018.

Breach notifications surged by 19%, the second consecutive double-digit increase, to reach 121,165 over the past year.

In total, €272.5m ($332m, £45m) in fines has been issued since the start of the new regulatory regime, with Italy (€69m) having imposed the largest number, followed by Germany and France.

Total breach notification volumes have reached 281,000, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table. However, when weighted according to national populations, Denmark comes top, followed by the Netherlands and Ireland.

Although the upward trajectory of fines and notifications would suggest that the GDPR is forcing organizations to be more transparent about incidents and providing regulators with a powerful statutory instrument to punish major transgressors, the truth is more nuanced.

In the UK, for example, the Information Commissioner’s Office (ICO), a leading regulator in the drafting of the legislation, significantly reduced fines planned for BA and Marriott International, from a combined £282m to just £38m last year. It is believed the COVID-19 pandemic may have been a factor.

Concerns were raised last year that national regulators are simply not resourced sufficiently to launch major investigations against the world’s biggest companies, especially tech giants with deep pockets.

However, the coming year is likely to see a ramping up of regulatory pressure, warned Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group.

“Regulators have adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship,” he explained.

“During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt."

No US Trial for Irish Hacker

The United States has withdrawn an extradition request for an Irish hacker convicted of breaking into virtual wallets to steal millions of dollars in cryptocurrency.

Conor Freeman was identified by US Homeland Security as one of at least five co-conspirators involved in a string of digital thefts that robbed multiple victims of their life savings in 2018.

Freeman was arrested at his Dublin home in May 2019 on a warrant issued by US authorities. Following his arrest, the hacker handed over stolen Bitcoin worth $2,187,977 to Gardaí.

Freeman, of Dun Laoghaire, pleaded guilty to stealing cryptocurrency, dishonestly operating a computer to make a gain, and knowingly engaging in the possession of the proceeds of crime. In November 2020, the 21-year-old was sentenced to three months in prison minus one month served in custody by Judge Martin Nolan in Dublin Circuit Criminal Court. 

The US had asked Freeman to be surrendered and extradited to the United States to face charges of one count of conspiracy to commit wire fraud, four counts of aiding and abetting wire fraud, and four counts of aiding and abetting aggravated identity theft. 

US authorities alleged that Freeman was a member of an organized online criminal gang called The Community that conspired to steal from targets they picked out on social media. The gang used SIM-swapping to gain control of a victim's phone number, leveraging it to break into their virtual wallets.

A member of The Community, arrested in Michigan in May 2018, gave US authorities access to his computers. The member's online chat records revealed an individual calling himself Conor was involved in the thefts.

IP addresses used by this Conor were linked to Irish mobile phone and residential internet service providers used by Conor Freeman.

The High Court heard this morning that following his conviction in Ireland, the United States was no longer seeking to prosecute Freeman, who had no prior convictions. 

Had Freeman been convicted in the US on all counts, the Dubliner could have been sentenced to a maximum of 108 years behind bars.

EEMA Appoints Digital Identity Expert to Board of Management

EEMA, the leading independent European think tank focused on identity, privacy and trust, has announced the appointment of Steve Pannifer to its board of management. Pannifer, who is chief operations officer at Consult Hyperion, is renowned for his expertise in the field of digital identity.

Joining Consult Hyperion back in 1999, Pannifer has worked on numerous identity and payments initiatives for card schemes, banks and governments globally. He has also played a major role within the EEMA community, including as an advisory board member on the Horizon 2020 project. Additionally, he has chaired panel sessions with ENISA and EEMA board of management members Kim Cameron and Dave Birch during the EEMA Annual Conference in June 2020 as well as in EEMA’s ISSE 2020 webinar The European Single Identity System in November 2020.

Pannifer joins a host of big names in the field of identity and security who are part of the EEMA board of management. These include Hans Graux, partner at law firm Timelex, who was appointed in June last year.

Commenting on his appointment to the board, Pannifer said: “Through my work at Consult Hyperion I am fortunate to be involved in many interesting developments around the world, especially in identity and payments. My hope is that this will enable me to bring ideas and connections that will help to shape and guide EEMA’s future activities.

“EEMA presents a fantastic way to connect into the many digital identity and related developments across Europe and beyond. The combination of conferences, fireside sessions and projects is unique. As well as meeting people EEMA offers the chance to work with those people on forward looking projects.”

Jon Shamah, chair of EEMA, stated: “I am delighted to welcome Steve to the EEMA board of management. He is very well respected in the field of digital identity and has long been a generous contributor to our community, sharing his wealth of experience and expertise.”

Brussels-based EEMA provides events, projects, collaboration, education, engagement, communication, participation and networking for companies, the public sector and individuals as part of an effort to enable the building of enduring and mutually beneficial working relationships.

Health Insurer Fined $5.1m Over Data Breach

An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The agreement entered into by Excellus Health Plan, Inc. relates to a data breach that lasted 17 months and affected over 9.3 million people. 

Excellus is a New York–based health services corporation that provides health insurance coverage to over 1.5 million people in upstate and western New York.

A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company's information technology systems.  

The breach began on or before December 23, 2013, and dragged on until May 11, 2015. After gaining entry to the company's systems, malicious hackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.

Information exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.

Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.

OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls and failure to conduct an enterprise-wide risk analysis.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino. 

“We know that the most dangerous hackers are sophisticated, patient, and persistent.  Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.

NSA Appoints Cyber Director

The United States National Security Agency has announced the appointment of Rob Joyce as the new leader of its Cybersecurity Directorate. 

Joyce will take over from Anne Neuberger, who was first to lead the NSA's Cybersecurity Directorate when it was established in October 2019.

Neuberger was recently appointed Deputy National Security Advisor for Cyber and Emerging Technology for the National Security Council (NSC) by the incoming Biden administration. 

Joyce has worked in NSA’s Cybersecurity and Signals Intelligence missions since 1989. Currently, he is serving as the NSA's special liaison officer at the US Embassy in London. Prior to that he worked as a senior advisor for cybersecurity strategy to the NSA director. 

In 2018 Joyce won a place on the Federal 100 list. At the time of his win, Joyce was a special assistant to the president and cybersecurity coordinator in the NSC for the Trump administration. 

His role at the White House was to lead the development and implementation of national and international cybersecurity strategy and policy for the US, ensuring that the federal government was effectively partnering with the private sector, nongovernmental organizations, other branches and levels of government, and other nations. Joyce also served as deputy homeland security advisor and acting homeland security advisor. 

From 2013 to 2017, Joyce served as the chief of Tailored Access Operations (TAO), the NSA’s mission element that provided tools and expertise in computer network exploitation to deliver foreign intelligence. Prior to being named chief, he served as the deputy director of the Information Assurance Directorate (IAD) at the NSA, where he led efforts to harden, protect, and defend the nation’s most critical national security systems and improve cybersecurity for the nation. 

Joyce has also spoken at major tech events, including the 2019 edition of the RSA conference, where he presented sessions on the weaponization of the internet and reverse engineering. 

Outside of cybersecurity, Joyce is known for planning elaborate computerized light displays set to music over the holiday period. His 2020 festive efforts, titled "Notre Dame" and inspired by college football, were so impressive that NBC Sports shared a video on Twitter of the display in action. 

MoD Experiences 18% Growth in Personal Data Loss Incidents

The UK’s Ministry of Defense (MoD) experienced an 18% rise in personal data loss incidents in the financial year 2019/20, according to official figures analyzed by the Parliament Street Think Tank.

The UK government’s defense department revealed there were 546 reported incidents of personal data loss during the last financial year, up from 463 in 2018/19. Seven of the incidents were reported to the Information Commissioner’s Office (ICO) owing to their serious nature.

The vast majority (454) of incidents were recorded under the category of unauthorized disclosure. A further 49 were classified under loss of inadequately protected electronic equipment, devices or paper documents from secured government premises, with another 19 reported from outside of government premises.

Of the seven most serious incidents reported to the ICO, one involved a sub-contractor incorrectly disposing of MoD-originated material in July 2019, which led to the personnel and health data of two former employees being accidentally disclosed. Another occurred when a recorded delivery package containing the claim forms of five individuals was lost in transit between two stations in February 2020. A third example revolved around a whistleblowing report that had not been properly anonymized.

Commenting on the figures, Tim Sadler, CEO at Tessian, said: “Time and time again we see how simple incidents of human error can compromise data security and damage reputation. The thing is that mistakes are always going to happen. So, as organizations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.

“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”

The data is likely to add to fears over the vulnerability of public sector organizations to data breaches, particularly since the shift to remote working during COVID-19.

In December, Parliament Street reported that the Ministry of Justice (MoJ) had suffered 17 serious data breaches during the last financial year.

Thales and TT Electronics Partner to Enable OT Cybersecurity Initiatives and Research

Multinational technology company Thales and global provider of engineered electronics for performance critical applications TT Electronics have announced a partnership to enable the development of operational technology cybersecurity initiatives and research.

These programs will be delivered out of the National Digital Exploitation Center (NDEC) in South Wales, which offers cyber-skills and knowledge to the region. The partnership brings together Thales’ expertise in securing critical systems with TT Electronics’ innovative approach to electronics manufacturing for high-reliability markets.

“Thales and TT Electronics have very complementary and synergistic technologies,” said Perry Duffill, VP/GM, TT Electronics Global Manufacturing Solutions. “This collaboration enables TT to provide an additional level of security assurance for our aerospace and defense, medical and industrial customers who rely on us to manufacture highly complex systems for mission critical applications.”

Gareth Williams, VP, secure communications and information systems at Thales, added that the agreement is the next logical step in the long-standing relationship between the two companies.

“While we have previously worked together at the NDEC – with TT Electronics sitting on the steering group – this agreement enables a much more intimate level of collaboration between the two companies, with a clear goal of secure and resilient operational technology.”

Joker’s Stash Carding Site to Close in February

The largest carding marketplace on the dark web has announced it is shutting down for good, although experts warned that this will have little impact on the overall cybercrime economy.

The administrator of the Joker’s Stash site posted the news on Friday, claiming that the marketplace would remain open until February 15 this year before they go on a “well-deserved retirement.”

Experts at threat intelligence firm Gemini Advisory speculated that the announcement may be linked to October news posted by “JokerStash” that the site had recently been disrupted after they had to spend over a week in hospital with COVID-19.

They also questioned whether the recent spike in the value of Bitcoin had made the site admin now rich enough to retire.

Having been in operation since 2014, Joker’s Stash added 40 million stolen records and generated an estimated $1bn in revenue. However, the site apparently suffered a decline in the volume and quality of cards it was able to offer over the past six months.

“Most other top-tier carding marketplaces actually increased their posted data during this time. However, Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” noted Gemini Advisory.

“Additionally, JokerStash’s tactics, techniques and procedures (TTPs) involved advertising in advance and then posting high-profile major breaches. The threat actor leveraged media coverage of these breaches to boast about their ability to compromise even major corporations. Most dark web marketplaces eschew such TTPs because they attract undue attention from security researchers and law enforcement; JokerStash actually celebrated such attention.”

In a sign of the adaptability of the cybercrime underground, it is predicted that JokerStash’s retirement won’t have a significant impact on the industry.

Threat actors tend to split the sale of data across multiple marketplaces anyway, so they’ll simply pivot to other sites in the future, argued Gemini Advisory.

Environmental Regulator Suffers Ransomware Blow

The Scottish Environment Protection Agency (SEPA) has warned that it could take a “significant period” of time before systems and services are fully restored after it was hit by ransomware on Christmas Eve.

In a lengthy update late last week, the agency claimed that “a number” of its IT systems will remain “badly affected for some time,” and in some cases will need to be replaced completely.

“The agency confirmed that email, staff schedules, a number of specialist reporting tools, systems and databases remain unavailable with the potential for access to a series of systems and tools to be unavailable for a protracted period,” it continued.

One of these systems is a service for online reporting and enquiries about pollution. Although now restored, any information submitted to the service during the early days of the attack is not accessible.

On the plus side, SEPA said that its main regulatory, monitoring, flood forecasting and warning services continue to operate. Contact center and online self-help services are being slowly restored, including SEPA’s Floodline, 24-hour pollution hotline and environmental event reporting.

However, attackers also stole 1.2GB of data from the agency including information on procurement, commercial projects and SEPA staff, as well as its corporate plans, priorities and change programs. Some, but not all, is thought to have been publicly available.

“Whilst the actions of serious and organized criminals mean that for the moment we’ve lost access to our systems and had information stolen, what we’ve not lost is the expertise of over 1200 staff who day in, day out work tirelessly to protect Scotland’s environment,” said SEPA CEO Terry A’Hearn.

“Sadly we’re not the first and won’t be the last national organization targeted by likely international criminals. Cybercrime is a growing trend. Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”

Leaked #COVID19 Vaccine Data “Manipulated” to Mislead Public

Official COVID-19 vaccine data stolen and leaked online by threat actors had been changed prior to publication in what could be a deliberate attempt to sow disinformation, a medical regulator has claimed.

The European Medicines Agency (EMA) first revealed the data breach back in December. Although at the time it refused to clarify what was stolen, German biotechnology company BioNTech revealed that it was one of the firms affected.

“Some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which had been stored on an EMA server, had been unlawfully accessed,” it said at the time.

Last week the EMA claimed some of the stolen data was released online by the attackers, although it was unclear what their motives were.

However, in an update on Friday, the agency indicated that the end goal may have been to spread fake news.

“The ongoing investigation of the cyber-attack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines have been leaked on the internet,” it noted.

“This included internal/confidential email correspondence dating from November, relating to evaluation processes for COVID-19 vaccines. Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”

Attempts to manipulate public perception of events could indicate the hand of state-sponsored threat actors. Both Russia and China have developed rival vaccines to the Pfizer/BioNTech effort, and are looking to build their soft power by striking deals to supply other countries in a “vaccine diplomacy” push.

Anything that casts doubt on the efficacy of the Pfizer jab could therefore work in their favor. Alternatively, it may simply be the work of hacktivists appealing to a growing anti-vaxxer movement.

For its part, the EMA sought to reassure the public in its statement on the matter.

“Amid the high infection rate in the EU, there is an urgent public health need to make vaccines available to EU citizens as soon as possible,” it said.

“Despite this urgency, there has always been consensus across the EU not to compromise the high quality standards and to base any recommendation on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.”

Florida Man Cyberstalked Survivor of Murder Attempt

A man from Florida has admitted cyberstalking a woman who survived a violent attack in her childhood that left another young girl dead. 

Alvin Willie George of Cross City pleaded guilty to two counts of cyberstalking related to the online harassment of the survivor and her sisters. 

According to court records, the victim was in a Texas bedroom with another girl in December 1999 when an assailant entered and attacked the two friends. Both girls had their throats slit. 

One girl died from the attack, while her friend survived. The perpetrator of this vicious assault was later caught and convicted. 

George, who has no connection to the surviving victim or her family, began harassing the victim and her family 17 years after the attack took place.  

In or around November 2016, George started researching the deadly crime on the internet. The 25-year-old then created various Facebook accounts that he used to send harassing messages to the victim and her sisters, all of whom live in Idaho. In the messages, George threatened to rape and kill the women. 

The case was investigated by the Federal Bureau of Investigation and the Boise Police Department.

A federal grand jury in Boise indicted George on December 11, 2019. On Thursday, the US Attorney's Office in Boise, Idaho, announced George's guilty plea.

Sentencing is scheduled to take place on April 8, 2021, before US District Judge B. Lynn Winmill at the federal courthouse in Boise.

In Idaho, the crime of cyberstalking is punishable by up to five years in prison, a maximum fine of $250,000, and a supervised release period of up to three years, per charge.

According to the Stalking Prevention, Awareness and Resource Center, an estimated 6 to 7.5 million people are stalked annually in the United States. 

The majority of stalking victims are stalked by someone they know; just one in five stalking victims are stalked by a stranger. 

A quarter of stalking victims report being stalked through the use of some form of technology such as e-mail or instant messaging. Ten percent of victims report being monitored with global positioning systems, and 8% report being monitored through video or digital cameras or listening devices.

Women in Cybersecurity Mid-Atlantic Partners with CMMC COE

The Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE) yesterday announced a Memorandum of Understanding with the Women in Cybersecurity (WiCyS) Mid-Atlantic affiliate.

The executed MOU creates a cooperative agreement between the two parties to partner in the furthering of their missions and objectives around the adoption, use, and expansion of CMMC-based cybersecurity practices for the US Department of Defense (DoD) global Defense Industrial Base (DIB) contractor community and the information and communication technology community.

Objectives of the new partnership include a desire to aid efforts to advance the goals for improving the cyber and supply-chain security and resilience of the DIB network of contractors, suppliers, and vendors.

Among the specific actions planned is the co-development of CMMC advisory services, cyber education and training programs to increase cyber adoption, accelerating CMMC certification, and improving cyber protection and resilience.

The partners also want to expand and drive diversity across the cybersecurity workforce, which in 2019 was 80% male.

“The WiCyS Mid-Atlantic is excited to team with the CMMC COE in efforts to enhance the overall security of the defense industrial base supply chain," said Diane Janosek, founder and senior advisor of Women in Cybersecurity Mid-Atlantic.

"This partnership clearly demonstrates the CMMC COE’s commitment to a diverse cybersecurity workforce, which is key to defending the nation’s cyber critical infrastructure. Creative and inclusive teaming is essential to the CMMC’s success." 

Further actions planned by the partnership are the co-sponsorship of symposiums, training programs, and podcasts, leveraging their combined cyber and IT expertise, and the hosting of regular working groups, along with additional partners, to allow collaboration and communication. 

The establishment of an independent Industry Cyber Security Advisory Council is also planned, with peer organizations brought in to advise and educate leaders across government and industry on the effectiveness and continued evolution of CMMC.

“This is an exciting opportunity for us,” said John Weiler, chairman of the board at CMMC Center of Excellence. “This new partnership will further help advance the goals and objectives for improving the supply chain security and resilience of the US Department of Defense.”

UK Accidentally Deletes 150k Arrest Records

The UK government is investigating a technical issue that led to 150,000 arrest records being accidentally wiped from nationwide police databases. 

The unintentional erasure, reported initially by The Times, is believed to have been caused by human error and defective code that earmarked the wrong files for deletion.

Over 150,000 fingerprint records, DNA records, and arrest history records were lost as a result of the glitch. One source told The Times that the error could potentially allow offenders to escape justice as biometric evidence captured from crime scenes will no longer be flagged on the Police National Computer (PNC). 

The error also impacted Britain's visa system, causing the processing of applications to be suspended for two days. 

Sources told The Times that the records were accidentally wiped during one of the weekly data expunging acts known as "weeding" sessions. 

The newspaper reported that “crucial intelligence about suspects” had vanished as a result of the incident. However, the Home Office said that no records of criminals or dangerous persons had been deleted and that the lost data related to individuals who had been arrested and then released without charge.

UK Minister for Policing Kit Malthouse said officials were “working at pace” to attempt the recovery of the lost records.

He said: “A fast time review has identified the problem and corrected the process so it cannot happen again. The Home Office, NPCC [National Police Chiefs’ Council] and other law enforcement partners are working at pace to recover the data.

“While the loss relates to individuals who were arrested and then released with no further action, I have asked officials and the police to confirm their initial assessment that there is no threat to public safety. I will provide further updates as we conclude our work.”

Shadow Home Secretary Nick Thomas-Symonds said: “This is an extraordinarily serious security breach that presents huge dangers for public safety. The incompetence of this shambolic government cannot be allowed to put people at risk, let criminals go free and deny victims justice.”

The loss of the data follows the removal of 40,000 alerts regarding European criminals from the PNC with the UK's Brexit departure from the European Union.

NCSC Reveals New Solution to Protect Remote Public Sector Workers

The UK’s National Cyber Security Center (NCSC) has outlined the creation of a new protective domain name service (PDNS) solution in partnership with Nominet, the official registry for UK domain names.

The service, named PDNS Digital Roaming, is designed to enhance the security of public sector staff working from home as a result of the COVID-19 pandemic. The free at the point of use app will extend the protection offered by the original PDNS solution, which is delivered by Nominet, to remote networks.

PDNS has been in place since 2017, and helps keep public sector organizations secure by hampering the use of DNS for malware distribution and operation. Last year, it was being used by over 760 public sector organizations, protecting an estimated 2.8 million staff.

PDNS Digital Roaming enables these protections to extend to employees working from home by detecting when a device is outside of its enterprise network and redirecting DNS traffic to PDNS, using the encrypted DNS over HTTPS (DoH) protocol. This applies from whichever network employees connect to the internet from.

David Carroll, MD of Nominet’s cybersecurity arm commented: “The NCSC reacted quickly to the challenges that coronavirus presented to the cyber-defense of the nation. For example, elements of the Active Cyber Defense program – including the PDNS, which is delivered by Nominet on behalf of the NCSC – were made available to many more organizations in the past year, including over 200 frontline public health bodies.

“Without a fixed IP address, staff needed another option for accessing the protections of the PDNS – PDNS Digital Roaming has been the answer. This app was launched in September to all those currently eligible to use the PDNS. By installing it on their device, staff can ensure that their DNS traffic is being directed to the PDNS and is thus protected by this innovative service.

“Keeping critical services secure has never been so important. As we position our country as a global digital leader for the future, it will be important to devise solutions that are adaptable as well as highly resilient and secure.”

At the end of last year, Infosecurity spoke to Russell Haworth, CEO of Nominet, about how the company is combatting the rise in malicious domain names since the start of the COVID-19 pandemic.

#CES2021: AI and Quantum Technologies Set to Disrupt Cybersecurity Industry

Artificial intelligence (AI) and quantum are set to be the next major technology disruptors and will have a profound impact on the cybersecurity sector, according to speakers in a session at the Consumer Electronics Show (CES) 2021.

Advancements in these areas are likely to lead to new opportunities for cyber-criminals to leverage attacks, but conversely, can also enable the development of stronger cybersecurity defenses.

Vikram Sharma, founder and CEO at QuintessenceLabs, explained that these technologies form part of the predicted “fourth industrial revolution,” which will radically enhance our technological capabilities. “The fourth industrial revolution is really a confluence of a number of technologies, so alongside AI, 5G, robotics, 3D printing and IoT, quantum is one of these very important technologies of our time.”

He said it is critical organizations now look at how they can leverage quantum for cybersecurity purposes. This is because of its potential to provide a “robust” protection of data as well as to counter the threats this tech could pose in the hands of attackers. Sharma added: “The general consensus is we may see an adversary who has a quantum computer at the right scale to impact cybersecurity within the next five to 10 years.”

Similarly, it is critical that proactive steps are taken to tackle the use of AI by threat actors to launch attacks. Pete Tortorici, director, Joint Information Warfare at the Department of Defense (DOD) Joint Artificial Intelligence Center, outlined a number of considerations in this regard: “How are we going to understand what network incident detection is going to look like in the world of AI? How do we leverage AI to secure network capabilities? How do we build robust analytics to let us know when things have happened inside of a network?”

For organizations to successfully implement AI solutions, underlying issues first need to be resolved. Tortorici said: “A lot of organizations haven’t solved the data problem that underlies being able to get after an AI solution.” He added this can be as simple as collecting and keeping the data needed to feed their algorithm.

Another issue is meeting the demand for AI specialists and data engineers from a security standpoint. Tortorici commented: “I wonder if we have the required incentives, both educational and professional, to grow this skillset over the next several decades.” He added that at the Department of Defense there is now a strong emphasis on “cultivating and retaining talent” in this area.

In regard to quantum, Sharma said that his company has observed organizations becoming increasingly aware of the transformative potential of quantum, and “a number of them have started the process of building internal subject matter expertise within their engineering and development groups around quantum.”

However, much more focus needs to be placed on its potential impact on cybersecurity. Part of this is ensuring organizations are better educated on how to adapt their security posture. Sharma added: “While awareness of quantum is developing and generally people have some conception that there is a risk to cybersecurity, there isn’t a proper understanding of what this means in terms of implications for the cyber-technologies that are deployed today.” 

It is therefore critical that organizations prepare for the expected growth in AI and quantum, both to improve their productivity and to enhance their cybersecurity. Sharma and Tortorici emphasized two key factors in making this happen: general awareness and developing the right skillsets.

NSA: DNS over HTTPS Provides “False Sense of Security”

The US National Security Agency (NSA) has warned enterprises that adoption of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools.

DNS over HTTPS (DoH) has become an increasingly popular way to improve privacy and integrity by protecting DNS traffic between a client and a DNS resolver from unauthorized access. This can help to prevent eavesdropping and manipulation of DNS traffic.

However, although such services are useful for home and mobile users and networks not using DNS controls, they are not recommended for most enterprises, the US security agency claimed in a new report.

DoH is “not a panacea,” as it doesn’t guarantee that threat actors can’t see where a client is going on the web, said the NSA.

“DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied,” the report noted.

“While this allows clients to privately obtain an IP address based on a domain name, there are other ways cyber-threat actors can determine information without reading the DNS request directly, such as monitoring the connection a client makes after the DNS request.”

Moreover, DoH can actually impair network monitoring tools designed to spot suspicious activity in DNS traffic.

“DoH encrypts the DNS traffic, which prevents enterprises from monitoring DNS with these network-based tools unless they are breaking and inspecting TLS traffic. If DoH is used with the enterprise resolver, then inspection can still occur at the resolver or using resolver logs,” the report continued.

“However, if external DoH resolvers are not blocked and DoH is enabled on the user’s browser or OS to use a different resolver, there could be issues gaining visibility into that encrypted DNS traffic.”

Malware can also use DoH to hide its C&C communications traffic, the NSA warned.

The agency urged enterprises that use monitoring tools to avoid using DoH inside their networks.
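As an added illustration of the visibility problem the report describes (example code, not from the NSA report or the magazine), the following Python correlates enterprise-resolver logs with TLS flow logs to surface clients whose name resolution appears to bypass the enterprise resolver. The log formats, addresses and the list of public DoH hostnames are constructed assumptions.

```python
"""Spot clients that appear to resolve names outside the enterprise resolver,
for example via an external DoH server. Added example; log formats are assumed."""
from collections import defaultdict

# Assumption: an illustrative, deliberately short list of public DoH hostnames.
# A real deployment would maintain this list from vendor documentation.
KNOWN_DOH_ENDPOINTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed enterprise resolver log: "<ts> <client> <qname>".
RESOLVER_LOG = """\
2021-01-15T10:00:01 10.1.1.10 example.com
2021-01-15T10:00:02 10.1.1.10 cdn.example.net
2021-01-15T10:00:06 10.1.1.11 intranet.corp.example
"""
# Constructed network-sensor flow log with TLS SNI: "<ts> <client> <dst_ip> <dport> <sni>".
FLOW_LOG = """\
2021-01-15T10:00:03 10.1.1.10 93.184.216.34 443 example.com
2021-01-15T10:00:04 10.1.1.11 8.8.8.8 443 dns.google
2021-01-15T10:00:05 10.1.1.11 203.0.113.7 443 shop.example.org
2021-01-15T10:00:07 10.1.1.11 10.20.0.5 443 intranet.corp.example
"""


def parse_resolver_log(text):
    """Return {client: {qname, ...}} of names each client resolved via the enterprise resolver."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        seen[client].add(qname.lower().rstrip("."))
    return seen


def parse_flow_log(text):
    """Return a list of (client, dst_ip, dport, sni) tuples from the flow log."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, dst, dport, sni = line.split()
        flows.append((client, dst, int(dport), sni.lower().rstrip(".")))
    return flows


def find_doh_bypass(resolver_text, flow_text):
    """Two signals per client: (1) a TLS session whose SNI is a known public DoH
    endpoint; (2) a TLS session to a name the client never resolved through the
    enterprise resolver, which is what DoH to an external server looks like from
    the resolver's own logs. Names served from a client-side DNS cache can trigger
    signal (2), so a real deployment would widen the correlation window by the TTL.
    Returns {client: sorted list of finding strings}; clean clients are omitted."""
    resolved = parse_resolver_log(resolver_text)
    findings = defaultdict(list)
    for client, dst, dport, sni in parse_flow_log(flow_text):
        if dport != 443:
            continue
        if sni in KNOWN_DOH_ENDPOINTS:
            findings[client].append(f"doh-endpoint:{sni}->{dst}")
        elif sni not in resolved.get(client, set()):
            findings[client].append(f"unresolved-sni:{sni}->{dst}")
    return {client: sorted(items) for client, items in findings.items()}


if __name__ == "__main__":
    for client, items in find_doh_bypass(RESOLVER_LOG, FLOW_LOG).items():
        print(client, *items, sep="\n  ")
```

On the constructed logs only 10.1.1.11 is reported: it talks to a public DoH endpoint and then opens a TLS session to a name the enterprise resolver never saw, which is exactly the blind spot the report warns about.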

Facebook Sues Devs of Alleged Data-Scraping Chrome Extensions

Facebook is suing two European developers for allegedly violating its terms of service by scraping user data.

Legal action has been filed in Portugal by Facebook and Facebook Ireland against two individuals working for application/extension development company Oink and Stuff.

The firm claims its software products, available for Chrome, Firefox, Edge, Opera and Android, have over one million active users.

However, the two misled users into downloading their Chrome extensions by claiming in a privacy policy that they did not collect any personal information, alleged Facebook director of platform enforcement and litigation, Jessica Romero.

She highlighted four extensions, Web for Instagram plus DM, Blue Messenger, Emoji keyboard and Green Messenger, that contained code which Facebook claims are malicious and effectively act like spyware.

“When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook — all without their knowledge,” argued Romero.

“If the user visited the Facebook website, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account. The defendants did not compromise Facebook’s security systems. Instead, they used the extensions on the users’ devices to collect information.”

Facebook is seeking a permanent injunction against the defendants, demanding they delete all Facebook data in their possession.

This is just one of many cases brought by the social network against third parties it accuses of impacting user privacy, a push that began in earnest following the Cambridge Analytica scandal.

In September 2019, the firm revealed it had filed suits against LionMobi and JediMobi, two companies that used apps to infect users’ devices with click injection fraud malware, South Korean data analytics firm Rankwave and Ukrainians Gleb Sluchevsky and Andrey Gorbachov, who used quiz apps to scrape user data.

Automated “Classiscam” Operation Made $6.5m in 2020

An e-commerce “scam-as-a-service” operation tried-and-tested in Russia has expanded to multiple European countries in 2020, making cybercrime groups over $6.5m in the process, Group-IB has warned.

The Singapore-based cybersecurity company claimed in a new report that “Classiscam” first appeared in Russia in the summer of 2019, but soon migrated west and hit a peak of activity over 2020 as remote workers surged online to shop.

There are now at least 40 active groups using the scam packages to con internet users out of their hard-earned cash.

“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3000 pages,” said Yaroslav Kargalev, deputy head of CERT-GIB.

“We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time that Russia has served as a testing ground for cyber-criminals with global ambitions.”

The groups publish ads for popular products on marketplaces and classified websites, with prices marked down to spark interest from buyers. Consumer electronics such as cameras, game consoles, laptops and smartphones are often listed.

Once the buyer gets in touch, the scammer typically takes the conversation off the marketplace to WhatsApp or other messenger channels, using local phone numbers to add authenticity.

The fraudster then asks for the victim’s delivery and contact information and sends a phishing link mimicking the real marketplace, which takes the user to a fake payment page.

Telegram bots are used to generate the ready-to-use phishing pages, streamlining the process and lowering the bar to entry for non-techie cyber-criminals.

Cybercrime groups using the service typically include three types of operative: admins, workers and callers.

Admins are responsible for recruiting new members, creating the scam pages and taking action when a bank blocks the victim’s transaction. Workers communicate directly with victims, while callers pretend to be tech support specialists.

Group-IB estimated that the most active groups make as much as $522,000 per month.

“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” said Dmitriy Tiunkin, head of Group-IB Digital Risk Protection Department, Europe.

“Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”

Fujitsu: High Risk of #COVID19 Vaccine Disinformation Campaigns

There is a high risk of disinformation campaigns designed to spread panic and fear about the COVID-19 crisis, according to IT firm Fujitsu. In particular, it expects social engineering attacks to focus on fuelling uncertainty and doubt surrounding the effectiveness of COVID-19 vaccines as they begin to be rolled out across the world.

The company said that both criminal gangs and nation state actors will focus on controversial aspects of vaccine programs, including mandatory vaccination, health passports, mass immunity testing and lockdowns in these campaigns. These will target both businesses and individuals through a range of attack vectors, with phishing the most prominent.

There has been a huge rise in phishing campaigns observed since the start of the pandemic last year, with cyber-villains frequently using COVID-19 topics as lures.

The most sophisticated of these attacks will sow division between opposing sides, leading to more polarization and mistrust of information sources. This has been evident during recent elections such as the Brexit referendum in 2016 and the US elections last year.

Fujitsu added that it is already seeing malicious actors leverage issues around personal liberty linked to the pandemic, such as restrictions on movements and requirements to wear a facemask.

Paul McEvatt, head of cybersecurity innovation at Fujitsu, commented: “Phishing is at the heart of these attacks – the targeting of individuals based on their beliefs, or their circumstances, to socially engineer them into a compromised situation. People are more likely to fall for a phish when related to a topic they believe in or identify with. Today, the coronavirus pandemic is a global issue and a highly-emotional one, too, especially since it involves personal liberties and factors such as restriction on movement. There has probably never been a bigger topic for a disinformation attack.”

Earlier today, the European Medicines Agency revealed that documents related to COVID-19 medicines and vaccines have been leaked online following a cyber-attack on the regulator in December.

Convicted Hacker Allegedly Commits Fraud While Awaiting Release

A Kosovan hacker, granted compassionate release after being convicted of providing personally identifiable information of over 1,000 US government personnel to ISIS, has been charged with committing further crimes while in federal prison.

The US sentenced Ardit Ferizi to 20 years in prison in September 2016 after the hacker admitted accessing a protected computer without authorization and providing material support to a designated foreign terrorist organization.

In December 2020, Federal Judge Leonie Brinkema of the Eastern District of Virginia reduced Ferizi’s sentence to time served, plus 10 years of supervised release to be served in Kosovo after the 25-year-old submitted a handwritten motion stating that his obesity and asthma made him vulnerable to COVID-19. 

According to a federal complaint filed against Ferizi and unsealed on January 12, Ferizi was awaiting deportation back to his native Kosovo when the FBI determined that he had committed multiple new federal offenses. At the time of the alleged offenses, Ferizi was incarcerated at the Federal Correctional Institute in Terre Haute, Indiana.

“We allege Ferizi provided access to personal information of US citizens, even as he was serving his prison sentence for providing similar information to ISIS,” said US Attorney David L. Anderson. 

According to the FBI, in 2017 and 2018 Ferizi became involved in multiple fraudulent schemes while locked up in prison by coordinating with a family member who was operating Ferizi’s email accounts. At least one email account included large databases of stolen personally identifiable information, extensive lists of stolen email accounts, partial credit card numbers, passwords, and other confidential information, accumulated through Ferizi's criminal hacking activity.

"Based on an IP address resolving to Kosovo, login activity to Ferizi’s other e-mail accounts, and other investigative information, it was determined the family member downloaded the databases of stolen information to liquidate the proceeds of Ferizi’s previous criminal hacking activity," said the Department of Justice.  

Ferizi and his family member are alleged to have used the electronic services of Google, PayPal, and Coinbase to carry out these new crimes.

Ferizi, known online as Th3Dir3ctorY, is charged with one count of aggravated identity theft and one count of wire fraud in violation. If convicted of both charges, he faces a maximum penalty of 22 years in prison and a fine of $250,000.  

2020 Saw 6% Rise in Number of CVEs Reported

New analysis of the 2020 vulnerability and threat landscape has found that the total number of Common Vulnerabilities and Exposures (CVEs) reported last year was 6% higher than the total reported in 2019.

A year-in-review report from Tenable’s Security Response Team found that 18,358 CVEs were reported in 2020, while only 17,305 were reported the previous year. 

While the increase between 2019 and 2020 may seem slight, the team found that from 2015 to 2020, the number of CVEs reported rose 183%, from 6,487 to 18,358.

"For the last three years, we have seen over 16,000 CVEs reported annually—reflecting a new normal for vulnerability disclosures," noted researchers. 

Among the 2020 vulnerabilities disclosed were 29 Tenable identified as net-new zero-day vulnerabilities. Of the 29 vulnerabilities, over 35% were browser-related vulnerabilities, while nearly 29% were within operating systems. Font libraries were also popular, accounting for nearly 15% of zero-day vulnerabilities.

Reviewing at which points in the year critical CVEs were reported, researchers uncovered what they termed a "CVE Season" that coincided with summertime.

"Summer 2020—from June to August—was particularly unique for both the sheer volume and number of critical CVE disclosures," noted researchers. "547 flaws were disclosed in the summer months, including major disclosures in F5, Palo Alto Networks, PulseSecure, vBulletin and more."

An analysis of the CVE data for breach trends found that from January through October 2020, 730 publicly disclosed events resulted in the exposure of over 22 billion records. Of the industries impacted by breaches, healthcare and education made up the largest share, accounting for 25% and 13% of the breaches respectively.

Government and the technology industry were also popular targets, accounting for 12.5% and 15.5% of the breaches respectively.

Ransomware was found to be the most popular attack vector in 2020, being cited in 259 incidents. Email compromise was the cause of 105 breaches, while unsecured data led to 83 security incidents. For 179 data breaches, the root cause was unknown. 

The coronavirus pandemic was used time and again by cyber-attackers to lure their victims. By the first two weeks of April, 41% of organizations had experienced at least one business-impacting cyber-attack resulting from COVID-19 malware or phishing schemes.

Hy-Vee Data Breach Settlement Proposed

A preliminary settlement agreement regarding a data breach that impacted customers of Iowa-based grocery store chain Hy-Vee has been proposed. 

Hy-Vee launched an investigation after detecting unauthorized activity on some of its payment processing systems on July 29, 2019.

The investigation found that malware designed to access and steal payment card data from cards used on point-of-sale (POS) devices had been installed at certain Hy-Vee fuel pumps and drive-thru coffee shops. 

Restaurants were also impacted, including Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses, and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at the chain's West Des Moines corporate office. 

According to a statement released by Hy-Vee in October 2019, the specific timeframes when data from cards used at these locations may have been accessed varies by location. However, the company said that in general, fuel pumps were impacted from December 14, 2018, to July 29, 2019, whereas restaurants and drive-thru coffee shops were affected beginning January 15, 2019, to July 29, 2019.

"There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019," stated the company.

Hy-Vee locations in Iowa, Illinois, Kansas, Missouri, Montana, Nebraska, South Dakota, and Wisconsin were impacted by the breach. Data stolen in the prolonged attack included customer names, credit and debit card numbers, card expiration dates, and verification codes.

In October and November 2019, lawsuits were filed over the breach by several customers in Illinois, Missouri, and Wisconsin whose data had been compromised. These customers later teamed up to file a class-action complaint against Hy-Vee at the end of November 2019.  

On January 12, a settlement agreement was proposed that would allow those affected by the breach to submit reimbursement claims for a maximum of $225. The plaintiffs who are named in the suit are earmarked to receive an additional $2,000 "incentive award."

Under the proposal, customers who faced "extraordinary expenses" because of the data breach, such as hefty, unreimbursed fraudulent charges, may claim up to $5,000.

NTT DATA and Conferma Pay Partner to Deliver Secure, Virtual Payment Comms to Hotels

Global IT innovator NTT DATA and payments technology provider Conferma Pay have announced a partnership to bring secure, digital virtual payment communications to hotels.

The news comes at a time when more and more companies are seeking to implement contact-free payment processes to help reduce the spread of COVID-19 whilst also bolstering payment security and safety.

NTT DATA and Conferma Pay said they have combined to ensure virtual payments reach hotels securely in a digital manner, removing the reliance on traditional paper-based methods such as faxing.

Reception desks will be directed to a digital billing portal when confirming rooms booked with virtual payments, automating the virtual card delivery, removing the need for manual offline chargebacks, eliminating card exposure and tightening payment security.

Furthermore, hotel staff will no longer manually process payments or key card numbers into their merchant terminals. The check-in and check-out process is streamlined with a simplified, touchless experience.

Akihiro Ishizuka, head of global payments and services division at NTT DATA, said: “Payment innovation has accelerated like never before, creating the opportunity for a more efficient and highly secure virtual payment model. Partnering with Conferma Pay is a step forward in our commitment to provide travelers with a frictionless payment experience during check-in. This new integration will streamline the process considerably by reducing manual rekeying of payment data.”

Kelly Cleeton, senior director, global business development at Conferma Pay, added: “The solution we developed with the help of NTT DATA provides another layer of security and enhances the payment experience for our partner travel management companies and their clients.”

Ring Rolls-Out End-to-End Encryption to Bolster Privacy

Controversial connected device company Ring has added video end-to-end encryption (E2EE) to some of its products in a bid to boost user privacy and security.

The Amazon-owned maker of smart doorbells first flagged the move last autumn, but will begin the roll-out this week as part of a “technical preview.”

“By default, Ring already encrypts videos when they are uploaded to the cloud (in transit) and stored on Ring’s servers (at rest),” the firm explained in a blog post yesterday.

“With end-to-end encryption, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer’s enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device.”

That will go some way to assuaging customer concerns over who is viewing the videos shot by their doorbell camera.

Around a year ago, four Ring employees were fired after violating company policy when they were caught watching users’ videos.

“Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions,” Amazon said at the time.

Privacy concerns have also been raised over Ring’s decision to partner with hundreds of police forces across the US — although law enforcers have to request access to users’ videos within a certain time frame and geographic area.

The new E2EE feature will be available on the Ring Video Doorbell Pro, Ring Video Doorbell Elite, Ring Floodlight Cam, Ring Spotlight Cam Wired, Stick Up Cam Plug In, Stick Up Cam Elite and Indoor Cam.

The move follows a roll-out of two-factor authentication (2FA) to all users in early 2020, to help mitigate the risk of strangers hijacking users’ cameras.

Last month, a new legal case was formed by joining together complaints filed by over 30 users in 15 families who say that their devices were hacked and used to harass them. They’re arguing, among other things, that Ring should have mandated 2FA and the use of strong passwords out-of-the-box.