Author Archives: www.infosecurity-magazine.com

VMware Plans $2.1bn Carbon Black Acquisition

Carbon Black has announced a definitive agreement to merge with VMware, with the virtualization company paying around $2.1bn for the endpoint protection vendor.

With a view to creating a “highly differentiated, intrinsic security cloud,” the deal will see VMware better positioned to protect enterprise workloads and clients through Big Data, behavioral analytics and AI.

“By bringing Carbon Black into the VMware family, we are now taking a huge step forward in security and delivering an enterprise-grade platform to administer and protect workloads, applications and networks,” said Pat Gelsinger, CEO, VMware.

The combination of Carbon Black’s solutions with VMware’s security offerings, including AppDefense, Workspace ONE, NSX and SecureState, will create a modern security cloud platform for any application, running on any cloud, on any device, the company said. “This combined offering will provide customers advanced threat detection and in-depth application behavior insight to stop sophisticated attacks and accelerate responses,” a statement read.  

Patrick Morley, CEO of Carbon Black, said in a blog post that this was “a massive opportunity” as there is an “opportunity here for Carbon Black to truly disrupt the security industry — and ultimately help more customers stay safe from cyber-attacks.”

Morley added: “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device – essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating. As a result, VMware approached Carbon Black to deliver on this vision.

“Our product strategy stays the same. Our roadmap stays the same. Our customer support stays the same. The entire product portfolio, cloud and on-premises, is included in the merger – now backed by the extensive global footprint and GTM resources from VMware. In fact, the plan is to invest more aggressively in Carbon Black and leverage our combined strengths to accelerate our growth and execute our vision for our customers.”

Carbon Black will exist as an independent business unit within VMware, and become VMware’s Security Business Unit. Launched in 2007 as Bit9, the company was known as Bit9 & Carbon Black after it acquired Carbon Black in February 2014, and officially assumed the company name Carbon Black in February 2016.

South Korea Exits Japanese Intel-Sharing Agreement

The South Korean government has said it will end a crucial intelligence-sharing arrangement with Japan, as a trade dispute between the two wartime foes deepens.

Kim You-geun, deputy director of the presidential National Security Council, said the move was a response to Tokyo’s decision to remove South Korea’s fast-track export status earlier this month.

“Under this situation, we have determined that it would not serve our national interest to maintain an agreement we signed with the aim of exchanging military information which is sensitive to security,” he reportedly told a news conference.

The General Security of Military Information Agreement (GSOMIA) was due for automatic renewal on Saturday. It enables the two Asian giants to directly share vital intelligence on North Korea’s nuclear and missile program.

In response, Japanese defense minister Takeshi Iwaya has criticized Seoul for conflating trade and security matters.

“North Korea’s repeated missile tests threaten national security, and cooperation between Japan and South Korea and with the US is crucial,” he’s reported to have said. “We strongly urge them to make a wise decision.”

Bilateral relations between the countries started to deteriorate after a South Korean court ruled last year that Japanese companies like Mitsubishi must pay compensation for their use of forced labor during Japan’s occupation of the country from 1910-45.

Japan seemed to respond by placing restrictions on the materials needed by South Korean chip-makers like Samsung to build semiconductors. Seoul came back tit-for-tat by removing Japan from a whitelist of trusted trade partners.

Commentators have argued that the spat has worrying echoes of American policy under the Trump administration: more focused on country first at the expense of vital security partnerships on the world stage.

The news could not come at a worse time, given the growing might of China in the region and its burgeoning military alliance with Russia, as well as the continued threat from North Korea.

There is an increasingly cyber-focused dimension to military alliances and warfare today. In 2017, NATO confirmed it was establishing cyber as a legitimate military domain in light of the North Korean WannaCry and Russian NotPetya attacks.

Crypto Exchange bitFlyer Adds Ethereum to Buy/Sell Platform

Cryptocurrency exchange bitFlyer has announced that it is adding Ethereum (ETH) to its Buy/Sell trading platform.

bitFlyer Buy/Sell users in Europe and the US will now be able to send and receive ETH while ensuring they adhere to the robust regulatory standards bitFlyer guarantees for Bitcoin (BTC) transactions.

Andy Bryant, co-head and COO, bitFlyer Europe, said: “At bitFlyer, we want to offer not just the most popular coins, but the most respected ones too, which makes ETH a logical choice to expand our service offering. Not only has ETH proved itself as a useful altcoin, particularly in relation to smart contracts, it has an incredibly strong community that surrounds it. We’re committed to offering the best customer experience whilst prioritizing security and regulatory standards, and we’re proud to say Buy/Sell now offers this capability with ETH.”

Hailey Lennon, head of legal and regulatory affairs at bitFlyer USA, explained that crypto-regulation is evolving, and bitFlyer works to ensure that everything listed on its exchange complies with the global regulatory standards. “We’re excited for today’s announcement, adding Ether to our growing portfolio of coins with NYDFS approval, and we’re looking forward to launching more coins in the coming months,” she added.

bitFlyer is the only cryptocurrency exchange to be licensed in Japan, the US and Europe combined.

Ukrainian Nuke Plant Workers Tried to Mine Cryptocurrency

Ukrainian security service (SBU) agents have arrested several nuclear power plant employees in the country after they misguidedly tried to use their facility’s IT systems to mine for cryptocurrency.

Local media reports this week said the incident occurred on July 10 at the plant in Yuzhnoukrainsk in the south of the country.

The workers are said to have hooked up a supercomputer, which was kept air-gapped at the power plant, to the internet. In so doing, it’s claimed they unwittingly disclosed information on the physical security measures in place at the nuclear facility, which is a state secret.

The SBU officers seized unauthorized computer equipment which had been used to build a separate LAN designed to mine for cryptocurrency.

They reportedly took six Radeon RX 470 video cards, extension cords and cabling, various switches, a motherboard, a USB flash drive, a hard drive and even the metal frame on which the other items were mounted.

Equipment was also seized after separate searches were carried out at other parts of the facility, including premises used by a Ukrainian military unit stationed there.

This isn’t the first time such an incident has been discovered. In February 2018 it emerged that engineers at the Russian Federal Nuclear Center had been arrested for trying to mine Bitcoin with one of the country’s largest supercomputers.

“This is a great example of 'trust but verify',” argued Phil Neray, VP of industrial cybersecurity at CyberX. “Even with the strictest policies and regulations in the world, it's all theoretical if you aren't continuously monitoring for unusual or unauthorized activity.”

The news comes as new research from Kaspersky this week revealed human error was behind over half (52%) of cybersecurity incidents detected by the AV vendor in industrial environments last year.

City of London Hit by One Million Cyber-Attacks Per Month

The City of London Corporation has suffered nearly one million cyber-attacks each month for the first quarter of 2019, according to Freedom of Information (FOI) data obtained by Centrify.

The security vendor wanted to find out more about the cyber-risks facing the local authority, which governs the part of the capital housing much of the UK’s financial center.

It found that the governing body was hit by nearly 2.8 million attacks in the first three months of the year: an average of 927,000 per month. That’s up significantly (90%) from the 489,000 per month recorded in April-December 2018.

In total, the City of London suffered 7.2 million attacks from April 2018 to March 2019, of which, the vast majority (6.9 million) were classed as spam.

The second highest category was “spoof mail,” at 244,293 attacks — presumably related to phishing attempts. There were also 17,556 detections of “top malware.”

The findings could either be interpreted as a worrying rise in attacks, or proof that detection methods are getting better.

As well as 10,000 residents, the City of London welcomes millions of annual tourists thanks to attractions like the Tower of London and hundreds of thousands of daily commuters who work in one of the world’s biggest financial hubs.

“The high volume of sensitive public information contained within the systems and databases of organisations like the City of London Corporation makes it a top target for cyber-criminals. Malicious email scams such as phishing and malware attacks form a substantial part of the wider cyber threat facing councils across the country, in London and beyond,” warned Centrify VP, Andy Heather.

“With so many attacks taking place every day, it’s vital that all organizations adopt a zero trust approach to user activity, to prevent hackers gaining access to council systems using legitimate log-in details that may have been stolen or purchased on the dark web.”

In 2016 it emerged that the City was being hit by more ransomware attacks than many countries.

Crackdown on Fake LinkedIn Profiles

People have been turning to LinkedIn since 2002 as a way to develop their network of business contacts. The professional social networking site has 645 million users in over 200 countries and territories around the world, who spend an average of 17 minutes on the site per month. 

While using LinkedIn may be preferable to eating stale croissants and swapping business cards at yet another networking breakfast event, it has one major downside: fake profiles.

Fake profiles are typically characterized by poor spelling and grammar, a lack of engagement, a limited number of connections and a suspicious or incomplete work history. 

It’s also not unusual for the photo in a fake profile to depict someone who, if they were really that good looking, would be making a living from modeling underwear on a beach somewhere rather than heading up a small HR team at a recruitment firm in Croydon. 

The faux profiles, which are often duplicated, are used to contact genuine professionals to fish for information such as how to get hired at a particular company. Spam of this type can be a frequent and extremely irritating problem for executives bugged daily by multiple connection requests from fake profiles.

LinkedIn is aware of the problem and has been making a concerted effort to rid the site of its pretenders.

Paul Rockwell, LinkedIn’s head of trust and safety, said: “Our teams are working to keep LinkedIn a safe place for professionals by proactively finding fake profiles then removing them and any content they share. Between January and June 2019, we took action on 21.6 million fake accounts.”

LinkedIn managed to prevent 19.5 million fake accounts from being created by automatically halting the registration process. The other 2 million fake accounts were restricted after the company paired human review with AI, machine learning and reports of fake accounts made by genuine members.  

Automation plays a key part in LinkedIn’s defense against the incoming wave of fakers. According to Rockwell, automated defenses, including AI and machine learning, prevented or took down 98% of all fake accounts. The rest were captured through manual review. 

Rockwell said: “When we stop fake accounts, we start more chances for economic opportunity."

Fortnite Cheats Get Cheated

In an Aesop's fable for the digital age, Fortnite players who try to cheat are themselves being duped by ransomware disguised as a game hack.

Research conducted by cloud security specialists Cyren has found that a cheat tool claiming to improve the accuracy of a player's aim (known as an aimbot) is in reality a piece of malware designed to cause data loss. 

Roughly 250 million players of the online video game were targeted by the ransomware, which has the filename "SydneyFortniteHacks.exe" and is known as Syrk. 

Players who download Syrk in the misguided belief that they've stumbled across a sneaky way to up their game end up with a 12MB executable file. When the file is executed, the ransomware beast awakens and starts encrypting images, videos, music and documents stored on the player's computer. The encrypted files are marked with a .syrk file extension.

The unlucky player is then sent a threatening message demanding payment in return for a decryption password. The message includes an email address that the player must contact to discover how to make the payment.

The player is warned that if payment isn't received within two hours, files in their photo folder will be deleted, followed by files on their desktop. To underline the time-sensitive nature of the threat, the menacing message is unsubtly accompanied by a giant countdown clock. 

This nasty little piece of open source ransomware was built with tools readily available on the internet. And, in a doubly deceptive move, its creators built Syrk by reworking an existing piece of ransomware called Hidden-Cry. The source code for Hidden-Cry was shared on GitHub last year.

Fortunately, the means to decrypt the encrypted files can be found on machines infected with the ransomware. The file dh35s3h8d69s3b1k.exe – the Hidden-Cry decrypting tool – is one of the resources embedded in the main malware.

The discovery of Syrk follows news earlier this month that Fortnite players had been targeted by malware named Baldr, also hidden in cheat hacks distributed as links via YouTube. The moral of the story is "don't cheat," but with a $30 million prize pool for the recent Fortnite World Cup, it's easy to see how players fall victim to temptation.

Alaska is the Most Scammed State in America

An annual report on cybercrime by the Federal Bureau of Investigation has revealed Alaska to be the most scammed state in America for the second year running. 

With more than $450 million stolen, sunny California lost more money than any other state, but at 21.67 victims per 10,000 residents, Alaska had the highest per capita victim count.

Although more people were scammed in The Last Frontier State than in any other US state, Alaskans lost the least amount of money per person, with each victim being conned out of $2,256.30 on average. 

Across the state, the total number of people targeted by cyber-thieves was 1,606, based on the number of complaints received. Overall, the state's total losses in 2018 from internet scams was a painful $3.62 million. 

At the other end of the scale, the state with the fewest victims per capita for the second year in a row was South Dakota. The Midwestern state, known for the Black Hills into which the faces of four presidents have been carved, had just 5.3 victims per 10,000. 

Nearly $650 million was stolen from people aged 60 and over, who the report showed are the preferred prey for scammers. This age group is particularly vulnerable to confidence/relationship fraud, which occurs when scammers convince victims to send money to someone who appears to be a trustworthy person from a recognized brand, potential romantic partner or long-lost relative. 

The total losses to internet scams across the United States in 2018 exceeded $2.7 billion. 

The statistics are based on a total of 351,936 complaints received in 2018 by the FBI's Internet Crime Complaint Center (IC3). The real totals regarding the number of victims and the amount of money stolen through internet scams could potentially be much higher. 

Many of the scams were executed over social media, but most of the money was stolen through the use of fake emails. Business email compromise (BEC) and email account compromise (EAC) schemes accounted for more than $1 billion in losses.

Matt Gorham, assistant director of the bureau’s cyber division, said: “The most prevalent crime types reported by victims were nonpayment/nondelivery, extortion and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud and nonpayment/nondelivery."

#GCSEResultsDay2019: Number of Students Taking Computing & ICT Exams Drops

Today, August 8, marks GCSE Results Day and shows a significant drop in the number of students taking Computing and ICT exams, with a clear gender gap also apparent.

The 2019 GCSE results indicated that 68,965 male students and 20,577 female students took Computing and ICT this year, compared to 94,587 (males) and 35,623 (females) in 2018. That represents an overall drop of 40,668 students.

These figures are particularly concerning given the current skills gap that the cybersecurity industry is facing. In fact, global certification association (ISC)2 has estimated that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees.

“It’s worrying to see fewer and fewer students taking Computing and ICT subjects at GCSE,” said Agata Nowakowska, AVP at Skillsoft. “Last year we saw 9000 fewer students take the exams, this year it’s 40,668 fewer. We need to take action now to turn this around.”

The digital skills gap in industry is fast expanding and already at a level that can't be filled quickly enough, Nowakowska added, and so encouraging more students to take these exams isn’t enough.

“We need to focus on getting them in and keeping them there – encouraging more students to pursue these subjects through to A-Levels, degrees and beyond. The current picture is bleak and goes much deeper than exam numbers.

“The challenge is changing the ingrained unconscious biases that say these subjects are dull, boring or just for boys. Whilst it is of course disappointing to see the gender gap continue in these subjects, what is more concerning is that these results are reflective of the lack of female role models in technology and STEM as a whole. Young girls have claimed in the past that they are put off subjects such as Computing because they see them as ‘too difficult,’ but a large number of young women have also admitted to regretting not pursuing these subjects for longer. There is an opportunity here for a paradigm shift that we are simply not taking.”

Nowakowska therefore argued that the onus is on parents, teachers and business leaders to show that there is a place for girls in technology.

“There are so many programs aimed at getting girls interested in these areas, but we need to go further to challenge and eradicate the old fashioned views that are clearly still very much ingrained in the public consciousness.”

IT Security Pros: Encryption Backdoors Are Election Hacking Risk

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research.

The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general William Barr.

Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes.

Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users.

This argument has been repeatedly shot down, not only by the tech firms themselves, but also by world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

Now the IT security community is arguing that backdoors would also expose countries to the threat of cyber-attacks on election infrastructure — an increasingly important issue as the 2020 Presidential election comes into view.

While 80% agreed with this sentiment, 74% said countries with government-mandated encryption backdoors are more susceptible to nation-state attacks, 72% claimed they don’t reduce the terrorist threat and 70% argued they put countries at a distinct economic disadvantage.

Last month a Senate report revealed that voting infrastructure in all 50 states was most likely compromised by Russian hackers ahead of the 2016 election. It warns that if Russia’s preferred candidate doesn’t win in 2020, it could seek to use this access to de-legitimize the result.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“On a consumer level, people want technology that prioritizes the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage.”

Over a Third of Firms Have Suffered a Cloud Attack

Over a third of organizations have already suffered an attack on their cloud systems, yet many are failing to eradicate potential security blind spots, according to a new poll from Outpost24.

The cyber-assessment vendor interviewed 300 attendees at this year’s Infosecurity Europe show in London in June.

It found that while 37% admitted suffering a cloud attack, over a quarter (27%) said they don’t know how quickly they could tell if their cloud data has been compromised.

This lack of visibility into cloud environments also extends to testing: 11% claimed they never run any kind of testing in the cloud, while nearly a fifth (19%) said they only do so annually.

Given these findings it’s perhaps not surprising that nearly half of respondents (42%) said they believe on-premises data is more secure than that hosted in the cloud.

Despite these misgivings, a third (34%) of businesses said that more than half of their products/apps are running in the cloud, while 15% said all their assets were.

Bob Egner, VP at Outpost24, argued that cloud environments offer major cost and scalability benefits, but security can get more complex when firms start to use multiple clouds across different providers.

“Organizations should treat their cloud assets just as they would their on-premises assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture,” he added.

“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security. Ultimately the responsibility of protecting your data and cloud workloads lies with you, the organizations using cloud services.”

Cloud misconfiguration is a particular challenge, with hackers now stepping up efforts to find exposed databases via automated scans. The Cloud Security Alliance recently put this on its “egregious 11” list of top threats to cloud computing.

IT Teams Urged Not to Prioritize Patches Using CVSS

Organizations that prioritize patch updates primarily according to compliance requirements and use the Common Vulnerability Scoring System (CVSS) struggle with their vulnerability management programs, according to new research.

Cyber risk firm Kenna Security commissioned the Cyentia Institute to analyze data from its own platform related to the patching challenges facing over 100 organizations.

Perhaps unsurprisingly it found that those with high performing vulnerability management programs tended to use specific tools to prioritize patches based on cyber-risk.

However, those that based their decisions about which vulnerabilities to prioritize mainly on CVSS performed worse than organizations that simply ignored it, the report claimed.

Although the impact was less serious, there was also a correlation between using compliance requirements as a primary driver in prioritizing vulnerabilities and lower coverage rates.

“Compliance is oftentimes a necessary and important method for prioritization but using compliance as the primary remediation tactic correlated with reduction of overall coverage of high-risk vulnerabilities,” Kenna Security CTO, Ed Bellis, told Infosecurity.

“We believe using a remediation strategy that focuses on both the likelihood of the vulnerability being exploited along with the impact of the exploitation (high risk) to be the optimal approach. CVSS and some other methodologies are not a good measure of exploitation likelihood and can result in companies doing much more work or missing high risk vulnerabilities altogether.”

Elsewhere, the report found that companies which dedicate discrete teams to patch specific areas of the technology stack tend to fare better in vulnerability management. Defining service-level agreements (SLAs) for fixing vulnerabilities also improves the speed and overall performance of remediation, it claimed.

Bigger budgets correlated with an increased ability to remediate more bugs at a faster rate.

According to one vendor, over 22,000 vulnerabilities were publicly disclosed last year, a third of which received a CVSSv2 score of 7 or above.

Companies Act to Defend Privacy of Kazakhstanis

Google and Mozilla today took action to protect the online security and privacy of internet users in Kazakhstan following credible reports that the Kazakhstan government was intercepting internet traffic within the country.

A report published on Censoredplanet.org presented evidence that Kazakhstan’s internet providers were requiring users to download and install a government-issued certificate on all devices and in every browser in order to access the internet.

Once a user downloads the certificate, the government is able to intercept account information and passwords belonging to that user and can decrypt and read everything the user types and posts. This style of attack is known as a man-in-the-middle (MitM).

The HTTPS connections targeted by Kazakhstan’s government read like the list of websites an anxious parent might search when trying to track down their unruly teenager. They include Instagram, Facebook, Twitter, YouTube, Google Hangouts and Russian social network OK.RU. 

The Censored Planet report stated that “although the interception is not yet occurring country-wide, it appears the government is both willing and potentially capable of widespread HTTPS interception in the near future.”

Browser companies Google and Mozilla deployed technical solutions within Chrome and Firefox to block the Kazakhstan government’s ability to intercept internet traffic within the country. 

Marshall Erwin, senior director of trust and security at Mozilla, said: “Protecting our users and the integrity of the web is the reason Firefox exists.” 

Speaking on behalf of Chrome, Parisa Tabriz, senior engineering director, said: “We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data.”

What the Kazakhstan government lacks in subtlety when it comes to spying on the online activity of its citizens, it makes up for in persistence. 

The Kazakhstan government put in a request with Mozilla back in 2015 to have a root certificate included in the company’s trusted root store program. The request was denied when Mozilla discovered that the government intended to use the certificate to intercept users’ data. 

Undeterred, the government tried to force its citizens to manually install the certificate, but its ruse failed when organizations took legal action.  

China is Spying on Cancer Research

The healthcare industry has many ailments: financial pressures, a lack of skilled healthcare providers, uncertainties around reform and, in many cases, an increasingly unhealthy populace. But that’s not all it has to deal with.

A new report, Beyond Compliance: Cyber Threats and Healthcare, released today by intelligence-led security company FireEye has highlighted common cyber-threats to healthcare organizations. 

The report identifies cyber-espionage as being one of the top three most-common threats. Making up the triad of terror are data theft and disruptive and destructive threats. 

An interesting finding made by FireEye was the large number of healthcare-associated databases observed for sale online between October 1, 2018, and March 31, 2019. 

The databases – the majority of which could be bought for under $2,000 – contained personally identifiable information (PII) and protected health information (PHI), such as patients' ZIP codes, email addresses, driver’s licenses and health insurance details associated with healthcare institutions in the US, the UK, Canada, Australia and India. Some data sets were on sale for as little as $200.

Luke McNamara, a principal analyst at FireEye Intelligence, said: “The large number of data sets being sold and the low prices you can purchase the sets for shows how ubiquitous access to them is.”

The report acknowledged that “buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common” and predicted that this scenario was unlikely to change given the data’s “utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures.”

Thefts of valuable research and mass records were observed being carried out by nation-states as well as by individuals. 

FireEye witnessed the deployment of multiple advanced persistent threat (APT) attack campaigns by several different countries, including China, Vietnam and Russia. China attracted special mention in the report for showing a particular interest in mining data linked to cancer research.  

Asked if China was the biggest culprit when it came to cyber-espionage, McNamara said: “I think so, from what we have seen over the years. They have shown the most concerted interest in the space. 

“There are well-known groups like APT 32 from Vietnam who targeted the UK and many one-offs, but China by far makes up most of the activity.”  

Healthcare organizations will continue to be attractive targets for cyber-criminals because of the nature and quantity of the data with which they are associated. At least with this report, they have some idea of what’s lurking in the shadows. 

McNamara said: “By putting this report out there we hope to get organizations to understand the range of threats out there.”

Who’s in Town Denies Instagram Block

A tracking app has hit back against recent reports that it has been blocked on social media giants Instagram and Facebook.

An article published last Tuesday on the Business Insider website reported that Facebook recently sent a cease-and-desist letter to the company behind the app Who’s in Town and took action to disable the personal Facebook account of the app’s creator Erick Barto. 

Speaking exclusively to Infosecurity Magazine, Barto confirmed that although he had received a cease-and-desist letter from legal firm Perkins Coie representing Facebook, the Who’s in Town app was still very much active. 

Barto said: “The Who’s in Town app is still up and running and statements about Facebook blocking it are untrue. 

“I had a couple of apps in the Facebook developer dashboard that were very old from 2013. They were legacy apps in my account. Facebook closed them and they closed my Facebook account and blocked my personal Instagram account.”

Asked whether Who’s in Town would be complying with the cease-and-desist letter, Barto said that the company “would reply, not comply,” in an effort to start a conversation with Facebook about the safe handling of data.

The Who’s in Town app allows users to monitor the movements of people they follow on Instagram. It works by collecting geotag data shared publicly on Instagram and displaying the data in an interactive map.

Barto designed the app to highlight the amount of data people are constantly sharing online and show how easily such data can be collected and misused. With this point now made and a cease-and-desist letter from Facebook hanging over Who’s in Town’s head, you could be forgiven for thinking the outlook for the app is somewhat bleak. According to Barto, this is not the case.   

Barto said: “We want more people to know about it because in the past with other projects we have made we have had more reach. As soon as we feel we have made our point with Who’s in Town we want to propose a solution to the problem, to work with Facebook on how to use data safely.”

Asked if he was nervous about taking Facebook on, Barto said: “Not if the outcome is worth it.”

Account Takeover Cases Hitting UK Courts Soar 57%

The number of account takeover (ATO) cases going to court in the UK climbed 57% in the first half of 2019 as cybercrime continues to professionalize, according to KPMG.

The consulting giant’s biannual Fraud Barometer report has been analyzing crime trends in the UK over the past 30 years, specifically major fraud cases being heard in Crown Courts, where charges top £100,000.

It claimed hackers are using a variety of techniques, across email, SMS and mobile apps, to grab personal identity data which then allows them to hijack victims’ online bank and credit card accounts.

However, the law is slowly catching up – at least when it comes to bank account takeover.

“The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) entered into force in June, and requires banks to repay funds to customers stolen as a result of account takeover,” explained KPMG's UK head of investigations, Roy Waligora. “Whilst this is a very positive step for the customer, we all need to remain vigilant as consumers will continue to bear such costs indirectly.”

ATO is also rife across consumers’ digital lives, of course, with hackers using phishing, credential stuffing and brute forcing techniques to crack everything from email inboxes to Uber and Netflix accounts.

The report also highlighted the continued commercialization of cybercrime, facilitated by the underground economy and dark web-based partnerships.

In one case, a Tyneside man was jailed for 28 months at Newcastle Crown Court after fronting a classic tech support scam designed to trick panicked users into handing over their bank account details.

Victims lost hundreds of thousands of pounds in the international campaign, which used India-based ‘call center’ scammers.

“Although awareness of cyber-criminality has increased, with a fifth of the public believing that cybercrime is the biggest challenge facing the UK today, this hasn’t been enough to stem the tide in account takeovers,” warned Rob Norris, VP enterprise and cybersecurity at Fujitsu.

“While potential attacks are not always easy to spot, a broader education on how to detect fraudulent emails is key not just to consumers’ own finances, but their employers as well; what a consumer intentionally or not exposes themselves to at home, they are also likely to do at work. The finances of consumers and success of businesses depend on this rigorous education.”

UK Boardrooms Falling Short on Cyber Expertise

More than two-thirds (67%) of UK firms believe security concerns are holding back their efforts to grow through digital innovation, with many blaming a lack of engagement at a board level, according to Ernst & Young (EY).

The global consultancy polled 175 C-suite executives at UK-based organizations, split fairly evenly between business (CEO, CFO, COO etc.) and IT (CIO, CISO) roles, in order to compile its report, Cybersecurity for competitive advantages.

While 42% claimed to be behind their competitors in adoption of new technology, cloud computing and IoT topped the list of tech perceived to pose the greatest risk to the business.

Overcoming these concerns may require closer boardroom alignment and ownership of the problem.

Some 57% of business leaders and half (50%) of technology leaders cited a lack of business sponsorship as the biggest barrier to improving their organization’s cybersecurity.

However, strategic views diverged significantly after that. Most tech leaders (58%) said that giving an individual board member overall responsibility for cybersecurity would have the greatest impact, while the majority (64%) of business leaders said the biggest gains would come from making cybersecurity more of a strategic priority.

Yet unfortunately, over half (57%) of those surveyed don’t currently have a board member with direct expertise in cybersecurity and even more (67%) don’t think one is needed.

EY’s EMEIA advisory cybersecurity leader, Mike Maddison, argued that while direct security experience may not be essential, there needs to be better understanding at a board level of cyber-related risk.

“In recent years, the rate and pace of technological advances, regulatory change, cyber-attacks and data breaches have moved cybersecurity rapidly up the corporate agenda,” he added.

“Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organizations need to start thinking differently about cybersecurity. Business leaders need to make the leap from seeing cybersecurity as only a protective measure, to it also being a strategic value driver.”

Two sectors leading by example are tech, media and telecoms (TMT) and retail. TMT respondents had the highest levels of board awareness, the largest planned investments in cybersecurity and the fewest concerns around security as a barrier to tech adoption, while all retail respondents believe a “cyber-secure” brand is important for competitive advantage.

War Against Fraudsters Looks Winnable, Report Says

Since 2017, digital ad spending has increased while fraud losses have declined, according to the fourth annual Bot Baseline Report, published by White Ops and the Association of National Advertisers (ANA).

The report found that, for the first time, more fraud will be stopped than will succeed, suggesting that defenders are gaining ground in the battle against fraudsters, potentially because it has become increasingly costly for criminals to purchase realistic bot traffic.

According to the report, 2019 saw a reduction in monetary losses. While the 2017 study reported $6.5 billion in losses, this year’s report reflects an 11% decline over the past two years, even though digital ad spending increased by 25.4% between 2017 and 2019.

Only 8% of display advertising impressions were fraudulent, which was a decrease of 9% from 2017, and only 14% of video ads were fake, down from 22% in 2017, the report found.

The report also noted that the majority of fraudulent impressions are actually invalidated by demand-side platforms (DSPs) or supply-side platforms (SSPs), filtered as sophisticated invalid traffic (SIVT) before being paid for or invalidated later via clawbacks (the recovery of ad spend after a campaign has run). These measures are estimated to have mitigated nearly $14 billion in fraud losses annually.

“What appears to be a decline in digital ad fraud could be a temporary lull as bad actors sharpen their saws while avoiding detection. Recently, there’s been a spate of malware attacks on online retailers and publishers, where the malware are agnostic to platform and can change characteristics in order to escape detection by pattern- or signature-based defenses,” said Usman Rahim, digital security and operations manager for The Media Trust.

“Make no mistake, today’s malware are engineering feats that require a great deal of skill and collaboration. The economics of attacks is encouraging criminals to band together. Battling these attacks demands the same. This means aligning brands, technology partners and premium publishers with consumers’ needs – in the post-GDPR world, that includes their privacy and safety. More important, it means working together on keeping out bad actors and changing our practices before the regulators force us to.”

Nearly Half of US Orgs Not Ready for CCPA

In advance of the California Consumer Privacy Act (CCPA) going into effect January 1, 2020, researchers analyzed how prepared US organizations are for the new regulations and found that nearly half of all companies will not be ready to comply with CCPA.

According to research conducted by the International Association of Privacy Professionals (IAPP) and OneTrust, reputation and consumer privacy are the biggest drivers for CCPA compliance, yet only 55% of companies report that they will be ready by the January effective date.

"Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” said Rita Heimes, IAPP research director and data protection officer, in a press release. “Nevertheless, they seem to think it’s not likely to be replaced by a federal law any time soon.”

Though nearly half of those organizations surveyed will not be ready for the initial effective date, an additional 25% claimed they will be in compliance by the enforceable date of July 1, 2020.

“The CCPA is a major moment for the U.S. privacy landscape, and our research reveals companies that didn’t need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA’s 2020 deadline,” said Kabir Barday, OneTrust CEO and fellow of information privacy (FIP), in the release.

The report did find a correlation between those organizations that are already in compliance with the EU’s General Data Protection Regulation (GDPR) and their readiness for CCPA to take effect.

“GDPR ‘raised the bar’ for data privacy awareness for companies in the US because the regulation put privacy controls in the hands of the consumer,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “CCPA is similar in this regard, as the law will require organizations to provide consumers with legal ‘rights’ based on the data collected.

“Part of the lack of confidence in CCPA readiness for many organizations surrounds the use of data. The vast amounts of data collected and used for monetization and business growth have added to the complexity of managing and securing data. Organizations need to determine what kind of data they have, where it is, how they are using it and who has access to it.”

Senate Passed Fed Cyber Workforce Program Act

In an effort to address the cybersecurity skills gap and create a more resourceful and effective cybersecurity workforce, the US Senate has passed the Federal Rotational Cyber Workforce Program Act of 2019.  

In 2017 the Government Accountability Office (GAO) determined that the country’s cyber workforce challenges posed high risk and reported that “the federal government needs to expand its cyber workforce planning and training efforts. Federal agencies need to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.”

The act, which was unanimously passed on May 1, is intended “to create a rotational cyber workforce program in which Federal employees in cyber workforce positions can be detailed to another agency to perform cyber functions. This program will enable Federal cyber workforce employees to enhance their cyber skills with experience from executing the cyber missions of other agencies.”

Enabling the mobility of cybersecurity practitioners will allow them to serve in various roles across different entities, which Keenan Skelly, VP of global partnerships at Circadence, said is critical if the government is to address the cybersecurity skills gap that exists not just in the US but globally.

“Allowing cybersecurity professionals to gain experience in multiple agencies, both government and private sector, will strengthen our overall cybersecurity posture,” Skelly said.

An additional goal of the act is to develop cybersecurity skills so that America can maintain its competitive edge in cybersecurity. As such, the act provides that “the United States Government must also recognize and reward the country’s highest-performing cybersecurity practitioners and teams.”  

Because the concept of rewards is often lost in the job of a cyber defender, Skelly said, “we must encourage and recognize those who go above and beyond.   

“The aptitude for cybersecurity lies not only in the technical fields but across the entire workforce. Most of the best cyber defenders I know started life out as something completely different. We need that diversity of thinking and skill, both technical and soft skills, to combat today’s hackers.”

Experts Warn of Office 365 Account Takeover Surge

Over 1.5 million malicious and spam emails were sent from thousands of compromised Office 365 accounts in just one month thanks to a surge in account takeovers (ATOs), according to Barracuda Networks.

The security vendor yesterday revealed new findings from an analysis of cloud-based email accounts under fire from ATO attempts in March.

It claimed over a quarter (29%) of organizations it monitored had Office 365 accounts compromised by attackers, often via credential stuffing using previously breached credentials, stolen passwords from the same user’s personal email account, brute force attacks, and other web and application channels.

One of the most popular tactics is phishing emails which impersonate Microsoft and request Office 365 log-ins from the unwitting recipient.

“With more than half of all global businesses already using Office 365 and adoption continuing to grow quickly, hackers have set their sights on taking over accounts because they serve as a gateway to an organization and its data — a lucrative payoff for the criminals,” warned Barracuda Networks VP of content security services, Asaf Cidon.

Once an account has been taken over, hackers don’t usually launch an attack from it immediately.

“Instead, they monitor email and track activity in the company, to maximize the chances of executing a successful attack,” Cidon explained.

“As part of their reconnaissance, scammers often set up mailbox rules to hide or delete any emails they send from the compromised account. In the March 2019 analysis performed by Barracuda researchers, hackers set up malicious rules to hide their activity in 34% of the nearly 4000 compromised accounts.”

The attackers then use their reconnaissance to target high value accounts in the organization such as executives and finance bosses, which could be used to facilitate BEC scams.

“Hackers also use compromised accounts to monetize attacks by stealing personal, financial, and confidential data and using it to commit identity theft, fraud, and other crimes,” Cidon claimed.

“Compromised accounts are also used to launch external attacks targeting partners and customers. With conversation hijacking, hackers insert themselves into important conversations or threads, such as during a wire transfer or other financial transaction.”

He urged the use of MFA to protect accounts, alongside tools to monitor inbox rules and suspicious activity, staff training, ATO protection and AI tools to better spot BEC and spear-phishing.
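The mailbox-rule abuse described above is one of the few ATO indicators that is cheap to hunt for, because the rules persist in the mailbox after the attacker has moved on. The following is an added example, not Barracuda’s tooling, that triages inbox rules for the hide-and-forward patterns the article lists: forwarding to an external domain, deleting matching mail, or filing it into folders users never open. The rule dictionaries are constructed to resemble the fields returned by Exchange Online’s `Get-InboxRule` or the Graph `messageRules` API, and the org domain list, folder names and keyword list are assumptions you would tune for your tenant.

```python
"""Triage Exchange/Office 365 inbox rules for the hide-and-forward patterns that follow
an account takeover. Added example, not Barracuda's tooling; the rule dictionaries are
constructed to resemble Get-InboxRule / Graph messageRules output (an assumption)."""
from dataclasses import dataclass

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains
# Folders attackers pick because users rarely look in them
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Words that hide finance traffic or a colleague's "were you hacked?" warning
SENSITIVE_WORDS = {"invoice", "payment", "wire", "transfer", "password",
                   "hacked", "phishing", "suspicious", "security"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list


def external_recipients(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def assess_rule(mailbox, rule):
    """Return a Finding if the rule looks like post-compromise hiding or exfiltration, else None."""
    if not rule.get("Enabled", True):
        return None
    name = (rule.get("Name") or "").strip()
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = external_recipients(targets)
    if external:
        reasons.append("forwards or redirects to external address: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{rule['MoveToFolder']}'")
    if not reasons:
        return None  # ordinary filing rule, nothing to report
    # Context that raises the priority of a rule already flagged above
    if len(name) <= 1:
        reasons.append("near-empty rule name (typical of hastily added attacker rules)")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])
             + rule.get("SubjectContainsWords", [])}
    hits = sorted(words & SENSITIVE_WORDS)
    if hits:
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))
    return Finding(mailbox, name or "<unnamed>", reasons)


def triage(rules_by_mailbox):
    """Run assess_rule over every mailbox and return the findings in mailbox order."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            finding = assess_rule(mailbox, rule)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: two mailboxes, four rules, two of them malicious
SAMPLE_RULES = {
    "cfo@example.com": [
        {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
         "SubjectOrBodyContainsWords": ["invoice", "wire", "hacked"]},
        {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
         "From": ["news@vendor.example"]},
    ],
    "ap@example.com": [
        {"Name": "Backup", "Enabled": True, "ForwardTo": ["ap.example@gmail.com"]},
        {"Name": "Old", "Enabled": False, "DeleteMessage": True},
    ],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f"{f.mailbox} rule {f.rule!r}: " + "; ".join(f.reasons))
```

The check deliberately reports only rules that take a hiding or forwarding action; keyword filters and odd names are added as context rather than flagged on their own, which keeps the output short enough to review after every rule-creation audit event.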

BYOD Risks Grow as Half of Firms Fail on Policies

BYOD is increasingly popular in the workplace, but half of organizations are exposing themselves to unnecessary extra risks by not implementing a clear policy on usage, according to Bitglass.

The security vendor polled 150 IT and security professionals at Cloud Expo Europe in London earlier this year.

It revealed that 74% are allowing employees to use their personal devices at work, but 47% either don’t have a policy in place to manage them, or don’t know if one existed.

Particularly baffling were the findings that unmanaged devices were considered the top blind spot for data leakage, with 31% agreeing. However, just 16% cited this as a top security priority for the coming year. Instead, malware protection (26%) came top.

Also concerning was the fact that over a quarter of respondents (28%) claimed they don’t enforce any multi-factor authentication (MFA) to protect personal devices.

Steve Armstrong, regional director at Bitglass, argued that BYOD can drive improved productivity, cost savings and talent retention, but in so doing may increase the risk of data loss if proper policies and security controls aren’t put in place.

“In order to securely reap the benefits of BYOD, organizations need advanced tools such as user and entity behavior analytics (UEBA) and data loss prevention (DLP),” he added.

“Additionally, they must be able to selectively wipe corporate data from personal devices without affecting the personal data therein. However, for deployments to be successful, these capabilities need to be implemented through an agentless solution that won’t hinder user privacy or device functionality.”

A study from 2018 revealed that 61% of UK small businesses experienced a cybersecurity incident following their introduction of BYOD.

A government breaches survey from earlier this year claimed that the use of personal devices “tend to be less commonly covered” by cybersecurity policies.

Europol: Two More Dark Web Marketplaces Seized

Europol is claiming victory after announcing the shut down of two more dark web marketplaces and several arrests.

The law enforcement organization said German police shut Wall Street Market, which it claimed was the world’s second largest dark web market, while earlier this year Finnish customs put paid to Silkkitie, aka the Valhalla Marketplace.

It was also revealed that German police arrested three suspects and seized €550,000 in cash, along with six-digit sums of cryptocurrency, vehicles, computers, storage devices and other evidence. US authorities arrested two alleged major drug dealers operating on the site.

The Finnish authorities are also said to have made a major Bitcoin seizure when they shut down the main server hosting Silkkitie, which had been running since 2013. It was claimed that illegal traders were monitored as they moved to other dark web sites following the seizure, although it’s unclear whether they were arrested.

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” said Europol executive director, Catherine De Bolle.

It’s unclear whether the law enforcement activity was linked to the recent news that the site’s admins were attempting an exit scam.

At the time, one moderator was threatening to release the details of any user who sent their address in plain text as part of disputes or tickets, unless they paid a fee.

That same moderator, “Med3l1n,” reportedly posted their Wall Street Market logins and server IP address to Dread, a Reddit-like site for the dark web. That would have given law enforcers vital intelligence to shut down the operation and go after some of the most prolific traders on the site.

In a final irony, the world’s biggest market, Dream Market, which many users left after it said it was going to move to a “partner site,” appears to still be up and running.

TinyPOS: Handcrafted Malware in Assembly Code

Legacy software vulnerabilities have created opportunities for hackers to steal credit card data and other personal information using tiny point of sale (POS) malware, according to research published by Forcepoint.

Researchers reportedly analyzed 2,000 samples of POS malware and found that many are handcrafted, written in assembly code and very small; thus, researchers aptly named the malware TinyPOS.

Of the samples analyzed, 95% were loaders used to distribute malware to systems. In addition, researchers found that system compromises can go months without detection due to the small code size (2.7KB). Though researchers suggested that protecting against these attacks is not difficult, the issue for many organizations is that they are running old, outdated POS software and hardware, against which malware this small can do a lot of damage.

The samples were grouped into four categories: loaders, mappers, scrapers and cleaners, wrote Robert Neumann, senior security researcher at Forcepoint. “The most probable initial vector would be a remote hack into the POS system to deliver the Loaders. Other options could include physical access (unlikely) or a rogue auto-update to deliver a compromised file to the POS operating system.”
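The "scraper" category above is the part of a POS toolkit that actually finds card data: it walks process memory looking for magnetic-stripe track records and keeps the ones whose PAN passes a Luhn check. The same logic, run by a defender over a memory dump, a suspicious file or network capture, is how you confirm what a scraper could have harvested. Below is an added example, not Forcepoint’s code or the TinyPOS samples, implementing that scan in Python; the buffer is constructed and uses the public 4111111111111111 test number rather than any real card.

```python
"""Scan a memory or file buffer for magnetic-stripe track data, the way POS 'scraper'
components (and the DLP/memory-hunting tools that look for them) do. Added example, not
Forcepoint's code; the buffer below is constructed and uses the public 4111111111111111
test number, never a real card."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^?]{0,}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{0,}\?")


def luhn_ok(pan):
    """Luhn check-digit test; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four, which is all an incident report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return (offset, track, masked PAN, expiry YYMM) for every Luhn-valid hit in buf."""
    hits = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # decoy or random digits, not a card
            expiry = m.group(3 if track == 1 else 2).decode()
            hits.append((m.start(), track, mask(pan), expiry))
    return sorted(hits)


# Constructed buffer: log noise, one track-1 record, one track-2 record, and a decoy that fails Luhn
SAMPLE = (b"\x00\x00POSTERM v2.1 txn=000417\x00"
          b"%B4111111111111111^DOE/JANE^25121011000000000000?"
          b"\x00\x00\x00;4111111111111111=25121011000000000000?"
          b"\x00;4111111111111112=25121011000000000000?\x00")

if __name__ == "__main__":
    for offset, track, pan, expiry in find_track_data(SAMPLE):
        print(f"offset {offset}: track {track} PAN {pan} exp {expiry}")
```

Two practical notes: the Luhn filter is what keeps this from drowning in false positives on timestamps and serial numbers, and a scraper running on the terminal has the same advantage, which is why encrypting track data in the reader (P2PE) rather than in the POS application is the control that actually removes the target.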

That attackers are targeting POS systems is nothing new, particularly because they collect large amounts of personal data. Because of their vulnerabilities, Ryan Wilk, VP of customer success for NuData Security, a Mastercard company, said POS systems have long been a prime target for cyber-criminals.

“This latest credit card–stealing malware is extremely stealthy and hard to detect, making some retailers even more vulnerable. Storing data securely is another basic security tenet. If merchants store credit card information offline and don’t encrypt it, it is sure to be stolen and abused,” Wilk said.

“However, once the credit card information is stolen, businesses can combat fraudulent online transactions through verification frameworks that can confirm the identity of users and prevent this type of fraud. Analyzing their online behavior, combined with hundreds of other identifiers that hackers can't imitate or steal, is the best protection against fraud, once the user data has been leaked.”

New Exploits Target Components of SAP Applications

New exploits have been targeting SAP systems, allowing attackers to fully compromise the platform and delete all business application data, according to new research from Onapsis Inc.

The exploits, dubbed 10KBLAZE, can potentially compromise all NetWeaver Application Server (AS) and S/4HANA systems. “In exposed systems, the exploits can be executed by a remote, unauthenticated attacker having only network connectivity to the vulnerable systems. These exploits are not targeting vulnerabilities inherent in SAP code, but administrative misconfiguration of SAP NetWeaver installations,” the report said.

Attackers could also modify or extract highly sensitive and regulated information in what Onapsis called a serious threat, given that an estimated 50,000 companies and one million systems are configured using SAP NetWeaver and S/4HANA.

Misconfigurations in access control lists (ACLs) could leave systems vulnerable. Based on research collected over the past decade, the report estimated that nearly 90% of these systems suffer from the misconfigurations for which these exploits are now publicly available. “The lack of one of these ACLs being properly protected is enough for an attacker to successfully exploit it. Customers must secure both of the ACL configurations in Gateway and Message Server to stay protected,” the report said.
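Because the weakness is configuration rather than code, it can be found with a file review rather than a scanner. The following added example, not Onapsis’s tooling, parses the two ACLs the report names, the gateway `reginfo`/`secinfo` files and the message server `ms/acl_info` file, and flags permit entries that use wildcards. The line formats follow the documented `P|D TP=... HOST=...` and `HOST=...` syntax as I understand it, the sample files are constructed, and treating a missing `HOST` as `*` is an assumption of this checker rather than something the report states.

```python
"""Flag wildcard entries in SAP gateway (reginfo/secinfo) and message server (ms/acl_info)
access control lists. Added example, not Onapsis's scanner; the line formats follow the
documented "P|D TP=... HOST=..." / "HOST=..." syntax as I understand it, and the sample
files are constructed."""
from dataclasses import dataclass

WILDCARD_HOSTS = {"*", "0.0.0.0"}


@dataclass
class Issue:
    acl: str
    line_no: int
    text: str
    reason: str


def _parse_rule(line):
    """'P TP=sapxpg HOST=app1 ACCESS=internal' -> ('P', {'TP': 'sapxpg', 'HOST': 'app1', ...})."""
    parts = line.split()
    fields = {}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.upper()] = value
    return parts[0].upper(), fields


def _entries(text):
    """Yield (line number, rule) for non-comment lines; '#VERSION=2' headers are comments."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield number, line


def check_gateway_acl(acl_name, text):
    """Permit rules whose TP/HOST are wildcards let any host register or start programs through
    the gateway. Assumption: a missing HOST is treated as '*' by this checker."""
    issues = []
    for number, line in _entries(text):
        action, fields = _parse_rule(line)
        if action != "P":
            continue  # 'D' (deny) lines only restrict
        tp = fields.get("TP", "*")
        host = fields.get("HOST", "*")
        if host in WILDCARD_HOSTS and tp == "*":
            issues.append(Issue(acl_name, number, line, "any host may register/start any program"))
        elif host in WILDCARD_HOSTS:
            issues.append(Issue(acl_name, number, line, f"any host may use TP={tp}"))
        if acl_name == "reginfo" and host not in WILDCARD_HOSTS:
            # A named host may register, but who may then call or cancel it?
            for key in ("ACCESS", "CANCEL"):
                if fields.get(key, "*") in WILDCARD_HOSTS:
                    issues.append(Issue(acl_name, number, line,
                                        f"{key} is unrestricted for registered program {tp}"))
    return issues


def check_ms_acl(text):
    """ms/acl_info lines name the hosts allowed to reach the message server's internal port."""
    issues = []
    for number, line in _entries(text):
        _, fields = _parse_rule("X " + line)  # reuse the key=value parser
        if fields.get("HOST", "*") in WILDCARD_HOSTS:
            issues.append(Issue("ms_acl_info", number, line,
                                "any host may register as an application server"))
    return issues


def assess(reginfo, secinfo, ms_acl):
    """Gateway and message server ACLs must both be tight; one open ACL is enough to be exposed."""
    issues = (check_gateway_acl("reginfo", reginfo) + check_gateway_acl("secinfo", secinfo)
              + check_ms_acl(ms_acl))
    return {"exposed": bool(issues), "issues": issues}


# Constructed samples: the classic open defaults beside a restricted configuration
INSECURE_REGINFO = "#VERSION=2\nP TP=* HOST=* ACCESS=* CANCEL=*\n"
SECURE_REGINFO = ("#VERSION=2\n"
                  "P TP=sapxpg HOST=app1.example.internal ACCESS=internal CANCEL=internal\n"
                  "D TP=* HOST=*\n")
INSECURE_SECINFO = "#VERSION=2\nP TP=* USER=* HOST=*\n"
SECURE_SECINFO = "#VERSION=2\nP TP=sapxpg USER=* USER-HOST=internal HOST=internal\nD TP=*\n"
INSECURE_MS_ACL = "HOST=*\n"
SECURE_MS_ACL = "# application servers only\nHOST=app1.example.internal\nHOST=app2.example.internal\n"

if __name__ == "__main__":
    for issue in assess(INSECURE_REGINFO, INSECURE_SECINFO, INSECURE_MS_ACL)["issues"]:
        print(f"{issue.acl}:{issue.line_no}: {issue.text}  <- {issue.reason}")
```

Run it against the files referenced by the `gw/reg_info`, `gw/sec_info` and `ms/acl_info` profile parameters on each instance; an empty issue list is necessary but not sufficient, since the profile must also point at these files and enable ACL checking in the first place.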

“This risk to SAP customers can represent a weakness in affected publicly traded organizations that may result in material misstatements of the company's annual financial statements (form 10-K). Further, a breach against these business-critical applications would likely result in the need for disclosure, given the recent SEC's Cybersecurity Disclosure Guidance,” said Larry Harrington, former chairman of the board of the Institute of Internal Auditors (IIA), in a press release.

“SAP released relevant security notes and guidance to help customers secure these critical configurations several years ago. The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems. This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes,” said Mariano Nunez, CEO and co-founder, Onapsis, in the press release.

Putin Signs Law to ‘Stabilize’ Russian Internet

In the event that Russia should ever be disconnected from the global infrastructure of the World Wide Web, Russian president Vladimir Putin has signed a law to stabilize the operation of the Russian internet, dubbed Runet, according to Tass, a Russian news agency.

Infosecurity Magazine reported last month on the then-proposed law, which has been seen as part of Russia’s plan to cut access to the global internet. The final draft of the bill reportedly prepares for the unlikely event that – should anything threaten the stable, safe and integral operation of the Russian internet on Russian territory – “the Federal Service for Supervision of Communications, Information Technology and Mass Media will be able to carry out 'the centralized operation of the general communications network,'" Tass reported.

The law essentially lays the groundwork for Russia to develop an alternate domain name system (DNS), which would reportedly force all internet service providers to “disconnect from any foreign servers, relying on Russia's DNS instead,” according to Forbes.

“We’re disappointed to see this request from Roskomnadzor. OpenVPN cannot in good conscience support censorship; I’ve personally experienced it and know the damage it can cause. We stand by our belief that open, secure access to the internet is a human right,” said Francis Dinha, CEO and co-founder of OpenVPN.

OpenVPN is a protocol and technology, and Dinha said the company does not believe the law will impact its B2B services, unless Russia decides to block the OpenVPN protocol. Though the company has a consumer VPN service, it does not have any servers in Russia.

“OpenVPN is committed to our users and customers by protecting them against cyber-threats and providing secure and private access to their information from anywhere in the world. State governments and institutions may have the right to create policies and restrict its citizens from accessing certain content. However, OpenVPN will continue to provide access to our software and services to people no matter where they live or travel to. OpenVPN can’t compromise and must protect the security and privacy of those we serve.”

UK IT Bosses Failing on Password Best Practices

UK IT managers are exposing their organizations to unnecessary risk by failing to adhere to best practices around password security, according to OneLogin research.

Released on World Password Day today, the poll of 300 IT decision makers revealed a worrying gap between perception and reality.

Although nearly all respondents (98%) had company guidelines in place to protect passwords and a similar number (95%) claimed such measures were adequate, the research highlighted several shortcomings.

For example, two-thirds (66%) admitted they don’t check employee passwords against common credential lists, and even more (78%) don’t check for password complexity.

What’s more, just 53% require single sign-on (SSO) and less than half require numbers (47%) and upper and lower-case characters (37%).
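The two checks most respondents admitted to skipping, screening against common credential lists and checking complexity, are a few lines of code once you have a breached-password source. The following added example, not OneLogin’s product, implements both as the survey frames them. The breached set is constructed, and the range lookup imitates the k-anonymity style of a have-i-been-pwned-type service (only the first five hex characters of the SHA-1 hash are sent, the suffix is matched locally) without making any network call; how you would wire that to a real service, and the 12-character minimum, are assumptions.

```python
"""Screen a candidate password against a breached-credential list and for length and
character mix. Added example, not OneLogin's product; the breached set is constructed and
the range lookup is an offline stand-in for a k-anonymity style hash-range service."""
import hashlib
import re

MIN_LENGTH = 12  # assumption: a local policy choice, not a figure from the survey

# Constructed stand-in for a breached-password corpus
_BREACHED = ["password", "Password1", "qwerty123", "letmein", "Summer2019!"]


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def _build_ranges(passwords):
    """Group breached hashes by their first five hex digits, as a range query returns them."""
    ranges = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{passwords.count(pw)}")
    return ranges


_RANGES = _build_ranges(_BREACHED)


def range_lookup(prefix):
    """Offline stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines."""
    return _RANGES.get(prefix.upper(), [])


def breach_count(password, lookup=range_lookup):
    """Send only the 5-char hash prefix; match the suffix locally so the full hash never leaves."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, lookup=range_lookup):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("no mix of upper- and lower-case letters")
    hits = breach_count(password, lookup)
    if hits:
        failures.append(f"appears in breached-credential data ({hits} time(s))")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple 42", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate) or "OK")
```

One caveat when adopting the survey’s criteria: NIST SP 800-63B recommends breached-password screening and a length minimum but advises against mandatory composition rules, so treat the character-class checks as the page’s yardstick rather than the last word. The breach check is the one that catches `Password1` here, which satisfies the digit and case requirements.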

"This report should be a reminder to every business leader in the UK to carefully review their password management," said OneLogin CTO, Thomas Pedersen. "Cyber-criminals thrive on companies overlooking fundamental security requirements, which becomes an open invitation for any hacker on the hunt for easy passwords."

Experts used the awareness-raising day to call for an end to static credentials.

“Maybe it’s time to retire ‘World Password Day’ in favor of ‘World Authentication Day’,” argued Tripwire VP of product management, Tim Erlin.

“The password is the least secure component in most authentication systems, and passwords alone are no longer sufficient. World Password Day is a good day to set up multi-factor authentication (MFA) everywhere you can.”

Colin Truran, principal technology strategist at Quest, welcomed the growing popularity of MFA but argued that firms need to go further.

“Today things are starting to change and I am encouraged to hear many more organizations turning to multiple levels of biometric identification, including government bodies,” he added.

“Of course, it’s a huge responsibility to hold such biometric information in our consumer and user base, so this information must itself be protected by something better than a password! Let’s try to make this day a day of remembrance rather than a reminder of our reluctance to let go of an outmoded concept.”

UK Government Intros Landmark IoT Security Proposals

The UK government has introduced a proposed new law designed to improve IoT security-by-design and demand that retailers can only sell devices featuring an explanatory label for consumers.

The new rules build on a voluntary code of practice introduced last year which was intended to force manufacturers to build security protections into products at the design stage.

The government is now consulting on how to go further, in an attempt to improve the baseline security of products and consumers’ ability to differentiate between those on the shelves.

Also mooted are proposals to make the main elements of the code of practice mandatory, including requirements that: IoT device passwords be unique and can’t be reset to factory defaults; manufacturers provide a vulnerability disclosure policy and public point of contact; and manufacturers state the minimum length of time during which the device will receive security updates.

Although the labeling scheme will initially be voluntary, the plans have been billed as another milestone in the government’s efforts to make the UK a global leader in online safety.

“This is an important first step in creating flexible and purposeful regulation that stamps out poor security practices, which techUK’s research shows can act as significant barriers on the take-up of consumer IoT devices,” said techUK CEO, Julian David.

“The proposals set out have the potential to positively impact the security of devices made across the world and it is good to see the government is working with international partners to ensure a consistent approach to IoT security. TechUK looks forward to responding to this consultation on behalf of our members.”

F-Secure principal consultant, Tom Gaffney, said the security vendor was critical of the code of conduct as it was voluntary, but added that “by proposing a legal framework the UK government is taking a step in the right direction.”

“As many as one third of IoT attacks abuse weak passwords and legislating to fix this basic issue can only be a good thing,” he argued.

Katie Vickery, partner at international law firm Osborne Clarke, said even the voluntary code of conduct was intended to alter the legal liability framework for IoT products.

“This proposed new legislation would make that shift absolutely clear – manufacturers would have to meet minimum security standards on all IoT devices sold in the UK,” she added. “The use of voluntary labeling will also encourage compliance, as consumers seek out those devices that give them some added assurance.”

Tim Rawlins, director and senior adviser at NCC Group, argued that the proposed laws would put pressure on manufacturers to improve baseline security.

“But there needs to be a continuing focus on driving improvements in security in IoT products across the design and manufacturing industry. Security needs to be a firm focus well before any of these IoT devices end up in users’ hands,” he added.

UK Defense Secretary Sacked Over Huawei Leak

Opposition parties are calling for a criminal inquiry after the UK defense secretary was sacked for allegedly leaking news of the government’s decision to allow Huawei to supply parts of its 5G network.

Gavin Williamson reportedly refused to resign when confronted with evidence suggesting he leaked details of the highly sensitive decision made by the National Security Council to a Daily Telegraph journalist.

Prime Minister Theresa May duly sacked him, although Williamson has since gone on the offensive, claiming his firing was a “witch hunt” and that he was tried “in a kangaroo court with summary execution.”

Although he admitted speaking to a journalist from the paper in question for 11 minutes on the day of the leak, he maintains it came from outside his team.

Now Labour and Liberal Democrat leaders are calling for a criminal investigation into whether the Official Secrets Act was broken.

“This story cannot begin and end with dismissal from office,” Lib Dem leader Vince Cable is reported as saying. “What is at stake is the capacity of our security services to give advice at the highest level.”

Williamson was one of several cabinet ministers said to have raised concerns about Theresa May’s decision to allow Huawei to provide “non-core” equipment for Britain’s 5G networks.

The security services have continuously sought to downplay the risk of Chinese intelligence interference in its kit going forward, although they have highlighted serious issues with the quality of the engineering and coding, which could itself be exploited by spies.

A Bloomberg report this week claimed that Vodafone found hidden backdoors in Huawei kit in 2011 and 2012 “that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy.”

However, Vodafone itself denied the claims, stating that the incident was “nothing more than a failure to remove a diagnostic function after development.”

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” the statement continued.

“Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorised access to the carrier’s fixed-line network in Italy’.”

The journalist has since taken to Twitter to defend his story, saying:

“Vodafone found a non-documented Telnet Service built by Huawei with hardcoded credentials on a non-standard port that was re-added after being found a first time through security testing and removed, according to Vodafone IT Incident Report. Vodafone called it ‘Telnet Backdoor’.”

If nothing else, the incidents highlight the high stakes for national governments when deciding whether to allow Chinese companies to compete for what will be an essential part of critical infrastructure for many years.

Cyber-Attacks in UK Grew by 140% in 2018

Cyber-attacks in the UK grew by an alarming 140% in 2018, according to a cyber-threat landscape report by eSentire that discusses the most impacted industries in the UK and which types of attacks were the most successful.

Attacks on IoT devices have also seen significant growth, with “a growing trend in IoT exploits targeting cameras, door controllers, surveillance equipment and media devices throughout our global customer base. In the UK, the vast majority of the observed exploits specifically impacted devices manufactured by AVTech, a leading manufacturer of video surveillance and monitoring equipment.”

The researchers found that attackers were keen to use Dropbox-theme phishing lures. However, the report found that employees in the UK are better than their global counterparts at preventing malicious attacks, including phishing attacks, despite evidence that organizations in the UK had a higher percentage of exploit attacks than the global average.

“In the UK, this increase in global botnet activity drove significant increases in the number of exploit (10%), malware (45%) and scanning (15%) detections observed by eSentire during 2018. The only attack type to see a decline was phishing, which while still a significant threat to UK businesses, saw roughly 20 percent decrease in observed incidents,” the report said.

While no industry is without its risk, marketing and manufacturing were reportedly the industries most impacted by cyber-attacks. “Marketing agencies received a significant number of Apple-related lures in 2018. This concentration of Apple lures in an industry perceived to have a high number of Apple desktops and laptops reveals that threat actors are customizing lures to specific sectors in an attempt to improve their success rate,” the report said.  

The report also found that email is one of the most common attack vectors and that “reducing this attack surface will protect UK organizations from both phishing and email-borne malware.”

Brute-Force Attempts More Common on Edge Devices

As edge devices continue to be the target of malicious attacks, security experts have found an increase in brute-force attempts, according to a new white paper released by the Cyber Threat Alliance (CTA).

Based on a compilation of research from several contributors, the white paper notes that CTA members have seen “a quiet but growing threat to edge devices since 2016. These devices are deployed at the boundaries between interconnected networks. The resulting impact of these devices – such as routers, switches and firewalls – on an enterprise and to the connected digital ecosystem can be significant.”

Edge devices are not only used to build infrastructure for future attacks; they are also used to monitor traffic and to establish persistent access to targeted networks or systems in order to steal data, and even to launch offensive cyber-attacks that deny, degrade, disrupt or destroy, according to an April 30 CTA blog post.

What’s concerning, according to CTA members, is that while attacks against edge devices continue to increase, basic protections for these devices are not keeping pace.

“This is often due to a lack of built-in security and a 'set it and forget it' mentality by owners. This report describes the security challenges for edge devices and highlights five case studies to illustrate how attackers have taken advantage of weaknesses in the systems themselves and poor security practices common to the use of edge devices,” the blog said.

According to research from Sophos, which was contributed to the white paper, “most of the attacks we saw involved a simple brute-force attempt to pass default or common username/password credentials to a selection of services, including web-based content management systems, the remote access VNC or RDP protocols, remote terminals over telnet or SSH, Internet telephony adapters, or database servers. But there were several others that sent us down a rabbit hole.”

US DHS Issues Cybersecurity Vulnerability Directive

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued binding operational directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, which requires federal agencies to remediate critical security vulnerabilities within 15 days of initial detection.

CISA explained, “A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”

This new directive supersedes BOD 15-01, which required federal agencies to review and remediate any critical vulnerabilities on internet-facing systems identified by the National Cybersecurity and Communications Integration Center (NCCIC) within 30 days of receiving the weekly Cyber Hygiene report, according to the April 29 CISA post.

Per the directive, CISA will continue to provide all federal agencies with Cyber Hygiene reports, which agencies must review. Critical vulnerabilities must then be remediated within 15 calendar days of initial detection, while those categorized as high vulnerability must be remediated within 30 days of initial detection.

“If vulnerabilities are not remediated within the specified timeframes, CISA will send a partially populated remediation plan identifying all overdue, in-scope vulnerabilities to the agency POCs for validation and population. Agencies shall return the completed remediation plan within three working days of receipt,” the agency wrote.

“This is a good initiative, one for which all reputable private sector enterprises already subscribe to via third-party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector as it is definitely a best practice in the industry,” said Mounir Hahad, head of Juniper Networks' Juniper Threat Labs.

“I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”
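The timelines the directive sets (15 calendar days for critical findings, 30 for high, and a remediation plan returned within three working days) are easy to lose track of across many hosts. The following tracker is an added example, not CISA’s or the article’s code; it assumes a constructed set of Cyber Hygiene findings and ignores public holidays when counting working days.

```python
"""Added example (not CISA's or the article's code): a minimal tracker for the
BOD 19-02 timelines described above. It takes constructed Cyber Hygiene
findings, computes each finding's remediation deadline (15 calendar days for
critical, 30 for high, both counted from initial detection) and, when anything
is overdue, the date by which the partially populated remediation plan must be
returned (three working days after receipt). Holidays are ignored, and every
host name, finding ID and date below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Calendar-day remediation windows from the directive, keyed by severity.
REMEDIATION_DAYS = {"critical": 15, "high": 30}
PLAN_RETURN_WORKING_DAYS = 3


@dataclass(frozen=True)
class Finding:
    finding_id: str                 # constructed identifier, not a real CVE
    host: str                       # constructed internet-facing host
    severity: str                   # "critical" or "high"; others are out of scope
    detected: date                  # initial detection date in the Cyber Hygiene report
    remediated: Optional[date] = None


def remediation_deadline(finding: Finding) -> date:
    """Deadline is initial detection plus 15 (critical) or 30 (high) calendar days."""
    if finding.severity not in REMEDIATION_DAYS:
        raise ValueError(f"severity {finding.severity!r} is out of scope for BOD 19-02")
    return finding.detected + timedelta(days=REMEDIATION_DAYS[finding.severity])


def is_overdue(finding: Finding, today: date) -> bool:
    """A finding is overdue while it is unremediated and past its deadline."""
    return finding.remediated is None and today > remediation_deadline(finding)


def add_working_days(start: date, working_days: int) -> date:
    """Advance by working days, skipping Saturday and Sunday (assumption: no holiday calendar)."""
    current, remaining = start, working_days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 ... Friday=4
            remaining -= 1
    return current


def overdue_report(findings: Iterable[Finding], today: date,
                   plan_received: Optional[date] = None) -> Tuple[List[Finding], Optional[date]]:
    """Return overdue in-scope findings (earliest deadline first) and the plan's return date."""
    overdue = sorted((f for f in findings if is_overdue(f, today)), key=remediation_deadline)
    if not overdue:
        return [], None
    return overdue, add_working_days(plan_received or today, PLAN_RETURN_WORKING_DAYS)


# Constructed sample: what a small agency's Cyber Hygiene findings might look like.
SAMPLE_FINDINGS = [
    Finding("F-0001", "vpn.agency.example", "critical", date(2019, 5, 1)),        # deadline 16 May
    Finding("F-0002", "www.agency.example", "high", date(2019, 4, 15)),           # deadline 15 May
    Finding("F-0003", "mail.agency.example", "critical", date(2019, 5, 10)),      # deadline 25 May
    Finding("F-0004", "portal.agency.example", "high", date(2019, 4, 1),
            remediated=date(2019, 4, 20)),                                       # fixed in time
]

if __name__ == "__main__":
    today = date(2019, 5, 20)   # a Monday, constructed
    overdue, plan_due = overdue_report(SAMPLE_FINDINGS, today)
    for f in overdue:
        print(f"{f.finding_id} {f.host} {f.severity}: deadline {remediation_deadline(f)}, overdue")
    print("remediation plan due back:", plan_due)
```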

Consumers Revolt Over IoT Security Shortcomings

The Internet Society is urging IoT manufacturers to build stronger security measures into devices after releasing new research revealing that nearly two-thirds (64%) of British consumers have concerns over the way such devices collect personal data.

The non-profit polled over 1300 adults in the UK as part of global research into the fast-growing market for connected devices.

With the majority of consumers now owning such devices, there appears to be a growing gap between their expectations regarding security and privacy and what is being provided by device makers.

Nearly half of Brits don’t trust their device to protect their privacy (48%) or handle their information responsibly (49%), while 59% think their IoT device is “creepy,” the research found.

Global respondents believe that IoT security and privacy is a shared responsibility between consumers (60%), regulators (88%), manufacturers (81%) and retailers (80%).

“Consumers have told us they accept that they have some responsibility for the security and privacy of their IoT products but that isn’t the end of the story. They, and we, want to see tangible action from manufacturers, retailers, and governments on this issue. It has to be a collective effort, not the responsibility of one group,” argued Helena Leurent, director general of Consumers International.

“We are exploring this conversation with progressive manufacturers. Together we are looking at the opportunity to create person-centered technology, that people not only enjoy using, but feel safe and secure doing so. By doing this business can address the concerns of those not engaging with this tech, and open up the benefits of the Internet of Things to everyone.”

The majority of British consumers agree, with 85% arguing manufacturers should only produce secure and privacy-protecting kit, while a similar number (86%) said retailers have a responsibility to only sell hardware that meets these standards.

The ability of consumers and retailers to differentiate between secure and potentially vulnerable IoT devices received a boost earlier this year when the European Telecommunications Standards Institute (ETSI) introduced a new globally applicable standard.

The ETSI TS 103 645 standard is based on a UK government industry code of practice introduced last year and should encourage more manufacturers to improve baseline security whilst providing buyers with a clear label of quality to look out for.

It comes a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.

Most Firms Rely on Trust Alone for Supply Chain Security

Around 70% of global organizations could be at risk from supply chain attacks because they don’t have enough visibility into their partners’ security posture, according to new Accenture research.

The consulting giant polled over 6600 IT and business executives in 27 countries worldwide to compile its findings as part of the Tech Vision report.

It revealed that just 29% of global companies know enough about their suppliers’ approach to cybersecurity. Even worse, over half (56%) claimed to rely on trust alone to satisfy any question marks over cyber-risk.

The UK was aligned with the global average, with just 29% of business and IT execs having insight into partner security processes, although the figure dropped to less than half that in China (11%) and Japan (14%).

The US (35%) and Germany (30%) boasted among the largest number of companies with supply chain insight. However, at still only around a third, many organizations would seem to be exposed to third-party attacks such as “island hopping,” which led to major breaches at the likes of US retailer Target and the US Office of Personnel Management (OPM).

Chinese state-sponsored hackers were behind another major supply chain attack in recent years: Cloud Hopper targeted firms through their managed service providers (MSPs) in what has been described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”

Accenture warned that supply chain attacks like this could account for around a quarter of the total value at risk from cybercrime over the next five years.

“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks. But the days of doing business in this medieval way are well and truly over,” said Nick Taylor, cybersecurity lead for Accenture UK. “Now, business structures resemble something more like the London Underground, with thousands of entry points. Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organizations.”

He urged organizations to collaborate more with other firms and reach out to governments to help manage these risks better.

CISOs should be included in new business discussions from the start, threat modelling must be improved by anticipating where hackers may strike, and processes should be designed to continuously assess risk as suppliers are on- and offboarded, Accenture argued.

US Church Hit in $1.8m BEC Scam

A US church has been hit by a major Business Email Compromise (BEC) attack, losing almost $1.8m after fraudsters tricked staff into changing a contractor’s payment details.

Saint Ambrose Catholic Parish — based in Brunswick, Ohio — is currently renovating its church in a Vision 2020 project. However, BEC scammers recently targeted the large monthly payments it makes to a local construction firm.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totalling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed,” explained father Bob Stec.

“Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened. Needless to say, this was very distressing information.”

Hackers are said to have compromised two email accounts to “deceive the parish and perpetrate the fraud.” It’s unclear how, although phishing is the most likely tactic.

“After reviewing our systems, to the best of our knowledge, only the email system was breached/compromised,” said Stec. “Our parish database is stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information.”

The church has submitted an urgent insurance claim in order to recoup the funds and pay its construction company, although there’s no guarantee that the policy will pay out.

The news comes a few days after an annual FBI report revealed that BEC attacks caused more losses than any other cyber-threat reported to its Internet Crime Complaint Center in 2018: a total of nearly $1.3bn.

Corin Imai, senior security advisor at DomainTools, argued the Saint Ambrose case highlights that no organization is safe from such scams.

“In addition to email filtering systems, those responsible for organizational finances should take the time to cross reference any emails they receive with those from addresses known to be genuine,” she added. “It’s better to make a legitimate transfer late than a fraudulent one promptly.”

Not Managing Open Source Opens Door for Hackers

Organizations continue to face challenges with managing open source risk, according to a new report published today by Black Duck by Synopsys.

The annual Open Source Security and Risk Analysis (OSSRA) Report analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. That is up from 2017, when the average was only 257 components per codebase.

In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).

While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.

“At the end of the day, all software is vulnerable to attack – without exception – and the nature of open source software is to shine a light on the issues it has, leading to increased visibility of bugs, not an increase in bugs,” said Cody Brocious, hacker and head of hacker education at HackerOne.

“The security risk is significantly diminished by increasing visibility. If you’re not using open source components, you’d be using closed source components – either commercially available or hand-rolled – that have just as high of a likelihood of being vulnerable. Except that you just don't know about the bugs, unlike with open source components.

“There are a multitude of tools which can be used to scan your codebase to determine which open source components (and versions) are in use, and check this against various vulnerability databases. Example tools include Dependency-check from OWASP, and commercial tools such as SourceClear and Snyk.”

Data Dispersion Yields More Off-Prem Risk

The vast majority (84%) of global organizations host critical or sensitive assets with third-party vendors, according to a comprehensive study published by The Cyentia Institute and commissioned by RiskRecon.

The study analyzed the third- and fourth-party cyber risks of 18,000 organizations across 200 countries and found that the average firm has 22 internet-facing hosts, while some maintain more than 100,000 hosts. “That matters because protecting a large internet presence is a different ballgame than protecting a tiny one, regardless of any other factors,” the report said.

Additional findings revealed that 27% of companies host their assets with at least 10 external providers. Overall, 65% are hosted on a netblock that is owned by an external entity, with 57% of firms using hosts in multiple countries.   

The growth of data dispersion has been enabled by the cloud, yet global companies are starting to see that putting sensitive enterprise and consumer data in the hands of external players creates vulnerabilities. In addition, high-value assets are three times as likely to have severe findings off-premise than on-premise, the report found.

“Since a huge portion of a modern organization’s value-generating activities relies on internet-enabled processes and 3rd party relationships, that surface is much more extensive than one might expect. In this section, we identify and measure key aspects of the internet risk surface through the data sample collected,” the report said.

“Your risk surface is anywhere your ability to operate, your reputation, your assets, your legal obligations or your regulatory compliance is at risk,” explained Kelly White, RiskRecon’s CEO and co-founder, in a press release.

“The digital transformation has moved the enterprise risk surface well beyond the internal enterprise network, with 65% of all enterprise internet-facing systems hosted with third-party providers. The data show that enterprises are not keeping up, with the security of internally hosted systems being much better managed than third-party hosted systems. This dilemma has now become critical because organizations are failing to understand how to manage their entire risk surface based on the volume of external digital exposure they face.”

Developer Reveals Phishing Exploit in Chrome

In a proof-of-concept (PoC) blog post published earlier this week, developer James Fisher disclosed a new phishing method in Chrome for mobile on Android in which the browser hides the URL bar.

After hiding the URL bar, the browser “passes the URL bar’s screen space to the web page. Because the user associates this screen space with 'trustworthy browser UI,' a phishing site can then use it to pose as a different site, by displaying its own fake URL bar – the inception bar,” Fisher wrote.

“In my proof-of-concept, I’ve just screen shotted Chrome’s URL bar on the HSBC website, then inserted that into this webpage. With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser. With yet more effort, the inception bar could be made interactive. Even if the user isn’t fooled by the current page, you can get another try after the user enters 'gmail.com' in the inception bar!”

Still, Fisher’s post has gotten a variety of responses on Twitter, with several noting that they are unable to get the PoC working on Chrome.

“Whilst the proof of concept by Mr. Fisher isn’t perfect, Google and others should consider implementing mitigation techniques like the ‘Line of Death’ to make the demarcation between browser UI and web content more obvious,” said Gavin Millard, VP of intelligence, Tenable.

“Users fall for fake websites constantly, hence the continued scourge of phishing sites, but this new approach could fool even the most cyber-savvy individual. Exploiting this could lead to confidential information disclosure and fraud.”

A Google spokesperson told Infosecurity, “Protecting users from phishing has always been important to us. We’re constantly improving more holistic solutions to phishing like Safe Browsing, security keys, and Chrome’s password manager. Our team is aware of this issue and continues to explore solutions.”

Credential Stuffing Costs Firms $4m Each Year

Credential stuffing attacks are costing EMEA businesses on average $4m each year, according to new research from Akamai.

The content delivery firm commissioned the Ponemon Institute to interview 544 IT security professionals in the region who are familiar with these attacks on their organization.

It found that companies are experiencing an average of 11 credential stuffing attempts each month, with each attack targeting 1041 user accounts.

Akamai calculated the $4m cost based on the financial impact of these attacks on application downtime ($1.2m), loss of customers ($1.6m), and the extra involvement of IT security ($1.2m) as well as the cost of follow-on fraud.

Complexity appears to be hampering efforts to contain credential stuffing. Surveyed companies had an average of 26.5 operational customer-facing websites for cyber-criminals to target via automated bot attacks.

Even more account takeover opportunities are presented by multiple log-in types across desktops, mobile web browsers, third-parties and mobile app users, it claimed.

Only a third (35%) said that they have good visibility into such attacks, while around the same number (36%) claimed they are able to quickly detect and remediate.

An overwhelming number of respondents (88%) agreed it’s difficult to differentiate real employees from imposters.

“Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks — and keeping costs under control,” argued Akamai senior director, Jay Coley.

“Companies need bot management tools to monitor their behaviors and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device.”
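One cheap signal that separates credential stuffing from ordinary failed logins, before any bot-management product is involved, is the number of distinct usernames a single source tries inside a short window. The detector below is an added example, not Akamai’s or the Ponemon Institute’s code; the log format, thresholds and IP addresses are constructed assumptions.

```python
"""Added example (not Akamai's or the Ponemon Institute's code): a simple
credential-stuffing detector run over constructed login log lines. Stuffing
differs from a plain brute-force attack: one source tries many *different*
usernames, usually once each, and almost all attempts fail. The detector keeps
a per-source sliding window and flags sources with many distinct usernames and
a low success ratio. The log format, thresholds and addresses are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["result"] == "ok"}


def detect_credential_stuffing(lines: Iterable[str],
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 20,
                               max_success_ratio: float = 0.2) -> Dict[str, Tuple[int, int, int]]:
    """Return {source_ip: (distinct_users, attempts, failures)} for sources that look like stuffing.

    A source is flagged when, within any window, it tried at least
    min_distinct_users different usernames and no more than max_success_ratio
    of those attempts succeeded. The highest distinct-user count seen is kept.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # drop events that fell out of the window
            q.popleft()
        users = {x["user"] for x in q}
        attempts = len(q)
        successes = sum(1 for x in q if x["ok"])
        if len(users) >= min_distinct_users and successes / attempts <= max_success_ratio:
            prev = flagged.get(e["ip"])
            if prev is None or len(users) > prev[0]:
                flagged[e["ip"]] = (len(users), attempts, attempts - successes)
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: one stuffing source, one real user, one single-account brute force."""
    base = datetime(2019, 5, 3, 9, 0, 0)
    lines = []
    # 203.0.113.10: 30 different usernames in 90 seconds, one of which happens to work
    for i in range(30):
        ts = base + timedelta(seconds=3 * i)
        result = "ok" if i == 17 else "fail"
        lines.append(f"{ts.isoformat()} ip=203.0.113.10 user=user{i:03d}@example.test result={result}")
    # 198.51.100.7: a genuine user who mistypes once and then logs in
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} ip=198.51.100.7 user=alice@example.test result=fail")
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()} ip=198.51.100.7 user=alice@example.test result=ok")
    # 192.0.2.99: classic brute force, 40 guesses against one account; a different
    # detector (attempts per account) should catch this one, so it is not flagged here
    for i in range(40):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} ip=192.0.2.99 user=admin@example.test result=fail")
    return lines


if __name__ == "__main__":
    for ip, (users, attempts, failures) in detect_credential_stuffing(constructed_log()).items():
        print(f"{ip}: {users} distinct usernames, {attempts} attempts, {failures} failures")
```

The one successful login from the flagged source is exactly the account-takeover event the study costs out, so the alert should feed a forced credential reset for that account, not just a block on the source address.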

Police Warn Schools About Money Mule Recruiters

Scottish police have written to every secondary school in the country warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.

Young people are typically approached online via social media ads or even WhatsApp messages, according to reports.

“People are enticed in with the belief it’s quick, easy money and assured nothing will happen to them. If you do enter into this agreement, you are breaking the law. It is a criminal offence and the effect on your life can be huge,” warned detective inspector Graeme Everest of the Organised Crime and Counter Terrorism Unit (OCCTU).

“The fraudsters involved in orchestrating mule accounts are often from serious organized crime groups and any involvement with them can be dangerous. There are victims affected by fraud across Scotland and this can have a devastating effect on people financially and emotionally. It isn’t a victimless crime and by laundering money gained from these victims, you are playing a part in this.”

Money mules could be handed a sentence of up to 14 years behind bars for laundering funds on behalf of criminal gangs.

Yet the number of young people being recruited into this burgeoning part of the cybercrime underground is increasing.

Anti-fraud non-profit Cifas reported a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018. In the first 10 months of last year alone, 9,636 money mule perpetrators under the age of 21 were identified in the UK by Cifas members.

“Money laundering is an insidious crime which helps criminals prosper from their illegal conduct,” argued Andrew Laing, deputy procurator fiscal for specialist casework.

“Parliament has viewed money laundering as a serious offence and offences of money laundering can attract long custodial sentences. [We have] been working closely with the police, other law enforcement agencies and the banks and we will take robust action against any person involved in money laundering where there is sufficient evidence to do so.”

UK Government Announces Cyber Security Ambassador

The UK government has announced the appointment of a new cybersecurity ambassador to promote the nation’s expertise in the sector to potential export markets.

Henry Pearson joins the Department for International Trade (DIT) from previous stints as adviser for GCHQ’s National Cyber Security Centre (NCSC), the Ministry of Defence, and BAE Applied Intelligence’s Detica.

He’ll be tasked with working closely with UK cybersecurity businesses looking to sign overseas deals with governments and central banks. According to the DIT, his work will mainly be focused on the Gulf and south-east Asia.

“The UK’s reputation for cyber expertise is recognized worldwide and my department is committed to ensuring the UK fulfils its global potential, with cyber exports projected to be worth £2.6bn by 2021,” said international trade secretary Liam Fox, in a statement.

“Henry’s appointment will be instrumental in ensuring our world-leading firms are able to compete on the global stage and our cutting-edge technology is the first port of call for overseas governments looking to secure their critical national infrastructure.”

Pearson joins DIT as it faces an uphill task trying to engage meaningfully with foreign markets to soften the imminent blow of leaving the world’s largest trading bloc.

His boss, Liam Fox, has been widely pilloried in the press after promising to have 40 free trade deals ready to sign “immediately” after Britain leaves the EU, scheduled for later this year.

In fact, as of February he had secured deals with just seven of the 69 countries to which the UK currently has preferential access as part of the EU, covering only £16bn of a total £117bn in trade.

According to the latest government figures, over 840 firms provide cybersecurity services in the UK, generating £5.7bn in total revenue in 2015/16. Over the previous five years (2012-17) the number of new firms operating in the sector grew over 50%.

Google Bans Chinese Developer from Play Store

App developer DO Global, a Chinese company partly owned by Baidu whose apps have accumulated over half a billion installs, has been banned from Google Play after the store received reports that its apps were part of an ad fraud scheme, according to BuzzFeed News.

As of April 26, 46 apps from DO Global had reportedly been removed from the Play store. In addition, the news outlet reported that ad inventory for purchase through Google’s AdMob networks is no longer available in DO Global apps, “suggesting the ban has also been extended to the internet giant's ad products.”

After earlier reports that a batch of the developer’s apps was part of an ad fraud scheme, Google investigated them for malicious behavior. “When we find violations, we take action, including the removal of a developer’s ability to monetize their app with AdMob or publish on Play," a Google spokesperson told BuzzFeed News.

On April 27, DO Global issued the following statement:

In the past week, we have noticed a series of reports about our apps by the media. We fully understand the seriousness of the allegations. As such, we immediately conducted an internal investigation on this matter. We regret to find irregularities in some of our products’ use of AdMob advertisements. Given this, we fully understand and accept Google's decision. Moreover, we have actively cooperated with them by doing a thorough examination of every app involved.

We would like to thank the media, our partners, and the public for their support. Moving forward, we will strictly follow relevant regulations and continue conducting a comprehensive review of our products. Lastly, during this process, we have caused misunderstandings and great concern due to our being unable to communicate in a timely manner and provide complete information. We offer our sincere apologies.

The news comes only weeks after Check Point researchers reported a clicker campaign that was using malware to conduct fraudulent activities against ad agencies in a series of infected applications from Google Play. Infosecurity has reached out to Google for comment, and this story will be updated if we receive a response.

Security Flaws in P2P Leave IoT Devices Vulnerable

Malicious actors could exploit critical security vulnerabilities in a peer-to-peer (P2P) communications technology used across millions of internet of things (IoT) devices, according to research first reported by KrebsonSecurity.

Security researcher Paul Marrapese first reported the vulnerabilities to the device vendor on January 15, 2019, but received no response. Nor did the vendor respond to a second or third advisory notice, which warned of his intent to disclose. After three months, the critical flaws were publicly disclosed on April 24.

Developed by Shenzhen Yunni Technology Company Inc., Ltd., iLnkP2P is one of several P2P communications components used by device manufacturers, according to Marrapese, who added that the vulnerabilities are specific to devices that use iLnkP2P.

On April 26, Marrapese published a blog post listing the device identifier prefixes known to be vulnerable. Warning users that attackers could exploit the P2P connection to reach IoT devices, including security cameras, without the owner’s knowledge, Marrapese wrote:

“Over 2 million vulnerable devices have been identified on the Internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.”

Marrapese also tweeted: “Millions of security cameras, baby monitors, and 'smart' doorbells have serious vulnerabilities that allow hackers to spy on their owners.”

Even if devices encrypt traffic, Marrapese said they are likely not free from the risk of being exploited. “Analysis of a wide range of devices has suggested that most devices do not employ encryption at all, or do so in an insecure fashion. Some vendors (notably VStarcam) have gone as far as outright lying about their use of encryption.”

FinServ Sees 60% Spike in Business Email Compromise

Financial services organizations are increasingly targeted by attackers using impostor emails attempting to commit fraud, according to the 2019 Email Fraud in Financial Services report published by Proofpoint.

The study analyzed more than 160 billion emails sent during 2017 and 2018 and found that business email compromise (BEC) attacks on financial services firms grew by an alarming 60% year-on-year. All of the attacks relied heavily on social engineering.

The attackers used domain spoofing to send messages that appeared to come from trusted domains and that most often requested payments under fake identities. Most of the emails were sent on Mondays between 7 a.m. and 2 p.m., when they were more likely to pass as routine business traffic to unsuspecting employees.

Of the financial services firms that were targeted, 56% reported that more than five employees were targeted by BEC attacks in the final quarter of 2018. “In other words, the identities of at least five of the companies’ employees were weaponized to target other employees within that organization. About 37% of companies were targeted using two to five spoofed employee identities,” the report said.

BEC emails aimed at financial services organizations most often carry a payment-related subject line, although attackers also use shipment-related subjects in these impostor attacks, the report said.

“While email fraud is not unique to financial services organizations, this industry’s employees hold the keys to one of the most potentially lucrative paydays for cyber-criminals. One wrong click can expose an entire brand and its customers to substantial risk and even bigger losses,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in an email.

“It is critical that organizations prioritize the implementation of solutions that defend against these attack methods, specifically against domain spoofing, display-name spoofing and lookalike domains and [that they] train employees to identify and report socially engineered attacks across email, social media and the web.”
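Kalember's three categories (domain spoofing, display-name spoofing and lookalike domains) correspond to header checks that a mail gateway or a SOC triage script can run on every inbound message. The following Python is an added example, not Proofpoint's code or anything from the report: it reads the `From` header and the gateway's `Authentication-Results` header and returns the impostor indicators it finds. The protected domain `examplebank.com`, the one-entry staff directory, the confusable-character table and the three sample messages are all constructed for illustration; a real deployment would take the domain list and directory from its own systems.

```python
"""Triage checks for impostor-email indicators (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "examplebank.com"                    # assumption: the defended domain
KNOWN_STAFF = {"jane doe": "jane.doe@examplebank.com"}  # assumption: directory lookup
PAYMENT_WORDS = ("payment", "invoice", "wire", "transfer", "shipment", "remittance")
# visual substitutions attackers use when registering lookalike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one-character typosquats sit at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Fold confusable characters so 'examp1ebank' compares equal to 'examplebank'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates PROTECTED_DOMAIN but is not it."""
    domain = domain.lower()
    if not domain or domain == PROTECTED_DOMAIN:
        return False
    brand = PROTECTED_DOMAIN.split(".")[0]
    label = normalise(domain.split(".")[0])
    return brand in label or edit_distance(label, brand) <= 1


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the gateway's Authentication-Results header."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text.lower()))


def analyse(raw: str) -> list:
    """Return the impostor indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # domain spoofing: claims to be us, but DMARC did not pass (missing header counts as a fail)
    if domain == PROTECTED_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("domain-spoofing")
    # display-name spoofing: a known colleague's name on a foreign address
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append("display-name-spoofing")
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    if any(w in msg.get("Subject", "").lower() for w in PAYMENT_WORDS):
        findings.append("payment-themed-subject")
    return findings


# constructed sample messages, not real traffic
SPOOFED = (
    'From: "Jane Doe" <jane.doe@examplebank.com>\n'
    "Authentication-Results: mx.examplebank.com; spf=fail smtp.mailfrom=examplebank.com;"
    " dkim=none; dmarc=fail header.from=examplebank.com\n"
    "Subject: Urgent wire transfer\n\nPlease process today.\n"
)
LOOKALIKE = (
    'From: "Jane Doe" <jane.doe@examp1ebank.com>\n'
    "Authentication-Results: mx.examplebank.com; spf=pass smtp.mailfrom=examp1ebank.com;"
    " dkim=pass; dmarc=pass header.from=examp1ebank.com\n"
    "Subject: Invoice attached\n\nSee attached.\n"
)
CLEAN = (
    "From: Alice <alice@partner.example>\n"
    "Authentication-Results: mx.examplebank.com; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Lunch on Thursday?\n\nStill on?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("clean", CLEAN)):
        print(f"{label:10s} {analyse(raw)}")
```

The lookalike check is deliberately narrow (first label only, distance of one, a handful of substitutions); in practice it would be fed a list of registered domains and brand names and tuned against false positives on legitimate partners.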

Docker Hub Breach Exposes 190K Users

Docker Hub has suffered a major security breach exposing around 190,000 accounts, the firm revealed to its users over the weekend.

According to an email to customers shared online, the world's largest container image library discovered unauthorized access to its platform last Thursday. The database in question is said to have stored a “subset of non-financial user data.”

“During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users),” the notice from director of Docker Support, Kent Lamb, continued.

“Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

The firm is now requiring affected users to change their Docker Hub password, and the password on any other account where the same credential was reused.

It said users can view security actions on their GitHub or Bitbucket accounts to check for any suspicious activity.

“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place,” Lamb added.

With access to users’ autobuilds, attackers could in theory inject malware into images that are then pulled and deployed in live environments.
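A stolen autobuild token lets an attacker change what gets built, and any consumer that pulls a mutable tag such as `myorg/app:latest` picks up the result on its next deploy. Pinning base images and deployed images by content digest (`image@sha256:...`) narrows that window, because a digest names one exact image rather than whatever the tag currently points at. The script below is an added example, not Docker's tooling or anything from the breach notice: it parses `FROM` instructions in a Dockerfile and flags references that are not digest-pinned, while ignoring `scratch` and references to earlier build stages. The sample Dockerfile and its all-zero digest are constructed placeholders.

```python
"""Flag Dockerfile base images that are not pinned by digest (added example)."""
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_from(line: str):
    """Return (image_ref, stage_name) for a FROM instruction, or None for other lines."""
    tokens = line.strip().split()
    if not tokens or tokens[0].upper() != "FROM":
        return None
    tokens = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=...
    if not tokens:
        return None
    stage = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
    return tokens[0], stage


def audit_dockerfile(text: str) -> list:
    """Return [(line_no, image_ref, reason)] for every unpinned registry image."""
    findings, stages = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_from(raw)
        if parsed is None:
            continue
        image, stage = parsed
        # scratch and earlier build stages are never pulled from a registry
        local = image == "scratch" or image.lower() in stages
        if stage:
            stages.add(stage.lower())
        if local or DIGEST_RE.search(image):
            continue  # content-addressed: a swapped image no longer matches the digest
        last = image.rsplit("/", 1)[-1]  # strip registry/repo path before looking for a tag
        reason = "floating tag" if ":" in last else "no tag (implicit :latest)"
        findings.append((no, image, reason))
    return findings


# constructed sample; the all-zero digest is a placeholder, not a real image
SAMPLE_DOCKERFILE = "\n".join([
    "FROM golang:1.12 AS build",
    "WORKDIR /src",
    "COPY . .",
    "RUN go build -o app .",
    "",
    "FROM --platform=linux/amd64 alpine:3.9@sha256:" + "0" * 64,
    "COPY --from=build /src/app /app",
    "",
    "FROM build AS tests",
    "FROM ubuntu",
    "FROM scratch",
])

if __name__ == "__main__":
    for line_no, image, reason in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {image} ({reason})")
```

Pinning only helps if the digest you pin was taken from an image you trust; after an incident like this one, re-derive digests from a rebuilt or vendor-verified image rather than from whatever the registry currently serves for the tag.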

Microsoft was quick to point out that its images weren’t affected by the incident.

This isn’t the first time Docker Hub has come under scrutiny for its security practices.

Last June, security vendor Kromtech claimed to have found 17 malicious Docker images that had sat on Docker Hub for an entire year, accumulating over five million downloads and enabling their authors to make $90,000 from illicit cryptomining.

Magecart Skimming Code Found on GitHub

Security experts are warning e-commerce site webmasters to be prepared for more Magecart attacks after spotting skimming code uploaded to a GitHub page.

The hex-encoded piece of JavaScript code was uploaded on April 20 by user “momo33333,” who had joined the software development platform the same day.

“Most often the skimming code — written in JavaScript and obfuscated — is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted,” explained Malwarebytes head of threat intelligence, Jérôme Segura.

“However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.”

He warned that over 200 e-commerce sites have already been injected with this particular skimming code.

According to Segura, the compromised sites load the script within their source code right after the CDATA script and/or immediately before the tag.
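For a site owner, the practical question is whether a checkout page now references a script it should not. Below is an added example in Python, not Malwarebytes' tooling or the skimmer itself: it collects every `<script>` on a page and flags external scripts whose host is not on a first-party allowlist, plus inline scripts whose body is dominated by `\x`-style hex escapes or long hex blobs, two common forms of the hex encoding the article describes. The allowlist, the host `attacker-cdn.example` and the sample page are constructed for illustration; a real scan would diff against a baseline taken from a known-good copy of the page.

```python
"""Spot unexpected or hex-obfuscated scripts in a checkout page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}  # assumption: first-party/CDN baseline
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")         # "\x63\x68..." style strings
HEX_BLOB = re.compile(r"[0-9a-fA-F]{64,}")            # long run of raw hex digits


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def looks_hex_obfuscated(body: str) -> bool:
    """Heuristic: many \\x escapes or one long hex blob inside an inline script."""
    return len(HEX_ESCAPE.findall(body)) >= 8 or HEX_BLOB.search(body) is not None


def scan_page(html: str) -> list:
    """Return (kind, detail) findings for scripts that deviate from the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or ""  # relative URLs have no host: first-party
        if host and host not in ALLOWED_HOSTS:
            findings.append(("unexpected-script-host", host))
    for body in collector.inline:
        if looks_hex_obfuscated(body):
            findings.append(("hex-obfuscated-inline-script", body.strip()[:40]))
    return findings


# constructed sample page; attacker-cdn.example is a placeholder host
SAMPLE_HTML = r"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/jquery.min.js"></script>
<script src="https://attacker-cdn.example/skim.js"></script>
<script>var _0xa=["\x63\x68\x65\x63\x6b\x6f\x75\x74","\x69\x6e\x70\x75\x74","\x76\x61\x6c\x75\x65"];</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

The host check is the one that would have caught a skimmer pulled from a public code repository: the host is legitimate, but it has no business appearing on a payment page. Running the scan on the served HTML rather than the CMS templates matters, because the injection the article describes lives in the page source the browser actually receives.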

Although the skimmer was quickly taken down after Malwarebytes informed GitHub, compromised Magento sites are still at risk of malicious injection in the future, he warned.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods,” Segura concluded. “Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.”

Back in October, a researcher warned that hackers were exploiting multiple zero-day vulnerabilities in Magento extensions which had not been patched by the vendor.

Multiple criminal groups tracked under the Magecart name covertly harvest payment card details from e-commerce sites as unwitting consumers enter them.

The latest to be identified, Group 12, was discovered in January targeting French advertising agency Adverline in a digital supply chain attack aimed at compromising the content it delivers to other sites.

Apple: We Banned Parental Control Apps for Security Reasons

Apple has claimed that its controversial decision to pull rival parental control apps from its App Store was taken on privacy and security grounds.

The tech giant had been accused of abusing its role as the gatekeeper of the iOS app marketplace by excluding third-party titles which help parents monitor and set limits on what their children can access online on their devices.

Last month, Russian AV vendor Kaspersky Lab announced it had filed an antitrust claim against the Cupertino giant in its home country, claiming that Apple’s decision to remove its app coincided with the US firm’s release of its own Screen Time app.

“By setting its own rules for that [App Store] channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” Kaspersky Lab argued.

However, Apple finally released a statement on Sunday explaining its decision, claiming that the offending apps contained mobile device management (MDM) capabilities which could introduce extra security risk.

“MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky — and a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device,” it argued.

“Beyond the control that the app itself can exert over the user's device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.”

It claimed that several developers updated their software to remove the MDM elements, while those that didn’t had their titles removed from the App Store.

“Parents shouldn’t have to trade their fears of their children’s device usage for risks to privacy and security, and the App Store should not be a platform to force this choice,” Apple continued. “No one, except you, should have unrestricted access to manage your child’s device.”

Pros Feel Aligned with Board, Still Fear a Phish

After years of requesting a seat at the table, cybersecurity professionals are starting to feel that they see eye to eye with their stakeholders, according to a new report.

The AT&T cybersecurity report surveyed 733 security experts at the RSA 2019 conference and found that the vast majority of respondents feel mostly or somewhat in sync with their executive boards when it comes to cybersecurity.

However, the report noted, “When splitting the results out by company size, a slightly different picture emerges. While the bell curve remains consistent, we see that larger enterprises appear to have a far better alignment with their stakeholders than small or medium businesses (SMBs).”

In fact, while 26% of large enterprises said they were completely aligned with their stakeholders, only 18% of SMBs stated that they were completely on the same page.

“On the other side of the spectrum 10% of SMBs felt they were not at all in alignment with their stakeholders compared to just under 7% of large enterprises,” the report said.

The results were not entirely unexpected, given that large enterprises typically have a greater pool of resources with which to establish robust security governance. SMBs, by contrast, usually have fewer stakeholders, and those they have are often unable to devote time to governance because they are focused on hitting targets, the report said.

When asked about the top threats that concerned them, nearly a third (29%) of respondents cited phishing as their greatest worry. “Phishing comes in different guises for different purposes. Sometimes phishing emails are used to deliver a malicious payload. Other times it’s to social engineer the recipient by gaining their trust or scaring them by posing as an authority to get them to make payments – as we often see in business email compromise (BEC) attacks,” the report said.

“Ultimately, this likely boils down to the fact that for most cyber threats, a technology solution is usually available to ward off attacks, but with phishing, most systems rely heavily on the email recipient being able to detect and respond appropriately.”

Amnesty International Hong Kong Attacked

The Hong Kong branch of Amnesty International has reportedly been the target of a sophisticated state-sponsored attack believed to have been carried out by a group of hostile threat actors within the Chinese government.

An April 25 press release from Amnesty International said the cyber-attack was detected on March 15, 2019, after monitoring tools identified suspicious behavior in the IT systems of Amnesty International Hong Kong.

Though the organization is not able to give specific details about the suspected cyber-criminals, the indicators of compromise identified at this stage are consistent with a well-developed adversary, according to the press release. Initial findings of cyber-forensic investigators suggest that the attackers used similar tools and techniques known to be associated with advanced persistent threat (APT) groups within the Chinese government.

“This sophisticated cyber-attack underscores the dangers posed by state-sponsored hacking and the need to be ever-vigilant to the risk of such attacks. We refuse to be intimidated by this outrageous attempt to harvest information and obstruct our human rights work,” said Man-kei Tam, director of Amnesty International Hong Kong, in the press release.

“The privacy and safety of all those we work with remains our priority. We took swift action to secure our systems and have provided guidance to help individuals ensure their personal data is protected. We take the privacy of our supporters’ information extremely seriously. We have contacted all individuals whose details may have been put at risk and urge anyone concerned to get in touch,” Tam said.

Human rights defenders have been the target of multiple attacks across the globe, and Amnesty International noted that its staff have been targeted with surveillance attempts since a 2016 law granted Chinese authorities new powers to restrict the work of human rights activists, the press release said.

Data Protection Commission Investigates Facebook

After Facebook alerted the Data Protection Commission (DPC) that it had found hundreds of millions of user passwords stored in its internal servers in plain text format, DPC launched an investigation to determine whether the company had acted in compliance with the General Data Protection Regulation (GDPR), according to an April 25 press release.

According to its website, the DPC is the Irish supervising authority for GDPR and is the national independent authority charged with data protection rights of individuals in the EU.

“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR,” a statement from the DPC said.

Though a Facebook spokesperson told Business Insider, “We are working with the IDPC on their inquiry. There is no evidence that these internally stored passwords were abused or improperly accessed," the accidental mishandling of these passwords could result in a multi-billion-dollar fine for the social media company, according to the news outlet.

The news comes only days after Facebook said it had unintentionally uploaded – without consent – the email contacts of 1.5 million users. Earlier this month, Infosecurity also reported that over half a billion Facebook records had been left exposed by third-party app developers.

Facebook announced on March 21, 2019, that it had found some passwords being stored in readable format on its internal data storage systems, and the company updated that post on April 18 to add: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”
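Facebook's update describes the passwords turning up in logs, and that is the usual mechanism behind "plaintext password" incidents: an application logs a request body, query string or form dictionary wholesale and the password rides along. A redaction step in the logging pipeline is the control. The code below is an added example, not Facebook's fix: it defines a `logging.Filter` that rewrites sensitive `key=value`, JSON and query-string fields before a record reaches any handler, so the value never hits disk. The list of key names and the sample log lines are constructed for illustration.

```python
"""Redact credentials from log records before they are written (added example)."""
import logging
import re

# assumption: the field names worth scrubbing in this application's logs
SENSITIVE = r"(?:password|passwd|pwd|secret|token|api[_-]?key)"
# JSON-style  "password": "value"   (value may contain escaped quotes)
QUOTED_RE = re.compile(r'(?i)("' + SENSITIVE + r'"\s*:\s*)"(?:\\.|[^"\\])*"')
# key=value / key: value in query strings, form dumps and free text
KV_RE = re.compile(r"(?i)\b(" + SENSITIVE + r")(\s*[=:]\s*)[^\s&,;\"']+")


def redact(text: str) -> str:
    """Replace the value of every sensitive field, leaving the key visible for debugging."""
    text = QUOTED_RE.sub(r'\1"[REDACTED]"', text)
    return KV_RE.sub(r"\1\2[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Render the record's message early, scrub it, and drop the raw args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # args are gone, so a '%' left in the text is safe
        return True       # always keep the record; we only rewrite it


def scrubbed_message(fmt: str, *args) -> str:
    """Build a record the way logging does, run it through the filter, return the text."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("app")
    # a logger's filters run on the records it creates before any handler sees them
    log.addFilter(RedactingFilter())
    log.info("login user=%s password=%s ip=%s", "alice", "hunter2", "10.0.0.5")
    log.info('{"user": "alice", "password": "hun\\"ter2"}')
    log.info("GET /reset?token=abc123&user=bob")
```

Attach the filter to the handlers as well as the logger if child loggers propagate records upward, since a logger's own filters do not run on records propagated from its children. Redaction of this kind is a backstop, not a substitute for never passing credentials to the logger in the first place.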

CISOs Consider Quitting Industry Over Surging Stress

IT security leaders across Europe are considering quitting their job over the stress they’re suffering due to mounting threats, compliance pressures and growing complexity, according to Symantec.

The security giant teamed up with research consultancy Thread and Chris Brauer of Goldsmiths, University of London, to compile its High Alert study, based on interviews with 3,000 security decision makers in the UK, Germany and France.

Some 82% claimed they felt burned out, with nearly two-thirds saying they’re thinking about leaving their job (64%) or quitting the industry altogether (63%).

Regulations like the GDPR and NIS Directive are the number one source of stress (86%), with two-fifths (40%) concerned that they would be held responsible in the event of a breach. Skills shortages (80%), the size and complexity of the IT environment (82%) and the growing volume of threats (82%) also ranked high.

Brauer, who is director of innovation at the London university, argued that stress can have a serious impact on decision making.

“It impairs your memory, disrupts rational thinking and negatively impacts every cognitive function you have. In an industry like cybersecurity, which requires focus, creative thinking, attention to detail and rational decisions in high pressure scenarios, stress can be crippling,” he added.

“Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already suffering a skills shortage, this kind of stress can present a significant risk.”

Tool bloat appears to be another major cause of this stress. Over three-quarters (79%) of respondents claimed that “too many products/vendors” is the cause of growing pressure at work, while 68% said they felt “paralyzed” by the huge volume of threat alerts deluging the department.

“The current patchwork approach to security tooling and strategy is creating more problems than it solves,” argued Symantec EMEA CTO, Darren Thomson. “There’s so much daily noise that it’s near impossible to work out what might be a false positive and what might be a sign of a stealthy targeted attack. Meanwhile the overlaps and gaps between defensive systems present hackers with new opportunities for exploitation.”

The findings of the report chime with a similar study from Nominet back in February, which revealed that nearly all (91%) of US and UK CISOs suffer from moderate or high stress.

#CYBERUK19: NCSC and ICO Clarify Roles to Assist Incident Response

The UK’s National Cyber Security Centre (NCSC) and regulator the Information Commissioner’s Office (ICO) have agreed to clarify their roles and improve coordination, in a move designed to make it easier for breached organizations to reach out to the right body.

At the CYBERUK conference in Glasgow yesterday, the two set out their distinct roles and responsibilities.

GCHQ body the NCSC is tasked with dealing with incidents of “national importance” and is on hand to help victim organizations in the immediate aftermath of an attack to better understand the incident.

Although it will encourage organizations to meet their requirements under the GDPR and NIS Directive, its free advice will be given confidentially, with no information shared with GDPR regulator the ICO without seeking consent first.

The ICO will then be on hand to help organizations take the right steps to mitigate any risks to individuals’ data, and ensure a proper investigation is set up and that legal responsibilities are met.

Both have agreed to share anonymized and aggregated info to better understand risk, and to amplify each other’s messages to provide consistent advice.

ICO deputy commissioner of operations, James Dipple-Johnstone, argued that organizations need to better understand what to expect if they suffer a breach.

“The NCSC has an important role to play in keeping UK organizations safe online, while our role reflects the impact cyber-incidents have on the people whose personal data is lost, stolen or compromised,” he clarified.

“Organizations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Joseph Carson, chief security scientist at Thycotic, welcomed the NCSC’s commitment to confidentiality.

“Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber-incident when time is critical knowing it is the business’s responsibility to report the incident to the ICO,” he said.

“During a cyber-breach working with the NCSC can help the business potentially recover quickly and ensure it can be investigated, giving the business time to identify whether or not they are required to report the incident to the ICO.”

Attacks on Businesses Soar 235% in Q1

A surge in ransomware and trojans in the first three months of the year led to a massive 235% year-on-year increase in detected cyber-threats to businesses in Q1 2019, according to Malwarebytes.

The security vendor’s Cybercrime tactics and techniques report for the first quarter revealed a definite shift from consumers to businesses, which is apparently hitting SMBs with fewer IT resources particularly hard.

The more business-focused aims of hackers in 2019 were particularly noticeable in the ransomware category. Here, consumer detections decreased 10% from the previous quarter and 33% year-on-year, whereas attacks against corporate targets surged 195% from the previous quarter and over 500% from the same time last year.

In a similar way, consumer detections of cryptomining malware have now dropped to almost nothing, thanks in part to the decision by Coinhive to shut down its operations. However, attacks against businesses continue to rise, especially in APAC, the report revealed.

Malwarebytes claimed these increases could be due to the Troldesh strain, which was prolific in attacks against US organizations early on in the quarter.

Elsewhere, detections of trojans like Emotet on business endpoints increased by over 200% from the previous quarter and nearly 650% year-on-year.

Malware against Macs also spiked at the start of the year. Malwarebytes noted a 60% increase from Q4 2018 to Q1 2019, while adware increased by over 200% from the previous quarter.

On the plus side, there was a significant decline from the previous quarter in detections of backdoor (-80%) and hijacker (-73%) malware. The former can be accounted for by a decline in activity from the Backdoor.Bot campaign in APAC, the report claimed.

“Consumers might breathe a sigh of relief seeing that malware targeting them has dropped by nearly 40%, but that would be short-sighted,” said Adam Kujawa, director of Malwarebytes Labs.

“Consumer data is more easily available in bulk from business targets … Cyber-criminals are using increasingly clever means of attack to get even more value from targets through the use of sophisticated trojans, adware and ransomware.”

State of Washington Expands Breach Notice Laws

A new law in Washington state expands the rules governing when consumers must be notified after a malicious actor gains access to their personal data, according to a press release from the state’s office of the attorney general (AG).

In response to AG Bob Ferguson’s request for legislators to strengthen the state’s data breach notification laws, lawmakers voted unanimously in favor of HB 1071-2019-20, which the speaker signed on April 24.

“Not only is the amount of data being collected and stored about consumers increasing, the number of breaches of secure storage of the data is increasing at an alarming rate as well," Rep. Shelley Kloba, who sponsored the bill, said in the press release.

“This bill updates our consumer protection laws to shorten the notification time from 45 days to 30 days, so that consumers are made aware of a breach more quickly and can take protective action. Additionally, companies who collect and store data will need to pay more attention to safeguarding it against internal and external threats.”

In addition to shortening the notification window, the consumer data breach notification bill expands the definition of covered information to include usernames, passwords and passport numbers. The earlier law had only required notification when a breach exposed a consumer’s name together with other personal information, such as a Social Security or driver’s license number.

“My office has seen the number of Washingtonians impacted by data breaches increase year after year,” Ferguson said in the press release. “Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”

Two senators sponsored a companion bill, SB 5046-2019-20, which remains in the Senate committee; however, another bill that would give citizens the right to know the types of data that companies are collecting, storing and selling has yet to pass the state’s legislature, according to a Tripwire blog post.

“This bill overwhelmingly cleared Washington’s Senate floor earlier in 2019 after a vote of 46 to 1,” the blog said, but it has not yet arrived on the floor of the House.

Fake Social Accounts Multiply; Can Users ID Them?

Despite Facebook and Twitter repeatedly removing illegitimate accounts from their social media platforms, the number of impersonating accounts increased 56% from 2017 to 2018 and is projected to continue to grow by 30% in 2019, according to research from ZeroFOX.

Because of this rapid proliferation of fake accounts, it is becoming increasingly more difficult for users to distinguish between accounts that are real or fake, the research found. In an April 23 blog post, ZeroFOX’s Diana Parks wrote, “There is no denying that fake profiles run rampant on social media and digital platforms. Between October 2017 and September 2018, Facebook alone removed almost 2.8 billion illegitimate accounts worldwide. By some estimates, this accounts for between 25–35% of all Facebook accounts.”

While fake accounts online are inevitable, they are also highly problematic and pose security risks to individuals and organizations. Bad actors use fraudulent accounts to target individuals using social engineering. Others use fake accounts for scams or to distribute malicious content, phishing and malware, or even inappropriate content.

Still, not everyone can easily tell which social media accounts are fake. Despite a 2018 post offering users tips on how to spot a fake account, the number of impersonating profiles has increased across social networking sites. This continued growth prompted ZeroFOX to develop a quiz in which users are challenged to correctly identify the fake social media account.

In addition, research from the ZeroFOX Alpha team found that since 2017 there has been a steady growth in the number of both brand and executive impersonations. “Between 2017 and 2018, brand impersonations for ZeroFOX customers increased by 5%. Based on current projections, the ZeroFOX Alpha Team anticipates an estimated 17% increase in brand impersonations over the next year. The numbers are even more staggering for executive impersonations,” Parks said.

Fake accounts impersonating top executives and VIPs reportedly grew by over 300% between 2017 and 2018 and are expected to rise another 47% in 2019.

ASUS Not Alone in ShadowHammer Supply Chain Attack

Researchers believe that Taiwanese technology giant ASUS was not the only company hit in last month’s supply chain attack, dubbed Operation ShadowHammer. According to Kaspersky Lab, the attackers infiltrated at least six other organizations during the operation.

“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky researchers wrote in a blog post. Electronics Extreme Co. Ltd., a game developer from Thailand, was among the vendors listed as having released digitally signed binaries of a video game called Infestation: Survivor Stories, which was reportedly taken offline in 2016.

“This weaponization of code signing is direct evidence that machine identities are a beachhead for cyber-criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected,” said Michael Thelander, director of product marketing, at Venafi.

“No one should be surprised at how extensive this attack is. Due to their wide reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”

Supply chain attacks have become increasingly concerning, according to the 2019 Internet Security Threat Report, which found that supply chain attacks rose by 78% between 2017 and 2018, prompting US intelligence agencies to partner in designating April as Supply Chain Integrity Month.

“Software subversion attacks – such as the ASUS Live Update intrusions – are particularly difficult to thwart because they are incredibly sophisticated and highly targeted,” said Chris Duvall, senior director at The Chertoff Group.

“Unfortunately, due to the apparent success rate, we can expect to see a continued surge in the use of third-party applications as the back channel into networks. While not a panacea, we advise clients to help prevent these attacks by assessing file integrity whenever possible and maintaining good cyber hygiene through configuration hardening, vulnerability management, segmentation.”

IoT Set to Put Strain on Cyber Skills Market

UK demand for cybersecurity skills rose 10% year-on-year in the last quarter of 2018, with adoption of the Internet of Things (IoT) technologies set to put further strain on the market going forward, according to Experis.

The recruitment company’s latest Experis Industry Insiders report revealed a near 17% increase in advertised cybersecurity roles from the previous quarter, to 13,214.

However, average permanent salaries actually dropped slightly, by 2% year-on-year to £58,557, as employers sought out short-term solutions to fill their skills gaps. Contractor day rates jumped nearly 20% over the previous year, to £505.

In the IoT space, the number of new roles advertised jumped 49% quarter-on-quarter to Q4 2018. Permanent (1.5%) and contractor (4%) average salaries both increased.

“IoT offers huge opportunities for organizations, if they have the right cybersecurity foundations in place to take advantage of new innovations safely. We can see that there is a strong demand for top talent, but the market is struggling to keep pace,” argued Experis director of specialist markets, Martin Ewings.

“Businesses are having to be creative and take a blended approach to their talent acquisition strategies — tapping into the contractor market to build a hybrid team of permanent and temporary workers. In doing so, they can have fast access to the skills they need right now, while taking a longer-term view by building permanent capabilities and investing the time required to enable strategic development.”

However, building these permanent capabilities will be challenging given continued global shortfalls. Skills shortages in cybersecurity have reached nearly three million worldwide, including 142,000 in EMEA, according to (ISC)2.

Defense contractor Raytheon is doing its bit by announcing this week a new cyber-apprenticeships scheme as part of a £2m investment strategy which also includes a Cyber Academy to train university students.

The firm claimed there would be opportunities for 70 cyber-apprentices each year for the two-year program, which offers an alternative to three- and four-year degree courses. Plans are in place to certify around 280 apprentices over four years.

Dark Web’s Wall Street Market Suspected of Exit Scam

Dark web drugs marketplace Wall Street Market appears to have become the latest underground site to be hit by an exit scam, taking with it an estimated $30m of users’ money.

News has swirled for days that the site’s owners are about to pull the plug, with suspicions raised after an official moderator published a notice claiming that it had suffered a server crash. This meant it was unable to synchronize bitcoin wallets with the blockchain, the individual claimed.

“Due to this incident, we were forced to send crypto assets manually to the waiting list bitcoin wallet, as we have to wait for this process to complete, so that coins can be sent to the appropriate matching escrow wallet,” the post continued.

“Our technical advisors said that the platform will soon shift to the maintenance mode in order to prevent sending of more bitcoins, and they estimated the synchronization process to be successfully completed yesterday.”

However, multiple posts on dark web Reddit-like forum Dread claim this is merely a distraction designed to buy the administrators time while they drain funds, according to Deepdotweb.

Users have also taken to Reddit to complain about problems with the site, suggesting that its owners have decided to exit scam after a large influx of users and money that came from the recently shuttered Dream Market.

Exit scams typically occur when dark web sites stop shipping orders but continue to accept payment. Once a significant pot of money is built up in escrow, the administrators take it and close the site.

This latest incident highlights the continued uncertainty of doing business on the dark web. Law enforcers have done their best to disrupt some of the biggest marketplaces in recent years, notably with the take downs of Hansa and Alpha Bay in 2017.

Things had begun to stabilize since then, but exit scams are a constant concern and widely seen as a cost of doing business on the dark web.

It could be that the administrators of Wall Street Market decided to do a runner with the money rather than face the potential scrutiny of investigators.

Report: 42% of Used Drives Sold on eBay Hold Sensitive Data

A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.

As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analyzed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.

What’s more, 15% of the drives assessed were found to contain personally identifiable information (PII), despite sellers surveyed by Blancco as part of the research stating they had used proper data sanitization methods to ensure no data was left behind. This worrying finding suggests that although sellers recognize the need to remove any data before looking to sell-on a storage drive, the methods they are using are inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” said Fredrik Forslund, VP, cloud and data erasure, Blancco. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.”

It is also clear that there is confusion around the right methods of data erasure, Forslund added, as each seller was under the impression that data had been permanently removed.

“It’s critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime.”

“Deleting data is notoriously difficult,” added Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.

“Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can't be plugged in easily. The data, however, persists.

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace ‘three times,’ which feels a little like overkill to laypeople. It does matter, though, when the data you have is in trust from and for other people.”

#CYBERUK19: GCHQ Ramps Up Intelligence Sharing with UK Firms

GCHQ boss Jeremy Fleming has revealed how the government listening post has improved its collaboration with UK businesses over the past year, to enable intelligence sharing within seconds.

Fleming told an audience of IT security professionals at the government’s CYBERUK conference in Glasgow yesterday that the agency is sharing intelligence with banks to enable real-time customer alerts, as well as the wider business community.

“In the last year we have made it simple for our analysts to share time critical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken,” he added.

“In the coming year, we will continue to scale this capability so — whether it's indicators of a nation state cyber actor, details of malware used by cyber-criminals or credit cards being sold on the dark web — we will declassify this information and get it back to those who can act on it.”

This is the result of the Industry100 initiative coordinated by GCHQ’s National Cyber Security Centre (NCSC). Fleming claimed it had been so successful that the project will be made permanent in the future.

Another sign of its effectiveness came in helping protect smaller firms against what appears to have been a Magecart campaign.

“This year, we identified over 1200 sites which were serving malicious code to illicitly copy credit card transactions,” said Fleming. “We were able to help these small businesses fix the problem and protect their customers and their reputation.”

The government’s vision to make the UK the safest place to live and work online will require a “national effort” to achieve — involving both public and private sectors and consumers, he claimed.

Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu, agreed that public-private partnerships are key to tackling cyber-threats.

“By working collaboratively, organizations can share with each other, their partners and government, practical knowledge, intelligence and technological innovation that helps fight cybersecurity threats and increase resilience,” she added. “In order to make a stand and stop cyber-criminals, we must unite in our efforts to tackle the continuing challenge that we all face.”

Jake Moore, cyber security specialist at ESET, also welcomed the industry outreach efforts by GCHQ.

“GCHQ working more closely with banks and other businesses can’t come soon enough. Consumers have been in desperate need for help and support from law enforcement for quite some time as so few people are aware of how to protect themselves online,” he argued.

“Cybersecurity awareness is a national issue and those who are unaware of the magnitude of the problem require extra support. Sharing intelligence in real time with banks might be the difference between someone losing their life savings and being able to stop the attack in the first place.”

Insider Threats a Top Risk to Healthcare

Across the healthcare sector, ransomware is reportedly no longer the most prevalent security threat, according to new research from Vectra that found attacks decreased during the second half of 2018.

The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur much more frequently than hacking. In addition, a growing number of errors are the result of unmanaged devices and lateral movement of device-to-device communication.

Based on data from the Attacker Behavior Industry Report (2019 RSA Conference Edition), researchers also observed network behaviors from a sampling of 354 opt-in enterprise organizations in healthcare and eight other industries.

Among the findings, the report noted that attackers hide command-and-control communications in healthcare networks using HTTPS tunnels. “Hidden HTTPS tunnels are the most common behavior detected in healthcare. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic,” the report said.

Researchers also found that hidden domain name system (DNS) tunnels were commonly used to mask data exfiltration behaviors, as these behaviors can also be caused by IT and security tools that use DNS communication.

The second most-common behavior consistent with data exfiltration in healthcare, according to the research, is the smash and grab. “This occurs when a large volume of data is sent to an external destination not commonly in use, in a short period of time.”

Security cameras are able to quickly send mass volumes of data to a hosted cloud site, but smash-and-grab behaviors can appear to be normal operation for an IoT device. As a result, low and slow attackers are able to use it for obfuscation.
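The smash-and-grab behaviour described above (a large volume of data sent to a destination not commonly in use, within a short period) can be expressed as a simple detection rule. The code below is an added example, not Vectra's detection logic: it builds a baseline of "commonly used" destinations from constructed flow history, so that a security camera's routine bulk upload to its known cloud host is not flagged, and then alerts on large transfers to unfamiliar destinations inside a sliding window. Hosts, destinations and byte counts are constructed sample values.

```python
"""Added example (not from the article or Vectra): a baseline-aware
smash-and-grab detector over constructed NetFlow-style records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Flow:
    ts: datetime
    src: str        # internal host
    dst: str        # external destination (IP or hostname)
    bytes_out: int  # bytes sent from src to dst in this flow


def build_baseline(history: List[Flow], min_days: int = 3) -> Set[str]:
    """A destination counts as 'commonly in use' when the history shows
    traffic to it on at least `min_days` distinct days. This is what keeps
    an IoT camera's daily upload to its cloud host from raising alerts."""
    days: Dict[str, Set] = defaultdict(set)
    for f in history:
        days[f.dst].add(f.ts.date())
    return {dst for dst, seen in days.items() if len(seen) >= min_days}


def detect_smash_and_grab(
    flows: List[Flow],
    baseline: Set[str],
    window: timedelta = timedelta(minutes=10),
    threshold: int = 500_000_000,
) -> List[Tuple[str, str, int]]:
    """Return (src, dst, bytes) for each host that pushed more than
    `threshold` bytes to a non-baseline destination within any `window`.
    Note this deliberately targets the fast, bulky pattern; a low-and-slow
    exfiltration spread over days would stay under the threshold."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst in baseline:
            continue  # known destination: routine bulk traffic is expected
        by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), fs in by_pair.items():
        start, total = 0, 0
        for end, f in enumerate(fs):
            total += f.bytes_out
            # Slide the window start forward until it fits within `window`.
            while fs[end].ts - fs[start].ts > window:
                total -= fs[start].bytes_out
                start += 1
            if total > threshold:
                alerts.append((src, dst, total))
                break  # one alert per (src, dst) pair is enough
    return alerts


# Constructed history: a camera at 10.0.5.20 uploads to its cloud host daily.
T0 = datetime(2019, 4, 1, 9, 0)
HISTORY = [
    Flow(T0 + timedelta(days=d), "10.0.5.20", "cam-cloud.example", 700_000_000)
    for d in range(5)
]

# Constructed current-day flows (documentation IP ranges used as destinations).
TODAY = datetime(2019, 4, 8, 14, 0)
CURRENT = [
    Flow(TODAY, "10.0.5.20", "cam-cloud.example", 900_000_000),  # baseline dst
    Flow(TODAY + timedelta(minutes=1), "10.0.7.41", "203.0.113.9", 200_000_000),
    Flow(TODAY + timedelta(minutes=3), "10.0.7.41", "203.0.113.9", 200_000_000),
    Flow(TODAY + timedelta(minutes=5), "10.0.7.41", "203.0.113.9", 200_000_000),
    Flow(TODAY + timedelta(minutes=2), "10.0.7.55", "198.51.100.7", 100_000_000),
    Flow(TODAY + timedelta(hours=3), "10.0.7.41", "203.0.113.9", 200_000_000),
]


def run_example() -> List[Tuple[str, str, int]]:
    """Only 10.0.7.41 trips the rule: 600 MB to an unfamiliar host in 5 min."""
    return detect_smash_and_grab(CURRENT, build_baseline(HISTORY))


if __name__ == "__main__":
    for src, dst, total in run_example():
        print(f"ALERT smash-and-grab: {src} -> {dst}, {total} bytes")
```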

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”

Magecart Swoops in to Strike Atlanta Hawks Shop

The online shop for the Atlanta Hawks currently states that it is temporarily down for maintenance, and according to Sanguine Security, the ecommerce site is the latest victim of a Magecart attack.

In the wild, hawks hold their place at the top of the food chain. On the court, the Atlanta Hawks boast 29 wins for the 2018–2019 season. The ecommerce store, though, reportedly has a weak link in its supply chain.

"Yesterday, we were alerted that the host site for HawksShop.com was subject to an isolated attack," a spokesperson for the Hawks organization said. "We take these matters of security and privacy extremely seriously. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident.

"At this stage of the investigation, we believe that less than a handful of purchases on HawksShop.com were affected. We are continuing to investigate and will provide updates as needed."

According to an April 23 post, Magecart thieves injected a payment skimmer in the online store of the Atlanta Hawks. 

“As many online stores do, the Atlanta Hawks shop also runs Magento Commerce Cloud 2.2, a commonly used enterprise-grade e-commerce system, owned by Adobe. While Magento itself is quite secure, attackers often use insecure third-party components to gain access to the core of the shop system,” Sanguine Labs wrote.

Leveraging vulnerabilities in third parties has proven successful for the Magecart group, which is also reportedly responsible for infecting hundreds of websites via supply chains. “Cyber-criminals have found that this card-skimming malware is stealthy and effective in securing credit card information off of websites. This payment card information can have a huge impact on customers, far beyond the unauthorized use of their cards,” said Ryan Zuk, VP of customer success for NuData Security, a Mastercard company.

“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. Using these real identities, and sometimes fake identities with valid credentials, allows cyber-criminals to take over accounts, apply for loans and much more. This is why more companies today are implementing user verification platforms that include passive biometrics that verify users based on more parameters than just their personally identifiable information.”

Sanguine Labs reported that the time frame for detection is small, with new attacks being discovered each week. In addition to using automation to identify and prevent attacks, “passive biometric technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it challenging for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behavior,” Zuk said.

Online Fitness Store Gets One-Upped by Hackers

Lifting weights might build strength for the body, but for customers of Bodybuilding.com, bulking up wasn’t enough to stop hackers from stealing their personal data. According to a security notice issued by the popular online fitness store, Bodybuilding.com recently experienced a security incident that may have affected customer information.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” according to the statement.

“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”

In the aftermath of discovering the incident, the company contacted law enforcement and brought in external forensic investigators. Additionally, the notice to customers said that the company will be forcing a password reset upon the next login for all of its customers.

The company does not store full credit or debit card information, but customers do have the option of storing card information in their accounts. In those cases, Bodybuilding.com only stores the last four digits of the card, and according to the statement, it never stores the full card number.

“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the company said, adding that much of the information in the BodySpace profile is already public.

“We’re never out of danger from a data breach of our personal information and passwords, as the Bodybuilding.com incident reminds us. Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures,” said Oscar Tovar, vulnerability verification specialist, WhiteHat Security.

“Since Bodybuilding.com’s breach was a phishing attack, this showcases the importance of ongoing security training for employees. Organizations’ people continue to be the single largest threat vector for successful breaches. In addition, this paints a large target on an organization making them an easy target for hackers, who can exploit them and gain access to sensitive information. Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern.”

FBI: BEC Losses Surged to $1.3bn in 2018

The FBI dealt with cyber-attacks causing losses of over $2.7bn in 2018, nearly half of which were linked to Business Email Compromise (BEC) scams.

In total, there were over 20,000 victims of BEC/Email Account Compromise (EAC) last year, leading to losses of just under $1.3bn, the largest of any cybercrime type. The nearest to this were confidence fraud/romance scams ($362m) and investment cybercrime ($253m), according to the 2018 Internet Crime Report.

The FBI noted an increase in the number of gift card BEC scams, of the sort spotted by Agari recently. The security vendor claimed fraudsters are increasingly transferring their victims from email to mobile communications early on in the scam.

The largest group losing money to cyber-criminals was the over-60s ($649m), followed by the 50-59 age group ($495m). This could be partly explained by the continued prevalence of tech support scams which predominantly target the elderly. There were over 14,000 reported victims last year, linked to losses reaching almost $39m — a 161% increase from 2017.

Elsewhere, the number of reported ransomware victims dropped from 1783 to 1493 cases. However, the losses incurred by these victims rose from $2.3m to $3.6m. What’s more, these estimates don’t include lost business, wages, files, equipment, productivity or third-party remediation.

“In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents,” the report claimed.

Finally, the FBI also noted a strong surge in extortion-related attacks in 2018. The 51,000+ complaints it received accounted for losses of over $83m, a 242% increase on 2017 figures. These included DoS attacks, “hitman schemes,” sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Online Thief Cracks Private Keys to Steal $54m in ETH

An individual or group of hackers have managed to amass over $54m in stolen digital currency by raiding digital wallets improperly secured with private keys, according to a new report.

Consultancy Independent Security Evaluators (ISE) claimed the “Blockchainbandit” had taken advantage of poorly implemented private keys to transfer nearly 38,000 Ethereum (ETH) out of the targeted wallets to one under its control.

That was the figure as of January 13, 2018, but it may be many times greater today, the firm warned. In a test operation, it placed a dollar’s worth of ETH in a weak private key-derived wallet and saw it transferred out to the attacker within seconds.

In total, ISE claimed it was able to guess or duplicate 732 weak private keys in use on the Ethereum blockchain, highlighting a potential issue with key generation by developers.

The firm suggested that programming errors in the software generating these keys have made them easy to brute force.

It hypothesized that a 256-bit private key may have been truncated due to coding mistakes, meaning it’s insufficiently complex. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”

It’s even possible that users were allowed to choose their own keys, it’s claimed.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive partner Ted Harrington.

ISE urged developers to use well-known libraries or platform-specific modules for random number generation; use a cryptographically secure pseudo-random number generator; audit code for truncated keys; and use multiple sources of entropy. It also claimed developers should review NIST guidelines on cryptographic random number generation.
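To make the truncation hypothesis and ISE's recommendations concrete, the following added example (not ISE's code, and not code from the article) shows a constructed key-derivation bug that silently keeps only 32 of the intended 256 bits, the correct generation path using the operating system's CSPRNG, and an audit check of the kind a code review could run to catch keys whose effective length is far below 256 bits. The bug, seed and thresholds are constructed for illustration; the secp256k1 group order is the real constant.

```python
"""Added example (not from ISE or the article): truncated-key bug beside
correct CSPRNG-based generation, plus an audit check for gross key defects."""
import hashlib
import secrets
from typing import List

KEY_BYTES = 32  # an Ethereum (secp256k1) private key is 256 bits

# Order of the secp256k1 group: a valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def buggy_private_key(seed: bytes) -> bytes:
    """Constructed bug of the kind ISE hypothesised: the developer meant to
    keep the whole 32-byte digest, but a wrong slice keeps only the last 4
    bytes and zero-pads the rest. The key still 'looks' like 32 bytes, yet
    carries only 32 bits of entropy and is trivially guessable."""
    digest = hashlib.sha256(seed).digest()
    short = digest[-4:]                     # <- truncation error
    return short.rjust(KEY_BYTES, b"\x00")  # padding hides the defect


def secure_private_key() -> bytes:
    """Correct generation: 32 bytes straight from the OS CSPRNG, rejecting
    the astronomically rare values that fall outside the valid range."""
    while True:
        key = secrets.token_bytes(KEY_BYTES)
        k = int.from_bytes(key, "big")
        if 1 <= k < SECP256K1_N:
            return key


def effective_bits(key: bytes) -> int:
    """Bit length of the key read as a big-endian integer. Leading zero
    bytes, the signature of a truncated or tiny key, shrink this value."""
    return int.from_bytes(key, "big").bit_length()


def audit_private_key(key: bytes, min_bits: int = 200) -> List[str]:
    """Return findings a review should treat as blocking. An empty list means
    no gross defect was found; it does not prove the generator is random."""
    findings: List[str] = []
    if len(key) != KEY_BYTES:
        findings.append(f"wrong length {len(key)} bytes, expected {KEY_BYTES}")
        return findings
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        findings.append("value outside the valid secp256k1 range")
    bits = effective_bits(key)
    if bits < min_bits:
        # A genuinely random 256-bit key has fewer than 200 significant bits
        # with probability 2**-56, so this almost never fires on good keys.
        findings.append(f"only {bits} effective bits; looks truncated")
    if len(set(key)) <= 2:
        findings.append("byte pattern has almost no variety; suspicious")
    return findings


if __name__ == "__main__":
    weak = buggy_private_key(b"constructed seed")
    print("buggy key findings:", audit_private_key(weak))
    print("secure key findings:", audit_private_key(secure_private_key()))
```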

UK Government Allows Huawei to Provide ‘Non-Core’ 5G Kit

The British government has decided to allow Huawei to provide equipment for carriers’ 5G networks, but only ‘non-core’ technology, according to reports.

Prime Minister Theresa May made the decision after a meeting of the National Security Council (NSC), despite apparent concerns raised by foreign secretary Jeremy Hunt, home secretary Sajid Javid, defence secretary Gavin Williamson, and international development secretary Penny Mordaunt.

The partial ban will see the Shenzhen giant only able to provide equipment such as antennas, which are not deemed a potential national security risk. However, the distinction between what constitutes the 5G core and non-core has been questioned by intelligence chiefs.

Australian Signals Directorate director-general, Mike Burgess, warned in a speech last year: “The distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

For its part, GCHQ has been fairly measured in its treatment of Huawei, despite growing pressure from the US to follow its lead with an outright ban.

In a speech in Singapore earlier this year, director Jeremy Fleming focused on the need for greater competition in the 5G market to improve cybersecurity. That echoed his counterpart at the National Cyber Security Centre (NCSC), Ciaran Martin, who argued that its evaluation center had found “serious problems with [Huawei’s] security and engineering processes.”

“As we said then, and repeat today, these problems are about standard of cybersecurity; they are not indicators of hostile activity by China,” he continued.

The UK decision will not go down well in Washington, which has already threatened allies such as Germany by claiming it will withhold intelligence information in the future if the country allows Huawei to build its 5G networks, fearing Chinese snoopers may be listening in.

Australia has stood by its Five Eyes partner the US in issuing a total ban on Huawei for 5G networks, while the New Zealand Government Communications Security Bureau is still deciding. The Chinese firm opened a transparency center in Brussels recently in a bid to convince local lawmakers that it poses no threat.

European Parliament Approves Mass ID Database Plans

The European Parliament has approved plans to boost physical security by implementing a mass identity database, although privacy concerns persist.

The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region. The latter covers the vast majority of the EU except for Ireland and the UK, as well as Bulgaria, Croatia, Cyprus, and Romania.

The data — which will include fingerprints, names, addresses, photos and other info — will be consolidated from five separate systems, including databases of asylum seekers, short-stay visa applicants, and those with previous criminal convictions in the EU.

The idea is that it will enhance security in the region by minimizing information gaps and silos, helping law enforcers track terrorists and serious criminals who may otherwise be able to slip across borders undetected. Data on an estimated 300 million non-EU and some EU citizens will be stored in the CIR, according to reports.

“Global law enforcement agencies and border control personnel have been sharing information about people for decades, if not centuries,” argued John Gunn, CMO at OneSpan.

“CIR is a very positive move that will simply make the methods more timely, efficient, and effective resulting in speedier cross-border travels with less hassle and in greater safety for all as those with evil intent are more easily identified and stopped.”

However, others have voiced concerns that there are not enough safeguards to protect individual freedoms, and that the database could be a major target for hackers. EU privacy advisory body the Article 29 Working Party (WP29) explained these at length in a document last year.

“Regarding the Common Identity Repository (CIR), the WP29 is of the view that the cross-matching of various sources for identification and consolidating them in a new common database for the purpose of overall identification poses an additional interference with the rights to privacy and data protection,” it said.

“The WP29 is not convinced of the necessity and proportionality to establish such a mixed-purpose identification database including biometric data. Whether identity fraud is in practice such an essential threat to the internal security of the Union as to justify the central registering of biometric identifiers of all bona fide [third country nationals] TCN travellers, migrants and asylum seekers is not yet sufficiently established in terms of proportionality and therefore remains an issue of major concern.”

Addiction Center Patients Exposed in Privacy Snafu

A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.

Justin Paine, who is also a director of trust and safety at Cloudflare, blogged about his findings late last week, claiming to have found the offending database via a simple Shodan search.

As the data trove required no authentication to access, he was able to scroll through the 1.45GB of information. Although there were nearly five million documents contained in the database, they related in the end to around 146,000 unique patients.

Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.

“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.

Despite contacting the firm about the privacy snafu at the end of March, Paine had received no response as of April 15 and there are concerns that it has still not notified patients about the risk of identity theft. However, a message he sent to the hosting provider was received and access to the database subsequently restricted.

It’s just the latest in a long line of incidents involving misconfigured Elasticsearch instances. One revealed in November last year exposed the PII of nearly 82 million Americans.

Cyber Readiness Worsens as Attacks Soar

The number of organizations in Europe and the US that have been hit by a cyber-attack over the past year has soared to over three-fifths (61%), according to a new report from Hiscox.

The global insurer today released the results of its Hiscox Cyber Readiness Report 2019, which is compiled from interviews with over 5300 cybersecurity professionals in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

It revealed a sharp increase in the number of firms suffering an attack, up from 45% in the 2018 report. In the UK, the figure rose from 40% to 55%.

There was also a rise in the number of small (from 33% to 47%) and medium-sized businesses (36% to 63%) reporting an attack, across the US and Europe.

Two-thirds of firms (65%) on average claimed to have been hit by supply chain cyber incidents.

Average losses were also up by 61%: from $229,000 last year to $369,000 this year, a figure exceeding $700,000 for large firms versus just $162,000 in 2018.

Although cybersecurity spending went up by 24% over the past year to reach $1.45m, only 10% of responding organizations were classed as “experts” in terms of their cyber-readiness, with nearly three-quarters (74%) described as unprepared “novices.” Disappointingly, there was a sizeable drop in the number of large US and German firms achieving “expert” scores.

Hiscox cyber CEO, Gareth Wharton, argued that cyber-attacks have become “the unavoidable cost of doing business today.” 

“This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable,” he explained.

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”

Singapore Responds to Recent Cybersecurity Attacks

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot "go back to pen and paper. ... If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled."

The comments follow information coming into the open regarding data breaches, one of which affected 14,200 individuals diagnosed with HIV up to January 2013. In a statement by the police, it was confirmed that the information was "in the possession of an unauthorized person" and had been illegally disclosed online.

The statement went on to say that the information was in the possession of Mikhy K. Farrera Brochez, a male US citizen residing in Singapore between January 2008 and June 2016. He was convicted of fraud and drug-related offences in March 2017, sentenced to 28 months in prison and deported from Singapore. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass.

According to Bloomberg, Balakrishnan said the government’s response to recent cybersecurity attacks and human leaks has to be one where "it’s completely open." It follows the first meeting of the Public Sector Data Security Review Committee, which was held on April 18, 2019, according to a government statement. 

Bloomberg reported that attendees of the meeting "reviewed past data incidents" and broad approaches to raise the bar of security. The committee will submit its final report to the prime minister by the end of November 2019. 

Singapore has been trying to position itself as a "Smart Nation," with initiatives focusing on digital identity, smart urban mobility and e-payments. However, the data breaches have made many people nervous, especially with the ambitions of artificial intelligence (AI) clear. 

“The ability to deploy AI in our respective fields should be commoditized,” Balakrishnan said. “We will be one of the earliest adopters of these new technologies.”

WannaCry ‘Hero’ Pleads Guilty to Writing Malware in US Court

Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017. 

According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."

Arrested in August 2017 at the Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He denied the former in 2017, making this a complete turnaround on his previous plea.

Kronos targeted banking information and was valued at $7,000 on the dark web.

Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

The WannaCry attacks took place in May 2017, with Telefonica being the first victim. The attacks happened worldwide, including the UK's National Health Service (NHS), and impacted more than 150 countries. Hutchins created a kill switch, which helped organizations globally stop the ransomware. He won an award for his contribution, as many cited the impact would have been worse without it. 

According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.

Password “123456” Used by 23.2 Million Users Worldwide

The National Cyber Security Centre (NCSC) expects 42% of British online users to lose money due to fraud, according to its first UK Cyber Survey.

Released over the Easter weekend (April 21, 2019), the report also found that the most-used password from global cyber breaches was "123456," with "ashley" the most-used name as a password. The global password-risk list was published to disclose passwords already known to hackers.

Survey Findings from Poll, NCSC

The polling was independently carried out on behalf of NCSC, a part of GCHQ and the Department for Digital, Culture, Media and Sport (DCMS). The findings, as well as 100,000 passwords already known to have been breached by hackers, were released ahead of NCSC's CYBERUK 2019 conference, which will be taking place in Glasgow this week. These will inform government policy and guidance offered to the public.

Ian Levy, NCSC technical director, said: “We understand that cybersecurity can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

“Password reuse is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band."

Survey Findings from Poll, NCSC

According to the NCSC's announcement, the list was created after breached usernames and passwords were collected and published by international web security expert Troy Hunt. His website allows people to check whether they have an account that has been compromised in a data breach.
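As an added example (not code from the NCSC, Troy Hunt or this article), here is how a sign-up form can screen a chosen password against a breached-password list like the one above without transmitting or logging the plaintext: it uses the same SHA-1 prefix bucketing as the public Pwned Passwords range lookup, and adds the personal-detail check Ian Levy describes. The breached list inside it is a small constructed sample standing in for the NCSC's 100,000-entry list.

```python
"""Screen a chosen password against a breached-password list, offline.

Added example for this article; not code from the NCSC, Troy Hunt or
Infosecurity Magazine. It mirrors the bucketing used by the public Pwned
Passwords range lookup: the SHA-1 digest's first five hex characters pick a
bucket and only the remaining 35 characters are compared, so a client never
has to send (and a server never logs) the password or its full hash.
BREACHED_SAMPLE is a constructed stand-in for the list the NCSC published.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed sample; "123456" and "ashley" are the two values the article names.
BREACHED_SAMPLE = ["123456", "ashley", "password", "qwerty", "liverpool",
                   "michael", "blink182", "123456789"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the Pwned Passwords data uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each 5-char digest prefix to the set of 35-char suffixes under it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


BREACHED_INDEX = build_range_index(BREACHED_SAMPLE)


def is_breached(password: str,
                index: Dict[str, Set[str]] = BREACHED_INDEX) -> bool:
    """True when the password's digest suffix sits in its prefix bucket.

    In a networked deployment only the 5-char prefix would leave the client;
    the suffix comparison happens locally over the returned bucket.
    """
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def screen_password(password: str,
                    personal_terms: Iterable[str] = (),
                    index: Dict[str, Set[str]] = BREACHED_INDEX,
                    min_length: int = 8) -> Tuple[bool, str]:
    """Sign-up policy check. Returns (accepted, reason).

    Order matters for the message a user sees: a breached password is
    rejected as such even if it also fails the length rule.
    """
    if is_breached(password, index):
        return False, "appears in breached-password list"
    lowered = password.lower()
    for term in personal_terms:      # first name, football team, band...
        term = term.lower()
        if len(term) >= 3 and term in lowered:
            return False, f"contains personal detail '{term}'"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "ashley", "margot2019", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, personal_terms=["Margot"]))
```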

The report also found that the proportions of respondents who felt they would be a victim of cybercrime in the next two years range from 12% having information stolen and a ransom demanded to 42% who feel they will have money stolen that will later be reimbursed. Only 51% feel that apps being accessed without consent will have a big personal impact, while 91% feel having money stolen without reimbursement would have a big impact.

Other findings included: 

  • Only 15% know a great deal about how to protect themselves from harmful activity.
  • The most regular concern is money being stolen, with 42% feeling it will likely happen to them by 2021.
  • 89% use the internet to make online purchases, with 39% on a weekly basis.
  • One in three rely to some extent on friends and family for help on cybersecurity.
  • Young people are more likely to be privacy conscious and careful of what details they share online.
  • 70% always use PINs and passwords for smartphones and tablets.

Survey Findings from Poll, NCSC

Margot James, DCMS’ digital and creative industries minister, said, "Cybersecurity is a serious issue, but there are some simple actions everyone can take to better protect against hackers. We shouldn't make their lives easy, so choosing a strong and separate password for your email account is a great practical step.

“Cyber-breaches can cause huge financial and emotional heartache through theft or loss of data, which we should all endeavor to prevent."

The NCSC’s two-day CYBERUK 2019 conference will see 2,500 delegates come to Glasgow’s Scottish Exhibition Centre on April 24 and 25 for a range of speeches, workshops and interactive displays.

Mueller Report: Individuals Deleted Data During Investigation

After two years of investigating, yesterday Robert S. Mueller III finally released his investigation, Report on the Investigation into Russian Interference in the 2016 Presidential Election. The 448-page report looks into Russian interference specifically but also into any individuals in the US that may have been involved. 

Appointed in May 2017 as Special Counsel to the investigation, Mueller found that Russia's interference in the 2016 election included social media activity, which related back to the Cambridge Analytica exposé in March 2018, and "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."

"The Internet Research Agency (IRA) carried out the earliest Russian interference operations identified by the investigation – a social media campaign designed to provoke and amplify political and social discord in the United States," says the report. "The IRA was based in St. Petersburg, Russia, and received funding from Russian oligarch Yevgeniy Prigozhin and companies he controlled.

"At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations."

Interestingly, data loss was discussed in the report as "the Office" had learned that some of the individuals they had interviewed – including some associated with the Trump Campaign – had deleted relevant communications or communicated during the relevant period using encrypted applications. In some instances this hindered the investigation, according to Mueller. 

However, the report concludes, there isn't sufficient evidence to prove a crime had been committed in relation to the US election. 

"The Russian contacts consisted of business connections, offers of assistance to the campaign, invitations for candidate Trump and [Russian president Vladimir] Putin to meet in person, invitations for campaign officials and representatives of the Russian government to meet, and policy positions seeking improved US-Russian relations," says the report. "While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump campaign, the evidence was not sufficient to support criminal charges."

It is also unclear what will happen next. According to BBC News, Attorney General William Barr is facing "heavy criticism" of his handling of the report's release, with some accusing him of misleading them with an earlier summary on whether President Trump obstructed justice. 

According to USA Today, the Kremlin hit back at Mueller's investigation: The report "does not present any reasonable proof at all that Russia allegedly meddled in the electoral process in the US," said Dmitry Peskov, spokesman for Russian president Vladimir Putin.

Cyber-Attack Knocks the Weather Channel Off the Air

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes. 

On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network but as of press time hasn't released any specifics on the attack itself. When the AMHQ show should have started, viewers saw taped programming, Heavy Rescue. AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties." 

Around 90 minutes later, the show returned with its anchors informing viewers of the cyber incident.

"The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.

"Yes, and it has affected our ability to bring you your weather information," added anchor Stephanie Abrams. "So we just wanted to say thank you again for your patience and we want to get right to today's severe weather."

While attacks on television networks do not always make mainstream news, many countries have fallen victim to them. In February 2018, a cyber-attack on the PyeongChang Olympic Games, attributed to Russia, took the official Olympic website offline for 12 hours and disrupted Wi-Fi and televisions at the PyeongChang Olympic stadium.

Also, in October 2018, the National Cyber Security Centre accused Russia's military intelligence services of targeting firms in Russia and Ukraine, the US Democratic Party and a small TV network in the UK.

Facebook Uploaded 1.5 Million Email Contacts Without Consent

Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016. 

In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were verifying their accounts. 

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," said the statement. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

According to Business Insider, a security researcher realized that Facebook was asking some users to "enter their email passwords when they signed up for new accounts to verify their identities." The outlet then discovered that when a user entered their email password, "a message popped up saying it was 'importing' contacts, without asking for permission first."

A Facebook spokesperson also confirmed that these contacts were uploaded into Facebook's systems, where they were used to build "Facebook's web of social connections" and recommend friends. 

It's not known if these contacts were also used for ad-targeting purposes, similar to that of the Cambridge Analytica scandal that happened last year. The exposé, which was released by The Observer, had led to Facebook having to answer questions to the US Senate and the UK government. 

Infosecurity Magazine reported that at the beginning of April, over half a billion personal Facebook records were publicly exposed to the internet by two third-party app developers. UpGuard claimed to have found the two datasets stored in Amazon S3 buckets, which were configured to allow public download of files.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.

In regards to the latest data mishap, Facebook plans to notify the 1.5 million users affected and delete their contacts from the company's systems.

LinkedIn Data Found in Unsecured Databases

A security researcher identified eight unsecured databases that held "approximately 60 million records of LinkedIn user information."

GDI Foundation, where the security researcher is from, is a nonprofit organization with a mission to "defend the free and open Internet by trying to make it safer." The researcher, Sanyam Jain, contacted BleepingComputer when he noticed "something strange." He was seeing unsecured databases containing the LinkedIn data "appearing and disappearing from the Internet under different IP addresses."

While the majority of the LinkedIn data was reportedly public, some of the data contained email addresses.

"According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange," Jain told BleepingComputer. The total size of all of the databases was 229 GB, with each database ranging between 25 GB and 32 GB.

As an experiment, BleepingComputer editor Lawrence Abrams asked Jain to pull his record from one of the databases and review it. According to the article, Abrams found the data contained in the record included "his LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated."

The email address Abrams used when he registered his LinkedIn account was also included. The editor doesn't know how the information got onto this database as he "always had the LinkedIn privacy setting configured to not publicly display his email address."

Each profile also contains what appear to be internal values that describe the type of LinkedIn subscription the user has and whether they use a particular email provider, according to BleepingComputer. These values were labeled "isProfessional," "isPersonal," "isGmail," "isHotmail" and "isOutlook."

BleepingComputer contacted Amazon, which was hosting the databases, and as of April 15, 2019, the databases were secured and no longer accessible via the internet.

LinkedIn's Paul Rockwell, head of trust and safety, told the website: "We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles, as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached."

LinkedIn also told the outlet that in some cases an email address could be public and provided a link to a privacy page that allows users to configure who can see a profile's email address.

TA505 Targets Financial and Retail Using ‘Undetectable’ Methods

A financially motivated gang is targeting retailers and financial institutions around the world using remote access software. 

CyberInt's Research Lab has found that TA505 is combining familiar tactics with an off-the-shelf commercial remote administration tool developed by the Russia-based company TektonIT. The group was behind attacks on the global financial industry between December 2018 and February 2019 and is using the same techniques, according to the company.

Proofpoint says that according to its actor profile, "TA505 is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and several others in very high volumes."

"Although they are using phishing and social engineering to get the software into the organisations, once it's installed, it’s virtually undetectable by traditional threat protection systems because it’s legitimate software,” says Adi Peretz, senior strategic consultant and head of research at CyberInt. “They are still very much active and this is only the beginning of our deep-dive investigation.”

According to the report, TA505 tried its hand at payloads such as data-stealing backdoors and remote access Trojans following the decline in the popularity of ransomware, likely due to mitigation tactics. However, its use of legitimate software is throwing defenders off the scent and making the group hard to detect.

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," says the CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

The report goes on to say that the macro, if executed, subsequently attempts to download "malicious payloads from the threat actor’s C2 infrastructure that in most cases also masquerades as, or mimics, legitimate-looking domains such as using names and misspellings related to ‘Cloud’, ‘Microsoft Office 365’ or ‘Security.’"

Fraudsters Exploit Sympathies Surrounding Notre Dame Tragedy

Fraudsters are preying on the goodwill of people everywhere by using the tragic fire of Notre Dame to their advantage.

According to research by security company ZeroFOX, cyber-criminals are "spreading misinformation about the disaster," which includes fake donation pages and launching new phishing campaigns. The company says in a blog post that "preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate."

The blog goes onto explain that these threat actors use a variety of tactics, such as: 

  • Using bots on Twitter to spread donation links leading to spam or malware sites
  • Impersonating websites and social media accounts of legitimate charity organizations
  • Sending fraudulent charity emails with bad links or attachments
  • Registering domains related to the disaster
  • Creating fake donation campaigns on crowdfunding sites
  • Using fraud messaging that includes vague victim stories, pressure to act quickly or promises of high payouts for a company involved in cleanup

Most worryingly, the crowdfunding tactics might work better than anything else. Raising money this way to help people in need is on the rise, especially around tragic events such as this. Sites such as JustGiving might be copied to set up fake donation sites. "People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need," says the blog post.

One example the ZeroFOX Alpha Team found was on justgiving.com, where an anonymous user created a crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” "Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort," the post goes on to say.

Another tactic targets social media users who follow trending hashtags. 

"In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy," explains the post.

"[This example of one such post] is looking to sell 'services' using the Notre Dame fire hashtag." Users need to be careful, it goes on, of any seller using hijacked hashtags, as they are "typically associated with scams and malicious links."

Example of potential crowdfunding scam – note the warning signs.

When it comes to avoiding scams related to this disaster, ZeroFOX recommends the following:

  • Review suggestions from crowdfunding sites on how to identify legitimate campaigns.
  • Be cautious of unfamiliar individuals or organizations soliciting donations or investments through social media, email or phone.
  • Conduct thorough research on charity organizations and use a website that rates organizations, such as Charity Navigator or CharityWatch.
  • Be cautious of requests for donations or investments in cash, by gift card, or by wiring money, which are frequent methods of payment for scams.
  • Report potential scams to crowdfunding sites, and reach out for a potential refund in the case of a suspected scam.

Cloud Security Spending Set to Top $12bn by 2023

Global spending on cloud security is set to grow nearly 18% to reach $12.7bn by 2023, with protection for public cloud deployments prioritized over the coming years, according to a new report from Forrester.

Organizations spent $178bn on public cloud services last year, a figure that will grow to $236bn by 2020 — making security increasingly important to protect mission critical systems and sensitive data.

Infrastructure decision makers are particularly concerned about cyber risk, with over half (54%) implementing cloud solutions, the analyst claimed in its report, Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global).

The sheer complexity of cloud deployments, often covering multiple providers and hybrid deployments, also requires enhanced security to monitor data, detect anomalies, and intercept threats.

Public cloud remains the biggest focus for security investment. Some $4bn was spent on public cloud native platform security in 2018, accounting for over 70% of total cloud security spend, and this will be the fastest-growth area to 2023, when it will reach $9.7bn, Forrester claimed.

The good news is that these efforts appear to be working: just 12% of breaches targeted public cloud environments, while 37% of global infrastructure decision makers cited improved security as an important reason to move to the public cloud, according to Forrester.

The analyst was also keen to point out that there’s no single solution which can meet all an organization’s cloud security needs.

As mentioned, public cloud native solutions are growing fastest. These cover areas like: data classification, categorization and segmentation; server access control; user IAM; encryption; and logging, auditing, and anomaly detection.

Then there are cloud workload solutions designed to centralize and automate cloud security across multiple platforms and environments. This market is set to grow at 17.3% CAGR to reach $1.9bn by 2023.

Finally, cloud security gateways succeed where traditional security tools fail by encrypting data before it’s sent to SaaS applications; detecting shadow IT; data loss prevention (DLP); malware detection; and cloud access anomaly detection.

Dark Web Fraudsters Defraud Each Other with Fraud Guides

Cyber-criminals are doing a roaring trade in “how-to” fraud guides for their fellow scammers, although many are out-of-date and incomplete, according to new dark web research from Terbium Labs.

The cyber-intelligence firm analyzed nearly 30,000 of these guides to compile its latest report, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data.

These online documents typically include instructions on specific fraud capabilities such as account takeover, phishing, cashing out, doxing, synthetic fraud, account creation and so on.

They could feature instructions, personal notes from the author on their experiences of what works and what doesn’t, social engineering and technical advice, and more.

However, while it appears to be an ominously thriving industry, it’s unclear exactly how much value these guides are offering to the typical fraudster.

According to Terbium Labs, over a quarter (26%) of guides are more than a decade old, and there are more out there from 2010 than 2017 and 2018 combined.

“Any guidance or information from within a few years is bound to still be helpful for criminals looking to get started, but once we get five or 10 years out, the value certainly decreases,” Terbium Labs VP of research, Emily Wilson, told Infosecurity.

“If buyers think they’re getting the most up-to-date methods in these major fraud collections, they’re going to be surprised and disappointed. These collections represent the information gathered over a couple of decades, rather than a highly curated group of the most recent materials.”

What’s more, three-quarters (75%) of those analyzed were found to be duplicates which have simply been repackaged and resold, at an average of £6 each.

“What we see here is a criminal community gathering information over time, and then doing what vendors do best: repackaging it and reselling it under their own name, looking for a new way to turn a profit,” Wilson continued.

“These guides require little work to gather, and even less work to throw into a zip file and market under your own brand. They’re in business to make money, and what better way to make money than to repackage someone else’s work and pass it off as your own?”

In addition, some 11% of fraud guide purchases the researchers attempted to make on the dark web turned out to be scams, the report revealed.

However, despite all the scams and the old and incomplete data found in many guides, the info gathered by the dark web intelligence vendor could still be useful for organizations trying to get inside the fraudster’s head. It could even be used by risk teams to help evaluate current fraud controls and detection services, for example.

Terbium Labs also ran a check on the appearance of personal and financial information in the guides to see what was of greatest interest to fraudsters.

Surprisingly, email addresses came out top, ahead of payment card data and other PII, according to the report.

DNS Hijackers Target Middle East Governments

Security experts are warning of a new state-sponsored DNS hijacking campaign affecting at least 40 organizations across 13 countries.

Cisco Talos revealed in a blog post yesterday that the “Sea Turtle” campaign began back in January 2017 and has been active until the first quarter of this year, targeting mainly public and private sector organizations in the Middle East and North Africa.

Attackers sought first to gain DNS credentials from target organizations, either by exploiting known vulnerabilities or sending spear-phishing emails. They then typically used these log-ins to target the firm’s registrar, accessing their DNS records and modifying them to point users to a malicious server under the hackers’ control.

The group then set up a classic man-in-the-middle (MitM) operation, impersonating legitimate services to harvest user credentials.

“Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed ‘certificate impersonation,’ a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization,” explained Cisco.

“This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.”

With access to the target’s network, the attackers then stole the organization’s SSL certificate, enabling them to perform more MiTM attacks to harvest other credentials, expanding their access. Stolen certs were used for just a day to maintain good OpSec.

Primary targets were military organizations, national security agencies, foreign affairs ministries and energy companies in Libya, Egypt, UAE, Cyprus, Lebanon, Iraq, Jordan, Turkey, Armenia, Syria and Albania.

Secondary targets, infiltrated to gain access to the former, were mainly based in the US and Sweden and included DNS infrastructure firms such as registrars, ISPs, telcos, and one registry. Swedish DNS firm Netnod was one of these.

“Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am,” Cisco continued. “Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.”

The firm warned that the group is highly capable and has continued in its operations, undeterred by media reports on some of its activity.

“Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains,” it concluded.

“The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network.”

Cath Goulding, head of cybersecurity at .uk registry Nominet, claimed its infrastructure was secure thanks to it taking a layered approach.

“While two-factor authentication helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA. We are continually monitoring the situation, and would reassure the majority of consumers trying to access .UK domain names,” she said.

“For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it’s incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems.”

The group is not connected to the DNSpionage attacks revealed in November last year, according to Cisco.
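The advice quoted above (check that your DNS records still point at legitimate servers, and note that a CA-signed certificate for the right name is no proof the endpoint is yours) can be turned into a repeatable baseline comparison. The following is an added example, not code from the article, Cisco Talos or Nominet; every zone name, address and certificate byte string in it is a constructed placeholder, and the snapshot format mirrors what `dig +short` prints so the same logic can be fed real answers.

```python
"""Baseline check for DNS hijacking and certificate impersonation.

Added example, not from the article or the vendors it quotes. All names,
addresses and certificate bytes below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Known-good baseline recorded while the zone was in a trusted state.
# Keys are (owner name, record type); values are the expected RDATA strings
# in the form `dig +short` prints them (trailing dots, "pref host." for MX).
BASELINE = {
    ("example-org.test", "NS"): {"ns1.example-org.test.", "ns2.example-org.test."},
    ("example-org.test", "A"): {"192.0.2.10"},
    ("mail.example-org.test", "A"): {"192.0.2.25"},
    ("example-org.test", "MX"): {"10 mail.example-org.test."},
    ("vpn.example-org.test", "A"): {"192.0.2.40"},
}

# SHA-256 of the DER certificate the organization actually deployed (constructed).
# Pinning the deployed certificate is what distinguishes it from an attacker's
# certificate for the same name that a CA would also happily sign.
PINNED_CERT_SHA256 = {
    "vpn.example-org.test": hashlib.sha256(b"constructed-legitimate-cert-der").hexdigest(),
}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str      # "changed", "missing", "unexpected" or "cert_mismatch"
    detail: str


def snapshot_from_dig(outputs):
    """Build an observed snapshot from `dig +short <name> <type>` output.

    `outputs` maps (name, rtype) -> raw stdout text, one RDATA per line.
    """
    return {key: {line.strip() for line in text.splitlines() if line.strip()}
            for key, text in outputs.items()}


def compare_records(baseline, observed):
    """Diff an observed snapshot against the baseline; empty list means all good."""
    findings = []
    for (name, rtype), expected in baseline.items():
        got = observed.get((name, rtype))
        if got is None:
            findings.append(Finding(name, rtype, "missing", "no answer observed"))
        elif got != expected:
            findings.append(Finding(name, rtype, "changed",
                                    f"expected {sorted(expected)}, observed {sorted(got)}"))
    # Records that appeared without being in the baseline are worth a look too.
    for name, rtype in observed.keys() - baseline.keys():
        findings.append(Finding(name, rtype, "unexpected",
                                f"not in baseline: {sorted(observed[(name, rtype)])}"))
    return findings


def check_cert_pin(host, der_bytes, pins=PINNED_CERT_SHA256):
    """Return None if the served certificate matches its pin, else a Finding."""
    digest = hashlib.sha256(der_bytes).hexdigest()
    if pins.get(host) == digest:
        return None
    return Finding(host, "TLS", "cert_mismatch",
                   f"served certificate sha256={digest[:16]}... is not the pinned one")


def run_checks(observed, served_certs):
    """Combine the DNS diff with certificate pin checks for the given hosts."""
    findings = compare_records(BASELINE, observed)
    for host, der in served_certs.items():
        finding = check_cert_pin(host, der)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed snapshot in which the VPN host's A record was redirected and the
# endpoint now serves a different certificate for the same name.
OBSERVED_HIJACKED = snapshot_from_dig({
    ("example-org.test", "NS"): "ns1.example-org.test.\nns2.example-org.test.\n",
    ("example-org.test", "A"): "192.0.2.10\n",
    ("mail.example-org.test", "A"): "192.0.2.25\n",
    ("example-org.test", "MX"): "10 mail.example-org.test.\n",
    ("vpn.example-org.test", "A"): "198.51.100.7\n",
})
SERVED_CERTS_HIJACKED = {"vpn.example-org.test": b"constructed-attacker-cert-der"}

if __name__ == "__main__":
    for f in run_checks(OBSERVED_HIJACKED, SERVED_CERTS_HIJACKED):
        print(f"[{f.kind}] {f.name} {f.rtype}: {f.detail}")
```

In practice the snapshot would be built from queries sent to the zone's own authoritative servers as well as to a public resolver, since a registrar-level change shows up at the authoritative side first; the comparison logic is the same either way. Pinning the certificate (or its public key) is what makes the second check useful against certificate impersonation, because chain validation alone would accept the attacker's certificate.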

DCMS Shares UK Journalists Emails, Potential GDPR Breach

The government department that is responsible for implementing the General Data Protection Regulation (GDPR) has committed an email faux pas with UK journalists which could also mean it has broken its own rules. 

Flagged by Guardian journalist Alex Hern on Twitter, the email was regarding its announcement on age verification rules on online pornography. Hern tweeted: "DCMS has just announced that the porn filters are coming online on July 15, in an email that cc's every media and technology journalist in Britain." 

According to the Information Commissioner's Office (ICO)'s website, "The GDPR applies wherever you are processing ‘personal data.’ If the email addresses make obvious the name, such as 'initials.lastname@company.com,' GDPR will apply."

Furthermore, the GDPR protects people from being cold-emailed or spammed by requiring explicit consent from individuals. If anyone on the mailing list didn't consent to being on it, there might be a breach.

What counts as consent?

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data
  • Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
  • You must make it easy for people to withdraw consent at any time they choose

While DCMS is a high-profile organization, breaches due to human error are not uncommon. In the last two years of reports of UK data breaches to the ICO, just 12% were the result of malicious attacks, according to Kroll. This means that 88% were the result of human error.

"Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks," said Kroll managing director, Andrew Beckett, to Infosecurity Magazine in September 2018. "The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures."

The ICO confirmed it was aware of the incident, commenting: "We are in contact with the Department for Digital, Culture, Media and Sport regarding today’s email incident."

UK To Become First Country To Bring in Age-Verification for Online Pornography

The UK will become "the first country in the world" to bring in age verification for online pornography, according to the Department for Digital, Culture, Media and Sport (DCMS). The measures, which come into force on July 15, 2019, mean that commercial providers of online pornography will be required by law to carry out robust age-verification checks on users to ensure they are 18 or over.

In its announcement this morning, the DCMS says "the move is backed by 88% of UK parents with children aged 7–17, who agree there should be robust age-verification controls in place to stop children seeing pornography online." It has also said that websites that fail to implement age-verification technology face having payment services withdrawn or being blocked for UK users.

Minister for digital Margot James said, "Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we’ve taken the time to balance privacy concerns with the need to protect children from inappropriate content. We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this."

The change in law is part of the government’s commitment to making the UK "the safest place in the world to be online, especially for children." It follows the publication of a whitepaper by the government department last week, which also referenced social media companies being more accountable for content on their sites.

The British Board of Film Classification (BBFC) will be responsible for ensuring compliance with the new laws.

Online pornography websites have also been a goldmine for stealing user credentials. In 2018, 850,000 attempts were made to steal porn credentials according to a report by Kaspersky Labs. The attacks had been focused on paid accounts for only two sites, Pornhub and XNXX.

Ransomware has also affected users of these sites, making underage users vulnerable. According to Kaspersky's report, ransomware poses as an application. Once in use it locks the screen of the device and shows a message stating that illegal content (usually child porn) has been detected on the device, and the device has been locked. In order to unlock the device, the victim has to pay a ransom.

Scranos Goes Global After Targeting China

A new password and data stealing operation that has been targeting China has started to infect users worldwide, according to Bitdefender Cyber Threat Intelligence Lab. 

Using a rootkit driver signed with what is believed to be a possibly stolen certificate, the attack is still a work in progress with many components in the early stage of development, say the researchers behind the company's latest report, Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation.

"We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvement to old components," according to the report. "The various components can serve different purposes or take different approaches to achieve their goals."

Some of the components identified include:

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser
  • Steal a user’s payment accounts from Facebook, Amazon and Airbnb webpages
  • Send friend requests to other accounts, from the user’s Facebook account
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well
  • Steal login credentials for the user’s account on Steam

Bitdefender's research reveals that the malware spreads via Trojanized applications "disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products." When executed, the rootkit driver is installed to cloak the malware and ensure persistence. The malware then phones home and is told what other components to download and install.

"Our telemetry shows the adware has a global presence, but it seems more prevalent in India, Romania, Brazil, France, Italy and Indonesia," continues the report. "All identified samples confirm that this operation is in a consolidation stage: the oldest samples identified date back to November 2018, with a massive spike in December and January. However, in March 2019, the command and control servers started pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per-install schemes."

The rootkit driver, at the time the report was written, contains a valid digital signature with a certificate issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd.

"The most likely scenario is that an impersonator obtained this certificate fraudulently, even if the company is not a software vendor," the report deduces. 

The rootkit sets up and creates a device named \Device\VideoDriver and serves three main purposes, according to the report:

  1. Decrypts and injects the downloader in a svchost.exe process with system authority
  2. Deletes a specified file using low-level file system operations
  3. Registers an IRP_MJ_SHUTDOWN function which is used to ensure the persistence of this rootkit in the infected system by rewriting itself on disk and in the registry at every shutdown, in case it was deleted

Fifth of Web Traffic Comes from Malicious Bots

Around a fifth of all web traffic last year was linked to malicious bot activity, with financial services hit more than any other sector, according to Distil Networks.

The security vendor compiled its 2019 Bad Bot Report from analysis of a global network covering thousands of anonymized domains.

It claimed to have discovered hundreds of billions of “bad bot” requests across this network, enabling large-scale, automated malicious activity including: web scraping, competitive data mining, personal and financial data harvesting, brute-force login and digital ad fraud, spam, transaction fraud and more.

The report revealed 20.4% of traffic to be linked to this kind of activity. Although this was a slight drop from last year, nearly three-quarters (74%) of these bots are classified as “Advanced Persistent Bots” (APBs) which are able “to cycle through random IP addresses, enter through anonymous proxies, change their identities, and mimic human behavior.”

In terms of ISPs, bad bot traffic was most likely to originate from Amazon (18%), while geographically, most traffic originated in the US (53%), according to the report. However, Russia and Ukraine accounted for nearly half (48%) of blocking requests from Distil customers, given their notoriety.

Financial services had the highest percentage of malicious bot traffic (42%) thanks mainly to the uptick in credential stuffing designed to access and/or hijack user accounts. Between May and December 2018 Akamai tracked over a billion credential stuffing attempts on financial services firms.

However, ticketing (39%), education (38%) and government sectors (30%) were also badly affected. Government is unusual in that the motivations of attackers in this sector are not solely driven by financial gain, but also election (voter registration account) interference.

“Bot operators and bot defenders are playing an incessant game of cat and mouse, and techniques used today, such as mimicking mouse movements, are more human-like than ever before,” said Tiffany Olson Kleemann, CEO of Distil Networks.

“As sophistication strengthens, so too does the breadth of industries impacted by bad bots. While bot activity on industries like airlines and ticketing are well-documented, no organization — large or small, public or private — is immune. When critical online activity, like voter registration, can be compromised as a result of bad bot activity, it no longer becomes a challenge to tackle tomorrow. Now is the time to understand what bots are capable of and now is the time to act.”

EU: We Have No Evidence Kaspersky Lab is Security Risk

The European Commission has admitted it has no evidence that Kaspersky Lab products are a national security risk to member states, despite the European Parliament voting last summer for a ban on the Russian AV company.

The revelations come in response to a question from right-wing European Parliament member (MEP), Gerolf Annemans.

It refers to the non-binding resolution, passed on June 13 2018, which branded Kaspersky Lab as ‘malicious’ and ‘dangerous.’

“Does the Commission know of any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious,’ especially since Member States such as Germany, France and Belgium do not perceive any problems with cooperation with the firm concerned?” he asked.

The Belgian MEP also asked whether the Commission is aware “of any reports or opinions of cyber-experts or consultancies about Kaspersky Lab, and can it give me references to them?”

In response, the Commission said it is “not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products,” and that “it did not commission any reports” into the issue to find out more.

“The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market,” it added.

“The EU is an open market, which can be accessed by foreign companies in compliance with EU rules. In addition, Member States have the competence to decide whether to exclude companies from their markets for national security reasons.”

That would seem to suggest that too much weight was given to US moves to ban the Moscow-based vendor at the time of the vote, despite it not being able to produce any proof to back up its claims of the firm being a national security risk. The UK also issued a warning in December 2017 for agencies not to use its products for processing information classified SECRET and above.

The European Parliament motion in question was framed in general terms about cyber-defense, yet only Kaspersky Lab was named, adding weight to the notion that it was unfairly singled out.

It’s unclear why it took so long to gain clarification from the Commission on this.

Wipro Confirms Major Breach Investigation

IT services giant Wipro has revealed it is investigating a potential intrusion after a report named the firm as suffering an attack targeting a dozen customers.

India’s third largest IT outsourcer claimed to have spotted “potentially abnormal activity in a few employee accounts” after an “advanced phishing campaign” targeted the company.

“Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” it continued, according to ETtech.

“We are leveraging our industry-leading cybersecurity practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”

Security researcher Brian Krebs originally reported the incident, citing multiple unnamed sources who claimed a multi-month intrusion had taken place, with at least 11 or 12 customers affected.

One claimed to know this info from the forensics investigation in which folder names on the intruders’ back-end were found to have been named after those clients.

Another source claimed that Wipro is being forced to build a new private email network, as the current one was apparently no match for the assumed state-sponsored attackers.

IT services companies are a major target for hackers given the privileged access they can grant to large numbers of client networks.

Chinese state-sponsored attack group APT10 was called out in 2017 after a long-running campaign against MSPs described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”

IOActive CTO, Cesar Cerrudo, argued the case is another example of how modern digital supply chains create extra risk for organizations.

“These types of attacks are incredibly difficult to defend against, as trust is an essential part of any partnership. However, companies should be careful to ensure that they have the right controls in place to ensure that even if a hacker does gain access to an employee's credentials, this doesn’t mean they have the keys to the kingdom,” he added.

“If an organization isn't looking for security risks, then a threat actor doesn't need to launch a costly, complex or high-risk supply chain attack to compromise the organization. If the worst happens, and systems are compromised, then having a swift and effective response is essential. Organizations need to be sure they are able to identify the compromise fast (ideally before customers are impacted) and that they can quickly assert which customers may have been impacted and notify them of the potential risk to stop things from spiralling down the supply chain.”