Author Archives: www.infosecurity-magazine.com

A Third of UK Unis Hit By Ransomware in Last 10 Years

Around a third (33%) of UK universities have been targeted with ransomware, freedom of information (FOI) requests submitted by the agency TopLine Comms have revealed.

Of the 134 universities the requests were sent to, 105 responded. Of these, 35 (33%) revealed they had been subjected to attack while 25 (24%) said they hadn’t. The remaining 43 (45%) refused to answer, with the main concern being that admission of attack could lead to further targeting.

Those that refused to answer the FOI added that no inference should be drawn from the refusal as to whether they’d been attacked or not.

Of the 35 universities that admitted to having faced ransomware attack, 34 confirmed they did not pay ransoms, with just one, Liverpool John Moores, refusing to disclose whether they had paid a ransom or not.

Whilst most attacks were isolated incidents, Sheffield Hallam University stood out as it had reported 42 ransomware attacks since 2013. It was followed by City, University of London, which has been targeted seven times since 2014.

Most of the reported incidents occurred in 2015 (31%), 2016 (34%) and 2017 (23%).

Ransomware attacks on universities have been brought into sharper focus recently following the admission by the University of California San Francisco in June that it had paid over $1.14m to criminals after discovering that critical academic data related to its COVID-19 research had been encrypted.

Luke Budka, head of digital PR and SEO at TopLine Comms, said: “The recent revelation that hackers extorted $1.14m from the University of California prompted us to submit requests to UK universities asking for details on ransomware attacks and ransom amounts paid. We were naturally most interested in Russell Group universities as their research focus suggests they’ve got the most valuable intellectual property.

“Of the 18 Russell Group universities that responded, all but three refused to answer the questions submitted. The University of Manchester admitted it had been attacked but said it didn’t record when; The University of Sheffield was attacked in 2015 and The University of Edinburgh stated it had not been attacked in the last ten years.”

Speaking to Infosecurity about the findings, Steven Furnell, professor of cybersecurity at the University of Nottingham, commented: “The fact that a third indicated that they had been ‘subject to an attack’ really just serves to confirm the prevalence of the threat – which in itself is not a surprise, as we know ransomware has been a significant element of the threat landscape for the last few years.”

He noted that universities are potentially particularly vulnerable to ransomware attack because of the varied mix of users connecting into the networks across a wide range of devices, including students’ personal devices.

Furnell added: “In terms of what they ought to be doing to protect themselves, it is essentially the same as other large organizations – ensuring an effective combination of technical safeguards to detect and prevent the incidents, alongside awareness-raising for staff and students in order to reduce the chances of them inadvertently assisting the threat or losing their own data if a breach was to occur.”

Australian Jailed for Stealing XRP Crypto

An Australian woman has been jailed for her part in the theft of XRP cryptocurrency worth nearly $400,000. 

Kathryn Nguyen was arrested in October 2018 for pulling off a crypto-heist with an associate. The 25-year-old was one of the first people in Australia to be charged with the theft of cryptocurrency.

The theft of 100,000 XRP tokens took place in January 2018, when the value of the currency was at an all-time high of $3.84 per token. Currently, the tokens are worth approximately $0.30 each.

Along with her accomplice, Nguyen stole the tokens from the exchange account of a 56-year-old man who shared her surname, having redirected the account's two-factor authentication to her own mobile phone.

Nguyen reportedly used a Chinese cryptocurrency exchange to swap the tokens for Bitcoin (BTC). In what may have been an attempt to launder the stolen funds, the Bitcoin was distributed across multiple wallets.

Police raided Nguyen’s home in the Sydney suburb of Epping in 2019, seizing phones, computers, and money. In August last year, the former Bitcoin trader turned handbag and shoe repairer pleaded guilty to fraud.

Today, Nguyen was sentenced to a maximum of two years and three months behind bars. She will be eligible for parole in October 2021. 

Presiding judge Chris Craigie said it was a “difficult and troubling decision” to hand Nguyen a jail sentence. According to News Corp, character references given regarding Nguyen portrayed her as having a “generous and hardworking personality.”

“A common thread was the offender’s willingness to help others,” Craigie said. “This takes on a different meaning in her willingly participating and assisting in a criminal enterprise.”

Craigie shared the opinion that the defendant's “moral judgement was distorted” when she committed the crime. 

The investigation into Nguyen was launched after the victim told police that he had been locked out of his cryptocurrency trading account. Police then spent nearly a year building the case against Nguyen.

Commander of NSW Cybercrime Squad, Detective Superintendent Matthew Craft, said cybercrimes in Australia often went unreported.

“The problem we have nationally—not just in New South Wales—is that the reporting rate for cyber-related crimes is very low,” Craft said.

Cyber-Harassment Charges Dropped Against Nutley Cop Photo Tweeters

Cyber-harassment charges brought against five people who sought to publicly identify a New Jersey cop on Twitter have been dropped.

The defendants were accused of causing Nutley Police Detective PJ Sandomenico to fear that harm would come to himself, his family, and his property by sharing a photograph of the officer performing his duties at a Black Lives Matter protest on June 26. 

An image of Sandomenico wearing a face mask that read "blue lives matter" was posted on Twitter by Kevin Alfaro of Belleville under the username kevi7 along with the comment "If anyone knows who this b***h is throw his info under this tweet." 

The post was subsequently retweeted by four other people, including Nutley resident Andrew Koslecki; Belleville residents Diana Lubizaca and Kamila Mikulec; and Queens Village, New York, resident Georgana Sziszak. 

Six weeks later, the defendants, all of whom were aged between 18 and 21, received summonses in the mail. If convicted of cyber-harassment in New Jersey, each of the Twitter users could have been slapped with a $10,000 fine and served 18 months in state prison for committing a fourth-degree felony.

Speaking on Friday, August 7, Katherine Carter, a spokeswoman for the prosecutor's office, said: "After reviewing the cases, we concluded there was insufficient evidence to sustain our burden of proof. Consequently, we moved today to dismiss all charges."

After receiving her summons, Sziszak started a GoFundMe page to foot her legal bills and raised nearly $10k. 

Commenting on her decision to re-tweet the post featuring Sandomenico, Sziszak said on her page: "On Friday, June 26, my friend attended a BLM solidarity ride out/protest. At the protest, they were met with anti-BLM counter-protestors; separated by a wall comprised of officers from the Police Department. 

"I physically did not attend this protest but shared my support by RETWEETING his tweet. His tweet was a picture of the cop turning his back and his badge # was NOT VISIBLE. My friend stated that he felt threatened by this cop and attempted to specifically identify this cop via tweeting.  

"The purpose of this tweet was to find out the officer's information, to hold him accountable.”

Public Sector Outperforming Private in Data Management Although Challenges Remain

The public sector is ahead of other industries when it comes to data efficiency and usability, according to a study by Veritas Technologies.

Whilst 30% of the data stored by public sector organizations has a known value, just 15% falls into this category in general industry. In addition, public sector data considered redundant, obsolete and trivial (ROT) is half that of private sector companies.

However, substantial data challenges remain in the public sector, which has the same rate of dark data stored as industry counterparts (50%). This means significant public money is being spent on backing up data with unknown value.

Worryingly, in the survey of 100 public sector IT leaders, more than a quarter (27%) said they never tag data, mainly due to the belief that it is a laborious and expensive process.

Andy Warren, UK&I director, public sector, at Veritas Technologies, commented: “The average survey respondent was spending as much as £696,460 a year on data storage, half of which is dark. Tagging data, as basic as it sounds, is the first step in getting control of it, and can very effectively form the foundation to a program that reduces cost and increases efficiency.”

An apparent reluctance to store data in the cloud could also be hampering efforts to improve data efficiency, with just 17% of public sector information currently held on this platform.

Nevertheless, there is growing awareness of the need to improve data management across the sector; the study found that a high proportion of public sector IT leaders consider increasing internal data visibility (68%) and improved data sharing between teams (59%) to be priorities.

Warren added: “The challenge is real, and so much progress has already been made in the public sector in spite of cost limitations and large swathes of extremely sensitive data. However, provable cost savings can still be realized by consolidating infrastructure, understanding the data estate and deleting what isn’t needed. The technology is now available to reduce costs, improve efficiency and aid compliance.”

Data Breach at Illinois Healthcare System

Illinois healthcare system FHN has notified patients of a data breach that took place in February. 

An investigation was launched by the Freeport-based healthcare provider after it transpired that the email accounts of a number of employees had been compromised. 

According to a notice issued by FHN, the alarm was raised when suspicious activity was spotted within the compromised email accounts. FHN responded by securing the accounts and hiring a "leading computer forensic firm" to determine what had occurred. 

The investigation into the incident concluded on April 30 and determined that an unauthorized person accessed the accounts between February 12 and February 13. 

FHN stated: "The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. Out of an abundance of caution, we reviewed the emails and attachments contained in the email accounts to identify patient information that may have been accessible to the unauthorized person."

After reviewing the emails and attachments that were compromised in the incident, FHN found that sensitive data belonging to some patients had been accessible to the unauthorized third party. 

Information exposed in the data breach included some patients’ names, dates of birth, medical record or patient account numbers, health insurance information, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information.

In some instances, patients’ health insurance information and/or Social Security numbers were also identified in the compromised email accounts. 

"This incident did not affect all FHN patients, but only those patients whose information was contained in the affected email accounts," stated FHN.

FHN is offering complimentary credit monitoring and identity protection services to those patients whose Social Security numbers and/or drivers’ license numbers were exposed in the incident.

FHN announced on July 31 that patients had been notified of the data breach. The company said it was taking steps to prevent future cyber-incidents. 

"To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multi-factor authentication," stated FHN.

British MSPs Apply for Government Furlough Scheme

UK managed services providers (MSPs) have applied for government financial relief in the wake of the COVID-19 pandemic, with 74% receiving the help they needed.

According to a survey of 500 MSPs by SolarWinds, 45% of UK MSPs have had to furlough staff, and 50% said they had applied for government financial relief.

However, whilst 65% of MSPs do not anticipate making any pricing changes to their managed services package in the long-term, 19% have reduced their services to fit shrinking customer budgets and 13% intend to increase their prices following the pandemic.

The survey also found that the majority of businesses (with a revenue up to $10m) did not think that it was likely they would engage in a merger or acquisition to support expansion. However, for MSPs with a revenue over $10m, 40% said it was likely they would engage in a merger or acquisition, while 37% said it was not likely and 23% said they were not sure.

Colin Knox, vice-president of community, SolarWinds MSP, said the overwhelming majority of MSPs retaining their staff “during a time period characterized by uncertainty is truly heartening.”

He said: “This crisis has re-enforced the value MSPs bring to businesses. Without MSPs as an extension of the team — focused on risk mitigation and business continuity — many businesses would have been lost, and wouldn’t have been able to support remote working on such a vast, immediate scale. The knowledge, expertise, and skillset of MSPs has been crucial in this changing climate. They have truly become essential.”

In an email to Infosecurity, Brian Honan, CEO of BH Consulting, said staff being furloughed is a worrying trend as it may highlight many MSSPs do not have the financial stability to survive in the long-term. He said: “Good security staff may not wish to work for a MSSP that is struggling financially and may seek better job stability elsewhere, leaving lesser skilled staff working in the MSSP. If your company’s security relies on a MSSP provider that is not financially stable you could be facing potential service delivery and service quality issues in the medium to long-term.

“It is also worth noting that criminals could take advantage of a MSSP that is furloughing their staff. Staff that are suffering financially are more susceptible to bribery which criminals will exploit. It can be cheaper and more effective to bribe an insider than it is to hack the organization.”

Honan also raised concerns about the numbers of MSPs that have staff working remotely. “Remember that some of the most sensitive data in an organization could be passed over to an MSSP,” he said. “If an MSSP had moved to a remote working environment then how secure are their remote workers? Many MSSPs traditionally have their operations center physically secured and isolated, both physically and logically, from the rest of their business to ensure the security of their clients’ networks. Can the MSSPs offer the same level of security from the homes of their remote workers?”

He also questioned whether, in the rush to support remote working, MSSPs had spent enough time and resources ensuring their systems were properly secured for the new work environment.

“Let’s not forget that criminals will look to take advantage of any weakness in a company’s security,” Honan said. “We have seen attacks in the past targeting MSSP providers to use them as a stepping stone to attack the MSSP’s own customers. Alternatively criminals could take advantage of any security holes in the MSSP’s new remote working solution by attacking the MSSP to cover an attack against one or more of its customers.”

Honan also said the market has been flooded with new MSPs who see the opportunity to make money, and the coming months may see some of the smaller and non-security specialist players drop from the field as they face financial difficulties.

Experts Warn of ‘Consultants’ Promising to Secure Fake COVID Aid

US consumer rights experts are warning of a new wave of fraudulent services claiming to help individuals and businesses get free money from government COVID-19 aid programs.

The Better Business Bureau (BBB) claimed that victims can be snared via dishonest social media ads, search results and even recommendations from unwitting friends and family.

If they click through to the scam site, fake ‘consultants’ will promise to secure government aid money where an earlier application may have been denied, for example by the US Small Business Administration.

“To get started, all you have to do is fill out some paperwork. This typically requires sharing sensitive, personal information, such as your full name, home address, and government ID numbers. Next, the ‘consultant’ will ask you for an upfront payment for their services. You may also be required to pay a portion of the government aid funds you receive directly to the company, which they will likely also ask for up front,” the BBB explained.

“Most of the time, these ‘consultants’ don’t really have any special information on government aid programs. Instead, they are simply hoping to get your personal information and an initial payment. Once you’ve paid, the consultant will disappear and the company will become unreachable.”

Victims will not only lose their money but, if they’ve handed over any personal information, may be at risk of follow-on identity fraud, the BBB warned.

The non-profit urged individuals and business owners never to give out personal details to strangers and to beware of promises that sound too good to be true.

It advised would-be applicants to visit government websites direct and, if dealing with a third-party, to research them and their claims thoroughly before proceeding. The BBB has a list of accredited businesses, for example.

DDoS Attacks Triple in Q2 to Target #COVID19 Home Workers

The volume of distributed denial of service (DDoS) attacks in the second quarter of 2020 increased three-fold from the same period last year, according to new data from Kaspersky.

The Russian cybersecurity vendor claimed in its Kaspersky Q2 2020 DDoS attacks report that it detected and blocked 217% more DDoS attempts than in Q2 2019.

This appears to run counter to usual seasonal trends, which see DDoS attacks peak at the start of the year and then decline through late spring and summer, it said. The volume of detected attacks fell 39% from Q1 2019 to Q2 2019, for example, and by 34% for the same period in 2018.

However, this year, the volume of detected attacks increased by 30% from the first to the second quarters, according to Kaspersky.

What’s more, the highest number of attacks per day reached nearly 300 in the second quarter (on April 9), while in Q1 2020 the record was 242.

Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team, argued that the uptick in DDoS activity may be tied to the impact of the pandemic on computer users.

“This year, people have not been able to enjoy a normal holiday season as many regions have kept COVID-19 lockdown measures in place. This has left more people than usual still depending on online resources for both personal and work-related activities, making this summer a busy period for online businesses and information resources,” he explained.

“As a result, we saw unprecedented activity in the DDoS market. And so far, there is no reason to predict a decline.”

The firm urged organizations to ensure they have round-the-clock support in place to manage critical web resources, validate agreements and contact info with ISPs to support rapid response, and to choose effective DDoS prevention from a proven provider.

HaveIBeenPwned Set to Go Open Source

Popular breach notification site HaveIBeenPwned (HIBP) is going open source to ensure the long-term viability of the project, according to founder Troy Hunt.

The Australian Microsoft regional director and MVP made the announcement in a blog post on Friday, saying that the decision came as a result of his failed attempt to find a buyer for the site earlier this year.

“The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me,” he revealed. “Yet that's where we are today and if I disappear, HIBP quickly withers and dies.”

The move to open source the site will go a long way to allay privacy concerns over how HIBP operates, by enhancing code transparency and demonstrating that data searches aren’t being logged internally, Hunt continued.

However, the main aim is to make the site “a more sustainable, more robustly featured community service.”

Hunt said he is currently in discussions with Azure and .NET experts to transition HIBP from completely closed to completely open. The process will be worked through incrementally but there’s no clear timeline as yet. Hunt will likely remain a major part of the project for some time to come.

As if to emphasize the importance of HIBP to the security industry and breach victims, Hunt revealed that in the past two weeks alone, over 96 million breached records had been added to the site, from 16 separate incidents.

A k-anonymity API for the site's Pwned Passwords corpus, designed with a Cloudflare engineer, lets services from the likes of Okta, LastPass, 1Password, Apple and Google check whether a user's password has appeared in a breach without ever sending the password, or even its full hash, to HIBP: the client submits only the first five characters of the SHA-1 hash and matches the rest locally against the returned range.
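
The client side of that range query, as an added example in Python that is not code from HIBP, Cloudflare or any of the named services. The hashing and prefix/suffix split follow the published Pwned Passwords scheme; the range response embedded in `CONSTRUCTED_RANGES` is constructed for offline use, and its counts and filler suffixes are made up. The `live_fetch` helper shows the real endpoint shape but is not called by default.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the HIBP range endpoint. The real API answers
# GET https://api.pwnedpasswords.com/range/<5 hex chars> with one line per
# hash in that bucket, "<35-hex-char suffix>:<count>". Everything below is
# made up except the middle suffix, which is the real SHA-1 tail of "password".
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:14\r\n"
    ),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that
    leaves the client and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict. Padded responses (the
    Add-Padding header) include filler entries with count 0; keeping them
    as 0 means they never register as a breach hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return an
    empty bucket."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real range lookup (network; not used by the offline demo). Only the
    5-character prefix appears in the URL."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-k-anon-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(
    password: str, fetch_range: Callable[[str], str] = constructed_fetch
) -> int:
    """Return how often the password appears in the corpus (0 = not seen).
    The server learns only the prefix, i.e. which ~1-in-1,048,576 bucket the
    hash falls in; the suffix comparison happens here."""
    prefix, suffix = hash_parts(password)
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = hash_parts(pw)
        print(f"{pw!r}: prefix sent={prefix}, hits={breach_count(pw)}")
```

Swap `live_fetch` in for `constructed_fetch` to query the real service; the padding header makes every bucket a similar size so response length does not leak which prefix was asked about.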

Utah Family Tormented in “Stalking on Steroids” Case

A Hawaii man has admitted sending over 500 unwanted visitors to the home of a Utah family in a case police have described as "stalking on steroids."

Loren M. Okamura was arrested in December 2019 on charges of cyber-stalking, making interstate threats, and transporting a person over state lines for the purpose of prostitution. The 44-year-old entered a guilty plea in US District Court on July 27.

Okamura admitted sending a string of unwanted service providers to the North Salt Lake home of Walt Gilmore and his family. Unwanted visitors turned away by the Gilmores as a result of Okamura's actions included plumbers, locksmiths, food delivery workers, electricians, and sex workers.

When arranging the unwanted services, Okamura used apps to obscure his identity and phone location data. 

The family's stalking experience began in August 2018 when a tow-truck company employee turned up on their doorstep with false instructions to remove a car from the Gilmore's driveway. 

For the next seven months, the family turned away up to 20 people a day who had been sent to their house by Okamura under false pretenses. 

The arrival of misled service providers at the Gilmore family home became so frequent that the family resorted to erecting a sign in their front yard warning of the hoax. 

“This is stalking on steroids. It’s pretty vicious,” North Salt Lake police told the Deseret News in March 2019.

Gilmore said that the family was plagued by unwanted visitors at all hours of the day and night.

"They have police records. Criminals. Felons. Active warrants for their arrests coming to my home. They’re looking for drugs. They’re offering prostitution," Gilmore told the Deseret News.

"These are individuals who come to our home in the middle of the night—10, 11 o’clock, 1, 2, 3 in the morning."

Local police parked a patrol car in the family's driveway to deter people scammed by Okamura from knocking on the front door. Police estimate that the companies Okamura scammed have lost over $20k in staff hours and uncollected service fees.

Walt Gilmore said that his adult daughter had known Okamura at one point but no longer had any contact with the cyber-stalker. 

Okamura's sentencing is scheduled for October 5.

Alleged Soccer Leaks Source Released from Custody

A Portuguese computer whiz accused of leaking a series of confidential documents belonging to various soccer clubs has been released from custody.

Rui Pinto has been moved to a safe house in Portugal after spending 18 months in custody while he awaits his trial before a Portuguese court.

The 32-year-old was arrested in Hungary in March 2019 on charges related to hacking, violation of correspondence, computer sabotage, illegitimate access, and attempted extortion. Pinto had been resident in Hungary for four years at the time of his arrest.

Portugal state broadcaster RTP and other media reported that Pinto was released from police custody in Lisbon late Friday.

Pinto's removal to a safe house at the behest of Judge Margarida Alves follows intervention in the defendant's case by Luís Neves, the head of Portugal's Policia Judiciaria. 

In a June interview with Diário de Notícias, Neves described Pinto as a young man with serious concerns for society. The police chief then called for a change to the law to protect whistleblowers who cooperate with the justice system to expose organized crime and corruption.

Further support for Pinto's cause came from Albano Pinto, director of the central department of criminal investigation and penal action (DCIAP). In July, Albano Pinto, who is no relation of Rui Pinto, praised the accused for his “total availability and spontaneity to get to the truth.”

The Observador reported that Pinto cooperated with Portuguese police by unlocking access codes for all the electronic devices to which he had access. 

Pinto was initially accused by Portugal's Public Ministry of committing 147 crimes, but following his collaboration with DCIAP, some of the charges against Rui Pinto were dropped.

The accused is currently awaiting trial for 90 crimes, including six counts of illegitimate access, one count of computer sabotage, 14 counts of violation of correspondence, 68 counts of undue access and one count of attempted extortion.

The prosecutor in Pinto's case disagreed with Judge Alves' decision to release the defendant. According to Observador, the prosecutor fears that by having access to the internet, Pinto "may destroy evidence or even continue criminal activity."

Europe Cookie Law Comparison Tool Launched

Global law firm Dentons has created a free tool to help users understand their obligations regarding the use of internet cookies across 28 European countries. 

The Europe Cookie Law Comparison tool was launched today with the support of the Nextlaw Referral Network. Its authors hope the tool will bring users greater clarity with respect to their legal and data privacy responsibilities in an ever-changing regulatory context.

Inspiration for the tool came partly from the frustration of trying to navigate the requirements for obtaining consent for the use of cookies, a grievance experienced by both website owners and visitors. Current confusion concerning cookies comes from the fact that different countries have introduced different regulations regarding their use.

“Pending the adoption of the new e-Privacy Regulation, various European data protection authorities have decided to take autonomous action on cookies by issuing additional specific local guidelines and measures,” commented Giangiacomo Olivi, Dentons partner and co-head of its Europe Data Privacy and Security team.

"The tool will help to navigate the fragmented regulations across 28 countries in Europe."

Users of the tool are able to compare and contrast the regulations set by up to three countries at a time and immediately share the results with their colleagues via email. The tool has been designed to draw from up-to-the-minute information to keep up with the fast pace of regulatory change. 

“We see this tool as the first point of call for the legal and compliance personnel of globally active companies, who need to comply with privacy and other laws applicable to cookies and similar technologies across multiple jurisdictions in Europe,” said Dentons partner and co-head of the firm's Europe Data Privacy and Security team, Marc Elshof.

Dentons lawyers contributed the legal analysis for Belgium, the Czech Republic, France, Germany, Hungary, Italy, Luxembourg, the Netherlands, Poland, Romania, Slovakia, Spain, and the UK. In addition, several law firms from the Nextlaw Referral Network contributed content for specific jurisdictions: CHSH (Austria), Wolf Theiss (Bulgaria), Antoniou McCollum & Co. (Cyprus), Cacic & Partners (Croatia), Lundgrens (Denmark), Derling (Estonia), Krogerus (Finland), Kyriakides Georgopoulos (Greece), LK Shields (Ireland), Kronbergs Čukste Levin (Latvia), Ellex Valiunas (Lithuania), GVZH Advocates (Malta), PLMJ (Portugal), Karanovic & Partners (Slovenia), and Setterwalls (Sweden).

Under Half of Teachers Think Schools Have “Done Enough” to Tackle Cybersecurity Issues

Over half (51%) of UK school teachers are either unsure or disagree that their school is well-equipped to tackle cybersecurity issues, according to a new study published by ESET.

This follows a period in which many schools have been teaching online, with most pupils unable to attend in person because of the COVID-19 lockdown restrictions introduced in the UK on 23 March.

Yet in a survey of 1000 teachers conducted by Internet Matters, just 49% felt that their school had “done enough” to avoid problems. More than a third (36%) said they’ve had no information from schools on cybersecurity in the past year, while just 20% have received training after lockdown began.

Additionally, 31% have not had any training on how to talk to children about data and identity protection issues and more than a quarter (26%) had not been given any guidance on cybersecurity best practice in the past year.

Nearly half (45%) even feel their pupils had a better knowledge of cybersecurity issues than they do.

The findings suggest that there should be a much greater focus on educating teachers about cybersecurity issues – particularly as 96% of those who have received such training found it useful.

Julian Roberts, head of marketing at ESET, said: “Now, more than ever, tackling cybersecurity needs to be a top priority for schools as they may be increasingly forced to turn to the online world to support their pupils and their educational needs.

“Cyber-criminals are constantly evolving their methods and organizations that oversee young people using technology must be fully equipped to not just tackle potential issues but educate as well.

“With education entering the virtual world, whether in the physical classroom or at home, we would advise that cybersecurity training for teachers and pupils is crucial and that teachers are equipped by their school or IT teams with the right tools and advice to provide to parents too.”

ESET and Internet Matters are currently collaborating to provide guidance on the most effective ways of delivering online safety advice to parents and children within the school environment.

#DEFCON: How the International Space Station Enables Cybersecurity

Like any other IT environment, there are potential cyber-risks to the International Space Station (ISS), though the station is quite literally like no environment on Earth.

In a session on August 9 at the Aerospace Village within the DEFCON virtual security conference, former NASA astronaut Pamela Melroy outlined the cybersecurity lessons learned from human spaceflight and what still remains a risk. Melroy flew on two space shuttle missions during her tenure at NASA and visited ISS. Hurtling high above the Earth, ISS is loaded full of computing systems designed to control the station, conduct experiments and communicate with the ground.

“Space is incredibly important in our daily lives,” Melroy said.

She noted that GPS, weather tracking and communications are reliant on space-based technology. In Melroy’s view, the space industry has had somewhat of a complacent attitude about satellite security, because physical access was basically impossible once the satellite was launched.

“Now we know that our key infrastructure is at risk on the ground as it is in space, from both physical and cyber-threats,” Melroy stated.

The Real Threats to Space Today

Attacks against space-based infrastructure including satellites are not theoretical either.

Melroy noted that the simplest type of attack is a Denial of Service (DoS), which is essentially a signal-jamming activity. She added that it already happens now, sometimes inadvertently, that a space-based signal is blocked. There is also a more limited risk that a data transmission could be intercepted and manipulated by an attacker.

What isn’t particularly likely, though, is some kind of attack where an adversary attempts to direct one satellite to hit another. That said, Melroy said that there could be a risk from misconfiguring a control system in a way that would trigger a satellite to overheat or shut down.

How the ISS Secures its Network

During her presentation, Melroy outlined the many different steps that NASA and its international partners have taken to help secure the IT systems on-board ISS.

The entire network by which NASA controllers at Mission Control communicate with ISS is a private network, operated by NASA. Melroy emphasized that control traffic does not go over the open internet at any point.

There is also a very rigorous verification system for any commands and data communications that are sent from the ground to ISS. Melroy noted that the primary idea behind the verification is not necessarily about malicious hacking, but rather about limiting the risk of a ground controller sending a bad command to space.

“There’s a very rigorous certification process required for controllers in the International Space Station Mission Control Center (MCC) to allow them to send commands to the space station,” she explained. “In addition there are screening protocols both before a message ever leaves MCC going up to the ISS and once it’s on board ISS, to check and make sure that the command will not inadvertently do some damage to the station.”

Using Twitter in Space

ISS also makes use of a highly distributed architecture such that different sets of systems and networks are isolated from one another.

For station operations, Melroy said that astronauts make use of technology known as Portable Computer Systems (PCS), which are essentially remote terminals used to send commands to the station’s primary computing units.

There is also a local area network on the station with support computers used for limited internet access including email and social media like Twitter. While the local ISS network has internet access, it is not directly connected to the public internet.

Melroy explained that there is a proxy computer inside the firewall at the Johnson Space Center, in Houston, Texas, that is connected with ISS. As such, the space station support computers talk to the proxy computer, which then goes out onto the public internet.

“Now of course, just like any computer, it’s still subject potentially to malware,” Melroy said. “However, the most important thing is that the station support computers in no way shape or form are networked to the actual commanding of the station, they’re completely separate systems and they don’t talk to each other.”

Areas of Concern for Spaceflight Security

While ISS has multiple layers of security, Melroy commented that there are still some areas of concern for spaceflight and space cybersecurity.

For satellites, she noted that the uplink and downlink to most satellites are encrypted, though the data on-board the satellite often is not. Additionally, she expressed concern about ground-based control systems for satellites. Melroy explained that satellite ground systems have the same cybersecurity risks as any enterprise IT system.

“The most serious problem I think we have in space is complacency, many people in space think that their systems are not vulnerable to cyber-attacks,” Melroy said. “We are going to have to figure out how to insert cybersecurity and an awareness of that into the values and the culture of aerospace, all the way from the beginning in design and through to operations.”

Travelex Forced into Administration After Ransomware Attack

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go.

PwC announced late last week that it had been appointed joint administrators of the currency exchange business.

Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring.

“The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.

The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.

Unconfirmed reports at the time suggested that a critical unpatched vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored.

It’s still unclear exactly how much these mistakes ended up costing the firm although reports suggested that the REvil gang was demanding a $6m (£4.6m) ransom in return for the decryption key and deletion of stolen customer data.

Parent company Finablr revealed in March that a combination of the cyber-attack and the hit to business from COVID-19 was predicted to cost the firm £25m in Q1 2020, although it also claimed that cyber-insurance would cover a large part of its outgoings.

PwC remained upbeat about the future of the company, following its £84 million restructuring.

“The completion of this transaction has safeguarded 1802 jobs in the UK and a further 3635 globally, and ensured the continuation of a globally recognized brand,” said joint administrator, Toby Banfield.

TikTok Ban Could Spur Legal Action Against Trump

TikTok looks set to sue the US government after Presidential Executive Orders issued on Friday effectively banned it and messaging app WeChat in the country.

A statement from the Chinese-owned social media app expressed exasperation at the decision, which it said was made without any “due process or adherence to the law.”

“For nearly a year, we have sought to engage with the US government in good faith to provide a constructive solution to the concerns that have been expressed,” it argued.

“What we encountered instead was that the administration paid no attention to facts, dictated terms of an agreement without going through standard legal processes, and tried to insert itself into negotiations between private businesses.”

The Executive Order has been viewed by many as a deliberate attempt to force a sale of TikTok’s US operations to a domestic tech firm. Microsoft currently appears to be in the driving seat although reports suggest Twitter is also interested. Donald Trump has reportedly claimed the US Treasury should get a cut of the sale for helping to enable the deal.

“TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage,” the Executive Order alleged.

“TikTok also reportedly censors content that the Chinese Communist Party deems politically sensitive, such as content concerning protests in Hong Kong and China’s treatment of Uyghurs and other Muslim minorities. This mobile application may also be used for disinformation campaigns that benefit the Chinese Communist Party, such as when TikTok videos spread debunked conspiracy theories about the origins of the 2019 Novel Coronavirus.”

TikTok denied having ever censored content or shared data with the Chinese government, and argued that the decision threatens to undermine business trust in America’s commitment to the rule of law.

Reports suggest it could be ready to file a suit against the Trump administration as early as Tuesday.

A separate order was issued on Friday which effectively bans the use of Chinese messaging giant WeChat in the US.

Mishcon de Reya’s cyber-intelligence director, Mark Tibbs, said the orders could spark a significant backlash, both by the Chinese government and among user groups.

“Considering the scale of usage of both apps in the US and globally, these executive orders will undoubtedly cause substantial impacts for both users, communities and in some instances, businesses which rely on the apps to market goods and services, or promote their brands,” he argued.

“The orders may also stimulate the development of various technical workarounds by users to be able to use the apps, and indeed the development of similar apps to fill the niche which will exist. Larger US technology companies will likely see the announcements as an opportunity for future acquisition or launching and promotion of their own alternatives.”

Intel Investigates as 20GB of Internal Data is Leaked

Intel is currently looking into how 20GB of sensitive internal data came to find its way online.

The range of documents — some marked “confidential,” “under NDA” or “restricted secret” — were uploaded to file hosting service MEGA by Swiss Android developer Till Kottmann.

Before his account was suspended by Twitter, Kottmann explained on the site that “most of the things here have not been published anywhere before.”

They include details on chip roadmaps, development and debugging tools, schematics, training videos, process simulator ADKs, sample code, Bringup guides and much more.

Affected platforms include Kaby Lake, Snow Ridge, Elkhart Lake and the unreleased 10nm Tiger Lake architecture.

Kottmann claimed to have received this data from a third party who found it on an unsecured server via a simple nmap scan. Many of the zip files were reportedly protected with passwords that were easy to guess or crack.

However, Intel doesn’t believe the data came from a network breach, and said in a brief statement that it is urgently investigating what may have happened.

“The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access,” it continued. “We believe an individual with access downloaded and shared this data."

Although there appears to have been no personally identifiable information (PII) exposed in the breach, the compromise of so many sensitive internal documents will be ringing alarm bells at the chipmaker’s HQ — especially as more leaks have been promised.

Erich Kron, security awareness advocate at KnowBe4, said the incident highlights supply chain cyber-risk.

“There is always a risk when sharing potentially sensitive information to these business partners, however, this is often an unavoidable part of doing business,” he added.

“Whenever providing intellectual property access to another organization or individual, it is important to log not only who has access, but when and what data they are accessing. Even better, as in this case with Intel, ensuring that you know where the documents have been shared by potentially marking the document itself, can be very valuable when hunting potential misuse as appears to have occurred here."

#DEFCON: Bypassing Biometric Scanners with 3D Printed Fingerprints

Biometric authentication, including facial recognition and fingerprint scanners, is increasingly common, but that doesn’t mean it is safe from hackers.

At the DEFCON virtual security conference on August 8, security researcher Yamila Levalle from Dreamlab Technologies outlined how she was able to bypass biometric authentication for a number of different types of fingerprint scanners. During her session, Levalle explained various methods of bypass including using a budget 3D printer, which yielded positive results.

“Biometrics is the science of establishing or determining an identity, based on the physical or behavioral traits of an individual,” Levalle explained. “Biometric systems are essentially pattern recognition systems that read as input biometric data, then extract the feature set from such data, and finally compare it with a template stored in a database.”

Attacks Against Biometric Systems

There are multiple types of attacks that are possible against biometric systems.

There are physical attacks against the sensors and there are presentation and spoofing attacks. Levalle noted that she was focused on the spoofing attacks: attempting to trick a system into believing a fraudulent fingerprint was in fact authentic.

Attacks against biometric systems are not hypothetical either and happen in the real world, which is what inspired Levalle to conduct her research. In her home country of Argentina, six employees of the Aerolineas Argentinas airline were caught in 2019 falsifying work attendance. The airline employees allegedly used silicone fingerprints to check in others who were not at work.

Tricking Fingerprint Scanners with 3D Printed Molds

Levalle explained that a fingerprint scanner doesn’t have to find the entire pattern of distinctive features in a human fingerprint in order to work. Rather, she noted it simply has to find a sufficient number of features and patterns that the two prints have in common.

As part of her research to see if it was possible to use a 3D printed fingerprint that can trick the majority of scanners, she said that a UV resin 3D printer is needed. For her research, she made use of the budget-friendly Anycubic Photon 3D printer, as it can print to a resolution of 25 microns. Levalle said that human fingerprint ridges can have a height of between 20 and 60 microns.

The first step in her research was to lift the latent fingerprint with a digital camera that had macro image functionality. The image was then digitally enhanced with an open source Python tool to optimize the fingerprint. The next step was to bring the image into a 3D modelling tool, like TinkerCAD, to create the actual model.

The hardest part of the process according to Levalle was configuring the fingerprint length and width to the same size as the original, which was no easy task since she didn’t have a digital microscope to take the measurements. Ultimately, after more than 10 tries, she was successful in 3D printing a fingerprint that could trick scanners.

“It’s not easy to duplicate the fingerprint, it takes time and experience, but it can be done,” she said.

Blackbaud Breach Impacts National Trust Volunteers

Britain's National Trust has warned volunteers of a data breach linked to a cyber-attack on US cloud computing and software provider Blackbaud in May.

The charity and membership organization for heritage conservation in England, Wales, and Northern Ireland has been contacting volunteers by email to notify them of the breach.

National Trust data exposed as a result of the ransomware attack on Blackbaud belongs to past and present volunteers and applicants for the trust's volunteer program. 

Compromised information includes name, date of birth, gender, address, and contact details. The Trust assured its volunteers that while some sensitive information pertaining to equality monitoring was affected, no financial data was exposed. 

In an August 7 email to users of its volunteer program, the National Trust's CIO, Jon Townsend, wrote: "Our membership systems and data were not affected."

Townsend said Blackbaud reached out to the Trust in July to inform them about the cyber-attack. The company said that all the data stolen in the attack related to Blackbaud's systems only and has since been destroyed. 

The National Trust has reported the incident to the Information Commissioner’s Office, the UK’s regulator for data protection. The organization has set up an email address that any concerned volunteers can contact for more information about the data breach.

In the August 7 breach notification email, Townsend wrote: "On 16 July 2020 we were contacted by Blackbaud, the company that holds some of our volunteering data, to tell us that they’d been the victim of a cyber-attack."

Townsend told Trust volunteers that no action was required from them and apologized for any concern that may have been caused by the breach.

"We take data protection extremely seriously at the National Trust," wrote Townsend. "We’re looking again at the security of how data is managed and working closely with Blackbaud to discover exactly what happened."

Cybrary Releases Free Cybersecurity Courses

The world’s largest online cybersecurity career development platform has released a second installment of free educational courses.

Cybrary made a clutch of courses free in July in a bid to support people who are considering a career in cybersecurity and those impacted professionally by the ongoing COVID-19 pandemic. 

A Cybrary spokesperson said: "These free courses aim to encourage continued training and resumé building for current cyber professionals, recent graduates, and those looking to transition into the security and IT industry."

This month, a second wave of free online courses was released that will be available to users until September 1. Courses range in length from one to nine hours and cover topics from cloud architecture foundations to DNSTwist fundamentals.

Newcomers to cybersecurity are catered to with courses on command-line basics and the fundamentals of cybersecurity architecture, while the more advanced might choose to study physical penetration testing.

"As part of our mission to provide opportunity for personal and professional growth—something that has only become more important in the challenging employment landscape we are currently facing—we hope these free course offerings encourage and empower individuals to expand their cyber and IT skill set," said Cybrary co-founder and CEO Ryan Corey. 

"These additional free courses help address the current skills gap, while also providing the necessary knowledge and resources for those working toward building future careers in the cybersecurity or IT field."

The seven free courses released by Cybrary last month were Cyber Network Security, Intro to Cyber Threat Intel, Advanced Cyber Threat Intel, Web Defense Fundamentals, Kali Linux Fundamentals, CCSK, and Microsoft 365 Fundamentals.

Corey said that by making the courses free to everyone who can access the internet, Cybrary hoped "to help build a more secure digital world by providing learning opportunities available to everyone.”

Since being founded in 2015, Cybrary has attracted a community of nearly 3 million users, including multiple Fortune 100 companies. The American company is headquartered in College Park, Maryland. 

The monthly release of free courses follows the April launch of the Cybrary Scholars Program, which gives participants a free year of Cybrary’s Insider Pro membership, a CompTIA exam voucher, and a year of mentorship with an experienced Cybrary community mentor.

Pirate Subscription Services Now a Billion-Dollar Industry in US

Illegal TV subscription services in the United States have grown into a billion-dollar industry, according to new research jointly released yesterday by Digital Citizens Alliance and NAGRA.

The investigative report Money for Nothing reveals the existence of a sophisticated piracy ecosystem made up of thousands of retailers and wholesalers. This nefarious network steals from creators and circumvents legitimate TV operators to provide illegal subscription services to millions of US households. 

According to the report, the most virulent and fastest-growing illegal streaming enterprise is the pirate subscription Internet Protocol Television (PS IPTV) Service. This type of service typically costs just $10 to $15 a month and mimics the practices of legitimate streaming services.

The report found that an estimated 9 million fixed broadband subscribers in the US use a pirate subscription IPTV service. However, the ecosystem relies on legitimate businesses, including hosting services, payment processors, and social media, to market their stolen content.

Researchers noted that the illegal subscription providers sell their wares via "at least 3,500 US-facing storefront websites, social media pages, and stores within online marketplaces that sell services."

Selling illegal subscriptions is highly lucrative since the providers pay nothing for the programming that makes up their core products. Researchers estimated that providers operate with profit margins ranging from 56% for retailers to 85% for wholesalers.

While piracy subscriptions alone are a billion-dollar industry, researchers found criminals also make money by selling screen time to advertisers and vending stolen streaming devices used to receive the snatched content.

On the surface, consumers of illegal subscription services might think they are getting a great deal. But the report found that pirates generate revenue by partnering with hackers to install malware within free apps that expose consumers to the risk of theft of their personal and financial data, cryptocurrency mining, adware, ransomware, and botnets that use their computers to perform distributed denial-of-service (DDoS) attacks.

“When it comes to piracy, the scope of the risk to consumers, small businesses and others is in direct proportion to the size of the industry, which is why we need to stop the reach and depth of this ecosystem before it grows even bigger,” said Digital Citizens Alliance executive director Tom Galvin.

Major Retailer at Risk of Attack Due to VPN Vulnerabilities

Clothing retailer Monsoon Accessorize has been using VPN servers that have critical vulnerabilities, putting it at risk of hacking or ransomware attack, according to an analysis by VPNpro.

The researchers discovered that Monsoon has been utilizing unpatched Pulse Connect Secure VPN servers, known to contain vulnerabilities that enable cyber-criminals to see active users on the company’s VPN as well as their plaintext passwords.

This information can then be used to access the servers and attack the company in various ways.

The biggest threat to organizations which have this vulnerability is having their servers locked down with ransomware, according to VPNpro. It is a similar vulnerability to the one that enabled the attack on global currency exchange business Travelex on New Year’s Eve, which forced the company to take its systems offline as a precautionary measure.

VPNpro said that “our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.”

The data accessed included a sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses.

The cybersecurity firm added that it has contacted Monsoon “multiple times” to inform it of the vulnerability, but has received no response as yet, and the vulnerability remains.

VPNpro recommends that Monsoon customers should monitor their data to make sure their personal information has not been leaked.

Hugo van der Toorn, manager offensive security at Outpost24, told Infosecurity: “This showcases the importance of truly understanding your network perimeter and your vulnerabilities therein. It is pivotal that organizations try to minimize their exposure to the internet and to understand and secure that what is exposed. As proven in this research, scanning the entire internet for specific vulnerabilities can be done with relative ease and happens every time a new critical vulnerability becomes known to the public. Scan everything and see where an attacker can get in; this works both defensively and offensively.

“The safest thing is to not expose anything directly to the internet, unless it is needed for performing daily business. A good example is a VPN; those are meant to allow employees to connect back to the office network and access internal resources. It is important for every device/service that is exposed to the internet to have clear visibility of this system: What software is in use, what components, which versions of those, what ports are open and on what hardware is it running.”

Javvad Malik, security awareness advocate at KnowBe4, added: "Attackers will try to leverage any way they can into organisations. In recent times, we've seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, they run higher privilege and have access to lots of data, they become a very rewarding target. It's why organisations should take care of their security tools, ensure they are patched, and follow the vendor's recommended guidance for any known issues, or settings that could be leveraged by criminals to gain access."

NCSC Offers Seven-Question Guidance on Cyber Insurance

New guidance has been produced on cyber insurance to help organizations considering investing in cover.

Published by the National Cyber Security Centre (NCSC), the guidance highlights seven key cybersecurity questions for businesses to address to help them make more informed decisions around cyber insurance.

The NCSC said that, after calls for expert technical advice on the growing cyber insurance market, it decided to offer the following questions to senior leaders within organizations:

  1. What existing cybersecurity defenses do you already have in place?
  2. How do you bring expertise together to assess a policy?
  3. Do you fully understand the potential impacts of a cyber-incident?
  4. What does the cyber insurance policy cover (or not cover)?
  5. What cybersecurity services are included in the policy, and do you need them?
  6. Does the policy include support during (or after) a cybersecurity incident?
  7. What must be in place to claim against (or renew) your cyber insurance policy?

Sarah Lyons, deputy director for economy and society engagement at the NCSC, said: “Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance, there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC, as the UK’s leading cyber-authority, to offer its support by providing some clarity on the key issues to consider to ensure cybersecurity.

“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”

The guidance was welcomed by two UK insurance associations, the British Insurance Brokers’ Association (BIBA), and the Association of British Insurers (ABI), while Andrea García Beltrán, cyber-manager (underwriting) at the UK & International Division of RSA Commercial, said organizations are increasingly considering the purchase of cyber insurance as part of their cyber-risk management approach. 

“As a result, the NCSC is frequently asked about cyber insurance by customers, however, they cannot provide advice on insurance solutions or products, so they have decided to create guidance considering a wider approach to cyber-risk management by focusing on the cybersecurity elements of cyber insurance,” she said.

“From our perspective, we welcome the guidance especially because not all buyers are sophisticated and we cannot provide advice either.”

She said this will help organizations to have a better understanding of: 

  • Actions needed from the risk management point of view prior to transferring the risk to insurers
  • What to expect during the insurance purchase process
  • Who needs to be involved from the company side; ultimately cyber is an enterprise risk 
  • Role of the insurance broker or agent
  • Overall information needed by insurers to be able to assess the risk

“Last but not least, this guide helps to clarify that cyber insurance is part of a robust cybersecurity resilient strategy and not the only solution to the evolving risk and exposure,” she added.

Steve Durbin, managing director of the Information Security Forum, said: “Cyber-risk is a growing concern for organizations around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount. Risk management as an effective way of addressing these concerns is absolutely key for all organizations during these times of pandemic and recession – many of the secure architectures and structures previously adopted may have changed and ensuring that the way of working today has been risk assessed is a key task for security professionals.

“Increasingly we have seen companies turning to insurance as a means of mitigating costs associated with breaches and the rise in ransomware amongst other threats has pushed many boards into considering cyber insurance. However, insurance is no excuse for poor security and focus should first be on ensuring a robust security posture that reflects the needs of the organization before rushing headlong into taking out insurance as a means of mitigating risk.”

Durbin recommended organizations adopt a robust, scalable and repeatable process to address information risk – obtaining assurance proportionate to the risk faced, in which insurance may play a role. “Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling,” he said.

#BHUSA: Researchers Reveal Attacks Against Email Sender Authentication

The ‘from’ address field in an email is supposed to identify the person that sent an email, but unfortunately that’s not always the case. In a Black Hat USA 2020 virtual conference session researchers outlined 18 different attacks against email sender authentication systems.

Jianjun Chen, postdoctoral researcher at the International Computer Science Institute (ICSI), explained that the original Simple Mail Transfer Protocol (SMTP) – which is used by the world’s email systems to send email – once had no built-in authentication mechanisms. As such, in the early days of the internet, it was trivially easy for anyone to spoof any identity for the ‘from’ address in an email.

That situation changed with the debut of a trio of sender authentication protocols that have been advanced over the past decade. Among those protocols is Sender Policy Framework (SPF) which verifies the IP address of the sending domain. DomainKeys Identified Mail (DKIM) is a standard that verifies that the email is signed by the sending domain. Finally, Domain Message Authentication, Reporting and Conformance (DMARC), brings SPF and DKIM together into a policy framework approach.

Bypassing Email Sender Authentication

However, in a series of slides revealing specific details, Chen, along with his co-presenters Jian Jiang, senior director of engineering at Shape Security, and Vern Paxson, professor at UC Berkeley, outlined how it is possible to get around the enforcement that DMARC is supposed to provide for email sender authentication.

Chen noted that the key idea behind attacks of this nature is to take advantage of inconsistencies between different components of DMARC as well as Mail User Agent (MUA) software, which is what end users use to access email. In one scenario detailed by Chen, an attacker could potentially exploit how SPF and DKIM send results to DMARC in order to trigger a ‘pass’ for email authentication.

Another scenario can exploit an ambiguity in how a receiving email server shows addresses and how the same address is displayed in an email client. For example, the RFC 5322 specification that defines how email messages should be constructed specifies that messages with multiple ‘from’ headers should be rejected. In practice, the researchers found that 19 out of 29 MUAs in fact accepted multiple ‘from’ addresses.

In summing up the different attacks, Jiang noted that when there are multiple identifiers in the email protocol it is easy to have discrepancies and inconsistencies about which identifier to use. He added that email messages are processed by multiple components and all of the components need to have some kind of agreement on the recognized identifiers in order to accurately enforce email sender authorization policies.

How to Defend Against Email Authentication Bypass

Jiang noted that, generally speaking, when the email authentication protocols are parsing emails they should be set up for strict compliance and reject any kind of suspicious formats.

For end users, Jiang suggested never blindly trusting the email address displayed in an email client, even though it’s typically difficult to verify trust. Jiang commented that the researchers overall found that the user interface of email clients is not sufficient to provide any kind of real security assurance about the authenticity of an email.

“So even for a security professional, it’s not easy for them to use any kind of security indicators to show if an email is trustable or not,” Jiang said. “So there is plenty of space to improve in that direction.”
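The strict-parsing stance Jiang describes, as an added example that is not the researchers' code: the receiver rejects any message that carries more than one From header or more than one From mailbox (the RFC 5322 rule the 19 permissive MUAs ignored), and only then checks whether a constructed SPF or DKIM result is DMARC-aligned with the From domain. The two-label organizational-domain rule is an assumption for brevity; real DMARC implementations use the Public Suffix List.

```python
"""Strict From-header validation with DMARC-style alignment checks.

Added example, not code from the Black Hat talk. The organizational-domain
logic is a simplification (last two labels) rather than a Public Suffix
List lookup.
"""
import email
import email.utils
from typing import Optional, Tuple


def rfc5322_from_domain(raw_message: str) -> Tuple[Optional[str], str]:
    """Return (domain, reason). domain is None when the message must be rejected.

    Strict reading of RFC 5322: exactly one From header, exactly one mailbox
    in it, and that mailbox must have a domain part. Anything else is treated
    as a suspicious format and rejected rather than "fixed up".
    """
    msg = email.message_from_string(raw_message)  # default compat32 policy
    froms = msg.get_all("From") or []             # all From headers, in order
    if len(froms) != 1:
        return None, f"expected exactly one From header, found {len(froms)}"
    mailboxes = [addr for _, addr in email.utils.getaddresses(froms) if addr]
    if len(mailboxes) != 1:
        return None, f"From header must carry exactly one mailbox, found {len(mailboxes)}"
    local, at, domain = mailboxes[0].rpartition("@")
    if not at or not local or not domain:
        return None, "From address has no usable domain part"
    return domain.lower().strip("."), "ok"


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption for this example; a production check consults the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_aligned(from_domain: str, authenticated_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict requires an exact match, relaxed
    requires the same organizational domain."""
    if strict:
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def evaluate(raw_message: str,
             spf_domain: Optional[str] = None,
             dkim_domain: Optional[str] = None,
             strict: bool = False) -> Tuple[str, str]:
    """Combine the From-header check with SPF/DKIM alignment.

    spf_domain:  domain that passed SPF (MAIL FROM / HELO), or None.
    dkim_domain: d= value of a DKIM signature that verified, or None.
    Returns (verdict, reason) with verdict in {'reject', 'pass', 'fail'}.
    'reject' means the message never reaches the alignment step at all.
    """
    from_domain, reason = rfc5322_from_domain(raw_message)
    if from_domain is None:
        return "reject", reason
    for name, auth_domain in (("SPF", spf_domain), ("DKIM", dkim_domain)):
        if auth_domain and dmarc_aligned(from_domain, auth_domain, strict):
            return "pass", f"{name} result for {auth_domain} aligns with From domain {from_domain}"
    return "fail", f"no aligned SPF/DKIM result for From domain {from_domain}"


# Constructed sample messages (not real traffic).
GOOD_MSG = (
    "From: Alice <alice@mail.example.com>\r\n"
    "To: bob@example.net\r\nSubject: status\r\n\r\nbody\r\n"
)
# Two From headers: a permissive client may display only the second one.
DUP_FROM_MSG = (
    "From: attacker@evil.example\r\n"
    "From: ceo@bank.example\r\n"
    "To: bob@example.net\r\nSubject: wire\r\n\r\nbody\r\n"
)
# One From header carrying two mailboxes: ambiguous which domain DMARC should use.
MULTI_MAILBOX_MSG = (
    "From: ceo@bank.example, attacker@evil.example\r\n"
    "To: bob@example.net\r\nSubject: wire\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(evaluate(GOOD_MSG, spf_domain="example.com"))
    print(evaluate(GOOD_MSG, spf_domain="example.com", strict=True))
    print(evaluate(DUP_FROM_MSG, spf_domain="evil.example"))
    print(evaluate(MULTI_MAILBOX_MSG, dkim_domain="bank.example"))
```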

#BHUSA: Lack of Electronic Medical Record Security Amplified Opioid Crisis

The opioid crisis in the US has had a devastating toll, impacting tens of thousands of families.

According to Mitchell Parker, CISO at Indiana University Health, a small part of the human suffering could have potentially been alleviated, if there was better control and security for Electronic Medical Record (EMR) systems. Parker presented his views during a session at the Black Hat USA 2020 virtual conference, where he outlined what has gone wrong with EMR systems and what can be done to make them more secure.

One of the drivers of the opioid crisis was the underhanded manipulation of an EMR system, which is intended to assist physicians in prescribing medications. In January 2020, EMR vendor Practice Fusion was fined $145m by the US Department of Justice for receiving kickback cash payments from an opioid vendor to influence physician prescription activities. Practice Fusion provides a cloud-based EMR that is advertisement supported.

“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker said.

How EMRs Work

Parker explained that an EMR is essentially a digital version of the paper charts found in a doctor’s office, including a patient’s medical treatment history. An EMR allows doctors to track data over time and the system can also be used to identify when preventive screenings and checkups are needed.

In the Practice Fusion case, opioid vendors were buying advertisements to influence physicians, but that’s not the limit of the security risk that exists with EMR systems. Parker noted that while EMR systems need to be certified for use to store patient record data, there are a variety of security holes that certification doesn’t consider.

One risk comes from pretexting attacks, where a criminal claims to be a government regulatory agency or a professional association and calls up medical offices asking staff for information.

“It's not difficult to get personal information using this method,” Parker said.

Parker noted that in his experience many vendors and service providers are doing a reasonably good job protecting against malware and ransomware, but are not protecting against identity theft and manipulation.

How to Improve EMR Security

Among the recommendations that Parker shared to help improve EMR systems is for vendors and users to deploy and enforce two-factor authentication methods for authentication, as well as for prescriptions.

Parker also suggested that medical offices limit access overall to a minimal number of users that can make changes of any type in the EMR. On top of that, he advised EMR vendors to make it easier to provide change reports when changes are made.

Parker noted that smaller medical groups are likely more susceptible to electronic subversion of their critical systems because of a lack of resources. He stated that he wanted to see those smaller groups partner with larger health systems to help manage EMR systems with the right governance and cybersecurity procedures.

“This [Practice Fusion] was a case of a company taking advantage of the fact they knew no one was looking and well, they did what they did with tragic consequences,” Parker said.

Capital One Fined $80m for 2019 Breach

Capital One has been fined $80m following its breach last year.

According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.

The breach occurred in March 2019, when a former employee of Capital One named Paige Thompson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.

Capital One blamed a “configuration vulnerability” as the customer data was exfiltrated from an AWS S3 data storage service and moved to a GitHub site. At the time, Capital One said the breached information “included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.”

In taking the financial action, the OCC said it considered the bank’s customer notification and remediation efforts, and while it “encourages responsible innovation” in all banks it supervises, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”

Stuart Reed, UK director, Orange Cyberdefense, said: “The fine handed out to Capital One yesterday is another stark reminder of the financial implication of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organizations are seeking to do.”

Reed said the case against Capital One “underlines the expectation that organizations demonstrate best security practice at all times” and it is imperative that organizations recognize that the onus is on them to make sure they have done everything they can to protect customer data. “Otherwise, the consequences can be complex and extremely costly,” he said.

Mark Bower, senior vice-president at data security specialist comforte AG, said the fine “mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.

“The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data,” he added. “What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.”

#BHUSA: How Nation States Hack Public Opinion

Nation state threat actors, including Russia and China, are using multiple techniques to effectively ‘hack’ public opinion around the world, according to Renée DiResta. DiResta expressed her views in a keynote session at the Black Hat USA 2020 virtual conference.

DiResta works at the Stanford Internet Observatory and has been actively researching how different nation states have attempted to influence policies and individuals. She explained how, over the last decade, state actors have recognized that they can advance their geopolitical goals with different types of misinformation, propaganda and influence campaigns that make use of social media platforms.

“As we move from just the idea of influence to the idea of information operations specifically, what you start to see is it goes from shaping public opinion to what we’re going to call hacking public opinion – using manipulative, misleading tactics,” DiResta said.

Distract, Persuade, Entrench and Divide

There are four primary approaches that nation state threat actors typically take to hack public opinion: distraction, persuasion, entrenchment and division.

DiResta said a common goal is to have a distraction campaign, which is trying to make a target audience pay attention to something else. Another model is a persuasion campaign, which is trying to convince people to believe a certain fact, or feel a certain way. Entrenchment is another approach, and it is where the attackers create groups dedicated to particular types of identities in an attempt to advance a given position. Nation states are also often trying to highlight divisions between different groups of people, amplifying existing social fissures.

The process by which nation states achieve their public opinion influencing goals is relatively well understood. DiResta explained that the first step is often just the creation of personas, that is, fake social media profiles for different types of individuals. Those fake personas then create content designed to achieve a particular goal. The content is then posted to various social media platforms and promoted to a target audience via different means. The most successful efforts end up being shared organically by real users who unknowingly spread messages created by the fake personas.

China and COVID-19

DiResta specifically outlined how China has attempted to hack public opinion, on a number of issues, including the democracy protests in Hong Kong as well as the COVID-19 pandemic. In August 2019, Twitter and Facebook suspended nearly 1000 user accounts that were associated with nation state sponsored disinformation campaigns.

“The Hong Kong protests attracted worldwide attention, and what you began to see was as Western media and others began to talk about them, these Twitter accounts would kind of come out of the woodwork to respond to the journalists to tell them they had it wrong,” DiResta said.

She noted that the same type of activities have now been happening in 2020 with China attempting to influence global opinion on its role in the COVID-19 pandemic. DiResta said that it’s clear that China has a committed strategy to influencing opinion online and it will continue to evolve its tactics.

Russia and the Hack and Leak Model

Russia has also been particularly effective in its attempts to hack public opinion, according to DiResta. One of the approaches that has worked well for Russia is a hack and leak approach that makes use of network intrusion techniques as well as social media influencing tactics.

“The hack and leak operations provide extraordinary collateral for driving the influence operations,” DiResta said.

Agents working on behalf of the Russian government hack into a site with confidential information and then transmit the collateral to one of their fake personas. The fake persona in turn pitches the leak to journalists, who then are used to help spread the information. That’s what happened in the Guccifer case back in 2016 that was tied to emails connected to the Democratic and Republican political parties in the US.

DiResta suggested that there are a variety of actions that can be taken to help mitigate the risk of nation state public opinion hacking. For one, she said that security professionals should be proactively thinking about the social media ecosystem to identify what types of manipulation are possible.

“We need to increase communication between infosec professionals and information operations researchers with the goal of developing better understanding of how social network manipulation intersects with network infiltration,” she concluded.

Substantial Rise in Attacks on Orgs’ Web Apps Last Year

More than half (55%) of all cyber-attacks targeted organizations’ applications in 2019, which is a substantial increase compared to the previous few years, when these types of attacks made up around 30% of the total number.

This is according to data outlined in NTT’s Monthly Threat Report for August, which found that the apps most attacked globally in 2019 primarily related to supporting organizations’ web presence. About a third (33%) of all attacks were aimed at Joomla! (17%) and Apache products (16%) while 19% targeted other content management systems and supporting technologies.

Speaking to Infosecurity, Matt Gyde, CEO of the Security Division at NTT, said: “Since late 2018, there have been a number of significant vulnerabilities exposed in popular web frameworks and applications commonly used to develop and support an organization’s web presence. There was not a significant increase of new vulnerabilities, but there were new, exploitable vulnerabilities (we are seeing the re-activation of vulnerabilities that we thought were no longer in use), in some popular content management systems and related supporting technology.”

The report also revealed that in June 2020, attacks against networking products, such as Zyxel, Netis, Netcore, Netgear, Linksys, D-link and Cisco, accounted for 32% of all attacks, many of which were brute force or authentication attacks.

Another finding was that the range of vulnerabilities actually being exploited is quite narrow, with the top 10 most attacked vulnerabilities in 2019 making up 84% of all attacks observed, while the top 20 most attacked vulnerabilities accounted for nearly 91% of all attacks. This indicates that threat actors are focusing on vulnerabilities that are known to give them success.

Additionally, just eight technologies made up 41% of all attacks in June 2020, according to the report. These findings suggest that by focusing on the patching of a fairly narrow range of vulnerabilities, organizations can significantly lower the risk of attack.

Gyde added: “Many organizations simply do not have the appropriate infrastructure to track and manage vulnerabilities in an efficient manner, and are struggling to identify what priorities have the largest return on investment for their efforts.

“While many organizations would like to have an active patch management program, operational concerns, staff skills and priorities end up meaning that not everything gets patched all the time. The transitioning of security away from hardware to as-a-service and cloud-enabled has the potential to modernize systems which will allow for more consistent patching.”

A report published yesterday by Synopsys found that nearly half (48%) of organizations regularly push vulnerable code into production in their application security programs due to time pressures.

Louisiana Judicial Candidate Charged with Hacking

A judicial candidate in Louisiana has been charged with hacking into state computers and sharing confidential court documents with a friend.

Attorney Trina Chu allegedly committed the offenses while working as a law clerk to now-retired Chief Judge Henry Brown in 2018.

According to a statement released by Caddo Parish sheriff Steve Prator, Chu copied sensitive court documents from the Louisiana 2nd Circuit Court of Appeals onto a USB flash drive. 

Chu allegedly sent three confidential documents relating to a judgement made against her friend Hanh Williams from the drive to her own personal email account in July 2018. These documents were then forwarded directly to Williams. 

At the time of the alleged crimes, three judges were considering Williams' appeal from a district court's ruling against her.

"The documents concerned a case under consideration by the 2nd Circuit involving a judgement against her close friend Hanh Williams for over $460,000," said Prator. 

The court had ruled that financial adviser Williams owed $460,605 to the estate of a Caddo Parish man to whom she had been a financial adviser. 

In his will, Williams' client, Fred Houston, had named her as his executor. Williams' administration of the Fred L. Houston Inter Vivos Trust was then challenged by the will's chief beneficiary, Louisiana State University's veterinary school.

“The jury charged Ms. Williams with $1.1 million in damages for breach of duty to the Trust and determined she was liable to the Estate for $460,605,” according to the 2nd Circuit opinion handed down August 15, 2018.

The sheriff said that Chu's alleged criminal activity was exposed "after a thorough investigation involving search warrants served to email providers, digital forensic examinations, and in person interviews."

Forty-six-year-old Chu was arrested on Tuesday by members of the CPSO Warrants Unit on two felony charges—offense against intellectual property and trespass against state computers. She was released the same day after paying bonds of $10,000 issued for each count.

According to online records for Louisiana's secretary of state, Chu is currently challenging 2nd Circuit Court of Appeal Judge Jeanette Garrett in an election scheduled to take place on November 3.

On election campaign website chuforjudge.com, Chu is touted as a “hardworking” person who stands for “fairness, equality and justice for all.” Chu had pledged to donate 75% of her judicial salary to four Louisiana nonprofit groups if elected.  

Online Exam Tool Suffers Data Breach

An investigation is under way into a data breach that impacted an online examination tool used by educational establishments around the world.

The breach affected users of software made by American company ProctorU to provide live and automated online proctoring services for academic institutions and professional organizations. 

According to Honi Soit, a database of 440,000 ProctorU user records was published by hacker group ShinyHunters over the past week along with hundreds of millions of other user records. ProctorU user data exposed includes usernames, unencrypted passwords, legal names, and full residential addresses. 

Among the records are email addresses belonging to the University of Sydney, the University of New South Wales, the University of Melbourne, the University of Queensland, the University of Tasmania, James Cook University, Swinburne University of Technology, the University of Western Australia, Curtin University, and Adelaide University.

A spokesperson for the University of Sydney said that ProctorU had confirmed on Thursday that an investigation into the confidential data breach had been launched.

According to the spokesperson, the data exposed relates to ProctorU users who registered on or before 2014. 

"We met with ProctorU’s CEO and compliance officer today, who confirmed they are investigating a breach of confidential data relating to users of their service," said the spokesperson. 

"Any breach of security and privacy of this type is of course deeply concerning, and we will continue to work with ProctorU to understand the circumstances of the breach and determine whether any follow-up actions are required on our part."

The University of Sydney doesn't believe any current students are affected by the data breach, as the university only began using ProctorU's services in 2020 in response to the COVID-19 pandemic. However, after learning about the breach, the establishment will be "reviewing our experience of online exams and proctoring this year to inform our approach to assessments in 2021."

A spokesperson for Swinburne University of Technology in Victoria said that it has launched its own investigation into the breach, which has impacted a small number of its students.

US Cybersecurity Firms Partner to Protect Healthcare

Two California cybersecurity companies have joined forces to help protect healthcare networks from cyber-threats. 

CynergisTek and Awake Security announced yesterday that they are pooling resources to develop an online threat assessment program that healthcare organizations can use to identify attacker activity. 

Ben Denkers, CynergisTek SVP of security and privacy services, said the partnership was conceived after the outbreak of COVID-19 changed the medical world's working practices.

“As America’s hospitals scrambled to respond to the pandemic, the entire threat landscape and the associated attack surface completely changed, placing America’s hospitals squarely in the cross hairs for adversarial activity,” said Denkers.

"New vulnerabilities from telemedicine combined with an increased network footprint due to work-from-home employees means we have a perfect storm for increased cyber-attacks."

As part of the partnership, both companies are "assembling the best minds in networking, machine learning, data science, cybersecurity, privacy, and compliance to help healthcare organizations get a more complete view and understanding of their potential attack surface, including every user, medical device, and application on the network." 

The aim is to enable hospitals to track every asset in their network, whether it sits on-premises or is used by remote users working in the cloud. Assistance will be given to help healthcare organizations identify high-risk incidents and compromised entities without the need for agents, manual configuration, or complex integrations.

"This partnership allows us to identify adversarial activity including reconnaissance in its early stages, allowing organizations to re-baseline their security posture as they return to normal operations,” said Denkers.

The new compromise assessment will be powered by Awake Security's network detection and response technology and offered to CynergisTek's customer base of more than 1,000 healthcare organizations. 

“Sensitive healthcare data is extremely valuable to hackers, and we know they aren’t sitting on the sidelines during the pandemic but are in fact attacking both hospitals and pharmaceutical companies during this volatile time,” said Rahul Kashyap, CEO of Awake Security. 

“In times like this, we’re excited to help healthcare entities for this ‘all-hands-on-deck’ moment to bolster their defenses and prevent crises from emerging and impacting patients.”

Half of Orgs Regularly Push Vulnerable Code in App Security Programs

Nearly half (48%) of organizations regularly push vulnerable code into production in their application security programs due to time pressures, while 31% do so occasionally, according to a new report published by Synopsys entitled Modern Application Development Security.

As a result, 60% have reported production applications exploited by OWASP top-10 vulnerabilities in the past 12 months.

This is despite the fact most organizations believe their security programs are very good, with an average rating of 7.92 out of 10 given by 378 IT, cybersecurity and application development professionals surveyed by the Enterprise Strategy Group (ESG). More than two-thirds (69%) rated their security program as eight or above.

The study was commissioned to look at the convergence of application security tools, which is becoming increasingly complex, with 72% of organizations stating that they now utilize more than 10 of these tools.

As such, it was found that 43% of organizations believe that DevOps integration is the most important aspect of improving application security programs. Yet 23% of respondents said that poor integration with development/DevOps tools is a common challenge to achieving this, while 26% identified difficulty or lack of integration between different application security vendor tools.

Dave Gruber, senior ESG analyst, said: “DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging.”

The biggest challenge highlighted was a lack of knowledge in mitigating issues identified on the part of developers (29%). This suggests there is currently insufficient developer security training taking place, and 35% of organizations revealed that less than half of their development teams are participating in formal training.

Speaking to Infosecurity, Patrick Carey, director of product marketing at Synopsys, commented: “As high velocity application development continues to grow in popularity through methodologies such as DevOps, it is critically important to ensure that security is considered throughout the software development lifecycle.

“That way, if the decision is consciously made to push vulnerable code due to time pressures, critical and high-risk vulnerabilities will have been resolved beforehand. By educating organizations on how to apply a holistic software security program and guiding them in their journey to implement DevSecOps cultures, we’ll see the prevalence of knowingly pushing vulnerable code drop. Enabling developers with security tools and training resources that in no way slow down their momentum is a highly beneficial step in that process.”

#BHUSA: How Public Standards Help to Enable Financial Fraud

In a session at the Black Hat USA 2020 virtual conference on August 5, Kevin Perlow, technical intelligence team lead for one of the largest banks in the US, explained how cyber-attackers are using public standards for financial transactions to enable multiple forms of fraud.

One of the key standards used every day by all financial institutions around the world is ISO 8583, which defines how credit card transaction messages are sent and received. Perlow explained that anytime an individual goes to a bank machine or uses a point of sale device at a grocery store to do a self-checkout, ISO 8583 messages are created as part of the transaction.

“ISO 8583 is a standardized set of fields for transmitting the data from your card and for sending your transaction over to a payment switch and then from that payment switch to a bank to approve or reject the transaction that’s happening,” Perlow said.

The payment switch is a device that handles incoming messages from different types of payment devices, such as ATMs and POS devices like those at a grocery store. The payment switch processes the messages and decides what to do with them. The payment switch is also a key target for attackers, as they look to take advantage of ISO 8583 with ‘FASTCash’ as well as other forms of malware.

How FASTCash Uses ISO 8583

The so-called FASTCash malware was first publicly disclosed back in 2018 and has remained active in the years since. Perlow noted that FASTCash is a subset of malware created and executed by threat actors from North Korea, sometimes referred to as the Lazarus Group.

The way that FASTCash works is it is injected by the attackers into a payment switch and fraudulently approves what appear to be legitimate ISO 8583 messages from the attackers sitting at bank machines, allowing them to withdraw money. During his presentation, Perlow described how ISO 8583 messages are constructed in a way that the FASTCash attackers have been able to emulate.

Perlow emphasized that, in order to create and properly execute the ISO 8583 messages, a lot of things need to go right for the attackers, since there is a lot of complexity. That’s why FASTCash has embedded logging information, to help monitor and adjust in order to execute its malicious payload.

ISO 8583 Isn’t the Real Problem

Given that attackers are making use of the ISO 8583 standard, it stands to reason that perhaps there is something wrong with the standard that should be changed – but that’s not the case, according to Perlow. He said that he would never recommend changing the ISO 8583 standard, and it would also be impossible to do so, even if he thought it was a good idea.

“The ISO 8583 standard is the card payment standard for absolutely everything,” he emphasized.

That said, he noted that there are different ways to do credit card transactions that could randomize the data. By randomizing, he explained that the goal would be to make it less predictable to know what message is supposed to be going back to a bank machine.

“Ultimately, what’s happening here is that the payment switch is compromised and there’s nothing wrong at all with the payment standard being used,” he said. “The ATMs are working the way they’re supposed to in a very real sense and they’re processing the messages.”

There are multiple ways the FASTCash attackers are getting onto the payment switches, including using rogue PowerShell scripts. Perlow suggested that the attack vectors involve things that IT professionals should be looking for as part of their endpoint detection activities.

“By the time it gets to the payment switch and as cash outs happen, you’ll know because all your ATMs will be empty all of a sudden,” Perlow concluded. “The idea is to stop it before it gets to that point.”

#BHUSA: Android Phones at Risk of BlueRepli Bluetooth Attack

There has been no shortage of Bluetooth related attacks disclosed in recent years, including BlueBorne and BadBlueTooth among numerous others. At the Black Hat USA 2020 virtual event on August 5, a new attack was added to the list of Bluetooth vulnerabilities, with the public disclosure of BlueRepli.

Security researchers Sourcell Xu and Xin Xin described the BlueRepli attack as a way to bypass Bluetooth authentication on Android phones, without detection. In a series of recorded demos, the researchers demonstrated how, with limited or no user interaction, they were able to abuse Bluetooth to steal a target device’s phone book as well as all of the SMS text messages it had received.

For reasons not fully shared by the researchers, the BlueRepli attack does not currently work on Apple iOS devices. Additionally, the researchers said they had disclosed the issues to Google and the Android Open Source Project (AOSP) but that, to date, the issue has not been patched.

At the core of the BlueRepli attack is an abuse of what are known as Bluetooth Profiles. Xu explained that Bluetooth Profiles detail specific application scenarios that can be used to enable connectivity. For example, there is the Phone Book Access Profile (PBAP) to enable access to a user’s phone book, while the Message Access Profile (MAP) provides access to text messages.

Xu noted that a Bluetooth vulnerability disclosed in 2019, dubbed “BadBlueTooth”, also took advantage of Bluetooth Profiles. In that attack scenario, however, the victim needed to install a malicious app, whereas with BlueRepli nothing needs to be installed: any Android device within Bluetooth range can potentially be at risk.

To help demonstrate the attack and allow others to test it, the researchers created a software project called BlueRepli Plus, which is set to be demonstrated during the Black Hat Arsenal tools demonstration on August 6.

How BlueRepli Works

Xu explained that there are several typical Bluetooth pairing scenarios that users are familiar with. Among the most common are a yes/no dialog box asking the user to accept a connection, or a six-digit number that needs to be entered.

There is, however, another option that is defined in the Bluetooth specification, known as ‘just works’ which, when triggered, can bypass the need for user interaction to enable a connection. With BlueRepli, the researchers claimed that it was possible to bypass the authentication in several ways including making use of the just works option.

Xu explained that in a deception-based attack, the attacker first obtains the victim’s Bluetooth address by simple scanning. The attacker then pretends to be a Bluetooth device with a well-known application name, such as Skype, and requests the phone book or short messages from the victim’s Android phone. Once the victim grants permission on the strength of that deception, the attacker can read the data.

The other attack that Xu described is a vulnerability-based attack in which the attacker first obtains two Bluetooth device addresses by scanning. The first is the victim’s Bluetooth address, while the second is an address that already holds access permission on the victim’s phone, such as a Bluetooth headset belonging to the victim. The attacker changes their own address to the second one and then directly requests data (phone book and SMS) from the victim.

“Data will be passed back to the attacker without the victim’s knowledge,” Xu said.
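The vulnerability-based attack above works because the phone's profile server treats the remote Bluetooth address as the credential, and an address can be copied from a scan. The following added example models that decision two ways; it is not the researchers' BlueRepli Plus tool and not Android's Bluetooth stack. One phone keys its permission table on the address alone, the other also demands that the requester answer a challenge with the link key established at pairing. The HMAC challenge/response stands in for the Bluetooth authentication procedure, and every address and key is constructed.

```python
"""Model of the access-control weakness behind BlueRepli's address-spoofing attack.

Added illustration only: not the researchers' BlueRepli Plus tool and not
Android's Bluetooth stack. The HMAC challenge/response is a stand-in for the
Bluetooth link-key authentication procedure; all addresses and keys are constructed.
"""
import hashlib
import hmac
import os

PROFILES = {"PBAP", "MAP"}  # phone book access and message access, as in the article


class AddressKeyedPhone:
    """Grants access to any requester presenting an address the user once authorized."""

    def __init__(self):
        self.allowed = {}  # bd_addr -> set of authorized profiles

    def pair(self, bd_addr, profiles):
        self.allowed[bd_addr] = set(profiles) & PROFILES
        return None  # no secret is needed later, so none is handed to the peer

    def request(self, bd_addr, profile, respond):
        # The responder is never challenged; the address is the whole credential.
        return profile in self.allowed.get(bd_addr, set())


class BondKeyedPhone:
    """Grants access only to a requester that proves possession of the pairing link key."""

    def __init__(self):
        self.bonds = {}  # bd_addr -> (link_key, set of authorized profiles)

    def pair(self, bd_addr, profiles):
        link_key = os.urandom(16)
        self.bonds[bd_addr] = (link_key, set(profiles) & PROFILES)
        return link_key  # given to the peer at pairing time only

    def request(self, bd_addr, profile, respond):
        bond = self.bonds.get(bd_addr)
        if bond is None:
            return False
        link_key, profiles = bond
        nonce = os.urandom(16)  # fresh per request, so a captured proof cannot be replayed
        expected = hmac.new(link_key, nonce, hashlib.sha256).digest()
        proof = respond(nonce)
        return hmac.compare_digest(expected, proof) and profile in profiles


def legitimate_headset(link_key):
    """The real paired device: it holds the link key and can answer any challenge."""
    def respond(nonce):
        return hmac.new(link_key, nonce, hashlib.sha256).digest()
    return respond


def spoofing_attacker(nonce):
    """Knows the headset's address from scanning, but not its link key."""
    return bytes(32)


def run_scenario(phone_cls):
    """Return which requesters obtain phone book access from a phone of the given design."""
    phone = phone_cls()
    headset_addr = "AA:BB:CC:DD:EE:01"  # constructed address of the victim's headset
    link_key = phone.pair(headset_addr, {"PBAP", "MAP"})
    headset = legitimate_headset(link_key or b"")
    return {
        "headset": phone.request(headset_addr, "PBAP", headset),
        "attacker_spoofing_headset_addr": phone.request(headset_addr, "PBAP", spoofing_attacker),
        "attacker_own_addr": phone.request("AA:BB:CC:DD:EE:99", "PBAP", spoofing_attacker),
    }


if __name__ == "__main__":
    print("address-keyed:", run_scenario(AddressKeyedPhone))
    print("bond-keyed:   ", run_scenario(BondKeyedPhone))
```

The address-keyed phone hands the phone book to the spoofed address just as it does to the real headset; the bond-keyed phone refuses because the attacker cannot answer the challenge. That is the general lesson behind the specific finding: an identifier that a passive scan reveals is not a secret, so authorization for sensitive profiles has to be tied to the bond, not the address.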

INTERPOL: Cybercrime Growing at an “Alarming Pace” Due to #COVID19

Cybercrime is growing at an “alarming pace” as a result of the ongoing COVID-19 crisis and is expected to accelerate even further, a new report from INTERPOL has found.

It revealed the extent to which cyber-criminals are taking advantage of the increasing reliance on digital technology over recent months. This includes the rapid shift to home working undertaken by many organizations, which has involved the deployment of remote systems and networks, often insecurely.

Based on feedback from member countries, INTERPOL said that during the COVID-19 period, there has been a particularly large increase in malicious domains (22%), malware/ransomware (36%), phishing scams/fraud (59%) and fake news (14%).

Threat actors have revised their usual online scams and phishing schemes so that they are COVID-themed, playing on people’s economic and health fears.

The report also found that cyber-criminals have significantly shifted their targets away from individuals and small businesses to major corporations, governments and critical infrastructure.

Jürgen Stock, INTERPOL secretary general, said: “Cyber-criminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.

“The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber-defenses are up-to-date.”

The study added that “a further increase in cybercrime is highly likely in the future.” This is primarily due to vulnerabilities related to remote working, a continued focus on COVID-themed online scams and, if and when a vaccination becomes available, another spike in phishing related to medical products.

Responding to the findings, Brian Honan, CEO of BH Consulting, said: “The COVID-19 pandemic is providing criminals with many opportunities as outlined in the INTERPOL report. Indeed, many organizations may be at increased risk of ransomware attacks due to having opened up remote access solutions, such as VPNs, to support remote working.

“These remote access points may not be properly configured and secured or, due to IT teams operating remotely, may not have the latest patches installed. In addition, staff may have had to use their own personal devices from home to work remotely which in turn poses challenges from a security point of view with regards to how to ensure those devices are secure.”

Jonathan Miles, head of strategic intelligence and security research at Mimecast, added: “It is important that organizations migrate away from a ‘keeping the lights on’ mentality and prioritize cybersecurity, especially at a time when threats aimed at a dispersed workforce are increasing. Failing to do so can lead to issues such as organizational downtime, data loss and a negative impact on employee productivity.”

Redcar and Cleveland Attack Recovery Cost Over £10m

A cyber-attack on Redcar & Cleveland Borough Council earlier this year has reportedly cost around £10m in recovery costs.

The attack, which took place in February, caused online public services to be unavailable for 135,000 locals for over a week. According to Teesside Live, the local authority stated a figure of £10.4m in a budget update report provided to members of its cabinet.

Specifically, infrastructure and system recovery or replacement cost £2.4m, while the cost to individual council directorates, the worst hit, accounted for £3.4m. There was also a cost impact of just under £1m from reduced enforcement income and lower collection levels for both council tax and business rates towards the end of the 2019/20 financial year, caused by computer systems being out of action for a period.

The report also claimed the council acted quickly and effectively, working extremely hard to mitigate the effects on key services and the most vulnerable residents, whilst the attack “permeated almost all functions of the council and the required response and consequential impact had an inevitable bearing on its finances.”

Whilst the council had industry standard tools deployed to secure its computer network at the time of the attack, which it said had been configured to provide optimum protection, it has since made additional improvements to its cyber-defenses, with further upgrades planned.

“We are also on the list of pilot authorities to enroll on a National Cyber Security Center (NCSC) scheme which will provide threat intelligence information exchange between the council and NCSC,” the report said. “The result of all of this is that the council’s cyber-defenses will be far more advanced than most peers in local government.”

Jake Moore, cybersecurity specialist at ESET, said that even though this was not confirmed to be ransomware, it is a persistent threat to businesses and organizations of all sizes, “yet some forget the importance of securing systems and protecting data from the inevitability of an attack.”

He added: “Regardless of its simplicity, this malware can cost millions, but when organizations are bailed out from either insurers or government, I fear the ever-needed lesson just won’t sink in. There are multiple ways to reduce the risks of attacks like this, such as cold storage backups and reduced user access – but complacency seems to remain in place for many.

“Despite huge emphasis on cybersecurity, large corporations still fail to secure the perimeter and in failing to do so many lose millions of pounds. It seems it is easier for organizations to find money when they are forced to get back up and running, rather than asking for much less in preparation and prevention.” 

Javvad Malik, security awareness advocate at KnowBe4, said: “With most organizations heavily reliant on digital systems, the impact of even a minor incident cannot be underestimated. Ransomware attacks are particularly devastating as they render all systems and data unusable, giving organizations few choices.

“Even if backups are available, there are costs associated with wiping systems, restoring them from backups, reporting to regulators, customers, and partners, and having alternate processes in place. 

“It’s therefore more important to have strong and layered security controls in place that can prevent attacks from being successful in the first place, or to be able to quickly detect and respond where they have been able to get into systems. Only then can organizations minimize the economic impact of cyber-attacks to a manageable level.”

#BHUSA: Can the US Election be Held During the Pandemic?

The Black Hat USA 2020 virtual conference kicked off on August 5 with a keynote session exploring the challenges of modern election security in the US and the impact of the COVID-19 pandemic.

The keynote was delivered by Matt Blaze, McDevitt chair in computer science and law at Georgetown University in Washington DC. He is also the co-founder of the Voting Village at the DEFCON security conference that follows Black Hat. Blaze began his remarks by stating that technology and elections in the US are very heavily interrelated today, but that wasn’t always the case. In fact, he noted that early elections in the US had very little technology and relied on the simplicity of a paper ballot.

According to Blaze, the paper ballot approach works pretty well and voters can be confident that their vote is counted as it was cast. That is, as long as that ballot box didn’t get tampered with and the counting process had high integrity.

“It’s very important that we trust, not only the people who are involved in elections, but also the technology that we depend on for those elections to be secure, to have high integrity and to be genuinely reflective of how we voted,” Blaze said.

The Complexity of US Elections

Among the challenges of election security in the US is the fact that the elections themselves are exceedingly complicated.

Blaze explained that in practice, each state sets its own rules and requirements for the elections that are conducted in that state. In total, he noted that there are over 5,000 different government entities that handle different aspects of elections and the whole process is a very decentralized operation.

“I don't think I’ve ever encountered a problem that is harder than the security and integrity of civil elections,” Blaze said. “It’s fundamentally orders of magnitude more difficult and more complex than almost anything else you can imagine.”

Technology to the Rescue?

Prior to the 2016 election, Blaze said that election officials had not really considered the impact of foreign state adversaries for election interference.

Technology can be used to both help as well as prevent potential mischief by those that might want to interfere in an election, according to Blaze. Fundamentally, modern elections have largely relied on technology, which means that technology needs to be trusted and secured, which is no easy task.

“The integrity of the election results depends on the integrity of software and hardware,” Blaze explained. “So the correctness of any software you’re depending on for that purpose is critically important.”

Blaze highlighted recent developments that can make a big difference in validating the integrity of election technology. One of them is the concept of software independence, which has been advocated by cryptographer Ron Rivest.

“This [software independence] is essentially a requirement for voting systems that you should design your voting system in a way that an undetected change or error in the software can’t cause an undetectable change or error in the election outcome,” Blaze said. “It doesn’t say you can’t use software, it says, you shouldn’t depend on software for the outcome in ways that you can’t detect.”

Thanks to the adoption of the software independence approach for voting systems, as well as enhanced scrutiny throughout the process, Blaze noted that there is reason for optimism. He added that if he were giving his keynote in February, he would end the presentation on that positive note. The reality though is different now, with the COVID-19 pandemic raising a new set of issues.

The Pandemic Election

There are already multiple mechanisms in the US election system that allow for elections to occur during times of disruption. Blaze outlined the absentee, mail-in ballot system used in the US and the various steps it integrates to help ensure authenticity.

A big challenge however is scaling that system for the current crisis when tens of millions more Americans will want to make use of the mail-in ballot system than ever before. Whether or not there will be enough printed ballots, systems to scan those ballots or the personnel needed to enable the process, are questions that will need to be answered.

“Time is really short and the election is less than 100 days away,” Blaze said. “For many of these problems, the logistical aspects of this are familiar to computing specialists.”

In Blaze’s view, there is a lot that the IT and the cybersecurity community can do to help local election officials with the challenges of running an election during a pandemic. He advocated for the Black Hat community to engage on this issue, contact election officials and find out how to help, whether it’s a need for poll workers, IT expertise or otherwise.

“I think we can do this but we have to want to and we have to all take responsibility for this,” Blaze concluded.

Researchers Name State with Fewest Data Breaches

North Dakota has suffered fewer data breaches than any other American state over the past 15 years. 

Analysis of data breaches that have occurred in the United States since 2005 revealed California to be the state hit by the highest number of breaches. The Golden State was also found to have exposed the largest number of records, with 5.6 billion records compromised in 1,777 breaches.

At the lowest end of the results table, the Peace Garden State suffered just 19 data breaches over the same period, exposing a total of 440,698 records.

The analysis was carried out by tech research company Comparitech and published today. In total, researchers found that since 2005, 12,098 data breaches have occurred across the US involving more than 11.1 billion records.

2017 was the worst year for breaches, with 1,683 taking place during this 12-month period. However, more records were compromised in 2016, when a total of 4.6 billion records were exposed. 

While Oregon had a relatively low number of data breaches at just 182, the Beaver State was found to have exposed the second-highest number of records. Analysts said that the vast majority of the 1.37 billion records leaked came from one source, River City Media.

"The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data," wrote the analysts. 

Data exposed in the River City Media breach included email accounts, full names, IP addresses, and physical addresses.

Driving up the total number of exposed records in Maryland was the 2018 Marriott International breach that accounted for 383 million of the 388 million records exposed in the state over the last decade. 

California had over twice as many breaches as New York, the nearest runner-up with 863 breaches experienced. The Empire State was closely followed by Texas, where 819 breaches have occurred since 2005. 

Other states where breaches were found to have been relatively rare were South Dakota, Wyoming, and West Virginia, where 21, 22, and 30 breaches have taken place respectively.

Silk Road Vendor Indicted on Narcotics Charges

The US has charged two men for allegedly making millions of dollars by selling hundreds of thousands of opioid pills on the darknet. 

Costa Rican pharmacist Jose Luis Fung Hou and dual Costa Rican and American citizen David Brian Pate were indicted by a federal grand jury on Tuesday. The pair are accused of trafficking drugs including Oxycontin and morphine and laundering payments in the form of Bitcoin and international wire transfers. 

The indictment alleges that 44-year-old Pate illegally purchased pills from 38-year-old Fung, then sold the narcotics on multiple underground websites, including AlphaBay and the notorious marketplace Silk Road.

Using various online monikers including “buyersclub” on darknet markets, online forums, and Bitcoin exchanges, Pate allegedly advertised that he was selling the “old formula” of Oxycontin. This version of the drug does not contain tamper-resistant features such as a crush-proof outside that prevents a user from inhaling or injecting the pills after pulverizing them. 

Pate is accused of hiding the pills in tourist souvenirs such as maracas that were sent in bulk from Costa Rica to co-conspirator re-shippers in the United States. Re-shippers were then sent a list of customer orders to fill along with the customers' names, shipping addresses, and how many pills they wanted. 

Once the shipments were received by the customers, the darknet market would release funds in Bitcoin, which were held in escrow until the transaction was completed, into Pate’s account on the darknet market. Customers reputedly paid Pate over 23,903 Bitcoin for these darknet market sales. 

The seven-count indictment charges Pate and Fung with counts of conspiring with persons to distribute controlled substances, distribution of controlled substances, conspiring with persons to import controlled substances, conspiring to launder money, and laundering of monetary instruments.

“Today’s case is a great example of how the DEA has infiltrated the darknet and, together with our law enforcement partners, proven that every criminal attempting to sell these deadly drugs is within the reach of the law,” said Special Agent in Charge Jesse R. Fong of the US Drug Enforcement Administration’s (DEA) Washington Field Division.

Malware Attacks Exploiting Machine Identities Double

The number of commodity malware campaigns exploiting machine identities doubled between 2018 and 2019, according to new research.

The rapid increase in this particular type of cyber-scourge was unearthed by threat analysts at Venafi, who gathered data on the misuse of machine identities by analyzing security incidents and third-party reports in the public domain.

Among the attacks encountered by Venafi's Threat Intelligence Team were several high-profile campaigns, including TrickBot, Skidmap, Kerberods, and CryptoSink.

Overall, malware attacks utilizing machine identities were found to have grown eightfold during the last 10 years. Within the last five years, the number of attacks was found to have increased more rapidly. 

The findings are part of an ongoing threat research program focused on mapping the security risks connected with unprotected machine identities.

Campaigns exploiting machine identities were once the preserve of large-scale cyber-criminal operations but are now being used in off-the-shelf malware, according to Yana Blachman, threat intelligence researcher at Venafi.

“In the past, machine identity capabilities were reserved for high-profile and nation-state actors, but today we’re seeing a ‘trickle-down’ effect,” said Blachman. “Machine identity capabilities have become commoditized and are being added to off-the-shelf malware, making it more sophisticated and harder to detect.”

Blachman said these deceptively simple campaigns are far more dangerous than they appear. 

“Massive botnet campaigns abuse machine identities to get an initial foothold into a network and then move laterally to infect further targets,” said Blachman.

“In many recorded cases, bots download crypto-mining malware that hijacks a target’s resources and shuts down services. When successful, these seemingly simple and non-advanced attacks can inflict serious damage on an organization and its reputation.”

The millions of applications and billions of devices that exist in the world use machine identities made from cryptographic keys and digital certificates to authenticate themselves to each other so they can communicate securely.

“To protect our global economy, we need to provide machine identity management at machine speed and cloud scale,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. 

“Every organization needs to ensure they have full visibility and comprehensive intelligence over every authorized machine they are using in order to defend themselves against the rising tide of attacks.”
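The article does not describe how the named campaigns abuse machine identities, so the added example below sticks to the visibility point in Bocek's closing remark. It is not Venafi's tooling: it audits a host's SSH authorized_keys file, one of the most common places a machine identity lives, against an inventory of approved key fingerprints, flagging keys nobody approved and RSA keys below a size threshold. Fingerprints are computed the way ssh-keygen -l does (SHA256 over the decoded key blob, base64 without padding); the file contents, the key material and the inventory are constructed, and the size threshold is an assumption.

```python
"""Audit SSH authorized_keys entries against an approved machine-identity inventory.

Added illustration only, not Venafi's tooling. All key material below is
constructed in code (dummy Ed25519 blobs and a deliberately small RSA modulus),
as is the inventory of approved fingerprints.
"""
import base64
import hashlib
import shlex

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

def _mpint(n):
    """SSH wire-format mpint; the extra byte keeps a leading 0x00 when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_strings(blob):
    """Split a key blob into its SSH strings."""
    pos, out = 0, []
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        out.append(blob[pos:pos + n])
        pos += n
    return out

def fingerprint(blob):
    """Fingerprint in the form ssh-keygen -l prints: SHA256 of the raw blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Parse one authorized_keys line into (options, keytype, blob, comment); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = shlex.split(line)  # keeps quoted option values such as command="..." together
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return parts[:i], tok, base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
    raise ValueError(f"no key type found in line: {line!r}")

def key_bits(keytype, blob):
    """Modulus size for RSA keys; fixed size for Ed25519; None for types not modelled here."""
    if keytype == "ssh-rsa":
        return int.from_bytes(_read_strings(blob)[2], "big").bit_length()  # strings: type, e, n
    if keytype == "ssh-ed25519":
        return 256
    return None

def audit(authorized_keys_text, approved_fingerprints, min_rsa_bits=2048):
    """Return findings as (line number, kind, detail, key comment) tuples."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        fp = fingerprint(blob)
        if fp not in approved_fingerprints:
            findings.append((lineno, "unknown_key", fp, comment))
        if keytype == "ssh-rsa" and key_bits(keytype, blob) < min_rsa_bits:
            findings.append((lineno, "weak_rsa", key_bits(keytype, blob), comment))
    return findings

def constructed_sample():
    """A constructed authorized_keys file and inventory: one approved Ed25519 key, one
    approved but 1024-bit RSA key with restriction options, and one key nobody approved."""
    ed_ok = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    ed_rogue = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    rsa_weak = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)
    b64 = lambda blob: base64.b64encode(blob).decode()
    text = "\n".join([
        "# managed by config management",
        f"ssh-ed25519 {b64(ed_ok)} deploy@build01",
        f'command="/usr/bin/backup",no-pty ssh-rsa {b64(rsa_weak)} backup@nas',
        f"ssh-ed25519 {b64(ed_rogue)} root@unknown-host",
    ])
    approved = {fingerprint(ed_ok), fingerprint(rsa_weak)}
    return text, approved

if __name__ == "__main__":
    text, approved = constructed_sample()
    for finding in audit(text, approved):
        print(finding)
```

Run against a real host, the input would be each user's authorized_keys file and the inventory would come from whatever system issues keys; the point of keeping the fingerprint computation identical to ssh-keygen's is that the inventory can be built and cross-checked with the standard tooling.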