Category Archives: Expert Comments

Japan’s Cybersecurity Minister Admits He’s ‘Never Used A Computer’

Japan’s new cybersecurity minister has ‘never used a computer’, claiming to have delegated to staff and secretaries since he was 25. This is especially notable because his duties include overseeing cyber-defense preparations for the 2020 Olympic Games in Tokyo. In addition, Sakurada allegedly struggled to answer a follow-up question about whether USB drives were in use at the country’s nuclear power stations.

With cybercrime expected to cost global businesses over $2 trillion by 2019, this revelation has raised concern, and its impact could weigh on Japan’s state of cybersecurity.

Two cybersecurity experts have commented on the incident below.

Bryan Becker, Application Security Researcher at WhiteHat Security:

“With Japan’s new Cybersecurity Minister Yoshitaka Sakurada admitting he’s never used a computer in his life, we can expect to see some unusual developments coming from their end. Remember when Zuckerberg was interviewed by a special hearing, and senators asked him questions as if they had never used the internet before? Not to be outdone, Sakurada is going to be developing policy without even having used a computer before!

All of that aside, if Sakurada is going to be effective, one likely option would be for him to turn to the private sector for help. There are probably going to be some very lucrative contracts available for partnerships with the Japanese government in the near future.

On the other hand, there is something to be said of the security of a man who’s never used a computer in his life. You can’t hack something that’s not there!”

Jeremy Cheung, Vulnerability Verification Specialist at WhiteHat Security:

“Whereas it’s generally possible for someone to be in a managerial position without holding any technical expertise, it isn’t ideal for achieving high-quality results. Due to the nature of the cybersecurity industry involving not only technical devices but private data and personally identifiable information, the ramifications of someone in this position not holding any hands-on industry experience are quite severe. Without having ever even used a computer, Sakurada’s knowledge of cybersecurity practices, exploits and remediation is theoretical at best, which greatly increases the chance of compromise and a potential repeat of the Pyeongchang Winter Olympic Games cyberattack. In preparation for the 2020 Olympic Games, Sakurada should definitely get in the trenches with his staff and experience what goes on in building a secure cyber-defense plan. To stop a hacker, you have to try to think like a hacker!”

The ISBuzz Post: This Post Japan’s Cybersecurity Minister Admits He’s ‘Never Used A Computer’ appeared first on Information Security Buzz.

Nordstrom Data Breach

Following the news that high-end retailer Nordstrom is in the process of notifying its employees that their data may have been compromised in a breach, please see below comments from Martin Jartelius, CSO of Outpost24.

Martin Jartelius, CSO at Outpost24:

“It looks like this incident relates to a contractor unintentionally, or intentionally, incorrectly handling confidential employee information. This highlights the need for organisations to treat all employees as a potential risk and ensure security steps are taken to minimise the risks when incidents like these happen.

There is also a considerable amount of time which has passed from the detection of the breach to the information being made available to potential victims. Taking into account the data which was exposed, waiting over a month to notify employees is very significant.

This is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”

French Film Company Pathe Loses €19m In BEC Scams

The Dutch branch of the French film production and distribution company Pathé has lost over 19 million euros to BEC scammers, Dutch News reported.

Information about how the scammers pulled it off has been gleaned from court documents relating to an unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s former chief financial officer.

Commenting on the news and offering advice are the following security professionals:

Javvad Malik, Security Advocate at AlienVault:

“BEC or CEO scams are very common tactics used by criminals. Because there is no malware, they rely purely on tricking the recipient. Therefore, employees should receive training in how to spot such emails, as well as knowing how and to whom to escalate suspicious emails.

Segregation of duties would also have helped. The fact that only one employee was able to make such large payments was a process weakness that the criminals exploited.”

Tim Sadler, Co-founder and CEO at Tessian:

“As this case indicates, fraudsters have a highly sophisticated understanding of the industry and individuals that they are targeting. This means that the email impersonation methods they use, such as spoofing trusted contacts – Pathé’s chief executive in this case – can be so advanced, that they are indiscernible to unsuspecting employees, including C-level executives.

Instances like this, where the attacker targets high profile employees to steal large sums of money or highly sensitive data, are known as whaling attacks. Senior executives are targeted because they have access to lucrative data, and they have the power to authorise high-value money transfers.

Human error is natural and inevitable. Therefore, if Pathé wishes to prevent whaling and phishing attacks and the significant financial and reputational damage they cause, it is imperative that the company implements a solution that doesn’t rely solely on employee vigilance and/or an existing rule-based security system(s) that has, up to this point, failed to protect the network. Hopefully, this incident will act as a wake-up call to the company: every employee is susceptible, regardless of their seniority, so every employee must be protected. Increasingly, organisations are protecting their people and data by applying machine intelligent technologies that automatically and comprehensively analyse the content and characteristics of inbound email to determine whether it is legitimate or a phishing email.”

Researchers Reveal Seven New Spectre And Meltdown Attacks

In response to the news that a team of nine academics has today revealed seven new CPU attacks, which are variations on Meltdown and impact AMD, ARM and Intel CPUs to various degrees, please see below comments from Cody Brocious, researcher at HackerOne.

Cody Brocious, Researcher at HackerOne:

“As long as speculative execution is performed in processors, this type of bug will continue to be discovered. It’s impossible to perform operations without side-effects on a hardware level, and abstractions that pretend such operations are side-effect-free are always going to cause security issues.”

Cyber-Attacks Is Now The Number One Business Risk

You’ve probably seen the recent news that cyber-attacks are now the number one business risk in Europe, North America, and East Asia and the Pacific, according to the latest report from the World Economic Forum (WEF). Mick Bradley, EMEA VP at data protection vendor Arcserve, addresses the hot topic of cybersecurity in the boardroom in his comment below.

Mick Bradley, EMEA VP at Arcserve:

“It’s no surprise that executives in the UK and Germany both place cyber-attacks as the number one risk to business. As we become more digitally connected, organisations are spending an increasing amount on cybersecurity software. But despite this, we are still witnessing an increase in hacks, outages and data breaches.

Our research has shown that the cost of downtime when cyber-attacks or outages happen is also a growing concern. Tolerance for data loss is also diminishing – 93% said their companies could only tolerate minimal, if any, data loss from their critical business applications yet just 26% feel extremely confident in their ability to recover quickly enough to avoid business disruption/loss of revenue. Despite this, more than half (56%) of organisations don’t have a recovery plan in place and nearly 70% of executives believe that cyber-attacks are a data security issue rather than recovery. However, it’s virtually impossible to completely eliminate security risks or weaknesses in systems despite how much is invested into security solutions, so executives need to also focus on recovery and resiliency in the fight against cyber criminals, to maintain business continuity when things inevitably go wrong.”

Cyberattacks The Top Business Concern Across The West Say World Economic Forum

The World Economic Forum has released the results of a major study which sheds light on business concerns across the West. The significant study of 12,000 executives concluded that in the West (North America and Europe), cybersecurity and cyberattacks are the top business risk.

Lisa Baergen, Director at NuData Security:

“This latest study from the World Economic Forum is somewhat bittersweet. While it’s a concern that cyberattacks are common and dangerous enough to top business leaders’ list of concerns, it’s undoubtedly a step in the right direction that this is at least being acknowledged. This means, however, that business leaders can no longer plead ignorance; they need to take appropriate measures to move beyond the traditional models of cybersecurity protection and account access if they hope to keep their businesses and customers safe.”

Albion Online DDoS attack

In response to the news that the popular online game Albion Online has been hit with a DDoS attack, please see below comments from Sean Newman, Director of Product Management at Corero Network Security.

Sean Newman, Director of Product Management at Corero Network Security:

“Online multi-player games are prime targets for DDoS attacks, often from players of those games looking to gain advantage over other players. Reports over the weekend of Albion Online being impacted by three separate attacks over a period of twelve hours or so reinforce that providers of online applications and services now need to ensure that dedicated real-time automatic DDoS protection is an integral part of their security strategy. The sophisticated state of the DDoS threat landscape, combined with the always-on expectations of today’s users, means relying on obscurity, believing you won’t get attacked, or using outdated technology just isn’t sufficient any longer.”

Internet Traffic Hijack Disrupts Google Services

Yesterday it was reported that an internet traffic diversion rerouted data through Russia and China and disrupted Google services on Monday, including search, cloud-hosting services and its bundle of collaboration tools for businesses.

Following this, please see below for comment from Allan Liska, senior security architect at Recorded Future.

Allan Liska, Senior Security Architect at Recorded Future:

“BGP hijacking is surprisingly common. According to the Internet Society, there were almost 14,000 BGP hijacking incidents in 2017 alone (https://www.internetsociety.org/blog/2018/01/14000-incidents-2017-routing-security-year-review/) and that number has not slowed down in 2018. Most incidents are not noticed; it is only when a big name like Google, Amazon or Visa has its routes hijacked that people pay attention. Most of the time, BGP hijacking incidents are the result of human error rather than malicious intent, and that may be the case here, especially knowing that all of Google’s traffic is encrypted, so there is very little to gain by intentionally rerouting it, although metadata is always valuable to a nation state.

That being said, there does appear to be a disproportionately large number of hijacks originating from China Telecom. For comparison, the largest ISP in the world is Verizon, which has AS701 and has 2,855 reported hijacks. China Telecom is the 4th largest ISP in the world and its primary ASN, AS4134, has 4,413 reported hijacks. That is a significant difference.”

Reported Breaches In The First 9 Months Of 2018 Exposed 3.6 Billion Records

There have been 3,676 publicly disclosed data compromise events through September 30. Breach activity continues at a consistent pace for 2018, which although significant in level, will likely not reach the numbers we saw in 2017, according to the 2018 Q3 Data Breach QuickView report by Risk Based Security. “The number of reported breaches shows some improvement compared to 2017 and the number of records exposed has dropped dramatically,” said Inga Goddijn, Executive Vice President for Risk Based Security. “However, an improvement from 2017 is only part of the story, since 2018 is on track to have the second most reported breaches and the third most records exposed since 2005. Despite the decrease from 2017, the overall trend continues to be more breaches and more mega breaches impacting tens of millions, if not hundreds of millions, of records at once.”

Corin Imai, Senior Security Advisor at DomainTools:

“These statistics reflect the changing nature of the cybersecurity industry and an increase in the size and diversity of the threats we’re seeing. While all breaches are concerning, the fact that more breaches are being disclosed is a positive step forward for the growth and transparency of the industry. This increase in breach disclosure, together with increased cyber-education amongst employees, shifts our focus to protecting PII and building programs to support that shift.”

HookAds Malvertising Campaign

The HookAds malvertising campaign is on the loose again and is downloading various malware through the Fallout exploit kit.

Mike Bittner, Digital Security & Operations Manager at The Media Trust:

“Bad actors behind the HookAds campaign appear to be switching their tactics and adding more weapons to their arsenal to make a clean sweep of their targets. It appears they have joined forces with distributors of DanaBot, a banking trojan, either as part of a larger North American DanaBot campaign that splits profits among various bad actors or as a renter of the malware. Other DanaBot campaigns in the region involved the use of eFax digital faxes. The HookAds malicious campaign makes use of an earlier campaign’s tactics: compromising adult websites and using an extensive network of rogue ad domains masquerading as legitimate advertising platforms. Two years ago, the campaign fed traffic into the RIG exploit kit; this year, it feeds traffic to the Fallout exploit kit. The tactical switch was likely done to target users who are less likely to update or patch legacy desktops used to conduct a wide array of personal transactions online, such as paying bills, shopping, etc. These machines likely store a lot of personal, sensitive information, so taking them over would give bad actors access to all of it. But to ensure they are able to scrape as much information as they can, they have also used Nocturnal Stealer to obtain passwords and information from Chrome and Firefox browsers, as well as rob cryptocurrency wallets.”
