Category Archives: Expert Comments

Girl Scouts Of America Offering Cybersecurity Badges

It has been reported that the Girl Scouts of America is now offering girls as young as five a badge in cybersecurity. It’s part of a drive to get more girls involved in science, technology, engineering and mathematics from a young age. An event in Silicon Valley gave scouts an opportunity to earn the first patch in the activity.

Cristina Roa, VP International at Securonix:

“The Girl Scouts initiative is an investment in the future of cybersecurity, and it will help to boost interest and participation in an industry in which women are not only traditionally underrepresented but an industry that is also facing a severe skills shortage.

The initiative offers girls the chance to learn about data privacy, online safety, coding and even how to become a white hat hacker. It is immensely important that initiatives, such as this one, continue to gain funding and support from the cybersecurity industry and governments. This will help drive awareness around cybersecurity, encourage more females to get into the industry and ensure that we have the resources in the future to combat an exponentially growing problem.”

The ISBuzz Post: This Post Girl Scouts Of America Offering Cybersecurity Badges appeared first on Information Security Buzz.

WordPress PlugIn Was Hacked By Former Employee

In a serious case of insider threat, CyberScoop reported that a former employee of WPML, the popular WordPress plugin, used an old password together with a hidden vulnerability he had inserted into the WPML website before leaving the company to regain access after his departure. The employee appears to have used that access to post a message on the WPML website and to spam the same message to WPML clients.

WPML said the incident caused it to lose client data, forced it to rebuild its server from scratch and prompted it to reset all customers’ passwords. OnTheGoSystems said that the plugin itself was not vulnerable and that payment information had not been exposed.

Expert Comments Below:

Bill Evans, a VP at One Identity:

“This is as much an issue with provisioning as it is with segregation of duties. Organisations need to ensure that users – which include both admins and developers – have the *right* access which means they have only the access they need to do their jobs – nothing more and nothing less. In the case of this developer, they likely had access to a privileged account password, a database password or an administrator password that was shared by many employees for the purpose of doing maintenance on critical systems. This is the latest incident that shows the importance of employing basic privileged access management practices — like using a password vault, modern session management, and behaviour analytics — so that there are no hidden “old passwords” lurking in the code or in DevOps configuration files that employees can use.”

Experts Comments On First GDPR Fine Of $57 Million To Google

CNIL, the French data protection watchdog, issued its first GDPR fine, of $57 million, to Google, finding that Google failed to comply with GDPR in the way new Android users are taken through the phone set-up and onboarding process.

Experts Comments Below:

Anurag Kahol, CTO and Co-founder at Bitglass:

“Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law. Until this point, data protection authorities have been incredibly patient with companies – GDPR has been in full effect for nearly a year now. However, it seems this grace period is more or less passing. While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”

Jonathan Bensen, interim CISO at Balbix:

“CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.

If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”

Dr Guy Bunker, SVP of Products at Clearswift:

“The key thing to take from this news is that this is a substantial fine in the name of GDPR. It’s nowhere near the maximum available fine, but it is enough to make organisations sit up and take note. It also shows that no organisation is above the law and the regulators will go after big names.

“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects. People, processes and technology are vital areas that organisations need to review to gain visibility and control of critical data in order to comply with the GDPR. The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of their organisation’s data security status.”

Fouad Khalil, Vice President of Compliance at SecurityScorecard:

“The new year is upon us, and so are GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave, hoping that it will miss them, should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real! We are learning that no one is beyond GDPR’s reach – Google was fined 50 million euros on January 21, 2019 because people were “not sufficiently informed” about how Google collected data to personalise advertising.

This is the first large fine by a GDPR regulator. That it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that has issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France, where it is considered to be more effective.

The regulator indicated that Google provided inadequate information to its consumers as well as had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.

In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.”

Matt Lock, Director of Sales Engineering at Varonis:

“The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar – their luck may be running out soon.”

Javvad Malik, Security Advocate at AlienVault:

“This could be one of the first high profile tests of GDPR and how it pans out in the real world.

The fine can be summed up as a lack of transparency. Companies need to be transparent and clear with their users as to what data they are capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent nor clear with users – resulting in users making misinformed choices.

Customer data of all sorts, whether that be PII, or even metadata should be considered carefully by companies. Before storing or processing information about customers, companies should ask themselves two questions. First, what purpose the data is being used for and for how long, and secondly, have the users truly given informed consent – if the answer to either is unclear, then they should not go ahead with it.”

Matt Walmsley, EMEA Director at Vectra:

“And so CNIL, the French Supervisory Authority flexes its muscles and Google is the first big scalp for GDPR fines. Others will follow!

User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.”

108M Records Exposed via Misconfigured ElasticSearch Server

ZDNet reported that a password-less ElasticSearch server belonging to a group of online casinos exposed the details of over 108 million bets, including customers’ payment card information, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more. The payment card details indexed in the server were partially redacted, however, so each user’s full financial details were not exposed. The leaky server was found last week and was taken offline today; it is no longer accessible.

Experts Comments Below:

Mark Weiner, CMO at Balbix:

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks such as the VOIPo and Oklahoma Securities Commission’s latest incidents. 108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.

Organizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200+ attack vectors for potential vulnerabilities. Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”

Rich Campagna, CMO at Bitglass:

“This breach is yet another example of a company that exposed massive amounts of consumer data due to a simple security mistake. Leaving a server publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.

Companies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing the trust of their customers. In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPR’s transparency and consent laws.”

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:

“Merry belated Christmas, millennials. By the way, your data was exposed… Of the 4 million intern applications unprotected, a company rep claims only 40 of the records were actually exposed.

No matter what the count is, it just goes to continue to prove a major point… companies all around the world are not all protecting personal data. When writing personally identifiable information to a database or file, organizations need to do more. Even just following the basics sometimes would help. Even though this company is a non-profit organization, GDPR fines may still apply. If “Taylor Smith” was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.”

Carl Wright, CCO at AttackIQ:

“Lately we have seen a proliferation of protection failures resulting in massive data leakages. Almost all of these instances would have been preventable if the affected organizations understood that their security stack was misconfigured. It is time that enterprises test their respective security posture proactively rather than waiting for cyber attackers to thwart any existing, or lack of, cyber defense. There is no excuse for deploying security controls that are not properly configured, therefore resulting in protection failures.”

Brexit May Mean Shortage Of Cyber Talent – We Should Be Looking To Our Own Students

Following Theresa May’s defeat in Parliament earlier in the week, the Brexit process looks to be in a state of confusion. With that confusion comes the question of how the cybersecurity industry in the UK will keep its reputation for a world-class workforce if visa restrictions, and potentially employees choosing not to stay in the UK, come to pass.

James Lyne, Head of Research and Development at SANS Institute, and creator of the Cyber Discovery programme, believes that we should be doing far more to nurture homegrown cybersecurity talent in the UK – as it may be the only way to plug the skills gap we are currently facing.

Expert Comments:

James Lyne, Head of Research and Development at SANS Institute:  

“Whatever the ultimate outcome following this week’s parliamentary vote, one thing is certain: it is more important than ever that we develop our own home-grown talent, especially when it comes to cybersecurity, rather than relying on other nations to provide that expertise. According to the National Cyber Security Index 2018, the UK ranked 8th in a country-by-country assessment of cybersecurity capabilities. While appearing in the top 10 out of a list of 100 is a definite positive, a departure from the EU could affect our ability to defend against cyberattack, with reports claiming that the UK will lose out on vital funding for tech innovation and research.

“Amid the ongoing uncertainty, a new report from the World Economic Forum has identified cyber as ‘one of the top risks to stability in the world.’ It’s another reason why it’s so important for industry to collaborate and to work with Government on initiatives that focus on nurturing homegrown cybersecurity talent. Indeed, there is now wider industry acknowledgement that we need to do more to engage the younger generation in cyber security at an early age in order to help plug the cyber security skills gap. Programmes such as Cyber Discovery, which is being delivered by SANS for the UK Government as part of its Cyber First initiative, are beginning to address this lack of engagement. The programme aims to spark interest and aptitude in cybersecurity among 14-18-year-olds, arming the workforce of tomorrow with the tools they need now to help make Britain more competitive and more secure.”

BlackRouter Ransomware Promoted As A RaaS By Iranian Developers

Ransomware called BlackRouter has been discovered being promoted as a Ransomware-as-a-Service on Telegram by an Iranian developer. This same actor previously distributed another ransomware called Blackheart and promotes other infections such as a RAT. BlackRouter was originally spotted in May 2018 and had its moment of fame when TrendMicro discovered it dropping the AnyDesk remote access program and keyloggers on victims’ computers.

Israel Barak, CISO at Cybereason:

“Ransomware is one of the most effective and successful forms of cybercrime, yet attacks have slowed considerably in the past few years. But as long as hackers find it simple to construct and deploy, it will be a low-risk, high-reward business model for monetizing malware.

There are some basic best practices to follow to mitigate ransomware risk:

- Back up files and regularly verify that the backups can be restored
- Don’t download software from dubious sources
- Don’t open email attachments from unknown / unexpected senders
- Train users on best practices and how to spot phishing emails
- Review cyber insurance plans – make sure they are in line with the level of risk you want from ransomware – request a “ransomware clause” for cyber extortion that would eliminate the inability to publicly disclose and adjust the unrealistic high deductible to be more in line with current ransom demands.”

Implications Of No-Deal Brexit On Cross-Border Data Flow

Elizabeth Denham, Information Commissioner, has advised businesses to consider “alternative data transfer mechanisms” in the event of a no-deal Brexit, which might have implications on cross-border data flow.

Ian Smith, founder and CEO of Gospel Technology, whose data security platform uses permissioned DLT to let organisations securely share critical data with third parties outside their perimeter of control, commented below.

Ian Smith, CEO at Gospel Technology:

“Whatever the outcome of the Brexit negotiation, it’s crucial to the ongoing relationship between the UK and its European counterparts that information is able to move across borders seamlessly and securely. If the UK ends up leaving the European Union without a deal, one of the main concerns is that data flow will slow to a crawl as organisations work their way through the new security and structural implications. This could potentially take a considerable toll on business efficiency and profitability.

However, this potential issue could be addressed by the implementation of distributed data architectures. With consensus algorithms such as permissioned distributed ledger, security is embedded at a data level, without impacting the agility of data transfer. Cross-border collaboration could continue unimpeded, underpinned by a system that allows organisations to maintain visibility and control of how information is used, even when shared outside the perimeter of their control.

Commissioner Elizabeth Denham is right to call for the consideration of “alternative transfer mechanisms”. A greater focus on new data management techniques will mean the UK can enjoy the benefits of the ‘digital-first’ age without having to worry about the exposure of sensitive information, or increased friction in data flow following Brexit.”

Android ES File Explorer Vulnerability Exposes All User Data To Attackers On The Same Network

A serious vulnerability in ES File Explorer, a popular Android file manager, has been discovered; it exposes all of the user’s data to attackers on the same network. In essence, the victim need only have opened the app once. The bug was found by the researcher known as Elliot Alderson, who posted about it on Twitter.

Expert Comments below:

Craig Young, Security Researcher at Tripwire:

“The ES File Explorer ‘Open Port’ vulnerability is far more serious than originally reported. The truth is that attackers do not need to be on the same network as the victim phone thanks to DNS rebinding. With this attack model, a web site loaded on the phone or by any user on the same network can directly interact with the vulnerable HTTP server. This enables a remote attacker to harvest files and system information from vulnerable devices. An attack could be launched through hacked web pages, malicious advertising, or even a tweeted video.”
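
The DNS rebinding route Craig Young describes works because, once the attacker’s hostname re-resolves to the victim’s own address, the browser sends its requests to the local service while still naming the attacker’s domain in the Host header. A service can therefore reject any request whose Host header is not one of its own names. The Python below is an added illustration of that check, not code from the original post, from Tripwire or from ES File Explorer; the allowed names, the `phone.local` hostname and port 59777 are assumptions made for the example.

```python
"""Host-header allow-list as a DNS rebinding defence.

Added example, not code from the original post, from Tripwire or from ES File
Explorer. The allowed names and the listening port below are assumptions made
for this example.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names under which a browser is legitimately allowed to reach this service.
# After a rebinding attack the browser still believes it is talking to the
# attacker's domain, so the Host header carries that domain even though the
# TCP connection now lands on the local device. Checking Host catches that.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "phone.local"}  # assumed names
LISTEN_PORT = 59777  # hypothetical port chosen for the example


def split_host_port(host_header: str):
    """Return (hostname, port) for a Host header, handling '[v6]:port' forms.

    Returns (None, None) for anything that is not a plain host[:port].
    """
    try:
        parts = urlsplit("//" + host_header.strip())
        if parts.path or parts.query or parts.fragment or parts.username is not None:
            return None, None
        return parts.hostname, parts.port  # .port raises ValueError if malformed
    except ValueError:
        return None, None


def is_allowed_host(host_header, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """True only if Host names this service (and, when given, the right port)."""
    if not host_header:
        return False  # HTTP/1.1 requires Host; treat a missing one as hostile
    hostname, hport = split_host_port(host_header)
    if not hostname:
        return False
    if hport is not None and hport != port:
        return False
    name = hostname.lower()
    try:
        name = str(ipaddress.ip_address(name))  # canonicalise literals, e.g. 0:0::1 -> ::1
    except ValueError:
        pass  # not an IP literal; compare the DNS name as-is
    return name in allowed


class RebindSafeHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses requests whose Host header is not allow-listed."""

    def do_GET(self):
        if not is_allowed_host(self.headers.get("Host")):
            # 421 Misdirected Request: sent to a server that does not serve that authority.
            self.send_error(421, "Misdirected Request: unexpected Host header")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback where possible; the Host check still matters for services
    # that must listen on a LAN interface.
    HTTPServer(("127.0.0.1", LISTEN_PORT), RebindSafeHandler).serve_forever()
```

The `is_allowed_host` check is the part worth reusing; the handler only shows where it sits in a request path. Services bound to loopback benefit too, since a rebound hostname can point at 127.0.0.1 just as easily as at a LAN address.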

Emotet Banking Trojan Resurfaces With New Spam Avoidance Capabilities

It’s been discovered that the infamous Emotet Trojan has resurfaced with a new capability – it can check IPs on infected machines to see if malicious email senders are on spam lists, allowing hackers to send malware from an email address that’s guaranteed to get through. This is further proof that organisations need to be bolstering defenses as hackers continue to find ways to slip through the net of traditional AV and detection-based tools.

Expert Comments below:

Fraser Kyne, EMEA CTO at Bromium:

“The Emotet Banking Trojan is one of the most notorious pieces of malware in the wild, so its return comes as little surprise. Hackers are notoriously resourceful and can find ways to improve known attacks to breach the enterprise. Previously, we’ve seen cybercriminals apply polymorphic wrapping to Emotet to evade detection. Now it has gained the ability to check if the infected IP where the malicious email is being sent from is already on a spam list, allowing them to deliver more emails to inboxes without being rejected. This continuous development shows that hackers are looking to maximise financial gain to improve their ROI, helping to keep successful malware strains like Emotet an ever-present danger for the enterprise. Companies need to adopt layered cybersecurity defences that utilise virtualisation to isolate tasks within virtual machines. This renders attacks like Emotet harmless; even if an employee has opened a file, as the hacker will have nowhere to go and nothing to steal, keeping critical IP protected and helping organisations stay one-step ahead of new techniques being deployed by cybercriminals.”

New Magecart Attacks On Ad Supply Chain

A new Magecart attack aimed at French advertising agency Adverline, has been discovered by RiskIQ. This new Magecart attack steals customer credit card details by compromising a content delivery network for ads so that any website loading the script from the ad agency’s ad tag would also be loading the digital skimmer at the same time.

Experts Comments below:

Mike Bittner, Digital Security and Operations Manager at The Media Trust:

“This new malware strain is just one more indication of how sophisticated and organized bad actors have become. It has not only affected the French ad agency, but at least two large digital ad technology vendors, who saw a malicious domain pop up in their payment pages, but were able to thwart the infection by continuously monitoring their digital ecosystem for unauthorized code and terminating the malware at its source. Other players along the supply chain should be just as vigilant, especially retail sites at the receiving end of infected ads and whose users will inevitably be affected. If EU consumer information is stolen, affected companies could face GDPR fines.”

Matan Or-El, Co-Founder and CEO at Panorays:

“This new attack underscores the need for enterprises to constantly assess and manage the risk from third parties and the supply chain. A crucial tool for enterprises would be a system that automates this process and shines the light on those vendors and partners who pose the biggest threat to an enterprise’s data.”
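
A digital skimmer delivered through an ad network’s CDN, as described above, arrives as a modification of a script the site already loads. Subresource Integrity (SRI) lets a site pin the exact script body it vetted so the browser refuses a changed copy, and the same digest lets a monitoring job re-fetch the CDN copy and compare it to the pinned one. The Python below is an added example, not code from RiskIQ, Adverline, The Media Trust or Panorays; the ad-tag script, the bytes appended to it and the CDN URL are constructed for the example.

```python
"""Subresource Integrity (SRI) pinning and re-checking of a third-party script.

Added example; not code from RiskIQ, Adverline, The Media Trust or Panorays.
The ad-tag script body, the 'appended' bytes and the URL below are constructed
stand-ins so the example runs offline.
"""
import base64
import hashlib
import hmac

# Algorithms the SRI spec permits, ranked by strength: a browser evaluates only
# the tokens of the strongest family present in an integrity attribute.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for a resource body."""
    if algo not in SRI_STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> element a site ships once it has vetted the body."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(body: bytes, integrity: str) -> bool:
    """Apply the browser's rule: keep only tokens of the strongest listed
    algorithm and accept if any of them matches the body.

    A browser ignores an attribute with no usable tokens and loads the resource
    anyway; this server-side audit treats that case as a failure instead.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_STRENGTH]
    if not tokens:
        return False
    strongest = max(SRI_STRENGTH[t.partition("-")[0]] for t in tokens)
    candidates = [t for t in tokens if SRI_STRENGTH[t.partition("-")[0]] == strongest]
    return any(
        hmac.compare_digest(sri_digest(body, t.partition("-")[0]), t)
        for t in candidates
    )


# Constructed sample: the ad-tag script a site vetted and pinned ...
AD_TAG_SCRIPT = b"(function(){window.__adTagLoaded=true;})();\n"
# ... and the same file after something was appended upstream (a harmless
# placeholder stands in for the added code).
TAMPERED_SCRIPT = AD_TAG_SCRIPT + b"/* placeholder for bytes added upstream */\n"
AD_TAG_URL = "https://cdn.example/ad-tag.js"  # hypothetical


def check_fetched_copy(fetched: bytes, pinned_integrity: str) -> str:
    """What a monitoring job does: re-fetch the CDN copy and compare to the pin."""
    return "unchanged" if sri_matches(fetched, pinned_integrity) else "MODIFIED"
```

The caveat for ad tags specifically: SRI only works when the script served is static, and many ad tags change per request or rotate frequently, which is why continuous monitoring of what the tag actually serves (the approach the vendors in the comment above credit with catching the infection) matters alongside pinning. A Content-Security-Policy `script-src` list naming only expected origins limits what an injected loader can pull in from elsewhere.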

Collection #1 Breach Comments

A security researcher discovered that more than 772 million unique email addresses and over 21 million unique passwords were posted to a hacking forum. The data dump underlines the importance of having strong, unique passwords for every account.

Expert Comments Below:

Sandor Palfy, CTO at LastPass:

“This Collection #1 data dump is yet another example indicating the importance of practicing good password behavior. Despite the fact that weak, reused and compromised passwords are the cause behind many breaches, people continue to display pretty risky password behavior. In fact, in our recent Psychology of Passwords survey we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so. In most breaches the attacker usually just gets the hashes of the passwords and they need to crack or brute force to get the actual passwords. The longer and more complex the password is, the harder it becomes to crack, or brute-force attack which simply means it takes longer for a computer to correctly guess it.

It’s crucial that people create a unique, strong password that hasn’t been used on other online accounts, for every online account they have. If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, more important accounts, likely even before you learn about the breach. Even if a password is brute forced, the damage is less if it’s unique, as then it will impact only that account. It’s also worth turning on two-factor authentication where possible as this adds an additional layer of protection that will ensure an attacker won’t be able to access an account even if they do obtain the password.

While this might sound like a daunting task, the good news is there’s an easy fix. Password managers, like LastPass, will create and save complex and unique passwords for each of your accounts, and recall them automatically the next time you log in to those accounts. This makes life easier for the user, and much more difficult for hackers.”

Major Vulnerabilities Discovered Across Top Web Hosting Sites

Security researchers testing web hosting security have found at least one client-side vulnerability in every platform they tested, with some allowing account takeover when the victim clicks a link or visits a malicious website. Websites hosted on Bluehost, Dreamhost, HostGator, OVH and iPage were tested.

Expert Comments below.

Javvad Malik, Security Advocate at AlienVault:

“The nature of software is such that nothing will ever be perfectly secure, and that includes web hosting. Companies should approach web hosting in the same way they would approach any third party or cloud provider. This includes having a thorough due diligence process to seek assurance that the web host is taking the right steps to try and identify and mitigate issues in a timely manner. Finally, companies should have their own incident response plans in place, separate to those of the web host.”

Latest Bitcoin Scam Takes Victims To Fake BBC News Page

A new Bitcoin scam has surfaced and appears to be delivered mostly via email by exploiting weaknesses in Hotmail or Live mail accounts. Victims receive a legitimate-looking email that usually mimics an email they are expecting to receive, making the scam seem even more real. A link in the email redirects the victim either to a convincing imitation of a BBC News webpage or simply to a page asking for a password.

Martin Jartelius, CSO at Outpost24:

“This is traditional phishing. The BBC is not to blame, and already by reaching out with information, they are doing plenty. Users should stay alert and always verify that the website they are visiting has a certificate issued to the expected organization. However, it is best to simply ask relevant questions such as is this reasonable, and is this something I expected or requested to receive? If it sounds too good to be true, it probably is. The general population needs to apply basic skepticism and assess the situation. We cannot keep pushing that responsibility on others and must learn how to spot deception.”

Hackers Tricking Employees To Handover Payroll Data In Latest BEC Scam

Hackers have been found to be impersonating HR staff to gain employee credentials to access employee payroll accounts and banking details. 

Expert Comments below:

Felix Rosbach, Product Manager at comforte AG:

“Here we have yet another example of how easy it is to steal someone’s identity – given there are no countermeasures in place.

The reason for this is simple: most hackers aren’t geniuses, but neither is the average employee. We’re only human after all. Sometimes we make mistakes. Sometimes we get complacent or distracted and, unfortunately, our tendency to slip up every once in a while leaves us open to exploitation. That’s why you always have to have the human element in mind when thinking about security.

So the question is: how do we protect our organization from the phishing scheme du jour?

With an increasing attack surface and an endless number of ways to get access to a company, the name of the game is sophisticated identity access management coupled with verification from an actual human. And last but not least, having solid data protection will act as a fail-safe to minimize the damage in the event of a breach.”

Largest Collection Of Breached Data Discovered

Today it has been reported that the largest collection of breached data yet has been discovered on a popular hacking forum. The 87GB of data, discovered by security researcher Troy Hunt, contains 770m email addresses and passwords.

Experts Comments below:

Ed Macnair, CEO at CensorNet:

“Following data breaches, it’s common to find stolen details up for sale on the internet as it’s a hugely lucrative business, but the size of this haul is staggering. Although, this was probably always going to happen as enterprising criminals have got pretty good at streamlining their processes.

“Credential theft has been the leading cause of data breaches for a number of years and people still don’t seem willing to take action and put in place steps to ensure their accounts are less likely to be compromised. It isn’t just consumers; businesses around the world suffer the same problem of employees using the same combination of user names and passwords across multiple accounts and, given the size of this database, there’s a very good chance corporate information is included.

“The same advice as ever stands. Use unique passwords for different accounts and, for consumers, a password manager to help create and store those details. Businesses should also have in place comprehensive security to prevent hacks, alongside additional authentication requirements so that an employee’s identity is guaranteed when they are logging into company resources. It really is about time this message sinks in.”
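
Both Sandor Palfy (in the Collection #1 comments above) and Ed Macnair argue that reused passwords are the problem and that unique ones limit the damage. A defender-side check that follows from dumps like Collection #1 is to reject, at signup or password change, any password already present in breach data, without ever sending the password or its full hash to the checking service. The Python below is an added example of that k-anonymity range technique, not code from LastPass, CensorNet or the Collection #1 research; the corpus and its counts are constructed so it runs offline, and a real deployment would replace `offline_range_lookup` with an HTTPS call that sends only the 5-character SHA-1 prefix (the Pwned Passwords range API works this way).

```python
"""Breach-corpus password check using the k-anonymity range technique.

Added example; not code from LastPass, CensorNet or the Collection #1 research.
The corpus and counts below are constructed so the example runs offline; a real
deployment queries a range service over HTTPS with only the 5-character prefix.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a breach corpus: password -> times seen (invented).
_CONSTRUCTED_CORPUS = {
    "password": 1000,
    "123456": 5000,
    "correcthorsebatterystaple": 42,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_table(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group hash suffixes by 5-char prefix, in the 'SUFFIX:COUNT' line format."""
    table: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in table.items()}


_RANGE_TABLE = _build_range_table(_CONSTRUCTED_CORPUS)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call. Only the prefix ever leaves the caller."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("range lookups take a 5-character upper-case hex prefix")
    return _RANGE_TABLE.get(prefix, "")


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    seen: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            seen[suffix.upper()] = int(count)
    return seen


def times_seen(password: str,
               range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """How often the password appears in the corpus, comparing the suffix locally."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def password_acceptable(password: str,
                        range_lookup: Callable[[str], str] = offline_range_lookup,
                        min_length: int = 12) -> Tuple[bool, str]:
    """Policy check: long enough and absent from breach data."""
    if len(password) < min_length:
        return False, "too short"
    n = times_seen(password, range_lookup)
    if n:
        return False, f"seen {n} times in breach data"
    return True, "ok"
```

Only the prefix leaves the client, so the service learns one of 16^5 buckets rather than the password; the comparison of the remaining 35 hex characters happens locally. The same `times_seen` value is a useful signal for forcing a reset on existing accounts once a new dump appears.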

Emotet Returns From The Holidays With New Tricks

Following a short period of low activity during the holidays, Emotet operators are back, distributing through malicious email campaigns a new strain of their payload that carries new tricks.

The email campaigns target users speaking different languages, luring them into opening an attached document laced with code that downloads and installs the malware.

The malware is under constant development and this new variant can check if the recipient’s/victim’s IP address is blacklisted or on a spam list maintained by services like Spamhaus, SpamCop, or SORBS. “This could allow attackers to deliver more emails to users’ inboxes without any push back from spam filters,” researchers at Cisco Talos say in a blog post.
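As an added example (not code from Talos or from the original article), here is the DNSBL lookup that an inbound mail gateway performs against the same public lists: the IPv4 octets are reversed and prefixed to the zone, and an answer inside 127.0.0.0/8 means "listed". The resolver is injectable so the constructed table below stands in for live DNS; the practical caveat is that a sender which has pre-checked these lists, as the Emotet variant does, arrives from an unlisted IP, so "accept" only means no list knows the address and content inspection must still run.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# The DNS-based blocklists named in the Talos write-up (public zone names).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net")

# Address space that must never be sent to a DNSBL (RFC 5782 section 2.1).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# A resolver maps a DNS name to its A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name per RFC 5782: octets reversed, then the zone.

    192.0.2.10 against zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_hits(ip: str, zones: Iterable[str] = DNSBL_ZONES,
               resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every list on which the IP appears."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return {}  # private/loopback space is never listed; do not query it
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Genuine listings answer inside 127.0.0.0/8; any other answer is a
        # wildcarded or hijacked zone and must not count as a hit.
        if answer and answer.startswith("127."):
            hits[zone] = answer
    return hits


def gateway_verdict(ip: str, resolve: Resolver = system_resolver) -> str:
    """Connection-time decision for an inbound SMTP client.

    'reject' on any listing. 'accept' only means no list knows this IP:
    a sender that pre-checked the same lists passes here, so attachment
    and link analysis still has to run on whatever it delivers.
    """
    return "reject" if dnsbl_hits(ip, resolve=resolve) else "accept"


# Constructed stand-in for live DNS so the example runs offline.
# 192.0.2.0/24 is documentation space; the listing itself is invented.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",
}
fake_resolver: Resolver = FAKE_DNS.get


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11"):
        print(client, gateway_verdict(client, resolve=fake_resolver),
              dnsbl_hits(client, resolve=fake_resolver))
```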

Expert Comments below:

Maor Hizkiev, CTO and Co-founder at BitDam:

“Like many malware strains, Emotet is learning from experience in order to improve and become more effective. In this case, the Emotet variant has developed a new capability that means it can fly under the radar and bypass common spam filters.

In addition to a previous update, which enables the malicious actor to take control of email accounts and send seemingly legitimate emails to dupe the recipient into opening malicious files, Emotet malware is becoming progressively potent, destructive and costly to both organisations and individual users.

The only real means of protecting against a mutable attack vector like this is to implement a solution that specialises in detecting content-borne attacks by analysing the file regardless of the meta-data that comprises it, such as sender and IP address. By doing so, organisations can continue to detect and block malicious code and links, even as they change and develop.”

DNS Hijacking Campaign Targeting Infrastructure And Telecomms Discovered

FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While they do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success.

Expert Comments below:

Emily Hacker, Security Researcher at DomainTools:

“DNS hijacking is a particularly dangerous attack technique due to the wide variety of malicious activity that it can facilitate. Whether the redirected traffic is used for phishing purposes, or in order to provide targeted advertisements to people using specific websites, it can be a powerful malicious tool in the wrong hands. Given that these websites are associated with government and infrastructure targets and the attribution points in the direction of Iran, it is fairly likely that the aim of this hijacking campaign is espionage. This should be taken extremely seriously, and the organisations whose websites have been affected should take the necessary preventative measures in order to avoid further situations such as this.”

Mitigating Breach Costs

The average cost of a cyber breach for companies now exceeds one million dollars, according to a new report by Radware.

Justin Jett, Director of Audit and Compliance at Plixer:

“The numbers reflect the reality that breaches are inevitable and expensive. However, both sides of that equation can be mitigated if companies can locate forensic data quickly to find and mitigate attacks. Specifically, IT professionals need network traffic analytics to fully understand where these attacks are coming from and how the attacks were possible. By looking at all of the data, network and security teams can work together to see the completed puzzle and help make future attacks more difficult for malicious actors to achieve. By analyzing network traffic patterns, many attacks are spotted easily and require far fewer resources to resolve than if no forensic data is available, or if teams have to manually comb through logs to gather data. With cyberattacks looking to exceed $1 million, organizations should immediately deploy a security and network intelligence platform to aid them when breaches do occur.”

US Carriers Promise Again To Stop Selling Customer Location Data

Everyone knows that major mobile service providers such as AT&T, T-Mobile, and Sprint are actively collecting their customers’ location data, but not many know that they’re also selling it to the highest bidder. As discovered by Motherboard’s Joseph Cox, you can locate anyone as long as you know their phone number and, of course, are willing to pay for it: $300 is the price to locate a phone in the U.S.

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:

“With the latest news regarding several US mobile service providers actively collecting and selling location data to the highest bidder, can we actually believe Apple’s statement? Maybe Apple’s statement remains true for some data, but when it comes to the location of the phone, maybe not so much. The emergence of Big Data has enabled mobile service providers to more easily capture, analyze, and monetize what happens on mobile phones. Location data specifically does have some clear benefits for emergency responders, for fraud prevention, and even for roadside assistance. Additional benefits which have been monetized prove to provide huge value to some businesses, such as target marketing for retailers, and the use of location data in customer service situations. But, location data made available for a fee may also open up the potential for malicious acts, such as stalking or theft. The big question is if the mobile service providers said they were going to stop collecting and selling data, but then they continue to do so, what happens next? Especially since this is not the first time it has been reported, and not the first time they have said they would stop. From a consumer point of view, I don’t mind if they know when I’m in Vegas, but hopefully not much more!”

South Korean Defense Agency Breached

ZDNet is reporting that hackers breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country’s military forces.

Local press reported that hackers breached 30 computers and stole internal documents from at least ten computers in October 2018. It’s believed that the stolen documents contain information about arms procurement for the country’s next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack. The breached organization is South Korea’s Defense Acquisition Program Administration (DAPA), an agency that is part of the Ministry of National Defense.

Expert Comments below:

Pravin Kothari, CEO at CipherCloud:

“The hack of a South Korean database that contains weapons and munitions data for the country’s military is not much of a surprise. Likely, even in times of detente, you would expect both China and North Korea to be vigorously banging on the cyber front door in South Korea. What’s surprising is that the South Korean data was so easily stolen and that the attackers were able to escalate permissions to administrator level access.

In today’s environment for commercial business, let alone government security and defense agencies, the de rigueur approach for cyber security necessarily includes end-to-end encryption, single sign-on, and two-factor authentication, at minimum. End-to-end encrypted data, otherwise known as “edge” or Zero Trust encryption, expects an attacker to penetrate the networks over time, but protects the data by encrypting it at all times. That is, the data is protected with encryption while in the database, file stores, in use, in transit, through middleware and through database and application APIs.

Finally, administrator access can be managed through ticketing systems that deeply authenticate the administrator, and then issue a one-time token for them to use to access the systems that require their attention. So each time an admin wants to use the power of their position, they are required to re-authenticate. Unfortunately, none of these cyber defense best practices were in place in the South Korean defense department.”

MEGA Data Breach

A newly revealed trove of 772,904,991 unique email addresses and more than 21 million unique passwords that have been aggregated from over 2,000 leaked databases was recently discovered by Troy Hunt, the security researcher who maintains HaveIBeenPwned. The records were stored on one of the most popular cloud storage sites, MEGA, until it got taken down, and then on a public hacking site. The credentials were not even for sale; they were just available for anyone to take. In total, 1,160,253,228 unique combinations of email addresses and passwords were exposed.

Expert Comments below:

Ruchika Mishra, Director of Products and Solutions at Balbix:

“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down. This information could be used for credential stuffing attacks which can harm businesses and individual users alike. Most enterprises today do not have the foresight and visibility into the hundreds of attack vectors that could be exploited, such as employees using credentials across personal and business accounts. Weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or transmitted in the clear on the network are all various flavors of the “Password Misuse Risk” attack vector and according to the Verizon Data Breach Report from 2017, more than 80% of breaches involve password issues at some stage of the breach.

To best combat the chances of further breaches, organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”

Jacob Serpa, Product Marketing Manager at Bitglass:

“When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected. This recently uncovered cache of unique email addresses and passwords was aggregated from more than 2,000 hacked databases. This means that the organizations that were originally responsible for this information failed in their responsibility to secure it.

Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords. Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are. Fortunately, security technologies like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure that enterprise data is truly safe.”

What Does Brexit Mean For Cybersecurity?

Following last night’s failed Brexit deal vote, and the instability it has caused, Corin Imai, senior security advisor at DomainTools has given her views on where Britain’s exit from the European Union leaves the cybersecurity industry.

Corin Imai, Senior Security Advisor at DomainTools:

“The UK is likely to face a plethora of cybersecurity challenges once article 50 is triggered. Information sharing across borders is already a tricky subject, and for the UK to leave its current arrangement with the European Union this will become even more difficult, damaging international law enforcement investigations and operations into cybercrime. Furthermore, the already mammoth task of hiring security professionals could be affected, as nobody really knows what shape a post-Brexit immigration policy is liable to take. The UK is taking an enormous step into the unknown, and the cybersecurity industry based there is doing exactly the same.

While it’s of course difficult to make predictions about something which as yet has no clear parameters or boundaries, the UK’s departure from the EU is likely to leave it significantly weaker on the world stage. This may mean that hostile, anti-Western powers such as Russia, Iran and North Korea may feel more confident to launch more invasive cyberattacks, without fear of international reprisal. However, the UK remains a nation with one of the best connected, funded and staffed intelligence networks on the planet, and would therefore remain in a comparatively strong position to defend itself from cyberattacks.”

BEC Scammers Targeting Payroll Diversion

News broke today that BEC scammers have responded to the flurry of attention brought on their practices in 2018 by moving towards a different tactic: impersonating an employee and issuing a fraudulent request to change their bank account details with the HR department.

Corin Imai, Senior Security Advisor at DomainTools:

“As public awareness of BEC scams has grown in the past year, it is only natural for scammers to pivot towards a different entry point. While HR departments have always been a highly valued target for fraudsters due to the readily accessible PII and financial details, diverting funds by pretending to be an employee is a relatively new tactic, which makes sense: employees changing bank accounts is a relatively common occurrence, and making sure people get paid is a top priority for any HR department, which may lead them to overlook tell-tale signs of a fraudulent email. The advice remains the same when it comes to BEC fraud: check with the individual involved and follow organisational protocol. It’s better to be slightly late in paying than to willingly pay a criminal. Don’t let yourself become the human vulnerability!”

Cyber Threats Among Biggest Risks In 2019, World Economic Forum Warns

According to reports, evolving cyber threats are among the biggest risks in 2019, the World Economic Forum (WEF) has warned. The WEF’s global risks report, published ahead of its annual gathering of world leaders and business figures in Davos next week, called for greater collaboration between nations. A survey of 1,000 decision-makers from the public and private sectors as well as academia found that the threat of large data thefts and large-scale cyber attacks was a large risk.

Expert Comments below:

Renaud Deraison, Co-founder and CTO at Tenable:

“In the World Economic Forum’s 2019 Global Risk Report, data fraud/theft and large-scale cyberattacks landed in the top five global risks in terms of likelihood for the second year in a row. Technological and environmental risks were the only categories to make it into the top five, signaling a global consensus of the power and potential damage created by the digital and natural worlds.

The report also found that the vast majority of respondents expected increased risks in 2019 of cyberattacks leading to data/money theft (82%) and the disruption of operations (80%). Given the near daily headline-grabbing data breaches and widespread fears of nation-state attacks, these findings should come as no surprise.

Cybersecurity also made its way to the top 10 global risks in terms of impact. Cyberattacks and the breakdown of critical information infrastructure and networks were ranked seventh and eighth for the potential damage they could cause. This indicates that people not only understand the sheer frequency of cyberattacks, but they also appreciate the risk they pose to our digital economy and our very way of life. These rankings reflect the global impact WannaCry, Equifax and the hundreds of other successful cyberattacks have had on our global psyche.

But while cyber risks have made their way to the global stage, the big question is how will organisations respond? Acceptance of the problems we face is the first step. The next step must be action. We must hold global leaders and executives accountable for managing cyber risk responsibly — we as a society must demand it and as customers, we deserve it. We must shift our thinking away from whom can we blame — from nation-states to 15-year-old hackers in their parents’ basement — to how do we stop them? We must collectively come to terms with the reality of a digital economy — everything is connected, which means every aspect of today’s business opens us up to a potential attack. We must develop security strategies that address the new risks created by digital transformation. Failure to do so will lead to a watershed moment that might have irreparable consequences.”

Less Than Half Of Firms Able To Detect IoT Breaches

New research has revealed that less than half of firms are able to detect IoT breaches. Only 48% of European firms can detect when any of their internet-connected devices have been breached, a survey shows.

In the UK, this figure drops to 42%, the second lowest in Europe after France, where only 36% of companies polled said they can detect if any of their devices making up the internet of things (IoT) suffers a breach, according to the study. It goes on to suggest blockchain as a means of securing the IoT.

Expert Comments below:

Barry Shteiman, VP Research and Innovation at Exabeam on why monitoring IoT devices and understanding their normal behaviour will help get an early indication of when the device has been hijacked:

“One thing is clear, as more devices become “smart” and also internet-enabled, they often are given the ability to send, query, or process information that resides elsewhere in the office, via network or cloud. To do so, these IoT devices often use embedded accounts that are difficult to monitor and may also have hard-coded passwords. The combination of smart devices with credentials to access external systems, via unmonitored, privileged accounts means that IoT represents a risky and unwatched channel for data theft or larger participation in botnet attacks. The best way to illuminate this attack risk is to monitor the behaviour of office IoT devices in much the same way as actual human users. By understanding what normal behaviour for these devices looks like, it’s possible to get an early indication of when a device has been hijacked by hackers and is likely being used to access and steal data. IoT will continue to grow and gain greater access to data; already a simple and lucrative target for attackers.”
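As an added example of the behaviour baselining Shteiman describes (not code from Exabeam or from the article), the following learns per-device "normal" from a constructed window of outbound flow summaries and then explains why a later flow deviates: a destination the device has never contacted, activity outside its learned hours, or a volume far above its usual jobs. The device names, hosts and byte counts are invented.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass
class Flow:
    """One outbound connection summary for an office device (constructed)."""
    device: str
    hour: int        # local hour of day, 0-23
    dst: str         # "host:port" the device talked to
    bytes_out: int   # bytes the device sent


@dataclass
class Baseline:
    dsts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    sizes: List[int] = field(default_factory=list)


def learn_baselines(flows: List[Flow]) -> Dict[str, Baseline]:
    """Build each device's 'normal' from a learning window of flows."""
    baselines: Dict[str, Baseline] = {}
    for f in flows:
        b = baselines.setdefault(f.device, Baseline())
        b.dsts.add(f.dst)
        b.hours.add(f.hour)
        b.sizes.append(f.bytes_out)
    return baselines


def score_flow(flow: Flow, baselines: Dict[str, Baseline]) -> List[str]:
    """Return the reasons a flow deviates from its device's baseline ([] if none)."""
    b = baselines.get(flow.device)
    if b is None:
        return ["unknown device"]
    reasons: List[str] = []
    if flow.dst not in b.dsts:
        reasons.append(f"new destination {flow.dst}")
    # Activity window: anything outside the earliest..latest learned hour.
    if not min(b.hours) <= flow.hour <= max(b.hours):
        reasons.append(f"unusual hour {flow.hour:02d}:00")
    # Volume: more than three standard deviations above the learned mean,
    # with a floor so a perfectly regular device still gets a tolerance band.
    avg = mean(b.sizes)
    threshold = avg + 3 * max(pstdev(b.sizes), 0.1 * avg)
    if flow.bytes_out > threshold:
        reasons.append(f"volume {flow.bytes_out} > {threshold:.0f}")
    return reasons


# Constructed learning window: a network printer that only ever talks to the
# print server and the vendor update host during office hours.
LEARNING = [Flow("printer-2f", h, d, s) for h, d, s in [
    (8, "print-srv.corp:9100", 4200), (9, "print-srv.corp:9100", 5100),
    (11, "updates.vendor.example:443", 18000), (13, "print-srv.corp:9100", 3900),
    (15, "print-srv.corp:9100", 6100), (17, "updates.vendor.example:443", 17500),
]]

# Constructed new flows: one routine job, and one night-time upload to an
# internal file share the printer has never contacted (the hijack pattern).
ROUTINE = Flow("printer-2f", 10, "print-srv.corp:9100", 4800)
SUSPECT = Flow("printer-2f", 3, "fileshare.corp:445", 9_400_000)


if __name__ == "__main__":
    base = learn_baselines(LEARNING)
    for f in (ROUTINE, SUSPECT):
        print(f.device, f.dst, score_flow(f, base) or "normal")
```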

Todd Kelly, CSO at Cradlepoint, found it surprising that there was such apprehension around IoT technology security concerns:

“Cybersecurity concerns are real but by using expert cloud-based management platforms and software-defined perimeter technologies, they can be effectively addressed. There will always be devices that are compromised and vulnerabilities that are exposed but just as we’ve built these technologies, we’ve also built the safety constructs to protect them. If we commit to tried and true security practices while adopting new approaches that leverage wireless, software-defined and cloud technologies we don’t have to let our concerns unduly impact our progress.”

Jan van Vliet, VP EMEA at Digital Guardian discusses the risk of default credentials and insecure configurations and protocols, making IoT devices easy to compromise:

“The reality is that a huge number of the IoT devices currently in operation are extremely vulnerable to cyber attack. Why? In their rush to surf the crest of the IoT popularity wave over the last few years, manufacturers and vendors were creating and selling millions of IoT devices as fast as they could, with device security seen as little more than an afterthought. As a result, the majority of devices out there today have default credentials, use insecure configurations and protocols, and are notoriously hard to upgrade, making them extremely easy to compromise.

“To make matters worse, the appearance of low-level protocol hacks is providing attackers with new ways to bypass and compromise IoT infrastructure and inject or manipulate data found within devices. This will have serious implications if the devices need to synchronise or receive control messages from a cloud application, with manipulated data potentially sending incorrect settings or actions back to the device.”
