
Airport Facial Recognition System Fooled

Info Security - Fri, 12/13/2019 - 18:05

Facial recognition technology used to secure airports and process payments has been fooled by photographs and 3D masks.

According to Fortune, multiple facial recognition systems in several countries were tricked in a series of tests carried out by San Diego artificial intelligence company Kneron.

Researchers at Kneron were able to access a self-boarding terminal at Amsterdam's Schiphol Airport by tricking the sensor with a photo on a phone screen. Using the same technique, the researchers managed to gain access to pay fares and board trains at several railway stations in China. 

In stores in Asia, where use of facial recognition technology is widespread, the Kneron team was able to trick the payment systems AliPay and WeChat into allowing purchases to be made. All it took to assume someone's identity and make payments as them was the donning of a high-quality 3D mask.

The elaborate masks were obtained from expert mask-makers in Japan and are not commonly available, but the experiment still raises concerns over the reliability of this increasingly popular technology in preventing fraud. 

Kneron's CEO Albert Liu said that solutions are available to fix the weaknesses in facial recognition technology that his company's tests were able to exploit, but companies are unwilling to pay for them.

"This shows the threat to the privacy of users with sub-par facial recognition that is masquerading as 'AI'," said Liu. "The technology is available to fix these issues, but firms have not upgraded it. They are taking shortcuts at the expense of security."

Schiphol Airport, WeChat, and AliPay did not respond to Fortune's requests for comment about the effectiveness of their facial recognition technology.

Even with the cleverly wrought 3D masks, Kneron's researchers weren't able to fool all the facial recognition systems they tested and had to admit defeat against the tech used by Apple's iPhone X.

Kneron conducted their face-based experiments as part of the research and development process for a new type of facial recognition technology which they are creating. With the financial backing of high-profile investors including Qualcomm and Sequoia Capital, Kneron is developing a product called Edge AI which will not rely on cloud-based services to function.  

Categories: Cyber Risk News

Louisiana College Struck by Ransomware Attack

Info Security - Fri, 12/13/2019 - 16:57

Louisiana has suffered another ransomware attack just weeks after threat actors used this pernicious strain of malware to disrupt state IT infrastructure. 

Cyber-criminals struck at the beleaguered southern state for a second time on Wednesday, launching a ransomware attack against Baton Rouge Community College (BRCC). By luck, the incident occurred just two days ahead of students' greatly anticipated commencement ceremonies, when the college's 8500 students were not on campus.

Servers at the college were shut down and the Louisiana State Police Cyber Crime Unit were called in to investigate the incident. 

In a memo released to campus personnel, interim chancellor Willie Smith wrote: "The Louisiana State Police Cyber Crime Unit investigators responded immediately and collected evidence from the BRCC network, and have recently confirmed a cyber-intrusion and ransomware situation.

"Presently, the situation is being contained and representatives from the Office of Technology Services are assisting BRCC with network restoration efforts."

Exactly how much money was demanded from the college in the ransomware attack has not been disclosed; however, Smith wrote in his memo that the college had not paid it.

Smith said the college was "not aware of any data loss" that had occurred as a result of the attack, but several computers had been affected.

"The investigation remains ongoing at this time, and the IT Department will be sharing additional information regarding cybersecurity efforts and the restoration of individuals' PCs," wrote Smith.

BRCC spokesperson Kizzy Payton said on Wednesday that college graduation ceremonies scheduled to begin at 10am today in the college gymnasium would go ahead as planned.

"Nothing is impacting our commencement," said Payton.

Baton Rouge Community College students are still able to access email accounts via a workaround method. However, as a result of the incident, college staff are having to manually enter students' grades from the last semester.

Enrollments for next term, most of which have fortunately already been completed, are to be completed manually until the computer network is back online. 

Quintin Taylor, chief public affairs officer for Louisiana's Community and Technical College System (LCTCS), which oversees BRCC, said that no personal information relating to students, staff or faculty could have been impacted by the attack, as such data is stored in a separate system operated by LCTCS.


Suspected Maze Ransomware Attack Disrupts Major US Wire Manufacturer

Info Security - Fri, 12/13/2019 - 15:43

North America's largest wire and cable manufacturer is reeling after falling victim to a cyber-attack on Monday. 

Manufacturing and shipping were disrupted at Southwire Co. after the discovery of suspicious activity on the organization's computer network prompted a company-wide shut down. 

Some critical systems were brought back online as early as Tuesday morning; however, five days on from the attack, Southwire has been unable to fully resume normal business operations.

In a letter sent to the company's partners on December 11, Southwire president and CEO Rich Stinson said: "Southwire learned Monday morning that its network was affected by a cyber incident. After receiving a notification from our security monitoring system about suspicious activity on our network, we immediately implemented a self-quarantine and began a full investigation with our cyber security partner to assess the situation."

"Although many of our locations remained operational throughout the quarantine period, certain functions were impacted, and we apologize for the inconvenience this disruption has caused to our valued employees, customers and community and industry partners."

Southwire, which is based in Carrollton, Georgia, has been in business for almost 70 years and employs 7500 people. In a bitter dose of irony, the company produces wire for the very electrical lines that threat actors may have used to mount an attack against Southwire.

The company has not revealed the exact nature of the cybersecurity incident, which is currently under investigation.

On a web page specially created to answer queries regarding the attack, Southwire wrote: "We are in the very early stages of this process, but a full investigation is underway to determine what – if any – information was accessed. Southwire is working closely with its cyber security partner to assess the situation and its impact."

A Reddit user, claiming to be an employee at Southwire's Rancho Cucamonga plant in California, posted an image of a ransom note which implies that the company was attacked by Maze ransomware. 

In the note, threat actors state that company data has been exfiltrated and encrypted. A ransom of 850 bitcoins - roughly $6.1 million - is demanded for the safe return of the stolen data. Failure to pay will result in the publication of the stolen data. 


SEC Charges Man With $42 Million Crypto Fraud Scheme

Info Security - Fri, 12/13/2019 - 10:30

A US entrepreneur has been charged with defrauding investors in a cryptocurrency Initial Coin Offering (ICO) that raised more than $42 million.

The Securities and Exchange Commission (SEC) alleged that UnitedData founder Eran Eyal conducted a “fraudulent unregistered securities offering” by selling tokens for his Shopin business from August 2017 to April 2018.

It’s claimed that Eyal pocketed at least $500,000 of investor funds for rent, shopping, entertainment and even a dating service.

“Shopin aimed to use the funds from the sales of the Shopin Tokens to create universal shopper profiles, maintained on the blockchain, that would track customer purchase histories across online retailers and recommend products based on this information,” the SEC said.

“As alleged in the SEC's complaint, Shopin never created a functional platform. The complaint further alleges that Eyal and Shopin repeatedly lied to investors in connection with its offering, including misrepresentations about purported partnerships with certain well-known retailers and about the involvement of a prominent entrepreneur in the digital-asset space.”

Filed in a federal district court in Manhattan, the SEC complaint charges Eyal and Shopin with violating anti-fraud and registration securities laws, and seeks permanent injunctions and civil penalties, as well as preventing Eyal and Shopin from taking part in future digital-asset securities offerings.

The complaint comes in the same week that three men were charged for their part in an alleged cryptocurrency Ponzi scheme which defrauded investors out of $722 million.

The BitClub Network was a cryptocurrency mining operation that ran from April 2014 to December 2018 but never turned a profit.

The three were also charged by the SEC for failing to register the shares they were selling with the regulator.

The problem of cryptocurrency fraud schemes has become so acute that Twitter banned all ads related to ICOs and token sales last year.


Over 100 Phishing Sites Spotted in Global Government Campaign

Info Security - Fri, 12/13/2019 - 10:20

Scores of domains and over 120 phishing sites have been detected as part of a major global campaign targeting government procurement services, according to Anomali.

The security vendor said the credential harvesting campaign featured spoofed sites for multiple international government departments, email services and two courier services, plus the usual email-based social engineering techniques.

The attached documents in these phishing emails contained links to the spoofed sites masquerading as legitimate login pages.

The US was the most targeted government, with over 50 phishing sites set up to harvest credentials from visitors. However, Canada, Japan, Poland, China, Sweden, Mexico, Australia and Peru were all affected, among other countries.

In total, 62 domains and 122 phishing sites were detected by Anomali. Although none of these sites were active at the time of writing, Anomali warned that the group behind them could restart operations in the future.

“This credential harvesting campaign has been primarily targeting government bidding and procurement services. The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long-term insight regarding the trust relationship between the potential supplier and the government in question,” explained the Anomali Threat Research Team.

“Campaigns like these are difficult to protect against because unless the domains hosting the phishing pages are known as malicious, an organization’s firewall will not know to block it. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign.”

According to Microsoft, phishing attacks soared by 250% over 2018.


Bad Santa: Smart Home Hacker Taunts Terrified Child

Info Security - Fri, 12/13/2019 - 09:40

The security of smart home equipment has come under scrutiny again after a hacker compromised a US family’s connected camera system to spy on and talk to its 8-year-old daughter.

The Ring camera was only installed for four days in the girl’s room before the incident, according to local reports.

After remotely compromising the device, the male hacker appears to have taunted the child, encouraging her to destroy her room and playing unsettling music through the speaker.

"I'm Santa Claus. Don't you want to be my best friend?" he said at one point.

It’s likely that he managed to crack or guess the family’s account password, potentially through a credential stuffing attack.

“Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often re-use credentials stolen or leaked from one service on other services,” a statement from Ring noted.

“As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords."

Kiri Addison, head of data science overwatch at Mimecast, argued that international standards are lagging behind in regulating minimum mandatory security levels.

“Much like the early insufficient drone use standards originally introduced in the UK, this is an area which demands attention given the potential widespread vulnerabilities of such devices and the malicious uses they can be put to, as the Mirai botnet illustrates,” she continued.

“Children are uniquely vulnerable to influence or coercion via technology and this is something every parent should be conscious of as the sophistication of these often seemingly innocuous connectable devices increases.”

In fact, standards are catching up, at least in Europe.

The ETSI TS 103 645 standard was introduced by the European Union in February to drive improvements in baseline security for consumer-grade Internet of Things (IoT) products. It came from a UK government proposal based on a code of practice it introduced last year. It also came a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.


Emsisoft Declares Ransomware Crisis

Info Security - Thu, 12/12/2019 - 18:16

Internationally renowned security software company Emsisoft has declared a ransomware crisis and called on governments to take immediate action to improve their security and mitigate risks. 

So serious is the threat posed by ransomware that the New Zealand company has published a report into the effects of the malware on the United States three weeks earlier than planned in an effort to prevent further attacks.

The State of Ransomware in the US: Report and Statistics 2019 was rushed out today along with a plea for urgent action. The publication date was revised following the recent $1 million Maze ransomware attack on the Florida city of Pensacola. 

"This report was originally scheduled to be published on January 1st, 2020. We have, however, decided to release it immediately due to a recent incident in which a ransomware attack may have resulted in a municipal government’s data falling into the hands of cyber-criminals," wrote Emsisoft researchers.

"We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.” 

So far this year, 948 government agencies, educational establishments and healthcare providers in the United States have been impacted by ransomware. According to the report, the potential cost of these attacks could exceed $7.5 billion.

As a result of the unprecedented swathe of attacks, emergency patients had to be redirected to other hospitals, medical records were lost, and surgeries were cancelled. Some attacks interrupted 911 services, forcing dispatch centers to rely on printed maps and paper logs to track emergency responders in the field. 

Emsisoft CTO Fabian Wosar said: “The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better."

The report cites research which has found that governments are failing to implement basic and well-established cybersecurity best practices, even when legally required to do so.

Emsisoft researchers have called for improved security standards and oversight, more guidance, better public-private sector cooperation and the implementation of legislative restrictions on ransom payments. They have also urged vendors and service providers to innovate and collaborate to win the ongoing fight against ransomware.


Registration Opens for Girls' Free Cybersecurity Training

Info Security - Thu, 12/12/2019 - 17:26

Girls in America are being invited to register for a free national cybersecurity training program that starts next year.

The 2020 Girls Go CyberStart challenge is being run in partnership with SANS Institute to encourage more young women to explore cybersecurity. The online training program is aimed at high school girls with the intention of encouraging them to consider a career in the increasingly understaffed cybersecurity industry. 

Girls Go CyberStart will set a series of challenges for girls who are aged 13 and over, in school grades 9 to 12. Areas in which the youngsters will be trained include cryptography, web vulnerabilities, open source intelligence gathering and computer forensics. 

The students will also be taught the basics of programming and have the chance to get to grips with the programming language Python and the Linux operating system.

The Girls Go CyberStart program was set up last year and so far, over 10,000 girls have participated. 

Although the learning unfolds through a series of games, girls who do well could be in with a chance to win a real-life scholarship from the program's organizers. Girls who won scholarships last year have gone on to secure internships in the cybersecurity industry. 

No prior experience in IT or cybersecurity is needed to participate and girls are invited to take part either from home or at school by joining a Girls Go Cyber Club. 

Play begins on January 13, 2020 but registration will stay open until the end of January.  

"Teamwork, persistence and determination are key," wrote the team behind the program on the girlsgocyberstart.org website, "Students who enjoy computing, STEM subjects or languages, plus students who love solving puzzles, often excel in this field. But so do people who prefer geography, history and drama."

Cybersecurity clubs in Utah, Montana, New Jersey, North Carolina, Idaho, Illinois and other states and U.S. territories have already signed on to participate in the free program.

According to the program's live leaderboard, the state with the highest interest from educational establishments so far is Texas, where 60 different schools have registered to take part in the 2020 challenge.


Manhattan Hotel to Pilot Cyber-Safe Travel Program

Info Security - Thu, 12/12/2019 - 16:39

Guests at a historic New York hotel will soon be offered a new way to stay cyber-safe away from home. 

The Martinique New York on Broadway, which has been welcoming guests since 1897, is to pilot a new Cyber Safe Travel product designed to protect occupants' personal data from cyber-attackers. 

Designed by full-service risk management, cybersecurity and training company Cino Ltd, Cyber Safe Travel uses keystroke encryption, advanced login breach protection and sophisticated screen scraper technologies to protect hotel guests' mobile devices.

The product, which is powered by StrikeForce Technologies’ military-grade technology, comes with a click-jacking attack warning feature to further help mitigate cyber threats.

StrikeForce CEO Mark Kay said: “Hackers are seizing every opportunity to trick travelers by installing keylogging spyware on devices when travelers go to use new or unfamiliar Wi-Fi services. Nobody thinks twice about jumping onto a Wi-Fi service, and that’s when they get you.”

For $3 a day, occupants of the 13-story Martinique can add Cyber Safe Travel protection to up to three mobile devices for three days. They will also be offered the option to purchase annual protection for $24.99.

Cino will compensate The Martinique for each of their guests who signs up for the Cyber Safe Travel protection.

“Providing our guests with an unparalleled travel experience is our top priority at the Martinique,” said Joseph Delgado, director of finance at the Martinique. 

“Offering a way to help protect them against one of today’s most pervasive threats – cyber thefts – is another way we can demonstrate our commitment to our guests’ best-in-class experience.”

Cyber Safe Travel was officially introduced at the October meeting of the Hotel Financial and Technology Professionals, New York Chapter, of which Cino is a member. 

Describing what inspired the creation of the new product, Cino CEO Joseph Saracino said: “Over the past several years, there have been several high-profile hotel data breaches affecting millions of guest records. Our solution was designed with the goal of addressing this vital need for hotels and their guests.”

According to StrikeForce, the plan is to roll out the product to airlines, cruise ships, trains, tour businesses and event/meeting planners following its launch within the hotel industry.


Three Charged in $722 Million Crypto Ponzi Scheme

Info Security - Thu, 12/12/2019 - 11:20

Three men have been arrested and charged in connection with a cryptocurrency conspiracy which defrauded investors out of at least $722 million.

Matthew Brent Goettsche, 37, of Lafayette, Colorado; Jobadiah Sinclair Weeks, 38, of Arvada, Colorado; and Joseph Frank Abel, 49, of Camarillo, California, have been charged with conspiracy to offer and sell unregistered securities, while the first two are also charged with conspiracy to commit wire fraud.

They sold shares in BitClub Network, a cryptocurrency mining operation they allegedly knew to be unprofitable, and manipulated data on “mining earnings” to convince members to invest further funds.

The scheme ran for over four years, from April 2014 to December 2018, generating funds not only from the sale of shares in mining pools used to generate digital currency but also from the recruitment of new members, who were charged a $99 joining fee.

In email exchanges displayed in the indictment the men allegedly discussed that they were going after "the typical dumb MLM [multi-level marketing] investor” and that “we are building this whole model on the backs of idiots."

The US Securities and Exchange Commission (SEC) is also alleging that the trio didn’t register the shares they were selling with the regulator.

It claims that the men “encouraged US investors to utilize a VPN to obscure their true, US-based IP addresses so that BCN and the defendants could avoid detection and regulation by US law enforcement.”

“The indictment describes the defendants’ use of the complex world of cryptocurrency to take advantage of unsuspecting investors,” said US attorney Craig Carpenito.

“What they allegedly did amounts to little more than a modern, high-tech Ponzi scheme that defrauded victims of hundreds of millions of dollars. Working with our law enforcement partners here and across the country, we will ensure that these scammers are held to account for their crimes.”


Over One Billion Email-Password Combos Leaked Online

Info Security - Thu, 12/12/2019 - 10:25

Billions of email addresses and plain text passwords have been leaked online by an unnamed party, putting countless internet users at risk from credential stuffing and other attacks.

Security researcher Bob Diachenko discovered the unsecured Elasticsearch database on December 4, although it was first indexed by the BinaryEdge search engine and therefore publicly available from the very start of the month.

After he notified the US-based ISP hosting the IP address, access to the database was eventually disabled on December 9, giving potential hackers more than enough time to harvest the trove of log-in data.

In total, the database contained 2.7 billion email addresses, and plain text passwords for more than one billion of them — providing a perfect starting point for a credential stuffing campaign.

Working with Comparitech, Diachenko deduced that much of the data was harvested from a 2017 listing by a hacker known as “DoubleFlag.” Dubbed “The Big Asian Leak,” it included breached credentials from multiple internet companies from the region, including NetEase, Tencent, Sohu, and Sina.

The new 1.5TB leak features mainly emails from Chinese domains including qq.com, 139.com, 126.com, gfan.com, and game.sohu.com, although there are a smattering of Gmail and Yahoo addresses, according to Comparitech.

“Because many Chinese people have difficulty reading English characters, they often use their phone numbers or other numerical identifiers as usernames. Therefore, we can assume many of these email addresses also contain phone numbers,” wrote the firm’s privacy advocate, Paul Bischoff.

It’s unclear who the owner of the exposed database is; it could theoretically have been set up as the first stage in a credential stuffing or even a spam campaign.

The implications stretch beyond the security of victims’ personal accounts, according to Vinay Sridhara, CTO of Balbix.

“Since many employees share passwords between their work and personal accounts, this leak is not only problematic for the individuals who own the accounts, but a big risk for enterprises globally as well,” he argued.

“Enterprises should use this as an opportunity to scan for password reuse immediately, and on an ongoing basis, to limit their exposure to this incident."


North Korean Hackers Tap Power of New TrickBot Module

Info Security - Thu, 12/12/2019 - 10:24

North Korea’s infamous Lazarus Group has been using a new stealth module developed by the group behind TrickBot for covert data theft, according to new research.

The Anchor module is a framework of tools designed “for targeted data extraction from secure environments and long-term persistency,” according to SentinelOne.

It includes memory scrapers, POS malware, backdoor installers and submodules enabling lateral movement, among other capabilities.

“The Anchor project combines a collection of tools — from the initial installation tool to the cleanup meant to scrub the existence of malware on the victim machine. In other words, Anchor presents as an all-in-one attack framework designed to compromise enterprise environments using both custom and existing toolage,” the firm’s SentinelLabs team wrote.

“Logically, this tool will be a very tempting acquisition for high-profile, possibly nation-state groups. However, the Anchor is also being used for large cyber heists and point-of-sale card theft operations leveraging its custom card scraping malware. Among the nation-state groups, only a few are interested in both data collection and financial gain, and one of them is Lazarus.”

Linking the two groups is the PowerRatankba PowerShell backdoor, previously associated with Lazarus but which is actually part of Anchor.

Lazarus isn’t the only customer of TrickBot’s Anchor module; it’s also being used in a “wave of targeted campaigns against financial, manufacturing and retail businesses” designed to steal card data from POS and other systems, according to Cybereason.

Those researchers pointed to a new Anchor_DNS variant which uses DNS tunneling to communicate covertly with C2 servers.

TrickBot is one of the most successful botnets ever built, used in a range of attacks, from banking trojans to ransomware and data theft. Threat intelligence firm Blueliv revealed last week that it detected a 283% increase in detections of the botnet across Q2-Q3 this year.


Cybersecurity Requirements for US Defense Contracts Expected in 2020

Info Security - Thu, 12/12/2019 - 09:57

The US Department of Defense (DoD) is planning to protect its supply chain from threat actors by introducing a cybersecurity certification program for its contractors. 

Undersecretary of defense for acquisition and sustainment, Ellen Lord, said the new cybersecurity maturity model certification program will play a vital role in ensuring that the companies seeking to win DoD contracts meet stringent cybersecurity requirements.

"The cybersecurity maturity model certification, or CMMC program, establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard to secure the DoD supply chain," said Lord.

The certification program is expected to be up and running in June 2020, with cybersecurity requirements included as part of new requests for information. These requests typically form part of the opening stage of awarding a new defense contract.

Under the program, five different levels of certification will be established that correspond to the importance of a particular system or subsystem which a contractor is bidding to work on. 

"These levels will measure technical capabilities and process maturity," Lord said. 

The framework for the CMMC program, which will be made fully available in January, was developed in partnership with the defense industry and leadership on Capitol Hill. It was also shaped in part through engagement with the public.

Behind the program is the logical concept that any business applying to do contract work for the US government should be required to demonstrate that it has taken reasonable steps to secure its computer networks from cyber-attacks. Ensuring that the cybersecurity policies and practices of the companies are up to snuff will not be the government's responsibility but will be undertaken by an as yet unconfirmed third party.

"Cybersecurity is a threat for the DoD and for all of government, as well as critical U.S. business sectors, such as banking and healthcare," Lord said. 

Lord added that the DoD would be taking steps to assist small businesses to meet the requirements of the CMMC program. 

"We know that this can be a burden to small companies, particularly, and small companies is where the preponderance of our innovation comes from," Lord said. "So, we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out, so it doesn't cause an enormous cost penalty for the industrial base."


Healthcare Provider Agrees to Cough Up $6M to Settle Data Breach Lawsuit

Info Security - Wed, 12/11/2019 - 17:22

American healthcare provider Banner Health has agreed to pay the alleged victims of a 2016 data breach $6 million. 

Banner Health operates 28 hospitals and specialized facilities across six states, providing jobs for over 50,000 people. The company, which is the largest single employer in Arizona, suffered a data breach in June 2016.

Threat actors accessed the private health data of 2.9 million individuals over a period of approximately two weeks.

Two months later, the alleged victims of the breach brought a class action lawsuit against the healthcare provider. According to documents filed in the US District Court of Arizona on December 5, 2019, that suit has now been settled with Banner Health agreeing to pay $6 million to the plaintiffs.

The lawsuit alleges that threat actors illegally accessed the computer systems of Banner Health in a financially motivated hack, exfiltrating sensitive personal information of approximately 2.9 million patients.

Entry into Banner Health's network was gained via a payment processing system used in the food and beverage outlets of the healthcare provider's hospitals.

Information said to be appropriated during the breach includes names, addresses, dates of birth, prescription information, medical histories and social security numbers. 

It is further alleged that the credit and debit card numbers of 30,000 individuals who had visited food and beverage outlets at Banner Health hospital sites were also stolen. According to the suit, malware was used to steal card details as purchases were made.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyber-attacks, such as firewalls, data encryption and multi-factor authentication. Some plaintiffs claimed that as a result of the breach, their identities had been stolen and used to commit fraud. 

Reimbursement claims for expenses accrued as a result of the data breach may be submitted by plaintiffs under the terms of the settlement. Individuals will not be allowed to claim more than $500 for standard expenses or more than $10,000 for extraordinary expenses. 

Banner Health has also offered alleged victims of the breach two years' worth of credit monitoring and identity theft protection. 

A motion for preliminary approval of the $6 million settlement has been filed by the plaintiffs. 

Categories: Cyber Risk News

US Software Testing Giant Buys AI Firm

Info Security - Wed, 12/11/2019 - 16:35
US Software Testing Giant Buys AI Firm

Software testing and quality assurance company Qualitest has announced the acquisition of an Israeli firm specializing in the creation of automated machine learning tools. 

AlgoTrace, which is based in Tel Aviv, uses artificial intelligence (AI) and machine learning (ML) to help companies improve their predictive analytic capabilities. The company was founded in 2016 and is best known for its tool AlgotraceML.

While news of the acquisition was shared yesterday, the financial details of the transaction remain under wraps. 

Ron Ritter, CEO at AlgoTrace, said: “We are thrilled to be joining with Qualitest. Following successful implementations with the company in the past, we have complete faith that we will help Qualitest change the testing paradigm forever – enhancing their quality engineering with machine learning. While there is a lot of hype surrounding AI, we’re deploying real, hard-nosed and practical tools that significantly change the rules.”

Qualitest and the team at AlgoTrace have been working together for over a year on multiple projects which have turned out to be successful. The software testing giant has been using AlgoTrace’s AI platform to power Qualitest’s market-leading test predictor tool, which applies pioneering autonomous AI capabilities and predictive modeling to unstructured data without the need for code or complex interfaces.

Norm Merritt, CEO of Qualitest, said: “Applying AI to quality engineering is a perfect fit. Just as software becomes increasingly complex, the companies producing it are under competitive pressure to increase the speed and frequency of their rollouts. 

"AI is the only way companies can scale software testing and quality engineering and the AlgoTrace team have shown that they understand this. In our view, companies that do not use AI to improve quality will be at a significant disadvantage.”

Qualitest's newest purchase marks the first step of a comprehensive growth strategy made possible by an investment from Bridgepoint earlier in the year. 

Through the acquisition, Qualitest hopes to expand the number of AI-powered testing solutions available to clients, as well as develop its capabilities in helping companies test and launch new AI-powered solutions with greater confidence and speed.

Categories: Cyber Risk News

Microsoft Patches Just 36 Flaws in December

Info Security - Wed, 12/11/2019 - 10:51
Microsoft Patches Just 36 Flaws in December

Microsoft has taken pity on system administrators by ending the year with a relatively light patch load fixing just 36 vulnerabilities.

The update round includes seven critical flaws and one being actively exploited in the wild: CVE-2019-1458, a privilege escalation vulnerability in the Win32k component.

Although it’s only listed as “important,” security experts urge admins to prioritize a fix for that bug. Recorded Future intelligence analyst Allan Liska explained that an exploit for a similar vulnerability, CVE-2019-0859, was found being sold on underground markets earlier this year.

Elsewhere, five of the seven critical vulnerabilities patched (CVE-2019-1354, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387, and CVE-2019-1349) are in Git for Visual Studio.

In this attack scenario an attacker would need to convince a developer to clone a malicious repository. This may be tricky, but the rewards are potentially big, according to Ivanti director of security solutions Chris Goettl.

“This is a spear phishing escalation of privilege into the engineering group. Hypothetically a threat actor could target a software vendor or service provider. If they know enough about the vendor’s platform and have access to a list of email addresses for those developers, they could create a spear phishing campaign to target these users and attempt to convince them to access their malicious repository,” he explained.

“It is very common for developers to share code across or to ask someone to debug an issue they are seeing. If an unsuspecting developer connects to the repository from someone they think they trust, then an attacker can gain control of their development environment.”

Elsewhere yesterday, Google released an update for its Chrome browser which resolves 51 vulnerabilities, while Adobe fixed 21 flaws in its Reader product.

Experts were also keen to point out that there’s just one scheduled monthly patch update round left before Windows 7 and Server 2008/2008 R2 reach end-of-life. After that time, any organization still running the products without adequate security in place, or without extended support from Microsoft, will be at risk from newly discovered flaws.

Categories: Cyber Risk News

ISP 1&1 Hit With €9.6 Million GDPR Fine

Info Security - Wed, 12/11/2019 - 10:03
ISP 1&1 Hit With €9.6 Million GDPR Fine

Internet service provider (ISP) and hosting company 1&1 has been fined nearly €10 million ($11m) by Germany’s GDPR watchdog for data protection failures in its call centers.

The United Internet subsidiary, which operates across Europe and the Americas, will be appealing the €9.55 million ($10.6m) penalty from the German Federal Data Protection Authority (BfDI).

“Under GDPR organizations are obliged to put in place adequate technical and organizational measures (TOMs) to prevent unauthorized access to personal data. In this case the BfDI felt that 1&1 had not put adequate TOMs in place after callers were able to obtain information on customers simply by giving the name and date of birth of a customer,” explained compliance specialists Cordery.

“The German data protection authority said that the imposition of a fine was necessary because, whilst the infringement was limited to a small number of customers, it represented a risk for 1&1’s entire customer base. The BfDI took into account 1&1’s cooperation throughout to reduce the penalty.”

For its part, the ISP is arguing in its appeal that: the issue occurred in 2018 and its processes have since improved; only contractual info was exposed; and the method used to calculate the fine was inaccurate.

However, it has apparently agreed to introduce a new authentication process to make it harder for callers to access the personal data of others.

The fine came on the same day that the BfDI announced another financial penalty, this time of €10,000 ($11,100) against ISP Rapidata GmbH, for failing to appoint a data protection officer (DPO).

The latest regulatory moves illustrate that firms can no longer expect to get away with GDPR infractions, as was the case in the first few months of the new data protection regime.

The UK’s Information Commissioner’s Office (ICO), for example, issued even bigger fines earlier this year to BA (£183m) and Marriott International (£99m) in response to serious breaches at both companies.

Categories: Cyber Risk News

Connected Toys Expose Smart Homes: Report

Info Security - Wed, 12/11/2019 - 09:47
Connected Toys Expose Smart Homes: Report

Security experts have warned of several flaws in connected toys which could allow hackers to talk to the children using them or even launch attacks against the smart home.

British consumer advice group Which? enlisted the help of pen testing firm NCC Group to run the rule over seven smart toys from major retailers Amazon, Smyths, Argos and John Lewis.

Several, including the Singing Machine SMK250PP and TENVA’s pink karaoke microphone, don’t require session-based authentication for their Bluetooth connection. This could allow hackers to anonymously pair with and stream audio into them — potentially offensive or even “manipulative" messages exhorting the child using the device to go outside, NCC Group claimed.

A similar issue existed in KidiGear walkie talkies from Vtech.

“A pair of walkie talkies investigated as part of this security assessment allowed for children to communicate with each other, within a range of up to 150 meters. There was no mutual authentication between the pairs of walkie talkie devices,” NCC Group continued.

“This means that if an attacker purchased the same set of toys and was in range of an unpaired, powered-on walkie talkie, they would be able to successfully pair with it and engage in a two-way conversation with the child user under certain conditions.”

However, the chances of this happening are pretty slim, according to Vtech.

“The pairing of KidiGear Walkie Talkies cannot be initiated by a single device. Both devices have to start pairing at the same time within a short 30 second window in order to connect,” it clarified. Once paired, a handset cannot be paired with a third device owned by a stranger.

NCC Group also uncovered potential problems with the karaoke toys, which it said could be used to launch “second-order IoT attacks.”

“With the two karaoke toys investigated and their unauthenticated Bluetooth implementations, it was possible to connect to them when in range and issue digital assistant voice activation commands,” it said.

“While different smart home configurations will exist, it is not inconceivable that some homes might have digital assistants configured to open smart locks on front doors, for example. One can thus imagine an attacker outside of a property, connecting without authentication to a Bluetooth toy to stream audio commands to enact a second-order objective, such as ‘Alexa, unlock the front door’.”

A similar attack could enable hackers to order goods from the victim household’s Amazon account and intercept them, claimed Which?

“Smart toys are one of the key areas identified by the government’s drive to make connected products ‘secure by design’,” the group said. “We’re calling on the toys industry to ensure that unsecure products like the ones we’ve identified are either modified, or ideally made secure before being sold in the UK.”

Categories: Cyber Risk News

UK Government Issues Cybersecurity Warning to Charities

Info Security - Tue, 12/10/2019 - 17:11
UK Government Issues Cybersecurity Warning to Charities

The British government issued a cybersecurity alert to charities today warning of a spike in reported cases of mandate fraud in which scammers impersonate employees.

A spokesperson for the Charity Commission said: "We have received several reports from charities who have been targeted by fraudsters impersonating members of staff, specifically attempting to change employees' bank details."

All the requests to change employee bank details were made via email. The Charity Commission urged all of the nation's charities to be on the lookout for similar requests to their HR department, finance department or staff with the authority to update employee bank details.

Such fake emails may be sent from spoofed email addresses that closely mimic the real email address of the member of staff being impersonated.

"With a strong social engineering element, the fraudster often states that they have changed their bank details or opened a new bank account," said a Charity Commission spokesperson.

Charities are advised not to open any attachments or click on any links contained within unexpected or unusual emails and to take action to verify the validity of any emails requesting changes to an employee's details.

"Check email addresses and telephone numbers when changes are requested. If in doubt, request clarification from an alternatively sourced email address or phone number," said a Charity Commission spokesperson.

To help reduce the likelihood of becoming a target for fraudsters, the Charity Commission advised charities to think twice about how they handle sensitive information. 

"Sensitive information you post publicly, or dispose of incorrectly, can be used by fraudsters to perpetrate fraud against you. The more information they have about your charity and employees, the more convincingly they can appear to be one of your legitimate employees," said a Charity Commission spokesperson. 

A tip given by the Commission was to always shred confidential documents before throwing them away. 

The government Cyber Security Breaches Survey 2019 revealed that over two thirds of high income charities had recorded a cyber breach or attack in 2018. Of those charities affected, the vast majority (over 80%) had experienced a phishing attack.

Charities that have been targeted by mandate fraud are advised to report the incident to Action Fraud.

Categories: Cyber Risk News

Cyber Predator Arrests Double in New Jersey

Info Security - Tue, 12/10/2019 - 16:32
Cyber Predator Arrests Double in New Jersey

The number of people arrested for using the internet to exploit people for sexual and other purposes has grown by 2.5 times in just four years in the state of New Jersey.

In 2015, New Jersey law enforcement officers arrested 143 cyber predators. This year, the figure is expected to rise to over 360.

New Jersey attorney general Gurbir Grewal said action is being taken to crack down on individuals who stalk young children and teens online, but with criminals eschewing traditional chat rooms in favor of more elusive communication methods, catching predators was no easy task. 

“They’re using the chat features on games like Fortnite, they’re using the chat features on other social media apps, they’re using Tik Tok, they’re using a whole host of different tools to target young people,” said Grewal. 

The attorney general said that a cyber predator will use the anonymity granted by the internet to impersonate a young person when online. By presenting themselves in this way, they are able to win the trust of unsuspecting youngsters. 

Grewal said: “When young people have social media accounts, those are being targeted as well by people who are either pretending to be a kid, pretending to be somebody they’re not. There’s just so many more areas and avenues for these cyber-predators to attack young people.”

While law enforcement invests significant resources into fighting this particular type of crime, Grewal said parents must also do their part to help protect children and young people from cyber predators.

Using technology to track down the perpetrators is "resource intensive, it takes a long time, and we can’t do it alone," said Grewal, "So we do our part on the enforcement side, but the message that we want out there is that parents need to do their part as well."

Grewal urged parents to make sure that they know what apps their children are using on their smartphones and IoT devices and to disable chat features where necessary.

He also emphasized the importance of telling children about the very real dangers of communicating with strangers online. Besides being groomed by sexual predators, children who share personal information online are at risk of having their identities stolen. 

Categories: Cyber Risk News