Feed aggregator

UK authorities notified of Uber data breach 'by the media', says minister

Outlaw.com - Thu, 11/23/2017 - 16:36
Uber did not tell UK authorities about the data breach it has experienced prior to going public about the incident, the UK's digital minister has said.
Categories: Cyber Risk News

Awareness is the Key to Staying Safe on Black Friday

Info Security - Thu, 11/23/2017 - 16:30
Awareness is the Key to Staying Safe on Black Friday

The millions of employees in Europe and North America who will shop online at work for Black Friday deals will put their companies at risk of malicious malware and hacking, too. But with some awareness, victimhood can be avoided.

T-Systems, the cyber-security arm of Deutsche Telekom, said that over 40% of people shop from their desks at work on Black Friday—yet the risks from employees being unaware of the threats from lax personal email security are clear. In T-Systems research into the cybersecurity practices of 2,000 UK employees, over a third said they don’t know that their desktop computer can easily be infected with a virus from an email.

It also revealed that only a third of employees have had cybersecurity training in the past year (34%) and nearly 30% never had it at all.

“This week we should all expect an influx of hoax emails amongst the many legitimate Black Friday deals,” said Scott Cairns, head of the UK Cyber Security Practice at T-Systems. “Many will contain malicious code or phishing scams in an attempt to use Black Friday as a cover to persuade people to open unsolicited emails. Businesses tell their employees not to use their office PCs for personal use, but many will ignore this because they don’t realize the seriousness of the risk from opening such emails.”

Straightforward steps employers can take to reduce the risk include warning employees of the different types of cyber-threats and highlighting the severity of a potential cyber breach; where possible, they should provide examples of what possible malware-infected emails look like so that employees learn how to spot a potential threat.

Cybersecurity training meanwhile should be made compulsory for all new starters, and all employees should have annual cybersecurity refreshers to combat the evolving nature of cyber-threats. Cybersecurity protocols meanwhile need to be followed throughout the company, and training and refreshers should not be exclusive for new or junior employees but all the way up to C-Suite executives.

Categories: Cyber Risk News

UK Hails £5m Hardware Security Research Center

Info Security - Thu, 11/23/2017 - 12:01
UK Hails £5m Hardware Security Research Center

A new research institute was opened at Queen’s University Belfast yesterday with aspirations to become a world leading center in the field of hardware and embedded systems security.

The £5m ($6.7m) Research Institute in Secure Hardware and Embedded Systems (RISE) is located at the university’s Centre for Secure Information Technologies (CSIT).

However, projects will be led by experts at Queen’s as well as research partners from the University of Cambridge, University of Bristol and University of Birmingham.

It is being funded by the Engineering and Physical Sciences Research Council (EPSRC) and the National Cyber Security Centre (NCSC), with cryptography expert Maire O’Neill selected as its director.

“RISE is in an excellent position to become the go-to place for high quality hardware security research. A key aim is to bring together the hardware security community in the UK and build a strong network of national and international research partnerships,” she said in a statement.

“We will also work closely with leading UK-based industry partners and stakeholders, transforming research findings into products, services and business opportunities, which will benefit the UK economy.”

As one of four cybersecurity institutes in the UK, RISE is being touted as a future hub for global research and innovation in the field of hardware and embedded security.

There’s certainly a market demand for ways to improve security by design in such products.

The Mirai attacks of last year highlighted for the first time just how exposed many commercial IoT devices are to hackers — with potentially significant impacts.

Earlier this year, former Trend Micro CTO Raimund Genes called on the European Union to develop and enforce new smart device security standards for the region, after the vendor’s research revealed that millions of embedded and connected systems in the US are exposed to the public internet.

“I think that the inclusion of hardware-based security capabilities in commodity devices could be a game changer in our fight to reduce the harm of cyber-attacks and so I’m really pleased to see a strong set of initial research projects,” argued NCSC technical director, Ian Levy.

Categories: Cyber Risk News

Iranian National Indicted for $6m HBO Extortion Plot

Info Security - Thu, 11/23/2017 - 10:58
Iranian National Indicted for $6m HBO Extortion Plot

An Iranian national who tried to extort $6m from HBO whilst leaking stolen content online has been named in an unsealed indictment.

Behzad Mesri (aka Skote Vahshat) is a former Iranian military cyber operative and member of the hacking group Turk Black Hat security team, according to the Department of Justice.

Back in May, he began reconnaissance work on HBO, looking for restricted parts of the corporate network, before compromising multiple user accounts to obtain unauthorized access to the TV network’s servers.

The DoJ explained:

“Through the course of the intrusions into HBO’s systems, Mesri was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of ‘Barry’, ‘Ballers’, ‘Curb Your Enthusiasm’, ‘Room 104’, and ‘The Deuce’; (b) scripts and plot summaries for unaired programming, including but not limited to episodes of ‘Game of Thrones’; (c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts.”

Mesri is then said to have sent emails demanding $6m from the company and threatening to destroy data on its servers.

He then leaked content to the world via websites under his control and a Twitter account. In late August, this included information such as confidential plot summaries for the Game of Thrones season finale — sending statements to media outlets in an attempt to pressure HBO into paying.

The network, to its credit, never caved.

The 29-year-old hacker has been charged with wire fraud, computer hacking, threatening to impair the confidentiality of information, aggravated identity theft and transmission of an extortionate communication.

However, Mesri is unlikely to ever stand trial in the US, as he remains at large in Iran.

Categories: Cyber Risk News

Budget 2017: UK to enable driverless cars to be tested without 'a human safety operator'

Outlaw.com - Thu, 11/23/2017 - 09:48
UK legislation is to be updated to allow fully autonomous cars to be tested on UK roads without "a human safety operator" present in the vehicles, the government has announced.
Categories: Cyber Risk News

ICO: UK Users Were Hit by Uber Breach

Info Security - Thu, 11/23/2017 - 09:46
ICO: UK Users Were Hit by Uber Breach

The Information Commissioner’s Office (ICO) has confirmed that UK Uber users were affected by the breach of 57 million riders and drivers announced this week, and that it's investigating the incident.

In an official statement dated Wednesday, deputy information commissioner, James Dipple-Johnstone, claimed the breach and subsequent attempts to conceal it “raises huge concerns around its data protection policies and ethics.”

The privacy watchdog warned that deliberately concealing breaches from customers and regulators “could attract higher fines for companies”, although it can only currently go as high as £500,000.

“We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations,” said Dipple-Johnstone.

"It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.”

Uber CEO, Dara Khosrowshahi, shocked users of the popular ride-hailing service across the globe yesterday when he revealed the firm had suffered a breach in “late 2016” which was never reported to the authorities.

Reports claimed the firm had paid hackers $100,000 for them to delete personal data on tens of millions of users, which they had accessed on Amazon Web Services via log-ins apparently found in a private Uber GitHub account.

The incident will not do Uber any favors as it tries to convince the London mayor to issue a new license to operate in the city, after TfL refused to renew it back in September.

Labour deputy leader, Tom Watson, has written to the company demanding to know more details of the incident, arguing that “the matter cannot be considered closed.”

He added:

“I note that when Transport for London announced that they would not be renewing Uber’s license to operate in London on 22 September Uber emailed its customers to ask them to protest against this decision the very same day. So far as I am aware, Uber has not yet made any efforts to contact customers about the compromise of their personal data. I expect that you will do so.”

Categories: Cyber Risk News

Trickbot Evolves with Account-Checking Activity

Info Security - Wed, 11/22/2017 - 22:42
Trickbot Evolves with Account-Checking Activity

While Trickbot has historically targeted the financial industry, it has now expanded its targeting of other industries via its account-checking activities, according to fresh analysis.

These kinds of attacks occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful—a capability that is now exhibited by the Trickbot gang.

“Considered to be the successor of the formidable Dyre banking trojan gang, the Trickbot banking trojan gang continues to evolve by adopting new attack methods and targeting various industries,” said Vitali Kremez, researcher at Flashpoint, in a blog. “The gang account-checking operation requires a steady stream of new and ‘clean’ proxies to make sure their activities wouldn’t get automatically blocked by companies’ automatic IP origin anti-fraud systems. Therefore, their existing infections are turned into account-checking proxies.”

Flashpoint noted that Trickbot’s new trick is being perpetrated through the backconnect SOCKS5 module, enlisting victims as proxies. From Aug. 17 to the present, analysts at the firm have observed close to 6,000 unique compromised machines associated with Trickbot SOCKS5 proxy module activities. Of these machines, more than 200 of them were actively enlisted for account-checking fraud activities at any one time.

“The Trickbot gang continues to search for ways to monetize infections by adopting a hybrid attack model, which utilizes both Trickbot modular payloads and knowledgeable fraud operators, along with account-checking activity; such attacks are a combination of malware expertise and knowledgeable human operators,” Kremez said. 

Categories: Cyber Risk News

Troldesh Nabs Top Ransomware Spot

Info Security - Wed, 11/22/2017 - 22:40
Troldesh Nabs Top Ransomware Spot

The most prolific ransomware strain these days is Troldesh, aka Crysis, which claims hundreds of sub-variants, according to analysis from Bitdefender.

In its latest report, based on trends in its global network of more than 500 million sensors and honeypots, Bitdefender found that during 2017 alone, the number of new major ransomware families surpassed 160, with dozens or even hundreds of variations per family.

GlobeImposter, another extremely prolific ransomware family, competes head-to-head with Troldesh in the number of released sub-variants.

“The commercial malware ecosystem is intensely focused on developing and planting ransomware,” Bitdefender said. “Our stats show that one in six spam email messages comes bundled with some form of ransomware (link to drive-by download sites, attachments rigged with ransomware or even JavaScript/VBS downloaders for ransomware).”

Ransomware specifically aimed at companies has also emerged.

“Since the re-emergence this March of the Troldesh ransomware family, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers,” the report noted. “Ransomware like Troldesh and GlobeImposter have lateral movement tools (such as Mimikatz) to infect the organization and log clean-up mechanisms to cover their tracks.”

There’s also a new wrinkle in the threat landscape: In the past few months, traditional threats, such as generic trojans, ransomware and spambots, have been massively complemented by data destructors. According to Bitdefender, this amounts to a “dramatic reshaping” of the scene.

The firm noted that much of this shift has been powered by military-grade code allegedly leaked from the NSA.

“Both WannaCry and GoldenEye wrought havoc throughout Q2 and Q3, shutting down businesses and causing unprecedented operating losses,” the report noted. “Novel lateral movement vectors have complemented zero-day exploits such as EternalBlue and EternalRomance to take over the enterprise space. Other significant trends in 2017 are the increased focus on freeware or open-source tools, stitched together by custom-built code to weaponize them to support the attacker’s agenda.”

Meanwhile, the firm’s APT and targeted attack investigations in 2017 revealed that free tools such as password recovery utilities from Nirsoft and legitimate encryption utilities such as DiskCryptor are making detection and remediation increasingly difficult.

“These targeted attacks are reshaping the corporate and government security landscape, and causing fallout in the consumer space, as commercial cybercriminals rush to adopt leaked exploits and advanced lateral movement technologies into their own payloads,” Bitdefender said.

Another spectacular development in the 2017 threat landscape is the re-emergence of Qbot (also known as Brresmon or Emotet), a multi-purpose, network-aware worm with backdoor capabilities that has been around for years. It has largely re-emerged with a significant redesign of the command and control infrastructure and, more importantly, with a cloud-based polymorphic engine that allows it to take a virtually unlimited number of forms to avoid AV detection.

And finally, crypto-currency miners have taken multiple shapes and approaches in 2017. Traditional illicit coin miners have rushed to adopt lateral movement tactics such as the EternalBlue and EternalRomance exploits, to infect computers in organizations and increase mining efforts. Bitdefender pointed out that representative of this category is the Monero miner Adylkuzz, which appeared in early May, roughly at the same time as WannaCry. Another notable development is attackers’ move to integrate mining code in compromised web sites to reach a broader audience and increase the mining yield.

Categories: Cyber Risk News

BUDGET 2017: life sciences companies stand to benefit if plans to spur pension funds' investment in innovative businesses work, says expert

Outlaw.com - Wed, 11/22/2017 - 17:15
Plans to encourage pension funds to make long term investments in innovative UK businesses have been outlined by the UK government.
Categories: Cyber Risk News

Top Sites Expose Visitors to Breaches by Tracking Keystrokes

Info Security - Wed, 11/22/2017 - 11:15
Top Sites Expose Visitors to Breaches by Tracking Keystrokes

Hundreds of the world’s top sites are recording users’ keystrokes in real-time and sending them to third-party servers, exposing potentially sensitive data to the risk of theft, according to new research.

Princeton researchers Steven Englehardt, Gunes Acar and Arvind Narayanan investigated the widespread use of session replay scripts used by website owners to record keystrokes, mouse movements and scrolling behavior, along with the entire content of visited pages.

These scripts, provided by third-party analytics companies, are intended to record full browsing sessions, which can be played back by the web owner to learn how their site is being used and how it can be improved.

This means that even information subsequently deleted by the user is recorded and can be played back.

“However, the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user,” Englehardt wrote.

“This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”

The trio studied seven of the top session replay companies — Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam — and found their services in use on 482 of the Alexa top 50,000 sites.

The issue is that sensitive information entered by a user — including info on medical conditions, credit card details and more — could end up leaking to the third-party provider’s servers.

“This may expose users to identity theft, online scams, and other unwanted behavior,” Engelhardt added. “The same is true for the collection of user inputs during checkout and registration processes."

The researchers highlighted four vulnerabilities: attempts to automatically excluding password input fields from recordings often failed, sensitive data is often redacted in a partial and imperfect way, recording services increase exposure to data breaches and session recording companies expect sites to manually label all PII, which doesn’t happen.

“The replay services offer a combination of manual and automatic redaction tools that allow publishers to exclude sensitive information from recordings. However, in order for leaks to be avoided, publishers would need to diligently check and scrub all pages which display or accept user information,” explained Engelhardt.

“For dynamically generated sites, this process would involve inspecting the underlying web application’s server-side code. Further, this process would need to be repeated every time a site is updated or the web application that powers the site is changed.”

Paul Edon, director at Tripwire, claimed this activity is little different from that of cyber-criminals and could even breach regulatory requirements such as PCI DSS and the forthcoming GDPR.

“If these websites do not alert the user to the fact that they are recording keystrokes, then I would class this under ‘nefarious activity’ as it is being less than honest, and the information is being collected without the user's knowledge,” he argued.

“The collection and storage of information not submitted by a potential customer will definitely be a breach of the EU GDPR, as permission to collect, store and process the data has not been given.”

Categories: Cyber Risk News

Uber Shock: Firm Hid Breach of 57 Million Users

Info Security - Wed, 11/22/2017 - 10:04
Uber Shock: Firm Hid Breach of 57 Million Users

The information security industry is in shock after Uber confessed to a massive data breach affecting 57 million customers and drivers around the globe, which it concealed last year by paying off the hackers.

CEO Dara Khosrowshahi claimed the incident happened in late 2016 when two individuals “inappropriately accessed user data stored on a third-party cloud-based service that we use.”

Data stolen included the names, email addresses and mobile phone numbers of 57 million Uber users globally, including 600,000 US drivers, who had their names and driver’s license numbers taken.

He said in a statement yesterday:

“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded…

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Khosrowshahi has taken firm action related to the controversial company’s attempts to hush the incident up last year, including sacking its chief security officer, Joe Sullivan, and a deputy.

He’s currently asking former NSA general counsel Matt Olsen, now a consultant, for help with Uber’s security strategy, and has notified and provided affected drivers with free credit monitoring and ID protection. No such protection is being offered for riders, although Uber says it is monitoring affected accounts.

The attack occurred after two hackers managed to access a private GitHub coding site used by Uber engineers, and then used log-ins they found there to access the Amazon Web Services repository that handled “computing tasks” for the company, according to Bloomberg. From there, they pivoted to the highly prized customer/driver data.

Khosrowshahi concluded:

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Following the revelations, New York Attorney General Eric Schneiderman has launched an investigation and class action lawsuits are said to have already been filed for alleged negligence.

Jeremiah Grossman, chief of security strategy at SentinelOne, argued that GitHub is a major source of risk for firms.

“It's difficult, if not impossible, for an organization to lock down this vector. Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed,” he added. “While traditional security controls remain crucial to organizational security, it's no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.”

Others argued the incident proves why password-based systems are no longer fit-for-purpose.

“A serious error on Uber’s part was storing the keys to its data store on a GitHub code repository which the attackers could access,” said Avecto senior security engineer, James Maude. “This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.”

Jason Hart, CTO of data protection at Gemalto, claimed two things should have been done better by Uber: “faster disclosure and better use of encryption for the entire data lifecycle”.

“Delay in disclosing erodes trust, and it belies the fact that breaches like this, that access your data via cloud services, are inevitable,” he added.

There are also question marks around whether the hackers have kept their word and deleted all the stolen data, according to Webroot director of threat research, David Kennerley

“The fact is there is absolutely no guarantee the hackers didn't create multiple copies of the stolen data for future extortion or to sell on further down the line,” he argued.

Trend Micro VP of security research, Rik Ferguson agreed, explaining that “digital theft does not work the same way as in the physical world, you can never ‘buy back the negatives’ once data has been stolen”.

“I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such,” he added.

“You can’t outsource accountability."

Many others have warned that Uber would be on the hook for huge fines had the incident happened after May 25 next year, when the GDPR comes into force.

Dean Armstrong, barrister at Setfords Solicitors, said “the UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event.”

“As Uber hasn't released its figures we can't speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions,” he added.

Categories: Cyber Risk News

DMARC Implementation Lags as Email Fraud Surges

Info Security - Tue, 11/21/2017 - 19:07
DMARC Implementation Lags as Email Fraud Surges

As spam dominates email traffic, most domain owners still have not attempted to implement fraud protection through the latest and most complete form of protection, DMARC.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard that ensures only authorized senders can use an organization’s domain name in their emails.

ValiMail’s 2017 Email Fraud Landscape Report shows that email fraud is a pervasive threat: One in five messages sent today come from unauthorized senders, many representing fraudulent activity. Yet, virtually all domains lack adequate protection. Just 0.5% of the top million domains have protected themselves from impersonation by email authentication, leaving 99.5% vulnerable, the report found.

Over three-fourths (76%) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist. However, incorrect DMARC deployments often prevent email protection. Over three-fourths (77%) of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy. Overall, only 15% to 25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.

“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” said Alexander García-Tobar, CEO and co-founder of ValiMail. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”

The report postulated that implementing email authentication would save the average company $8.1 million per year in cybercrime costs—$16.2 billion annually across the Fortune 2000.

“ValiMail’s research demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” said Shehzad Mirza, the director of operations for the Global Cyber Alliance. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face. In order to truly protect our inboxes, we must drive greater adoption of cybersecurity technologies and protocols such as DMARC.”

The good news is that DMARC’s influence and adoption rates are steadily growing. In October 2017, the Department of Homeland Security announced it would begin requiring federal agencies to implement DMARC within 90 days. Right now, only 38% of the top government agencies have DMARC records and only 14% have reject/quarantine enforcement in advance of the of January 14, 2018 deadline, the report added. 

Categories: Cyber Risk News

Cyber-criminals' Industry Targets Shift in Q3

Info Security - Tue, 11/21/2017 - 19:04
Cyber-criminals' Industry Targets Shift in Q3

There have been notable changes in attack types, vectors and industry targets in the third quarter, including ramped-up efforts to compromise new verticals.

According to eSentire’s 2017 Q3 Quarterly Threat Report, providing a snapshot of threat events investigated by its Security Operations Center (SOC) from July thru September of this year, the quarter saw a rise in attacks against accounting, biopharma, retail, biotech and pharmaceuticals. That’s a change from trends spotted earlier in the year, when the momentum went against finance, legal and healthcare.

These attacks were mostly scanning and exploitation based, the firm said—which demonstrates that these industries are being targeted for their lucrative data and broad attack surface.

Information-gathering especially had a high representation in the biopharma, biotech and pharmaceuticals industries, where there is likely an interest in intellectual property and a propensity for non-standard internet devices to be connected to the network. In all, information gathering leads overall traffic volume.

“These industries also have more device-based infrastructure to support lab-based research and development,” the report detailed. “Consequently, these devices can increase exposure to networks they’re connected to. They often rely on outdated operating systems, which can increase vulnerability and make them an attractive target for opportunistic attacks that rely on established tools and dated vulnerabilities.”

That’s not to say other verticals don’t remain in the cross-hairs. Phishing attacks occurred most frequently in the healthcare industry. eSentire postulated that this could be due to the high volume of patients that staff in the healthcare industry must interact with, obscuring malicious transactions. It could also pertain to weak policies around phishing and a lack of awareness and training among healthcare employees.

On the general trend front, the analysis also uncovered a rise in availability attacks, usually in the form of DDoS attacks. These types of attacks are often used by political activists in an attempt to silence or disrupt political opponents, but they can also be used as incentive to pay a ransom.

Finally, the third quarter also was marked by a surge in OpenSSL detections, according to the report. The most- targeted vulnerability existed in OpenSSL (CVE-2014- 0160); runners up included an ASUS Router exploit (CVE-2014- 9583), an Apache Struts exploit (CVE-2017-5638), an exploit of the Invision Board (CVE-2002-1149), Microsoft IIS (CVE-2000-0778, CVE-2000-0071 and CVE-1999-1538), Trivial FTP (CVE-1999-0183), and Microsoft Exchange (CVE-2015-1631).

“With the exception of Apache Struts, all of these vulnerabilities are at least three years old,” the report noted. “And in most cases, they’ve been patched across the commercial sector. However, many vulnerabilities haven’t been patched due to conflicting software dependencies and isolation practices. When an endpoint that has not been connected to the network is eventually connected, all of its vulnerabilities become exposed in the time it takes to update the system. Opportunistic attacks that are constantly scanning and attempting exploits on these systems must be yielding successful results as attempts on them remain a large portion of malicious traffic.”

Categories: Cyber Risk News

BankBot Android Trojan Re-emerges Globally

Info Security - Tue, 11/21/2017 - 18:47
BankBot Android Trojan Re-emerges Globally

A new version of the BankBot Android mobile banking malware has snuck into Google Play, targeting apps of large banks including WellsFargo, Chase, DiBa and Citibank.

A mobile threat intelligence collaboration between Avast, ESET and SfyLabs found that the apps target users in the US, Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore and the Philippines, looking to spy on users, collect their bank login details and steal their money.

“The new version of BankBot has been hiding in apps that pose as supposedly trustworthy flashlight apps, tricking users into downloading them, in a first campaign,” explained SfyLabs’ Niels Croese and ESET’s Lukas Stefanko, in a joint blog. “In a second campaign, the solitaire games and a cleaner app have been dropping additional kinds of malware besides BankBot, including Mazar and Red Alert.”

Affected apps include Tornado FlashLight, Lamp For DarkNess and Sea FlashLight; Google removed some of the BankBot-carrying apps from the Play Store within days, but several versions remained active until November 17th—long enough for the apps to infect thousands of users, the researchers said.

They also explained that while Google scans and has measures in place for all apps submitted to the Play Store, the authors of mobile banking trojans have started to use special techniques to circumvent those automated detections.

For instance, they have started “commencing malicious activities two hours after the user gave device administrator rights to the app,” the researchers noted. “Also, they published the apps under different developer names which is a common technique used to circumvent Google’s checks.”

Once active, BankBot functions much like other trojans: It overlays a fake user interface on top of the clean banking app when it’s opened by the user. As soon as the user’s bank details are entered, they are then collected by the criminals, and used to carry out bank transfers on the user's behalf.

Further, the BankBot operators can also intercept their victims’ two-factor authentication text messages.

To stay protected, users should deactivate the option in Google Play to download apps from other sources, and before downloading a new app, check its user ratings. Users should also pay attention to the permissions that an app requests: If a flashlight app requests access to contacts, photos and media files, that should be seen as a red flag.

Categories: Cyber Risk News

Crypto-Currency Firm Tether Loses $30m to Hackers

Info Security - Tue, 11/21/2017 - 11:14
Crypto-Currency Firm Tether Loses $30m to Hackers

Crypto-currency firm Tether has become the latest to suffer a damaging cyber-attack, claiming hackers have made off with over $30m worth of tokens.

The crypto-currency stolen is USDT, a US dollar-based asset issued by Tether on the Bitcoin blockchain via the Omni Layer Protocol.

Because each unit of USDT is backed by an actual dollar held by Tether, it’s favored by speculators who want to occasionally trade out of full fat crypto-currency to something less risky, whilst still keeping their funds in the same exchanges.

Tether made the following critical announcement:

“$30,950,010 USDT was removed from the Tether Treasury wallet on November 19, 2017 and sent to an unauthorized bitcoin address. As Tether is the issuer of the USDT managed asset, we will not redeem any of the stolen tokens, and we are in the process of attempting token recovery to prevent them from entering the broader ecosystem. The attacker is holding funds in the following address: 16tg2RJuEPtZooy18Wxn2me2RhUdC94N7r. If you receive any USDT tokens from the above address, or from any downstream address that receives these tokens, do not accept them, as they have been flagged and will not be redeemable by Tether for USD.”

Tether claims to have suspended its tether.to back-end wallet service while an investigation is underway, and is providing new builds of Omni Core to the community which will result in a de facto temporary hard fork.

“These builds should prevent any movement of the stolen coins from the attacker’s address. We strongly urge all Tether integrators to install this software immediately to prevent the coins from entering the ecosystem,” said the firm. “Again, any tokens from the attacker’s address will not be redeemed. Accordingly, any and all exchanges, wallets, and other Tether integrators should install this software immediately in order to prevent loss.”

The firm was at pains to point out that Tether issuances have not been affected by this attack, and that all Tether tokens remain fully backed by assets in the firm’s reserve.

Tyler Moffitt, senior threat research analyst at Webroot, said the attack could still prove costly to the firm’s reputation. 

“It looks like Tether will not recognize the tokens stolen by the hackers and will ‘hard fork’ to redistribute,” he said. “Hard forking a currency is a big deal as it always shakes the trust of those using it.”

There are also question marks surrounding the rapid increase in supply of USDT in the Tether coffers, apparently soaring $200m so far in November alone, and its relationship with controversial British Virgin Islands-based exchange Bitfinex.

Categories: Cyber Risk News

Chinese CA StartCom Set to Close Down

Info Security - Tue, 11/21/2017 - 10:40
Chinese CA StartCom Set to Close Down

Controversial Chinese certificate authority (CA) StartCom has decided to close, after several major browser makers lost confidence in the company.

Over the past year, Mozilla, Google, Microsoft and Apple have all begun the process of distrusting certificates from the firm and its parent company WoSign, removing their root certificates and refusing to accept newly issued certs.

The firm had this in a statement:

“Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA).

From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1, 2018. Starting 2020, all remaining valid certificates will be revoked.”

The browser makers made their decision after uncovering poor standards of practice at WoSign and StartCom. Microsoft said that this included “back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations”.

Kevin Bocek, chief cybersecurity strategist at Venafi, argued that the two firms have “made a mockery of the global system of trust” on which the internet is based.

"As with CNNIC before it, reliance on StartCom certificates left businesses and consumers vulnerable. This is a reminder for businesses as to why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important,” he added.

“Moreover, speed and agility in protecting machine identities — being able to take control and immediately and automatically change out affected certificates — is needed now more than ever.”

The Chinese CAs aren’t the only ones affected by big decisions like these from the browser makers.

Google is in the process of removing trust from Symantec certificates, a decision which forced the security giant to sell its certificates business this year to DigiCert.

Categories: Cyber Risk News

Insider Data Theft Court Cases Climb 25%

Info Security - Tue, 11/21/2017 - 10:06
Insider Data Theft Court Cases Climb 25%

The number of High Court cases in which sensitive corporate data has been stolen by employees has increased by 25% in a year, according to a London law firm.

EMW senior solicitor, Felix Dodd, claimed that an increase in staff turnover could be the cause of the rise, from 40 cases in 2015 to 50 last year.

In other words, malicious insiders are deliberately taking customer databases, sensitive financial information and the like with them to help with their new roles.

He added that the ubiquity of smartphones and cloud storage platforms has made the process far simpler without raising suspicion.

In the financial services sector, firms need to guard their proprietary algorithms with care, while recruiters and estate agents are more likely to be affected by the loss of client databases, said Dodd.

“Theft of confidential data has become such a widespread concern for firms in the City that many of them ban their employees from sending work emails to their personal accounts, and some now even disable some functions on their employees’ smartphones,” he explained.

“Bigger businesses should have the systems in place to be able to monitor activity like this effectively, but a lot of smaller businesses might not have the budget or skills to track what their employees are doing with sensitive data.”

This year a former employee of aviation cleaning company, OCS Group UK, was jailed after sending confidential information to his personal email address, breaking the terms of a court order. Meanwhile, investment management firm, Marathon Asset Management, won a case against two former employees who breached their contracts by copying and retaining key files.

Head of employment at Lennons, Leah Waller, argued that the increase in High Court cases could be down to the fact that firms can now apply for compensation by way of damages rather than being forced to bring a criminal action for theft.

“With technology advancing at an incredible speed, and the majority of information now being stored electronically with easy access, the instances of employees, especially those that leave on bad terms, taking confidential information is likely to continue to increase and as such the number of claims in the High Court will continue to rise,” she added.

David Emm, principal security researcher at Kaspersky Lab, argued that the insider threat is one of the biggest challenges facing businesses.

“Employees rank at the very top of the list of threats to data and systems,” he added.

“Their motivations are often hard to predict and anticipate, ranging from a desire for financial gain to disaffection, coercion and simple carelessness. When insider-assisted attacks do occur, the impact of such attacks can be devastating as they provide a direct route to the most valuable information – customer data.”

To mitigate the threat, Emm recommended a combination of staff education, threat intelligence services, restricted access to key systems and regular security audits.

Categories: Cyber Risk News

Rewards Points Theft is a Growing Piece of the Cybercrime Pie

Info Security - Mon, 11/20/2017 - 18:37
Rewards Points Theft is a Growing Piece of the Cybercrime Pie

The already lucrative market in stolen rewards points is significantly growing.

According to Flashpoint, a number of factors are coalescing to drive this criminal segment forward.

For one, fraudulent “booking services” that use stolen points in Russian-language forums are gaining popularity, including one that has gone as far as to establish its own group of members dedicated to cybercrime targeting hotel bookings. One such member has been advertising their travel “booking service” on two lower-tier forums since December 2014; grateful customers regularly post photos taken on trips purchased through the actor’s offerings. Interestingly, tickets can be to anywhere in the world, except domestic flights within Russia.

“This typically occurs via compromised user accounts—particularly those associated with rewards points credit cards,” Flashpoint explained, in a blog. “Actors then use these points to purchase hotel rooms, flights, and car rentals through online booking services.”

There is also widespread points abuse among English and Spanish-speaking cyber-criminals.

“These [Spanish and English] listings drove high demand—3,601 customers purchased one actor’s illicit hotel and car rental services between March 2015 and December 2016,” Flashpoint said. “To cash in on this trend, at least one vendor who was active on lower-tier Russian-language forums is known to have expanded their operations to AlphaBay Market in September 2016. Today, similar services are available on various other English-language marketplaces.”

There is also an evolution underway in the methods by which rewards points are stolen and some other ways in which they are used.

“Cyber-criminal abuse of rewards points has also been facilitated by the development of brute-forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined,” said the firm. “After obtaining a user’s password through brute forcing, cyber-criminals can potentially access any rewards points associated with the compromised accounts. A symbiotic relationship exists between the expanding presence of these tools and the marketplace for compromised credentials.”

The good news is that businesses and individuals can protect themselves with one simple step: practicing stringent password hygiene.

“Since brute-forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity,” Flashpoint explained. 

Categories: Cyber Risk News

Nevada Tops the List of Worst States for Cyberbullying

Info Security - Mon, 11/20/2017 - 18:26
Nevada Tops the List of Worst States for Cyberbullying

When it comes to the worst US states for cyberbullying across the US, Nevada tops the list.

Research by Website Builder Expert investigated the extent of online bullying across the 50 states by cross-referencing data for the percentage of hostile comments, the percentage of people who have claimed online harassment, and whether or not each state has legislation in place to protect citizens against cyberbullying.

Individual rankings from these factors were then combined to expose the states with the biggest cyberbullying problem and where victims suffer the most due to loose or ineffective laws for punishing perpetrators.

Nevada was revealed as the state with the most toxic online bullies, where claims of online harassment or violent threats are some of the highest in the country. Interestingly, Nevada does have a law against cyberbullying, but the high level of malicious online behavior seen in the state suggests that this does little to dissuade people from posting aggressive content.

In fact, the study found that five of the ten worst states in the ranking—which includes Florida, Illinois and New York—already legislate against cyberbullying, further proving the inefficacy of current legislation.

Surprisingly, California, often perceived as more liberal and tech-tolerant, ranked in the top 10 worst states for cyberbullying, performing poorly for the volume of online abuse claims (sixth), despite cyberbullying being classified as a criminal misdemeanor.

Vermont and Maryland were revealed as two of the worst offenders for not adequately protecting their citizens, with little to no legal protection for victims. Vermont had the highest rate of hostile comments across the study, yet no cyberbullying law to penalize online offenders. Similarly, Maryland had the highest percentage of online harassment claimants but no legislation to help them get justice.

“The insurgence of ‘keyboard warriors’ and internet trolls shows just how badly the current legislature around digital behaviors is failing,” said Alex English, lead research at Website Builder Expert. “Unfortunately, in this digital age, it is easier than ever to post inflammatory comments online and seemingly, get away with it. We are in desperate need of new laws which bridge the gap between the real and virtual world.”

Categories: Cyber Risk News

DDoS Attacks Nearly Double Since January

Info Security - Mon, 11/20/2017 - 18:13
DDoS Attacks Nearly Double Since January

Organizations experienced an average of 237 DDoS attack attempts per month during the third quarter (equivalent to eight DDoS attack attempts every day), which represents a 35% increase in monthly attempts compared to the previous quarter, and a 91% increase in monthly attack attempts compared to Q1.

That’s according to the latest DDoS Trends and Analysis report from Corero Network Security, which found that the rate of attacks, which is based on DDoS attack attempts against Corero customers, is being spurred along by the growing availability of DDoS-for-hire services, and the proliferation of unsecured internet of things (IoT) devices.

For example, the Reaper botnet is known to have already infected thousands of devices, and is believed to be particularly dangerous due to its ability to utilize known security flaws in the code of those insecure machines. Like a computer worm, it hacks into IoT devices and then hunts for new devices to infect in order to spread itself further.

 “The growing availability of DDoS-for-hire services is causing an explosion of attacks, and puts anyone and everyone into the crosshairs,” said Ashley Stephenson, CEO at Corero. “These services have lowered the barriers to entry in terms of both technical competence and price, allowing anyone to systematically attack and attempt to take down a company for less than $100. Alongside this trend is an attacker arms race to infect vulnerable devices, effectively thwarting other attackers from commandeering the device.  Cyber-criminals try to harness more and more internet-connected devices to build ever larger botnets.  The potential scale and power of IoT botnets has the ability to create internet chaos and dire results for target victims.”

In addition to the frequency of attacks, the Corero data reveals that hackers are using sophisticated, quick-fire, multi-vector attacks against an organization’s security. A fifth of the DDoS attack attempts recorded by Corero during Q2 2017 used multiple attack vectors. These attacks utilize several techniques in the hope that one, or the combination of a few, can penetrate the target network’s security defenses.

Stephenson added, “Despite the industry fascination with large-scale, internet-crippling DDoS attacks, the reality is that they don’t represent the biggest threat posed by DDoS attacks today. Cyber-criminals have evolved their techniques from simple volumetric attacks to sophisticated multi-vector DDoS attacks. Often lasting just a few minutes, these quick-fire attacks evade security teams and can sometimes be accompanied by malware and other data exfiltration threats. We believe they are often used in conjunction with other cyber-attacks, and organizations that miss them do so at their peril.”

Corero also observed a return of ransom denial of service, or RDoS, in the third quarter. A widespread wave of ransom DDoS threats from hacker group Phantom Squad started in September, targeting companies throughout the US, Europe and Asia. The extortion campaign spanned a variety of industries—from banking and financial institutions, to hosting providers, online gaming services and SaaS organizations—and threatened to launch attacks unless a Bitcoin payment was made.

 “Ransom is one of the oldest tricks in the cyber-criminal’s book, and with cryptocurrency, is an anonymous way for them to turn a profit,” said Stephenson. “As IoT botnets continue to rise, we may soon see hackers put on more dramatic RDoS displays to demonstrate the strength of their cyber firepower, so that their future demands for ransom will have to be taken more seriously. Paying the ransom is rarely the best defense, as it just encourages these demands to spread like wildfire. It is proven that with proper protection in place to automatically eliminate the DDoS threat, organizations will be in a much stronger position.”

Categories: Cyber Risk News