Feed aggregator

Infrastructure of APT Group Crouching Yeti Uncovered

Info Security - 6 hours 12 min ago
Infrastructure of APT Group Crouching Yeti Uncovered

The well-known Russian-speaking advanced persistent threat (APT) group Crouching Yeti, has long been targeting servers worldwide. But today Kaspersky Lab announced it has uncovered infrastructure used by the group, also known as Energetic Bear.

Since 2010, Kaspersky Lab has been tracking the APT group renowned for targeting energy facilities across the globe. The goal of the group has been to gain access to valuable data from victim systems, which they've done successfully most often by using watering hole attacks, where the attackers injected websites with a link redirecting visitors to a malicious server.

Multiple servers outside of the industrial sector from organizations in Russia, the US, Turkey and European countries had been compromised in 2016 and 2017 and used as intermediaries to conduct attacks on other resources.

"In the process of analyzing infected servers, researchers identified numerous websites and servers used by organizations in Russia, U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack. Some of the sites scanned may have been of interest to the attackers as candidates for waterhole," Kaspersky Lab wrote in a press release

Intruders scanned a wide range of websites and servers, using publicly available tools for analyzing servers, and researchers also discovered a modified sshd file with a preinstalled backdoor that was used to replace the original file and then authorized with a master password.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, head of vulnerability research group Kaspersky Lab ICS CERT.

“The group’s activities, such as initial data collection, the theft of authentication data and the scanning of resources, are used to launch further attacks. The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties,” Dashchenko added.

More details on this recent Crouching Yeti activity can be found on the Kaspersky Lab ICS CERT website.

Categories: Cyber Risk News

Gmail Spam Campaign Annoying, Not a Hack

Info Security - 6 hours 28 min ago
Gmail Spam Campaign Annoying, Not a Hack

When users take a look through their sent messages, they aren’t always searching for an email they sent. The security-minded user is looking for any messages that they did not send out. That’s how some Gmail users recently discovered a spam message campaign.  

Several users in a Gmail help forum reported that they had found spam emails distributed to unrecognized addresses with subject topics ranging from bitcoin and funeral insurance to weight loss and growth supplements for men. Despite what it seems, these accounts were not hacked. 

The accounts were spamming themselves with a trick spammers can use to bypass Gmail’s spam filters. In addition to the help forum, users also flocked to Twitter to let others know.  

One user reported changing their password only to have the spam messages sent again. Users who have two-factor authentication enabled reported the same issue. A Google spokesperson assured users that their accounts had not been hacked, reporting to Mashable that it was a “spam campaign impacting a small subset of Gmail users.” 

“This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident,” Google said. 

All of the emails have reportedly been sent via telus.com, a Canadian telecommunications company. When contacted, a TELUS spokesperson said, “We have identified spam emails being circulated that are disguised to appear as if they are coming from http://telus.com. We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server. We are working with our third-party vendors to resolve the issue and are advising our customers not to respond to any suspicious emails.” 

Users who find the messages should continue to report them as spam.

Categories: Cyber Risk News

A Quarter of UK Manufacturers Suffer Cyber-Attack Losses

Info Security - 10 hours 46 min ago
A Quarter of UK Manufacturers Suffer Cyber-Attack Losses

A quarter of UK manufacturers have suffered financial or other business losses stemming from a cyber-attack, according to a new study from industry body EEF.

The organization and AIG commissioned think tank the Royal United Services Institute (RUSI) to compile its Cyber-Security for Manufacturing report.

Of the 48% of manufacturers who claimed to have been struck by a cyber-incident, 24% said they suffered losses and the same number claimed their security processes were strong enough to repel any attack.

However, visibility into the scale of the problem appears to be a challenge. Some 41% claimed they don’t have access to enough information to assess their true risk exposure, while 12% said they don’t have the technical or managerial processes in place to assess risk.

A further 45% said they don’t have access to the right security tools.

The stats are concerning given that the manufacturing industry employs 2.6m people in the UK, accounting for 10% of the country’s output and 70% of its R&D, according to EEF.

Over a third (35%) of the vast majority (91%) of respondents who claimed they’re investing in digital transformation said cyber-risk was holding them back.

There’s also a clear and pressing need to demonstrate improvements in cybersecurity to increasingly demanding supply chain partners.

Over half (59%) of respondents said they’ve been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain.

A worrying 37% of manufacturers said they could not do this if asked today.

“The importance of the manufacturing sector to the security of the UK economy cannot be overstated,” said RUSI director general, Karin von Hippel. “Increasing digitization creates further opportunities, but also exposes us to potential vulnerabilities to cyber-attacks, whether from criminals or nation-state adversaries. The sector needs to recognize these risks and respond accordingly.”

Categories: Cyber Risk News

SunTrust Investigates Malicious Insider Breach

Info Security - 11 hours 24 min ago
SunTrust Investigates Malicious Insider Breach

US regional banking giant SunTrust is notifying 1.5 million customers that some of their personal data may have been stolen by a malicious insider.

The Atlanta-headquartered financial services firm issued a formal statement on Friday, claiming that it is offering ongoing identity protection from Experian free of charge for all current and new customers, following the discovery.

“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed,” it explained.

“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver's license information. SunTrust is also working with outside experts and coordinating with law enforcement.”

Chairman and CEO, Bill Rogers, apologized for the incident and claimed the company had “heightened” monitoring of users’ accounts and increased other unnamed security measures.

“While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” he said in a statement.

"Our priority is protecting our clients and maintaining their trust. Beyond this incident, we want to help all SunTrust clients combat the increasing concern about identity theft and fraud, wherever it may occur."

The Experian IDnotify package being offered to customers includes credit monitoring, dark web monitoring, identity “restoration assistance” and $1m identity theft insurance.

Insiders were blamed for over a quarter (28%) of breaches analyzed in the most recent Verizon Data Breach Investigations Report, although there was no breakdown of how many were malicious and what proportion was down to negligence.

However, over-three-quarters (76%) of breaches were said to be financially motivated.

Categories: Cyber Risk News

Kaspersky Lab Rails Against Twitter Ad Ban

Info Security - 11 hours 54 min ago
Kaspersky Lab Rails Against Twitter Ad Ban

Twitter has banned ads from Russian AV company Kaspersky Lab, claiming the firm’s business practices are at odds with the platform.

The decision was related in a short letter sent to the firm at the end of January, according to CEO Eugene Kaspersky.

“At Twitter we believe in freedom of expression and in speaking truth to power. We also want to ensure that people feel safe when they interact with our site, and that advertisers bring value to our users,” it read.

“Accordingly, Twitter has made the policy decision to off-board advertising from all accounts owned by Kaspersky Lab. This decision is based on our determination that Kaspersky Lab operates using a business model that inherently conflicts with acceptable Twitter Ads business practices.”

Although the firm is allowed to remain an organic user on the site, Kaspersky expressed disbelief at the decision and said he has been unable to get further clarification from Twitter on its reasoning.

“One thing I can say for sure is this: we haven’t violated any written — or unwritten — rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them,” he added. “What specific (or even non-specific) rules, standards and/or business practices we violated are not stated in the letter.”

Kaspersky likened the ban to online censorship and claimed Twitter’s actions were playing into the hands of cyber-criminals, as the firm’s tweets help to promote its research on breaking threats such as WannaCry.

Twitter subsequently told Reuters that its decision was also influenced by a Department of Homeland Security (DHS) assessment that Kaspersky Lab products may pose a national security threat.

In the past it has also banned ads from Kremlin-backed Russian media outlets Russia Today and Sputnik.

“You’re only shooting yourself in the foot when you cater to the geopolitical noise and start refusing to promote material on false pretences,” Kaspersky responded.

“No matter how this situation develops, we won’t be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the Electronic Frontier Foundation (EFF). They do a lot to fight censorship online.”

While Twitter has banned certain Russian companies from advertising on its platform, it still allows Kremlin-backed trolls to spread disinformation. A Whitehall report last week reportedly revealed a 4000% increase in activity from several accounts following the nerve agent attack in Salisbury.

Categories: Cyber Risk News

Irony of Leaky App at #RSAC Not Lost on Attendees

Info Security - Fri, 04/20/2018 - 16:40
Irony of Leaky App at #RSAC Not Lost on Attendees

Every once in a while, 280 characters can make people scratch their heads. Learning about a security flaw in a mobile app designed for a security conference is one of those things that people find puzzling. Or not. 

Many members of the cybersecurity community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about a leaky RSAC app. Few, however, are really shocked by the reported breach. 

Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app. RSAC tweeted a confirmation of the breach confessing, Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.” 

The database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app. According to Twitter threads, the security researcher who discovered the flaw messaged RSAC to alert them to some security issues with their conference app. Only six hours later, the researcher thanked both Eventbase Tech and RSAC for quickly fixing the data leak, applauding the great response time and confirming that the attendee data was no longer accessible through the reported method. 

It's not uncommon for a conference to encourage attendees to use a mobile app to navigate their way through the exhibits, speakers, and additional events, even though the week's schedule and other pertinent details of the event are available on the conference website. Some conferences will advise downloading the app for "last-minute changes or updates." Many do, especially at a conference like RSAC, because there’s an inherent trust that the mobile app for a security conference is safe. But no technology is ever completely free from risk, which attendees learned the hard way back at RSAC 2014 when a mobile application exposed the personal information of attendees.

Ironically, a Google search for “RSA leaky conference app” resulted in a link to an RSAC presentation by a Kaspersky Labs security researcher who spoke earlier this week about leaking ads. The description of his talk? “Most developers currently use HTTPS to protect user data. But that doesn’t mean their apps are secure.”

Categories: Cyber Risk News

NIST Launches Search for Lightweight Cryptographic Champions

Info Security - Fri, 04/20/2018 - 15:37
NIST Launches Search for Lightweight Cryptographic Champions

The search for Lightweight Cryptographic Champions is on now that the National Institute of Standards and Technology (NIST) has launched a call for submissions of previously published and analyzed algorithms that will help set standards to better secure the entire market of the Internet of Things (IoT). 

Protecting the tiny networks within IoT devices demands a new class of lightweight cryptography, which is why NIST has kicked off its effort to find lightweight solutions to this heavyweight challenge of IoT security. 

One of the challenges in defending IoT devices is that most cryptographic systems were designed for desktops and servers, not the now-often-used smaller devices that have more limited computational resources. These devices, though, are everywhere, from critical infrastructure to medical devices to cars and common household electronics. In large part, they are vulnerable to cyberattacks because the are so difficult to secure. 

This week, NIST announced its push to establish viable solutions to the problem of securing data in the myriad gadgets across the IoT’s rather small and inexpensive networked devices. “Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cyrptographic algorithm standards that can work within the confines of a simple electronic device,” NIST wrote in a blog post. 

“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” Matt Robshaw, a technical fellow at Impinj, told NIST. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.” 

NIST computer scientist Kerry McKay said, "The IoT is exploding, but there are tons of devices that have nothing for security. There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”

Still in its draft form, the Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process details the proposed requirements and evaluation process and will soon allow the community to weigh in on the draft guidelines. Feedback received on the draft will inform the final submission process. 

One specification NIST is looking for in the submitted algorithms is an authenticated encryption with associated data (AEAD) tool so that recipients can verify the integrity of both the encrypted and unencrypted information in a message. Additionally, in order to reduce costs, any hash function must share resources with the AEAD.

NIST will accept comments on the draft for 45 days before releasing a formal document, after which time it anticipates accepting submissions over a six-month period. 

Categories: Cyber Risk News

Google's Project Zero to Microsoft: 90 Days Are up to Fix Windows 10 Bug

Info Security - Fri, 04/20/2018 - 15:14
Google's Project Zero to Microsoft: 90 Days Are up to Fix Windows 10 Bug

In January 2018, a researcher at Google’s Project Zero reported a bug in Windows 10's lockdown policy that would allow an attacker to bypass a Windows 10 security feature. The 90-day window to patch the flaw has passed, and despite Microsoft’s multiple pleas to prolong the inevitable public disclosure, the deadline for patching the issue will not be extended.

According to the bug report issued by researcher James Forshaw, the medium-severity bug could allow an attacker to add register keys that “would load an arbitrary COM visible class under one of the allowed CLSIDs.” Forshaw provided two files as proof-of-concept code using a DotNetToJscript tool that enabled arbitrary code execution, something that Windows 10 S was specifically designed to prevent.

“This issue was not fixed in April patch Tuesday therefore it's going over deadline,” Forshaw wrote. “This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation.”

Because the vulnerability only affects systems with Device Guard enabled, it's ranked as a medium severity. In order to exploit the issue, an attacker would have to already have code running on the machine. Still, an attacker could get around that by exploiting another remote code execution bug in Microsoft Edge.

The two tech giants have a long history of rivalry when it comes to responsible disclosures. This is not the first time that Google has denied Microsoft a request for extension. In 2016 Microsoft criticized Google for putting customers at risk after publicly disclosing a bug only 10 days after reporting the Windows vulnerability.

Then in February of this year, the 90 days had lapsed before Microsoft was able to patch a security flaw in Microsoft Edge. Though Google awarded a 14-day grace period, the fix was more difficult than Microsoft had anticipated. After the grace period ended, Google went public with the disclosure.

While Project Zero's customary time frame for a developer to resolve an issue is 90 days, there are some special cases when a grace period is granted, which happens most often when a flaw is difficult to fix.

Categories: Cyber Risk News

LinkedIn Fixes User Data Leak Bug

Info Security - Fri, 04/20/2018 - 10:37
LinkedIn Fixes User Data Leak Bug

LinkedIn has quietly patched a vulnerability which could have allowed malicious third parties to steal members’ personal data.

The flaw revolves around the business networking platform’s AutoFill button, which allows third-party sites to autofill information including users’ name, email address, phone number, location, and job.

It has been a part of the LinkedIn Marketing Solutions offering for several years. However, according to security researcher, Jack Cable, the feature could be abused by hackers.

He discovered earlier this month that any sites could use the feature, styling the iframe so it takes up the entire page and is invisible to the user.

This means that if a visitor clicks anywhere on that site, LinkedIn interprets this as an AutoFill button being pressed and sends the relevant user data to the malicious webmaster.

LinkedIn fixed the feature a day after being informed, restricting it to whitelisted sites paying to host ads. However, this still left users potentially exposed. That’s because any of those whitelisted sites which have cross-site scripting vulnerabilities would have allowed hackers to run the same maliciously crafted iframe on them to harvest user details.

The Microsoft-owned firm then issued another patch, and a statement, as follows:

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.”

The incident comes at a sensitive time for online firms which collect and share data on users with third parties, following the Cambridge Analytica scandal which unearthed serious deficiencies in Facebook’s terms of service agreements with app developers.

Categories: Cyber Risk News

Russian Twitter Trolls Spring into Action After Salisbury Attack

Info Security - Fri, 04/20/2018 - 10:10
Russian Twitter Trolls Spring into Action After Salisbury Attack

Russian Twitter trolls have been sent into action again, this time looking to spread disinformation following the Salisbury nerve agent attack, according to government sources.

A Whitehall analysis purports to have measured a 4000% increase in tweets from Russia-based accounts, many of them automated bots, since the attack over six weeks ago.

One identified bot account, @partisangirl, is said to have reached 61 million users with 2300 posts over a 12-day period from April 7.

The research reportedly reveals that many of these accounts also commented on the alleged Syrian chemical attack by President Bashar, which some are disputing despite government claims to the contrary.

Another account, @ian5678, was banned by Twitter before being unblocked recently. Reports suggest it sent 100 posts a day reaching 23 million users. A prolific account with 33,000 followers, it contains largely pro-Kremlin conspiracy theory and anti-West rhetoric masquerading but purports to be that of a truth-seeking stock market trader.

Primer Minister, Theresa May, is said to have briefed Five Eyes partners and Commonwealth leaders Malcolm Turnbull, Jacinda Ardern and Justin Trudeau on the Russian campaign earlier this week.

“Russia is using cyber as part of a wider effort to undermine the international system,” she said in a reported statement. “This disinformation campaign is not just aimed at social media and the UK — it is intended to undermine the actual institutions and processes of the rules-based system, such as the Organisation for the Prevention of Chemical Weapons. We must do all we can at every turn to challenge this.”

Back in February 2017, Russian defence minister, Sergey Shoigu, admitted for the first time the importance to the Kremlin of state propaganda efforts, claiming a specialized unit had been established in the military.

“The information operations forces have been established, that are expected to be a far more effective tool than all we used before for counter-propaganda purposes," he’s reported to have told the lower house. "Propaganda should be smart, competent and effective.”

Cyber-propaganda efforts have been called out as a major trend by the likes of Trend Micro and ThreatConnect in the past, threatening to destabilize democracy and influence elections.

Categories: Cyber Risk News

Atlanta City Splurges $2.7m in Ransomware Aftermath

Info Security - Fri, 04/20/2018 - 09:03
Atlanta City Splurges $2.7m in Ransomware Aftermath

Atlanta City has been forced to spend $2.7m in the aftermath of a major ransomware attack in March, in another sign of the ongoing threat posed by this class of malware.

Hackers demanded the equivalent of over $50,000 in Bitcoin when they struck a couple of months ago, putting key systems out of action including apps citizens use to pay their bills and access court information.

Mayor Keisha Lance Bottom is said to have claimed that paying the ransom was “up for discussion” although it’s unclear if any money exchanged hands.

However, local news reports now suggest that city officials have been forced to pay nearly $2.7m for eight emergency contracts.

These are said to include a $650,000 contract with SecureWorks to investigate and mitigate the initial damage caused by the attack, and two other contracts worth $1m with private companies to help with the city’s IT and court systems.

The city’s law department also signed a $600,000 contract with business consultants Ernst & Young, and Edelman PR's expertise was also sought for a hefty fee.

The revelations highlight the need for organizations to have effective and regularly tested incident responses plans in place. Being caught unprepared can lead to excessive unplanned expenditure down the road, as the City of Atlanta has found out the hard way.

Ilia Kolochenko, CEO of web security company, High-Tech Bridge, argued controversially that in this case it may have been a better move to pay the ransom.

“Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable,” he added.

“Of course, when evaluating the possible avenues of ransomware responses, one should take into consideration all relevant factors and circumstances. However, in some cases, paying a ransom - is the best scenario for a company and its economic interests.”

However, most experts will advise against paying up, especially as it only emboldens the black hats and may still not result in being able to regain access to corporate data.

A Trend Micro poll found that one in five UK organizations that paid up did not receive a decryption key.

Categories: Cyber Risk News

#RSAC: Infosecurity ‘Solutions’ Are Becoming the Problem

Info Security - Fri, 04/20/2018 - 00:50
#RSAC: Infosecurity ‘Solutions’ Are Becoming the Problem
Categories: Cyber Risk News

#RSAC: Panel Discussion on the Role of Machine Learning & AI in Cyber

Info Security - Thu, 04/19/2018 - 18:33
#RSAC: Panel Discussion on the Role of Machine Learning & AI in Cyber

A panel of industry experts gathered at RSA 2018 in San Francisco to explore the role that machine learning and artificial intelligence is playing in the current cyber landscape.

Moderator: Ira Winkler, president, Secure Mentem

Oliver Friedrichs, founder and CEO, Phantom
Dustin Hillard, CTO, Versive
Dr Ramesh Sepehrrad, VP of technology and business resiliency risk, Freddie Mac

After opening the discussion by asking the panel to each give their own definition of what machine learning is, Ira asked the speakers to define what types of applications are most appropriate for the use of machine learning and AI.

Hillard: The places where it is most mature is around speech and image processing, and also around fraud detection. “The technology should be an enabler to solving a problem but sometimes it gets lost in what’s being accomplished.”

Friedrichs: Most people have woken up to the fact that machine learning and AI are not the panacea that marketing tells us they are, but they can add to the feature set of a product. Particularly recently we are seeing it used for “augmenting our decision-making, being able to augment [data] to increase capacity.”

Ira then asked the panel about the potential social implications of the use of machine learning and AI, and whether there are issues that arise in that regard.

Sepehrrad: “I’m very worried that it’s the technology defining the user experience, and not the user defining the technology. These are the things we have to think about as technologists – this is not an innovation challenge, it’s not just a cool idea that’s going to make money; this is something that’s going to have generational impact beyond us.”

Moving the discussion on, Ira asked about scenarios in which machine learning and AI can be targeted and manipulated for malicious gain.

Friedrichs: There’s a whole domain called adversarial machine learning, which involves attacking “a machine learning algorithm to trick it into doing something different.” In terms of security, attackers “will attack these algorithms by either getting passed them or causing them to train on things that eventually allow them to evade and create evasion scenarios.”

Is there the possibility of a ‘Skynet-like’ future, Ira asked, in which machine learning might become autonomous in bad ways that we do not want.

Friedrichs: Algorithms can definitely fight other algorithms – “it’s entirely conceivable.”

Hillard: “There are some mirco examples of how an algorithm can go off the rails and how, without enough controls and transparency,” things can go wrong. “If an algorithm is left unattended it can go down a path that was not perceived by the original designer of it.”

Sepehrrad: “I’d want to take a step back and ask whose finger is on the keyboard. We have to think through what the problem we are trying to solve is, and you really have to think through what the motivation is, the potential goal and the drive to achieve that goal.”

To conclude, Ira asked whether there are things that machine learning and AI should not be used for.

Hillard: It should never be used in any place in which it “increases complexity without improving the outcome.”

Categories: Cyber Risk News

Still No. 1: Survey Says Cybersecurity Remains Top Concern for Risk Managers

Info Security - Thu, 04/19/2018 - 17:28
Still No. 1: Survey Says Cybersecurity Remains Top Concern for Risk Managers

For three years running, cybersecurity has remained the top threat to businesses across multiple categories, including infrastructure, geopolitical and emerging risks. That’s according to the 11th Annual Survey of Emerging Risks, conducted by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries' Joint Risk Management Section.

More than 200 risk managers, primarily based in North America, participated in the anonymous online survey, which revealed a key finding: Cyber continues to be a top current and emerging concern for 53% of respondents, followed by terrorism and technology.

Technology, the number three on the respondent’s top five list, saw a 3% increase in 2017. As innovation continues to change the threat landscape, technology risks continue to move up the rankings.

Cybersecurity in the interconnectedness of infrastructure ranked the number one emerging risk, while financial volatility fell out of the list of top five concerns. Cybersecurity risks around connected infrastructure have ranked as the top emerging risk since 2014, with financial volatility ranking second place, but for the first time the emerging threat of terrorism ranked second, knocking financial volatility out of the top five.

The survey also revealed that 42% of risk managers project good or strong global economic expectations for 2018, which is the highest ever recorded for this survey. Still, risks associated with natural disasters doubled in the aftermath of a tumultuous hurricane season and a heated political arena in the US.

Additionally, the category of geopolitical risks related to weapons of mass destruction, regional instability, and transnational crime and corruption ranked higher in 2017 than in years prior. The survey authors speculated that these results might have been impacted by the US election cycle.

The sentiment around cybersecurity risk is widespread, as evidenced in other reports released earlier this year. The World Economic Forum’s Global Risks Report 2018, released in January, placed cyber-attacks and massive data fraud among the year’s top five risks. In February, Microsoft's By the Numbers: Global Cyber Risk Perception Survey revealed that 56% of the more than 1,300 respondents said they would rank cyber risks as a top-five concern.

Each report reveals a growing consensus among risk managers that with a cyber-attack comes the risk of business interruption and damage to brand or reputation along with the potential of a data breach. 

Categories: Cyber Risk News

#RSAC: Reschma Saujani: We Can End Cyber Gender Imparity in a Decade

Info Security - Thu, 04/19/2018 - 17:05
#RSAC: Reschma Saujani: We Can End Cyber Gender Imparity in a Decade

Speaking at RSA 2018 in San Francisco Reshma Saujani, founder of Girls Who Code, said that she believes “the solution to the current tech talent deficit is women,” and that the industry has the potential to solve gender imparity in cyber within the next 10 years.

However, that will not be achieved without challenges, and there are changes that need to be made in our culture and policies to do so.

Saujani explained that for too long cyber and the tech industry has been presented to girls as an attractive career choice and something only suitable for males, and that we need to start showcasing the industry in the same way as the medical or law professions – both made up of at least 50% of women. 

“We’re turning girls off by the images that we’re showing them,” she argued. “We teach girls to be perfect, and we teach boys to be brave,” but if we want more girls to go into cyber, we have to change that, as coding is a skill that “teaches failure, over and over again. It teaches you how to be brave.”

The positive though is that, because the tech talent deficit problem is currently so bad, we can make a “big impact quickly,” and the important thing to remember is that it’s not simply about solving gender imbalance for parity’s sake, it’s about “giving girls the skills to code so that they can make a difference – because girls are change makers.”

“We have to change our culture,” Saujani said. “Culture matters, I really believe that culture can help change this and we can make that difference.” We also need to make changes in our policies, she added, and whether it’s in a classroom or in a company we have to “continue to track how we are doing in terms of race and gender – we can do better.”

“I am so proud [of what Girls Who Code has achieved] but we need more – we need more support, we need to teach more girls, we need more facilitators, more advocates and more male allies. I believe there has never been a better time to be a women, and there’s never been a better time to be a male advocate. We’re living in a really, really important time, and this is a problem that we can solve.”

Categories: Cyber Risk News

More Than 1.5 Billion Facebook Users Moved Beyond the Long Arm of GDPR

Info Security - Thu, 04/19/2018 - 16:48
More Than 1.5 Billion Facebook Users Moved Beyond the Long Arm of GDPR

More than 1.5 billion Facebook users will be beyond the long arm of the General Data Protection Regulations (GDPR), allowing Facebook to evade the soon-to-be-enforced data protection rules.

Though the current terms of service for Facebook’s more than 2 billion users are governed under Irish law, Reuters reports that more than 70% of those users will soon be on a site that is instead under the authority of the data collection and privacy regulations in the US. The shift lets Facebook go on unaffected by the EU’s new data protection laws. As of next month, the service agreements for users outside the US, Canada and the EU will shift to a site regulated by the social network’s main offices in California rather than its international headquarters in Ireland.

That doesn’t completely absolve the social network giant from adhering to the GDPR regulations, though. Given that nearly 30% of its users are within the European Union, Facebook may still be subject to fines of up to 4% of its global annual revenue for failing to properly collect and obtain permission to use the personal data of its EU users.

However, changes to their terms and conditions will mean that more than 1.5 billion Facebook users across the globe, from the US to Asia and Africa, won’t fall under the protections of GDPR, which eliminates the burden of financial responsibility should Facebook improperly handle the data of the vast majority of its users. 

The looming deadline of GDPR has many companies scrambling to prevent paying the hefty fines of failing to comply, and Facebook is not alone in its efforts to evade the financial consequences of any infractions. But Facebook’s recent Cambridge Analytica scandal and Mark Zuckerberg’s congress hearing have brought unwanted attention to the company’s privacy controls. 

Zuckerberg was smart when he testified before Congress saying that all Facebook users deserve good privacy controls. Taking great care in his word choice, he avoided promising GDPR protections and instead talked about privacy controls.

Moving users from Facebook Ireland allows Facebook some leniency in applying universal privacy protections. While Facebook publicly claims to adhere to the "spirit" of GDPR, this behind-the-scenes move does call into question the legitimacy of Zuckerberg’s guarantee that Facebook would work to enhance – rather than reduce – its privacy protections.

Categories: Cyber Risk News

New iOS Vulnerability Lets Attackers Hack iPhone, iPad

Info Security - Thu, 04/19/2018 - 16:27
New iOS Vulnerability Lets Attackers Hack iPhone, iPad

Syncing iTunes across devices via Wi-Fi is popular and convenient, but newly discovered attack scenarios could put iOS devices at risk. Symantec researchers discovered a flaw that if exploited would allow attackers to compromise devices.

Named “Trustjacking,” the flaw exploits the trust of victims. The attackers leverage the trust that users have in the security of their own devices in order to take control of the device. Rooted in the design of the “iTunes Wi-Fi sync,” the flaw creates a security issue once a device is connected and the sync feature is selected. After the sync feature is turned on, there’s potential for a hacker to take complete control over the device, according to Symantec researcher Roy Iarchy, head of research and modern OS security, who presented the vulnerability at RSA 2018.

When the setting is enabled, the computer owner has access to a paired iPhone over a Wi-Fi connection even after the device is disconnected, and that's where some social engineering comes into play. For the attacker ti gain access, the device owner first has to click on a malicious link – usually a pop-up message – which then delivers the malware that infects the workstation.

But it’s not only connecting to a work space that puts the device at risk. Symantec described an additional scenario common to many on-the-go users. An unassuming victim might need a battery boost while traveling, so they plug their phone into a free charger at an airport. Once the device is connected to a malicious charger, the user has to agree to trust the computer, which enables the attacker to turn on the Wi-Fi sync feature.

According to Symantec, when a user agrees to trust the computer, they grant permission for the malicious charger, workstation or laptop to communicate with the connected device. Then the attacker only needs to execute two steps: allow the device to connect to iTunes and then enable iTunes Wi-Fi sync, which can be automated through malware.

No additional approvals are required. Once communication is established through the iTunes application programming interface (APIs), the device doesn’t even need to remain connected for the attacker to leverage many features, allowing them remote access to the user’s private information.

Similar vulnerabilities, such as juice jacking and video jacking, have been disclosed on smartphones and earlier versions of iOS, but trustjacking is different in that it grants the attacker permanent access to the device and lets them retain the same abilities long after the device has been disconnected.

Categories: Cyber Risk News

#RSAC: Culture of Online Humiliation & Bullying Has to Stop, Says Monica Lewinsky

Info Security - Thu, 04/19/2018 - 16:15
#RSAC: Culture of Online Humiliation & Bullying Has to Stop, Says Monica Lewinsky

“A breach in data protection goes hand in hand with an invasion of privacy.”

These were the words of social activist, writer and public speaker Monica Lewinsky, who spoke at RSA 2018 in San Francisco, reflecting on her own experiences of online public shaming and assessed the current online culture of humiliation.

Lewinsky harked back to 1998, and said that “we had no way of knowing then where the brave new technology called the internet would take us.”

Since then, she added, it has connected people in unimaginable ways – joining lost siblings, saving lives, even launching revolutions. However, it has also given rise to “darkness, cyber-bullying and slut-shaming.”

Lewinsky argued that everyday online people are so publically-humiliated for various reasons that they “can’t imagine living to the next day, and some tragically don’t. There’s nothing virtual about that,” she said.

“Online we’ve seen a shift in the power of humiliation and invasion of privacy given the breadth of the internet’s reach. Online, technologically enhanced-shaming is amplified, uncontained and permanently accessible.”

The possible echo of embarrassment – that once would only extend as far as our families, school or community – has now grown to the online community too, Lewinsky explained.

“There is a very public price to public humiliation,” she said, “and the growth of the internet has jacked-up that price. For nearly two decades we have been sowing the seeds of shame and public humiliation in our cultural soil, both online and offline”

Lewinsky said that public humiliation online has become an industry, and we are in a dangerous cycle because the more we click on online gossip the more numb we become to the human lives behind it. “With every click, we make a choice,” she argued.

“The more we saturate our culture with public shaming the more accepted it becomes, and the more we’re going to see behavior like cyber-bullying, trolling, online harassment and some forms of hacking – because they all have humiliation at their cores.”

Lewinsky said that changing this behavior begins with changing our beliefs. “We need a cultural revolution, and public shaming as a blood sport has to stop. It’s time for an intervention on the internet and in our culture.”

We need to return to a value of compassion and empathy, she added, as online we have a compassion deficit and empathy crisis. Online, we need to become up-standers – which is to support someone with a positive comment, or step in to report a bully situation.

“We need to talk more about our responsibility to freedom of expression – we all want to be heard, but let’s acknowledge the difference between speaking up with intention and speaking up for attention. We need to communicate online with compassion, consume news with compassion and click with compassion, and we can together make a society where the sometimes distancing effect of technology doesn’t remove our fundamental humanity.” 

Categories: Cyber Risk News

Oracle CPU Fixes 254 Flaws this Quarter

Info Security - Thu, 04/19/2018 - 10:27
Oracle CPU Fixes 254 Flaws this Quarter

Oracle has released its latest quarterly security update which this time fixes a significant 254 vulnerabilities, the most since July 2017.

The April 2018 Critical Patch Update (CPU) will keep system administrators busy with 153 vulnerabilities in business-critical applications alone.

Oracle Fusion Middleware is the most affected family with 39 vulnerabilities, followed by Financial Services Applications (36) and MySQL (33).

According to analyst ERPScan, 30 of the Fusion Middleware bugs can be exploited over a network without even needing to enter user credentials, making them critical to patch.

In total, there are 42 critical vulnerabilities in this CPU with CVSS base score 9-10. They go up to several vulnerabilities with CVSS scores of 9.8 in Oracle’s products including Fusion Middleware, Financial Services, PeopleSoft, EBS, and Retail Applications.

Of these, CVE-2018-7489 is a flaw in the Oracle Financial Services Market Risk Measurement and Management component of Oracle Financial Services Applications which could allow an unauthenticated attacker with network access via HTTP to hijack the product.

CVE-2018-7489 is an easily exploited vulnerability in the Oracle Financial Services Hedge Management and IFRS Valuations component of Oracle Financial Services Applications which allows an unauthenticated attacker to do the same as above.

CVE-2018-2628 allows an unauthenticated attacker with network access via T3 to compromise a Oracle WebLogic Server, while CVE-2017-5645 could allow a hacker to remotely take over JD Edwards World Security.

CVE-2017-5645 allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Retail Order Management System.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the tech giant claimed. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

The update follows last quarter’s CPU which fixed products affected by one of the recently disclosed Spectre processor vulnerabilities.

Categories: Cyber Risk News

Security Pros Claim Biggest DDoS Threat is to Customer Trust

Info Security - Thu, 04/19/2018 - 09:33
Security Pros Claim Biggest DDoS Threat is to Customer Trust

DDoS attacks cost businesses $50,000 per attack but lost revenue is not the most damaging impact, according to new research from Corero Network Security.

The vendor polled over 320 cybersecurity professionals from a variety of sectors including financial services, cloud, government, and online gaming.

The vast majority said a single attack could lead to $50,000 worth of lost business, plus the cost of mitigating the attack itself and lost productivity.

Over two-thirds (69%) claimed they experience the equivalent of one attack every day, or 20-50 per month.

Interestingly, the immediate financial impact was not ranked as the most damaging effect of DDoS. Respondents were most concerned about loss of customer trust (78%) followed by IP theft, and then the threat of malware infection, with lost revenue down in fourth place.

“Not all DDoS attacks will cost an organisation $50,000, but having your website taken offline can damage customer trust and confidence,” argued Corero Network Security CEO, Ashley Stephenson.

“It will also impact the ability of sales teams to acquire new customers in increasingly competitive markets. These attacks cause lasting damage to a company’s reputation and could have negative consequences for customer loyalty, churn and corporate profits.”

A majority (85%) also claimed that DDoS attacks are used to distract the IT team while attackers attempt to steal data, while 71% said that attacks in the past have demanded they pay a ransom to call off.

Attacks are a greater concern than they have been in the past, primarily because of the volume of unsecured IoT devices around, according to 83% of respondents.

In January, researchers spotted a new Mirai variant targeting ARC processors said to be shipped in 1.5bn devices per year.

Earlier this month, another Mirai-like botnet, IoTrooper, was spotted launching DDoS attacks against several financial services firms in what was believed to be the first such campaign of its type since Mirai.

Categories: Cyber Risk News