Cyber Risk News

7,900 Vulnerabilities Didn't Make It into the CVE Database in 2017

Info Security - Fri, 02/16/2018 - 20:58

Last year broke the previous all-time record for the highest number of reported vulnerabilities, with 20,832 of them cataloged.

According to an analysis of its own VulnDB, Risk Based Security discovered that 7,900 flew under the radar and weren’t reported to MITRE’s Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).

“Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures,” said Brian Martin, vice president of vulnerability intelligence for Risk Based Security. He added, “Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government-funded organization falling short year after year. While some argue that the CVE/NVD solution is ‘good enough,’ that simply isn’t the case. Just look at the number of web and computer hacking data breaches reported on a regular basis. In addition to a false sense of security, the ‘good enough’ mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case either.”

In addition, of the more than 18,000 CVE IDs that were assigned or allotted to CVE Numbering Authorities (CNAs), almost 7,000 were in reserved status, despite 1,342 of them having a public disclosure.

About 39.3% of reported vulnerabilities received Common Vulnerability Scoring System (CVSS) scores above 7.0. This means that not only has the number of vulnerabilities been increasing but also that the CVSS scores have been trending higher over the last five years. In 2017, web-related issues accounted for over 50% of all vulnerabilities disclosed, 31.5% had public exploits, and 24.1% had no solution at the time of the report.

The VulnDB QuickView report also revealed that while relationships between researchers and vendors can at times appear strained, the two sides are continuing to work together. The share of vulnerabilities disclosed in coordination with vendors was relatively consistent at 44.8%, compared to 45.6% in 2016.

“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern,” said Carsten Eiram, chief research officer, Risk Based Security. “Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process. The ability to properly use vulnerability data to help with the decision making process is important and we have ensured this is built into our VulnDB solution.”

Categories: Cyber Risk News

Spam Ticked Downward in 2017, but Phishing Was Up

Info Security - Fri, 02/16/2018 - 20:55

The spam and phishing scene last year was a mixed bag: The average amount of spam in 2017 decreased to 56.63%, which is 1.68% less than in 2016. However, the number of phishing attacks increased – the Kaspersky Lab anti-phishing system was triggered 246 million times on the computers of Kaspersky Lab users, which is 59% higher than in 2016.

According to Kaspersky Lab’s Spam and Phishing in 2017 report, spammers have shown themselves to be thoughtful actors, instantly monitoring global issues and major events worldwide with one main purpose: to capture and capitalize on their victim’s attention. These cybercriminals have been following a global agenda by using hot topics such as the FIFA World Cup and Bitcoin to fool users and steal their money or personal information in the last 12 months.

For instance, while the world was intensively preparing for the World Cup last year, spammers were actively spreading related emails, sending victims fraudulent messages with official logos of the event, including organizers and sponsor brand information, notifying users about lottery wins and even promising free tickets.

Another hot spam and phishing topic in 2017 was cryptocurrency – as Bitcoin’s price drastically increased. Kaspersky Lab researchers had previously recorded a growth in blockchain-themed tricks in the third quarter of 2017. For instance, criminals have been using tricks such as websites disguised as cryptocurrency exchanges or fake services offering cloud mining (e.g., the use of specialized data centers for rent). But in all cases, users became victims, losing money instead of earning any profit.

In more traditional fraud schemes, such as fake lottery winnings, criminals have also started to use Bitcoin as bait. In addition to targeted address databases advertised through spam, databases with emails for cryptocurrency users have also been offered for purchase, promising great opportunities.

Moreover, criminals have distributed different types of malware in spam emails, under the guise of utilities for earning Bitcoins or instructions for cryptocurrency trading. Notably, however, CryptoLocker, whose creators demanded a Bitcoin ransom, was detected in spam emails less often than in the previous year.

“In 2017 we saw a slight decrease in spam activities, but throughout the year, spammers haven’t missed any reason to steal users’ personal information, keeping their eyes on what’s happening in the world. As sports events such as the upcoming FIFA World Cup and others take place, their activity will only increase,” said Darya Gudkova, spam analyst expert, Kaspersky Lab. “Moreover, in 2018 we expect further development and growth of cryptocurrency-related spam and phishing, with more cryptocurrency diversity besides Bitcoin, which was widely used in the previous year, and with 'pump and dump' schemes.”

The most popular source of spam was the US (13.21%), followed by China (11.25%) and Vietnam (9.85%). Others in the top 10 include India, Germany, Russia, Brazil, France and Italy. Also, the country most targeted by malicious mailshots was Germany (16.25%), showing a slight increase (2.12%) compared to 2016. Others in the top 10 include China, Russia, Japan, UK, Italy, Brazil, Vietnam, France and UAE. However, the largest percentage of users affected by phishing was in Brazil (29.02%). Overall, 15.9% of unique users of Kaspersky Lab products worldwide were attacked by phishing during the year.

Categories: Cyber Risk News

Siemens, Airbus and Others Ink Charter on Critical Infrastructure, IoT

Info Security - Fri, 02/16/2018 - 20:44

A group of nine industrial giants have signed a charter on cybersecurity, focused on developing binding rules and standards around critical infrastructure and the internet of things (IoT).

Siemens, Airbus, Allianz, Daimler Group, IBM, the Munich Security Conference, NXP, SGS and Deutsche Telekom have signed the Charter of Trust. The group outlines 10 action areas, and it has agreed to pioneer independent certification for infrastructure. It’s also calling for dedicated government ministries and CISOs to be put in place.

“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens president and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”

The initiative calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a CISO at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – especially where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.

“Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyber-space. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.”

Wolfgang Ischinger, chairman of the Munich Security Conference, added: “Governments must take a leadership role when it comes to the transaction rules in cyberspace. But the companies that are in the forefront of envisioning and designing the future of cyber-space must develop and implement the standards. That’s why the charter is so important. Together with our partners, we want to advance the topic and help define its content.”

Categories: Cyber Risk News

Children's digital health records in England – the new standard

Outlaw.com - Fri, 02/16/2018 - 12:45
ANALYSIS: The creation of a standardised digital health record for every child in England should ensure that in future children receive better, more consistent and coordinated health care in a way that is transparent to parents and guardians. However, if this initiative is to be a success, it is vital that privacy risks are effectively managed.
Categories: Cyber Risk News

AV Evasion Mastermind Gets Two Years

Info Security - Fri, 02/16/2018 - 11:34

An Essex man has been given two years in jail for running a website which allowed would-be hackers to test whether their malware could bypass AV filters.

Goncalo Esteves, of Cape Close, Colchester, operated the reFUD.me site which charged visitors to test their tools against anti-malware scanners.

Using the pseudonym 'KillaMuvz', he also sold custom-made malware-disguising products and offered technical support to users.

These products are known as 'crypters' — tools which can be used by black hats to help evade AV.

Esteves sold his Cryptex Lite product for $7.99/month, while a lifetime license for Cryptex Reborn cost $90. He also provided support via a dedicated Skype account and accepted payment in conventional currency, Bitcoin or even Amazon vouchers.

His PayPal account alone netted him £32,000 between 2011 and 2015, although the amount received in Bitcoin and Amazon vouchers is unknown.

“Esteves helped hackers to sharpen their knives before going after their victims. His clients were most likely preparing to target businesses and ordinary people with fraud and extortion attempts,” argued Mike Hulett, head of operations at the National Crime Agency’s National Cyber Crime Unit (NCA NCCU).

“He made a fair bit of money, but he’d probably have made much more, and certainly for longer, if he’d pursued a legitimate career in cybersecurity.”

The NCA also thanked Trend Micro, which helped conduct a joint operation with the agency to catch Esteves.

This came after the two parties signed an MoU in 2015 formalizing their co-operation in the form of a ‘virtual team’ comprising members of the NCCU and Trend Micro’s Forward Looking Threat Research team (FTR).

Esteves was sentenced at Blackfriars Crown Court in relation to two charges under the Computer Misuse Act.

Categories: Cyber Risk News

Malware Spikes Coincided with 2017 Geopolitical Incidents

Info Security - Fri, 02/16/2018 - 11:06

A new report has linked outbreaks of malware activity to geopolitical events and tensions.

Comodo Threat Research Labs’ Global Malware Report 2017 was compiled by former NSA analyst Kenneth Geers and draws on the company’s malware monitoring capabilities in over 190 countries worldwide, including North Korea.

The top three categories of malware discovered over the past year were: trojans (41%), applications exhibiting malicious, unsafe, or undesirable behavior (24%) and backdoors (10%).

Russia hosted the highest number of trojans (9%), backdoors (19%) and worms (19%), whilst the US had the highest volume of malicious applications (3%), as well as viruses (9%) and malware packers (2%).

However, the real interest came in the correlation between geopolitical events and malware spikes around the world.

In the US on October 24 last year, Comodo spotted a large jump in Kryptik trojan detections, numbering almost 300,000. The vast majority (94%) were located in Virginia, which was at the time the scene of a close-fought gubernatorial election.

On the global stage, Comodo observed a spike of 20,000 viruses during Chinese president Xi Jinping’s visit to Mar-a-Lago and North Korean missile tests. Trojan attacks numbering over 30,000 were launched in early-mid May during heightened North Korea/China tensions and the Silk Road summit in Beijing.

Also, 40,000 trojans were spotted after a US/China naval spat in the South China Sea on August 8 and on September 2 during a North Korea nuclear test.

Trojan activity inside North Korea also spiked on September 19, when President Trump threatened at the UN to “totally destroy” the country.

In fact, malware was not limited to trojans, as Comodo explained:

"In-depth Comodo analysis of all of these malware detections suggests that North Korean network administrators are attempting to protect computer systems running unlicensed copies of Windows 7, using a variety of means including the use of remote access tools to monitor user activity and by trying to bypass Windows User Account Control (UAC)."

The good news is that detection rates for trojans, worms, unsafe applications and malware packers are down, whilst those for applications, unwanted applications and viruses are holding steady.

However, enterprises should be aware that backdoors are on the rise in 2018, the report warned.

Categories: Cyber Risk News

WikiLeaks Chat Reportedly Reveals GOP Bias

Info Security - Fri, 02/16/2018 - 10:03

Leaked conversations from a private WikiLeaks chat group reportedly reveal founder Julian Assange as favoring a Republican Party candidate in the last US presidential election.

Rumors have been swirling for some time that the whistleblowing site in some way colluded with Russia over the leaking of hacked Democratic Party emails during the race for the White House.

Special counsel Robert Mueller is also investigating possible collusion between the Trump campaign and Russian intelligence, which is said by the CIA, NSA and others to have leaked the damaging emails under the “Guccifer 2.0” moniker.

Hillary Clinton has described the efforts of “Russian WikiLeaks” as contributing to her election loss.

The leaked transcripts from the direct message group chat would seem to support her suspicions.

“We believe it would be much better for GOP to win,” Assange is reported to have written. “[Clinton]’s a bright, well connected, sadistic sociopath.”

The private group chat with several WikiLeaks supporters was leaked to The Intercept by the person who originally set it up in 2015, someone who goes by the pseudonym 'Hazelpress'.

That person is said to have decided to go public after reports were published claiming that Donald Trump Jr had secretly contacted the site ahead of the election, during which correspondence he was advised to tell his father to reject the results as rigged if he lost and to ask if he could get Assange an Australian ambassadorship.

WikiLeaks claims to be a neutral transparency organization.

The leaked transcripts also reveal an underlying current of misogyny and anti-Semitism.

There's no direct evidence that Assange penned the WikiLeaks entries in the chat log, although as founder he’s widely believed to be in control of the site’s Twitter feed.

He’s currently holed up in the Ecuadorian embassy in London, where he’s been hiding from the police since 2012.

Categories: Cyber Risk News

FedEx S3 Bucket Exposes Private Details on Thousands Worldwide

Info Security - Thu, 02/15/2018 - 21:13

Personal information for thousands of FedEx customers worldwide has been exposed after a legacy Amazon Web Services (AWS) cloud storage server was left open to public access without a password.

Kromtech Security Center researchers stumbled upon the AWS S3 bucket, finding that it contained more than 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes.

The victims include citizens of countries around the globe, including Australia, Canada, China, EU countries, Japan, Kuwait, Malaysia, Mexico, Saudi Arabia and others.

The server turned out to be an inherited one, with information from Bongo International – a company that FedEx bought in 2014. Bob Diachenko, head of communications at Kromtech, noted that the shipping giant relaunched Bongo in 2016 as FedEx Cross Border International, to enable international shipping delivery and logistics. That service was closed down last April, but the bucket remained exposed.

"Technically, anybody who used Bongo International services back in 2009–2012 is at risk of having his/her documents scanned and available online for so many years,” Diachenko said. “Seems like [the] bucket has been available for public access for many years in a row. Applications are dated within [the] 2009–2012 range, and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014."

FedEx has now removed the server from public access and issued a statement saying that there’s no evidence that the data fell into nefarious hands.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx told ZDnet. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”

Tim Prendergast, CEO of Evident.io, noted that nonetheless, it’s a fact that hackers are actively searching for these kinds of misconfigurations.

“Hackers are going after S3 buckets and other repositories because that's where the data is but also because they're easy to find,” he said via email. “There's a whole hacker cottage industry around finding and exploiting S3 buckets, and it's growing because as cloud environments grow, so do the number of unsecured assets that are discoverable.”

The incident shows once again that many companies aren’t following best practices when it comes to securing their cloud infrastructure, and many seem confused about whose responsibility it is to provide that security.

“The incident, echoing others we’ve seen time and time again…raises the larger issue that many organizations have not yet fully grasped the idea that most public cloud providers are not managing their data – but are just providing a platform or infrastructure, so the management protection of data is left up to the companies themselves,” Obsidian Security CTO Ben Johnson said via email. “It’s critical that enterprises understand the risks of the cloud – that availability and uptime also mean that their data can be easily accessed unless they have the right controls in place.”

Brian NeSmith, CEO and co-founder at Arctic Wolf Networks, added: “We need to get our heads out of the clouds, because cloud services are only as secure as you make them. Companies need to start applying the same rigor and discipline to their cloud infrastructure as they do to their on-premises network.”

The incident also showcases the need to implement good security practices after a merger or acquisition.

“During any M&A transaction it is important that the company who is selling their assets notify their customers that the business is going to be sold and their private data will be transferred to new ownership,” Kromtech’s Diachenko said. “The purchasing company should give customers the option to opt out of their data being transferred and provide a data protection notice. This case highlights just how important it is to audit the digital assets when a company acquires another and to ensure that customer data is secured and properly stored before, during and after the sale. During the integration or migration phase is usually the best time to identify any security and data privacy risks.”

Categories: Cyber Risk News

Two Billion Files Leaked in US Data Breaches in 2017

Info Security - Thu, 02/15/2018 - 20:53

Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.

In 2017, a total of 551 breaches affected organizations, with over 1.9 billion files leaked, according to research from Citrix ShareFile.

Using data collected from the Privacy Rights Clearinghouse and the 2017 Cost of Data Breach Study by the Ponemon Institute, in partnership with IBM Security, the analysis found that malicious hacking was the most common type of breach in 2017, with 819 million files exposed. Unintended disclosure (such as cloud storage misconfigurations) and physical loss were found to be the second and third most common data leakage causes.

These numbers mean that 2017 was unprecedented and far more severely impacted than previous years, but the concerning thing is that these figures don’t include data from companies that have either not disclosed the number of files affected or did not have access to that information.

Breaking down the results, the most targeted and vulnerable industry was healthcare, which recorded 328 leaks (nearly 60% of all leaks in 2017), at an estimated cost of almost $1.2 billion. Of these, 46% came through hacking or malware, 33% were a result of unintended disclosure, 18% came from physical loss, and a combined 4% came from insider leaks and portable devices. The Commonwealth Health Organization suffered the largest breach in healthcare in 2017, with 697,800 records reported to be compromised.

According to Citrix ShareFile, healthcare was targeted because personal data such as Social Security numbers and payment information is among the highest valued information for cybercriminals.

Other industries that were disproportionately affected by breaches include the technology sector (48 breaches, amounting to 1.8 billion files and an estimated cost of $1.2 billion), finance (40 breaches and 146 million records, at an estimated cost of $144.8 million) and retail (40 breaches representing 4.7 million records at an estimated cost of $144,800).

In the report, Charlie Porter, an agent at Farmers Insurance, explained that 2017 was “the worst in history for large-scale data breaches,” adding that the “effects of the incidents could take years or decades to deal with.”

“These figures show that despite organizations and individuals being more vigilant, businesses are facing more challenges than ever before as individuals exploit any possible vulnerability they can,” said Allyson Kuegel, customer security assurance analyst at Citrix. “In the technological era, people are more willing than ever to supply data, whether it is on personal social media accounts or through transactions they make. It is not just online, where companies face potential problems but also in ensuring their own organizations invest in the latest software and have effective internal protocols.”

She added, “The battle against cybercrime and data breaches will continue for a long time as hackers look to keep one step ahead of the latest security services.”

Categories: Cyber Risk News

Hack the Air Force 2.0 Flies High with $12.5K Payout

Info Security - Thu, 02/15/2018 - 20:15

The results of the Pentagon’s Hack the Air Force 2.0 bug-bounty initiative are in: White hats received $103,883 in payouts and reported 106 vulnerabilities within 20 days.

The Air Force also awarded hackers the highest single bounty of any federal program to date: $12,500.

Hack the Air Force 2.0 invited trusted hackers from all over the world to participate in its second bug bounty challenge in less than a year. The challenge was the most inclusive government program to date, with 26 countries invited to participate. Twenty-seven hackers from the US, Canada, UK, Sweden, Netherlands, Belgium and Latvia participated.

On December 9, the first day of the challenge, 24 hackers met in New York City and participated in a live hacking event, the first ever to include federal government participation. Department of Defense and Air Force personnel were on site and worked alongside the hackers to simultaneously report security flaws and remediate them in real time. Together, they collaborated to find 55 of the 106 total vulnerabilities in nine hours.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen cyber-defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

Hack the Air Force 2.0 is part of the US Department of Defense’s Hack the Pentagon crowd-sourced security initiative. Since the program kicked off in 2016, more than 3,000 vulnerabilities have been resolved in US federal government systems. The first Hack the Air Force bug bounty challenge (earlier in 2017) resulted in 207 valid reports, and hackers earned more than $130,000 for their contributions; until this most recent challenge, it had paid the highest single reward of any public government program. In May 2016, Hack the Pentagon resulted in 138 valid vulnerabilities resolved and tens of thousands of dollars paid to ethical hackers for their efforts; in December 2016 Hack the Army surfaced 118 valid vulnerabilities and paid out $100,000.

Categories: Cyber Risk News

Auctions for 4G and 5G spectrum imminent following Court of Appeal ruling

Outlaw.com - Thu, 02/15/2018 - 15:15
Formal bidding for spectrum identified as central to '4G' and future '5G' services in the UK is set to commence after the Court of Appeal rejected a legal challenge against the rules set for the auction.
Categories: Cyber Risk News

Intel Offers Up to $250K for Side Channel Flaws

Info Security - Thu, 02/15/2018 - 10:30

Intel has opened up its bug bounty program to all-comers for the first time, adding a new program focused on side channel vulnerabilities in the wake of the Spectre and Meltdown discoveries.

The chip giant has come in for much criticism over the past month after three serious side channel vulnerabilities were found to affect its and other vendors’ products.

The new bug bounty program will offer up to $250,000 for similar vulnerabilities, with a maximum $100,000 available in other categories.

Intel has also changed tack on who it allows to contribute, shifting the program from an invitation-only affair to one which is open to all security researchers.

The firm is presumably hoping that such moves will help it improve the security of its chips and avoid another catastrophic PR and security disaster.

“Coordinated disclosure is widely regarded as the best way to responsibly protect customers from security exploits. It minimizes the risk that exploitable information becomes publicly known before mitigations are available,” said Rick Echevarria, vice president and general manager of the Intel Platforms Security Division.

“Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published. Our bug bounty program supports this objective by creating a process whereby the security research community can inform us, directly and in a timely fashion, about potential exploits that its members discover.”

Intel has been forced to go on something of a charm offensive of late, in order to reassure customers and investors it has security covered.

However, its efforts were somewhat undermined after Microsoft was forced to issue an out-of-band patch at the end of January to fix a buggy Intel update for one of the Spectre flaws which caused “reboot issues” and possible “data loss or corruption” for some customers.

“I'm acutely aware that we have more to do; we've committed to being transparent, keeping our customers and owners apprised of our progress and, through our actions, building trust,” said CEO Brian Krzanich on a recent earnings call.

UK Government: Moscow Responsible for NotPetya

Info Security - Thu, 02/15/2018 - 10:30

The UK government has taken the rare step of attributing a major cyber attack to a foreign administration, claiming the NotPetya ransomware campaign of 2017 was a Russian military effort.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds,” read a statement from Foreign Office cybersecurity minister, Tariq Ahmad.

“The Kremlin has positioned Russia in direct opposition to the West, yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.”

The attack, in June 2017, is thought to have been a sophisticated operation that began by trojanizing an update to the popular Ukrainian accounting software M.E.Doc. Once downloaded by Ukrainian government agencies and critical infrastructure firms, the update spread the infection.

It has been claimed that the ransom element of the malware was simply a cover for what was essentially a destructive attack, designed to encrypt the hard disks of infected machines with no way to unlock them.

It spread via the NSA-developed EternalBlue and EternalRomance exploits but also via other techniques, such as abusing the legitimate administration tools PsExec and WMIC.

Although it was originally intended to target only Ukrainian organizations, multinationals with offices in the country that became infected ended up spreading the malware globally.

Some organizations suffered losses in the hundreds of millions as a result, including shipper Maersk ($300m), FedEx subsidiary TNT ($300m) and UK Nurofen-maker Reckitt Benckiser (£100m).

This isn’t the first time the UK government has publicly named-and-shamed Moscow.

Both Prime Minister Theresa May and National Cyber Security Centre (NCSC) boss Ciaran Martin have called out the Russian government for attacking the UK’s critical infrastructure.

"The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm,” concluded Ahmad’s statement. “We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyber-space.”

Crypto-Experts Slam FBI's Backdoor Encryption Demands

Info Security - Thu, 02/15/2018 - 09:38

A group of world-renowned cryptography experts has backed a senator’s demand that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

Senator Ron Wyden, who sits on the powerful Senate Select Committee on Intelligence, released the letter following a heated committee debate with FBI director Christopher Wray.

The letter is signed by Bruce Schneier, Paul Kocher, Steven Bellovin, and Martin Hellman — who won the 2015 Turing Award for inventing public key cryptography.

“We understand and sympathize with the frustration that law enforcement has to deal with when evidence may exist but cannot be accessed due to security mechanisms. At the same time, our extensive experience with encryption and computer security makes us cognizant how much the details matter: a seemingly minor change in an algorithm or protocol can completely undermine the security aspects of the system,” they write.

“Instead of vague proposals that sound reasonable yet lack details, the FBI needs to present the cryptographic research community with a detailed description of the technology that it would like implemented. That would allow the technology to be analyzed in an open and transparent manner so that its advantages and disadvantages can be weighed.”

Wyden sent a letter to Wray demanding the same on January 25, shortly after the FBI boss made his first speech in the role, in which he repeated previous requests for tech experts to achieve what they say is impossible.

He claimed that the FBI has nearly 7,800 devices it can’t access because of encryption, describing the situation as an “urgent public safety issue.”

Wray and the DoJ are not alone in their calls; British home secretary Amber Rudd has been widely ridiculed in the past for calling for the same, whilst admitting that she doesn’t understand the technology.

She was in the news again this week, after it emerged that there has been significant progress in another anti-terror initiative, involving the automated identification and removal of extremist content via an algorithm developed by London-based ASI Data Science.

Coinhoarder Campaign Nets $50 Million from Bitcoin Phishing

Info Security - Wed, 02/14/2018 - 20:15

Researchers at Cisco have been teaming up with the Ukrainian Cyber Police to track the Coinhoarder campaign, a Bitcoin phishing operation that has been tied to the theft of $50 million worth of the cryptocurrency.

Cisco first observed Coinhoarder in February 2017 in a massive phishing campaign hosted in Ukraine that targeted the popular Bitcoin wallet site blockchain.info. The campaign was unique because adversaries leveraged Google AdWords to poison user search results in order to steal users’ wallets.

Cisco identified an attack pattern in which the threat actors behind the operation would establish a gateway phishing link that would appear in search results among Google ads. When searching for crypto-related keywords, such as "blockchain" or "bitcoin wallet," the spoofed links would appear at the top of search results. When clicked, the link would redirect to a page that served phishing content in the dominant language of the geographic region of the victim's IP address. After initial setup, the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims.

“Crypto-assets have proven to be a new, valuable financial commodity targeted by varying degrees of cybercriminals,” Cisco researchers said in an analysis. “In 2017, we observed phishers advance their tactics by utilizing new attack vectors such as Google Adwords combined with the use of IDNs and rogue SSL certificates to improve their probability of success and generate millions in profit.”

This campaign targeted specific geographic regions, including African countries and other developing nations where banking can be more difficult and local currencies much less stable than the digital asset. Additionally, attackers targeted users in countries whose first language is not English, who may be easier to deceive with spoofed pages.

The group behind Coinhoarder has been actively pilfering Bitcoin wallets since at least 2015, primarily targeting users of online cryptocurrency wallets and exchanges, according to the researchers. Based on the observable exchange activity, Cisco estimates the Coinhoarder group to have netted over $50 million over three years. There were spikes within this: between September and December 2017 alone, the bad actors stole around $10 million. In another run, they made $2 million within a 3.5-week period.

It is important to note that the price of Bitcoin shot up drastically during 2017, starting around $1,000 in January and hitting a high point just under $20,000 in December. As of press time it was trading at $9,000. Those increasing values are a blessing and a curse for the perpetrators.

“While criminals were able to profit from this, it also adds a new level of complexity for criminals to convert their cryptocurrency funds to a fiat currency like US dollars,” the researchers said. “The historic price of Bitcoin during the height of this campaign would have made it very difficult to move these ill-gotten finances easily.”

What is clear from the campaign is that cryptocurrency phishing via Google AdWords can be a lucrative attack on users worldwide.

“Phishers are significantly improving their attack techniques by moving to SSL and employing the use of IDNs to fool victims into handing over their credentials,” researchers noted. “We can expect to see more of these realistic-looking phishes.”

Microsoft Vulnerabilities Accelerate in 2017

Info Security - Wed, 02/14/2018 - 20:11

Microsoft vulnerabilities have more than doubled in the last five years, rising to 685 from 325 in 2013 – a 111% increase. This has not been at a steady rate, however: 2017 saw the highest number of flaws reported in any year to date.

According to the fifth annual Microsoft Vulnerabilities Report from Avecto, the number of critical vulnerabilities has risen by 60% since 2013. Also, despite Windows 10 being widely regarded as the most secure Windows operating system to date, the number of critical vulnerabilities in it alone increased by 132% over a five-year period.

Looking at year-over-year numbers, in total, 587 vulnerabilities were reported across Windows Vista, Windows 7, Windows 8.1/RT 8.1 and Windows 10 operating systems in 2017. Windows 10 flaws rose by a whopping 64% in 2017 compared to the previous year, hitting record highs.

Last year also saw an 89% increase in Microsoft Office vulnerabilities and a 98% increase in Microsoft browser vulnerabilities over 2016 (though this is in part due to the inclusion of Microsoft Edge from 2016 onward).

Overall, 2017 shows the largest year-on-year increase of vulnerabilities by volume, with 685 vulnerabilities reported, compared to 451 in 2016.

The results show that “100% security cannot be guaranteed in the cyber-world,” said Eric Cole, instructor at the SANS Institute. “No matter how many safeguards you put in place, there will always be some risk. Prevention techniques like application whitelisting, removing admin access and adopting the principles of least privilege go a long way toward protecting individual users’ machines and reducing inroads to the network while not severely restricting user functionality.”

And indeed, it was also found that the removal of admin rights could mitigate 80% of all critical Microsoft vulnerabilities reported in 2017, as well as 95% of critical vulnerabilities found in Microsoft browsers and 60% of critical vulnerabilities in Microsoft Office products (Excel, Word, PowerPoint, Visio, Publisher and others).

“Despite the continued rise in vulnerabilities impacting Microsoft software, there are actions that enterprises can take to ensure that they're protected without sacrificing productivity,” said Mark Austin, co-founder and CEO of Avecto. “The challenges organizations face to improve security have not changed, yet many are still unaware that by simply removing admin rights, the risk of so many threats can be mitigated.”

Coinhive Crypto-Miner Now Affecting a Quarter of the World's Organizations

Info Security - Wed, 02/14/2018 - 19:53

Crypto-mining malware has continued to grow globally, with 23% of organizations worldwide affected by the Coinhive variant during January.

That’s according to Check Point’s Global Threat Impact Index, which shows three different variants of crypto-mining code in its top 10 most-prevalent rankings. In addition to Coinhive impacting more than one in five organizations, JSEcoin (a JavaScript miner that can be embedded in websites) was in fifth place and Cryptoloot (which targets PCs) was in ninth.

Coinhive, January's No. 1 most-prevalent malware, performs online mining of the Monero cryptocurrency when a user visits a web page. Implanted JavaScript uses the computational resources of the end user’s machine to mine coins, impacting system performance. While it’s offered as a legitimate service for webmasters looking for a monetization alternative to advertising, criminals often embed it into websites without the site owner knowing, and unscrupulous websites use it without letting site visitors know.

“Over the past three months crypto-mining malware has steadily become an increasing threat to organizations, as criminals have found it to be a lucrative revenue stream,” said Maya Horowitz, threat intelligence group manager at Check Point. “It is particularly challenging to protect against, as it is often hidden in websites, enabling hackers to use unsuspecting victims to tap into the huge CPU resource that many enterprises have available. As such, it is critical that organizations have the solutions in place that protect against these stealthy cyber-attacks.”

In addition to crypto-miners, Check Point researchers also found that 21% of organizations have still failed to deal with machines infected with the Fireball malware. Fireball, which came in at No. 2 in the rankings, manipulates victims’ browsers and turns their default search engines and homepages into fake search engines, which simply redirect the queries to either yahoo.com or google.com to generate ad revenue. It can also be used as a fully functioning malware downloader capable of executing any code on victims’ machines. It was first discovered in May 2017 and severely impacted organizations during the summer of 2017.

The Rig Exploit Kit came in third for January, impacting 17% of organizations. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer.

On the mobile front, Lokibot, an Android banking Trojan, was the most popular malware used to attack organizations’ mobile estates. The code steals information, but it can also turn into ransomware that locks the phone.

Lokibot was followed by the Triada and Hiddad mobile malware families in January. Triada is a modular backdoor for Android that grants superuser privileges to downloaded malware. Hiddad is also Android malware, focused on trojanizing legitimate apps and then releasing them to a third-party store.

Technology companies encouraged to sign UK 'Tech Talent Charter'

Outlaw.com - Wed, 02/14/2018 - 15:39
Major technology companies have been encouraged to sign up to the UK's 'Tech Talent Charter'.

LCIA transparency drive welcomed as anonymised challenge decisions published

Outlaw.com - Wed, 02/14/2018 - 13:56
The recent publication of an online database of anonymised arbitrator challenge decisions by the London Court of International Arbitration (LCIA) is a "significant development in regards to transparency", an expert has said.