Cyber Risk News
Despite the burgeoning IoT market, organizations made limited progress on IoT security in 2018, according to a new report from Gemalto. Though there is evidence of incremental improvements, security measures are being outpaced by the rapid growth of IoT, which is on track to hit 20 billion devices by 2023.
The survey queried 950 IT and business decision-makers with awareness of IoT in their organization in 2018. Of those, only 48% of companies said that they have the ability to detect whether their IoT devices have suffered a breach; however, 90% of respondents believe that security is a major concern for their customers.
According to the report, more than half (54%) of consumers fear that their privacy may be compromised with IoT devices, yet only 14% of the survey participants see protecting customer privacy by securing IoT devices as an ethical responsibility.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO, data protection at Gemalto, in a press release. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
More than a third (38%) of participants said they experience privacy challenges associated with collecting large amounts of IoT data. Still, more organizations have started using passwords to protect IoT devices. While 63% of organizations said they used passwords in 2017, the number of positive responses rose to 66% in 2018.
“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” Hart said. “But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
Another ransomware attack has made headlines with the city of Del Rio, Texas, announcing on January 10, 2019, that the servers at City Hall were disabled, according to a press release.
“The first step in addressing the issue, was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper.”
As has been the alternative method of communication for many organizations that have been impacted by cyber-attacks, Del Rio turned to social media, using Facebook to inform citizens of alternative payment options available to them.
After reporting the attack to the FBI, Del Rio was referred to the Secret Service. “The City is diligently working on finding the best solution to resolve this situation and restore the system. We ask the public to be patient with us as we may be slower in processing requests at this time,” the press release said.
At the time of writing this, the website for the city of Del Rio was up and running, though there is no word on the full scope of the attack. Infosecurity has contacted the city, and this story will be updated with any response.
“The growing number of exploit kits and malware at their disposal is emboldening malicious actors to attack organizations with a rich trove of consumer data,” said Mike Bittner, digital security and operations manager at The Media Trust.
“Government organizations, in particular city governments, are prime targets; they not only process a lot of citizen and business data but are also less secure as tighter budgets severely limit what IT updates they can carry out. Bad actors have no doubt put the 89,000 local governments across the country in their cross hairs. It is just a matter of time before many of these governments realize they’ve been hacked.”
As the US inches toward a full month of a government shutdown, concerns over the impact on national security and cybersecurity continue to mount, and according to security experts from Juniper Networks, Untangle and Vectra, the shutdown may affect government IT recruiting and hiring.
With the skills gap being one of the hurdles every company must clear in order to mature in their overall cybersecurity posture, most organizations are trying to get more creative when it comes to recruitment. The government, though, is in its 25th day of a shutdown.
“The biggest impact of the shutdown, in my opinion, is that furloughing cybersecurity analysts creates a vulnerability for government networks. As we all know, the top problem in security today is the shortage of trained cybersecurity professionals, and the cybersecurity skills shortage was already getting worse in 2018 with millions of unfilled cybersecurity jobs,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
The problem is exacerbated because some staff are furloughed during the shutdown. As Infosecurity reported last week, attackers can potentially intensify their activity and exploit security gaps and vulnerabilities resulting from the shutdown. When considering the long-term ramifications, Bilogorskiy said it’s likely that the government will lose valuable cybersecurity talent to the private sector.
“During prior shutdowns, recruiting and hiring efforts have certainly been impacted, as these are not typically considered essential functions,” said Dave Mihelcic, federal chief technology and strategy officer for Juniper Networks and former chief technology officer of Defense Information Systems Agency (DISA).
“Perhaps the more significant challenge posed by these shutdowns was the lasting impressions they made on young IT professionals,” Mihelcic continued. “Undoubtedly IT job seekers had a more negative view of federal employment due to the shutdown. Likewise, the most talented IT professionals in federal service were left with lasting questions about their future that would cause some to seek outside opportunities.”
The problem isn’t limited to staffing, either. Expired certificates are one visible symptom, but collaboration between the public and private sectors is critical to strong cyber-defense. “With only a skeleton crew at the helm, data sharing and rapid response can fall by the wayside, leaving our nation vulnerable to cyber threats and attacks. The longer the shutdown continues, the more opportunity there is for both private and state-sponsored attackers to take advantage of any possible lapses in oversight,” said Heather Paunet, vice president of product management at Untangle.
Government agencies have often lost potential talent to the salary battle with private industry, but the biggest concern of the government shutdown is that this type of instability would hamper the federal government’s ability to attract and retain good cybersecurity talent, according to Chris Morales, head of security analytics at Vectra.
“With the number of available roles in the private sector that pay with much more lucrative salaries and benefits, it’s going to just get harder for government agencies to compete. If anyone is in need of more automation and efficiency in security operations processes, it will be these federal agencies.”
Two major UK high street banks have started to send out replacement cards for some of their customers, nine months after one lender reported fraudulent activity to Ticketmaster.
Customers of NatWest and RBS have taken to social media to vent their frustration over the way the incident has been handled.
Some complained that this is the first they’ve heard of the breach, which Ticketmaster reported in June and is believed to have affected in the region of 40,000 UK customers.
Others wanted to know if the letter sent by their bank was genuine.
“During 2018 Ticketmaster announced that they suffered a data breach between September 2017 and June 2018, which included data for some of our customers. Because of this, we are replacing all customer debit and credit cards that may have been compromised by this breach,” explained a Twitter response to one such query by NatWest.
The banks claim they are issuing the replacement cards as a precaution, so there’s no confirmation that details were definitely accessed in the incident.
However, the lengthy delay in responding to the breach stands in stark contrast to banking start-up Monzo, which asked Mastercard to issue replacement cards for all affected customers back in April last year.
In fact, the bank wrote in a blog post that it had initially contacted the ticketing giant to inform it of a potential breach, a warning that appeared to have gone unheeded for nearly two months.
Breaches are often first detected by banks as they’re able to analyze fraud patterns on customer cards to pinpoint a merchant they have in common.
The breach itself was the result of digital skimming code known as Magecart being seeded into software provided by third-party developer Inbenta Technologies.
The latter claimed that Ticketmaster had implemented it incorrectly on its payments page.
“We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability,” it said at the time.
It’s unclear how many RBS and NatWest customers have experienced fraud as a result of the Ticketmaster breach, although card details from other Magecart breaches at BA and Newegg were spotted for sale on dark web sites just a week later.
This would seem to highlight the need for a speedy response from all parties in such cases, including the breached firm and relevant banks/card providers.
Many organizations may find they’re better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research.
The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs.
It studied 61 HackerOne bounty programs over 23 months — including those run for Twitter, Coinbase, Square and other big names — and one Facebook program over 45 months.
It claimed that, contrary to industry hype, organizations running these programs don’t benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards.
It’s also claimed that even these elite “top 1%” ethical hackers can’t make a decent wage by Western standards.
The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.
There are, of course, exceptions: last week we reported that one company has upped its maximum payout for iOS zero-day exploits to $2m. However, it appears that these programs offer more of a salary top-up to Western researchers than a main source of income.
Security research firm Trail of Bits claimed the findings proved that firms should reconsider their security strategies by hiring “boffins” directly as consultants instead of running bug bounty programs.
“The authors of Fixing a Hole argue that bug bounties should be designed to incentivize the elite. They say that making bounties invite-only lowers the operational cost of managing a tsunami of trivial, non-issue, and duplicate bugs. Only 4-5% of bugs from Google, Facebook, and GitHub’s public-facing bounty programs were eligible for payment,” it argued in a blog post.
“According to the authors, a small number of bounty hunters are indispensable and hold significant power to shape the market for bug bounty programs. Based on this, hiring security consultants under terms and conditions that can be controlled seems more practical.”
That view is unsurprisingly not shared by HackerOne CEO, Marten Mickos, who said the MIT study is not representative.
“If it is based on HackerOne data, it is based only on a fragment of it. The hacker community is indeed power-law distributed,” he added in comments sent to Infosecurity.
“The top performers are orders of magnitude more productive than newcomers. The beauty is that many newcomers rise very quickly in the ranks. Within this merit-based system, there is unlimited opportunity for one with skill and will.”
Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”
“Orgs can't #bugbounty their way to secure, same as they can't pen test their way to secure,” she tweeted. “The myth of ‘many eyes’ is convenient, but untrue as proven in both open source & bounties. Skilled bug bounty hunters rarely make a good living by Western standards.”
The Polish government is reportedly considering a ban of the use of Huawei products by the public sector following the arrest of an employee of the firm on suspicion of espionage.
Country sales director, Wang Weijing, was arrested on Friday along with a former Polish official who was apparently responsible for issuing security certificates for government IT equipment.
Huawei has sought to distance itself from the spying allegations by sacking Wang. The firm has said in a statement that the individual had brought the Shenzhen giant into disrepute, but that at the same time his alleged actions “have no relation to the company.”
With national security concerns over Chinese firms growing in the West, Warsaw could be inclined to join others in cooling its relationship with the world’s biggest telecoms equipment maker.
A senior government official told Reuters it was considering a public sector ban on Huawei alongside possible legislation which could allow restrictions to be placed on firms posing a national security threat.
Cybersecurity minister, Karol Okonski, told the news site: “We will analyze whether ... our decision can include an end to the use ... of Huawei products.”
“We do not have the legal means to force private companies or citizens to stop using any IT company’s products,” he added. “It cannot be ruled out that we will consider legislative changes that would allow such a move.”
Although the firm has repeatedly hit back at claims it is a security risk, stating it is a victim of wider geopolitical tensions, the US and Australia have effectively banned its equipment from their 5G networks while New Zealand and Canada are mooting the same.
Japan has said it will prevent the firm from competing for government contracts.
In the UK, the firm has pledged $2bn to allay recently aired security concerns about vulnerabilities in its products, although its equipment will still be used in BT’s 5G edge networks. There’s also the possibility that the government will go further.
“We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position,” MI6 chief Alex Younger has said.
Three different vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which could have allowed an attacker to halt the charging process, have been patched, according to Positive Technologies.
Researchers discovered the vulnerabilities, CVE-2018-7800, CVE-2018-7801 and CVE-2018-7802, in charging stations used in parking environments in several countries, including at offices, hotels, supermarkets, fleets and municipalities. The vulnerabilities reportedly affect EVLink Parking v3.2.0-12_v1 and earlier.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, in a press release. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
According to today's news post, if exploited, the vulnerabilities would enable cyber-criminals to stop the charging process for vehicles plugged into the affected stations, as well as unlock and steal the charging cables.
Specifically, CVE-2018-7800 and CVE-2018-7802 gave attackers privileged access to the charging station so that a hacker could “stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.”
In addition, exploitation of the second vulnerability gave access to the web interface, where an attacker could directly manage the operating system, make changes to files and configurations, or add new users or backdoors.
Schneider stated that customers can set up a firewall to block remote/external access except by authorized users as a risk mitigation strategy and recommended several cybersecurity best practices, including locating control and safety system networks and remote devices behind firewalls, and keeping those isolated from the business network.
“Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices,” the security notification stated.
After news that a bug in its software resulted in a data breach, Singapore Airlines (SIA) has today issued a warning on Facebook, alerting customers to be wary of scams and phishing sites promising free airline tickets.
In what the company called a fraudulent online survey being dispersed via WhatsApp, scammers ask users if they have ever traveled with the airline and make the specious claim that SIA is offering free tickets in celebration of its anniversary.
In truth, the survey is a scam attempting to trick SIA customers into giving up their personal and credit card information. “If a recipient answers the survey questions and clicks on ... ‘Claim Tickets’ or ‘WhatsApp,’ the user will be redirected to a non-SIA website that is designed to trick the recipients into filling in their personal and credit card information. This fraudulent website is only accessible via mobile device browsers. They are shared and forwarded via WhatsApp,” SIA wrote.
In addition, the company is using social media to reach its customers as well. “It has come to our attention that there is a website that claims to be from Singapore Airlines, offering free air tickets as prizes, before proceeding to request personal data,” Singapore Airlines wrote on Facebook.
“We have reported the site to be taken down and would like to advise customers to exercise discretion when revealing personal data to unverified sources. These websites, emails and calls should be verified if in doubt. Please send us details on our social media channels or via this link http://singaporeair.com/en_UK/feedback-enquiry/.
“We would also like to advise customers to be cautious of social media posts and phishing websites that appear similar to our official website singaporeair.com. Thank you.”
Cyber-criminals continue to prey on the naïveté and trust of end users. Already in 2019, Infosecurity has reported on multiple different scams, such as 60% of UK consumers leaving themselves vulnerable to New Year’s resolution online scams and the return of the WhatsApp Gold scam.
Increasingly, though, users are realizing that with all online and mobile ads, nothing is ever really free. One Facebook user warned, “If it sounds/looks too good to be true, it usually is! Always delete these things after checking official websites!”
Crypto-mining malware has again topped the threat index, with Coinhive holding strong in the number one malware threat for the 13th consecutive month, according to the latest Global Threat Index for December 2018, published by Check Point.
The threat index looks at the most common active malware variants and trends as cyber criminals evolve toward crypto-mining and multipurpose malware.
A second-stage downloader, SmokeLoader, first identified back in 2011, jumped to ninth place on the December top-10 list. “After a surge of activity in the Ukraine and Japan, its global impact grew by 20. SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker,” according to a press release.
“December’s report saw SmokeLoader appearing in the top 10 for the first time. Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between crypto-miners and malware that uses multiple methods to distribute numerous threats,” said Maya Horowitz, threat intelligence and research group manager at Check Point.
“The diversity of the malware in the Index means that it is critical that enterprises employ a multilayered cybersecurity strategy that protects against both established malware families and brand new threats.”
For mobile malware, Triada, a modular backdoor for Android that grants super-user privileges to downloaded malware, ranked number one.
“Check Point researchers also analyzed the most exploited cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42%, closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%,” the press release stated.
Not surprisingly, the report also reflected a rise in banking Trojans, particularly in the data-stealing Trojan, Ramnit, which ranked eighth on the top-10 list.
The British Security Industry Association (BSIA) has published a summary of current guidelines to minimize the exposure to digital sabotage of network connected equipment, software and systems used in electronic security.
The 335 Cyber Secure It - Best Practice Guidelines for Connected Security Systems document, designed by the Cyber Security Product Assurance Group (CySPAG) and leading industry experts, is “intended to be used as a guide by any stakeholder (designers, manufacturers, installers, maintainers, service providers and users) in the supply chain regarding connected security devices/services.”
The guidelines are based on international industry best practice and refer to recognized international guidance and standards that “will assist the supply chain in their duty of care to other network users, particularly with respect to protecting the integrity of existing cybersecurity countermeasures already in place or the implementation of such countermeasures in new solutions.”
Steve Lampett, technical services manager, BSIA, said: “We think that Cyber secure it – Best Practice Guidelines for Connected Security Systems will become an invaluable guide for our industry practitioners and stakeholders alike as technology continues to evolve and the internet is used to provide a better end user experience.
“This will enable us to better serve our industry consumers by providing professional, safe and secure internet enabled security solutions.”
The healthcare sector continues to be the target of cyberattacks, with Managed Health Services (MHS) of Indiana Health Plan announcing recently that a third-party data breach potentially exposed up to 31,000 patients' personal data in one of two security incidents the company has disclosed in the past month.
The organization reportedly manages Indiana's Hoosier Healthwise and Hoosier Care Connect Medicaid programs. “MHS learned from its vendor, LCP Transportation, that unauthorized persons had gained access to some of their employees’ email accounts. This access took place sometime between July 30 and September 7, 2018,” the news release stated.
On October 29, 2018, MHS launched an investigation after learning that protected health information, including names, insurance ID numbers, addresses, dates of birth, dates of service and descriptions of medical conditions, was possibly disclosed.
“The incident was caused by a phishing attack on the vendor’s systems. The vendor immediately took steps to secure the email accounts and began an investigation, including hiring a computer forensic firm to assist. The investigation concluded that some of your information may have been in the email accounts and that could be accessed. There is no evidence that your information has been misused.”
“Phishing attacks are a favorite for malicious adversaries as one of the most successful methods for stealing and exposing data. LCP Transportation, a third-party vendor of Managed Health Services, recently felt the impact of how a phishing attack targeted at their employees can trickle down the chain – ultimately breaching roughly 31,000 patient records held by their business associate,” said Fred Kneip, CEO, CyberGRX.
“To combat this, healthcare providers require a cyber solution that moves beyond previous, static approaches to third-party cyber-risk management that is unable to scale with their growing ecosystems.”
According to Becker’s Hospital Review, this is the fourth data breach impacting health plans disclosed in the past month. Yet another example of the ways in which individuals and their personal data are at the mercy of insecure organizations, the MHS incident follows a reported data breach at Humana and two separate security incident announcements at BCBS of Michigan.
For the second time in less than two months, the New York Times has reported that a progressive group of Democrats allegedly leveraged social media sites in a secret project intended to spread false information and sway the 2017 Senate race in Alabama.
According to the New York Times, “The 'Dry Alabama' campaign, not previously reported, was the stealth creation of progressive Democrats who were out to defeat Mr. Moore – the second such secret effort to be unmasked.”
In December 2018, a technologically savvy group of Alabama Democrats allegedly attempted to mimic tactics used by the Russians, who meddled in the 2016 presidential campaign, according to one of the group's internal reports.
According to The Hill, Matt Osborne, a progressive activist who worked on the Dry Alabama campaign, said Democrats had no choice but to use disinformation if they wanted to level the playing field with Republicans. “If you don’t do it, you’re fighting with one hand tied behind your back,” Osborne reportedly said. “You have a moral imperative to do this – to do whatever it takes.”
The reality is that this was the intentional creation of fake news. “It is akin to having a digital billboard or TV ad with incorrect facts,” said Chris Morales, head of security analytics at Vectra. “Since we have been successful using AI to detect attacker behaviors in real time, someone should ask a team of data scientists to find a way to use AI to detect political misinformation, since there seems to be more than an average person can sort through.”
Jonathon Morgan, chief executive of the small cybersecurity firm New Knowledge, was reportedly a participant in the Alabama project.
“First of all, I find it abhorrent that a firm would use 'cybersecurity' as part of its tagline if in fact they were conducting offensive maneuvers to sow disinformation,” said Paul Innella, CEO of Washington DC-based cybersecurity firm TDI.
“Cybersecurity professionals have an ethics code we follow, one which is endorsed when obtaining a number of certifications in our space. While it’s not the Hippocratic Oath, we still hold ourselves to a high standard – cybersecurity is defensive at its core. This is a slippery slope of the highest order if we are going to start using a field whose reputation is built on trust to now pivot to a field of propagating mistrust.”
The proper use of cybersecurity would enable detection of misinformation and impede the progress of spreading this kind of propaganda, Innella continued.
“A cyber task force should be formed that combines the awesome power of our intelligence and justice agencies to combat this ever-present danger. A threat to free and honest speech is a threat to our constitutional rights, one which demands an even more powerful response. We absolutely have the people and the technologies to address this growing danger, our government needs to employ it, diligently, and now.”
A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this is a hardware-agnostic side-channel attack, the first of its type, that can target operating systems such as Windows and Linux, including remotely, and exfiltrate data while bypassing security precautions.
In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”
After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”
In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.
“This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag,” said Hahad.
The US government shutdown is having a chilling effect on national cybersecurity, with 80 government web certificates having already expired without being renewed and FBI agents issuing a stark warning.
Vendor Netcraft claimed on Thursday that the lapsed certificates include those affecting “sensitive government payment portals and remote access services” at agencies like NASA, as well as the Department of Justice and the Court of Appeals.
The impact of this administrative snafu is to render the sites inaccessible or insecure. Where HSTS is properly implemented, modern browsers will not allow users to visit sites with expired certificates at all, said Netcraft.
“However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header — but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before,” it explained.
“Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass. This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”
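To make the distinction Netcraft draws concrete, here is an added Python model (not Netcraft's or the article's code) of the decision a browser makes when a site's certificate has expired: a host on the preload list, or one whose HSTS policy was cached on an earlier error-free visit, gets a hard failure, while a Strict-Transport-Security header served alongside the expired certificate is discarded and the warning stays bypassable. Host names, dates and the preload set are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PRELOAD = {"preloaded.example.gov"}  # constructed stand-in for the browser's preload list

def parse_max_age(header: str):
    """Return max-age from a Strict-Transport-Security header value, or None if absent/invalid."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().strip('"').isdigit():
            return int(value.strip().strip('"'))
    return None

@dataclass
class HstsCache:
    """HSTS state a browser remembers from earlier error-free visits (host -> policy expiry)."""
    entries: dict = field(default_factory=dict)

    def learn(self, host: str, header: str, now: datetime, tls_ok: bool) -> bool:
        # RFC 6797 s8.1: the header is ignored unless the connection had no TLS errors.
        max_age = parse_max_age(header) if tls_ok else None
        if max_age is None:
            return False
        self.entries[host] = now + timedelta(seconds=max_age)
        return True

    def is_known(self, host: str, now: datetime) -> bool:
        expiry = self.entries.get(host)
        return expiry is not None and expiry > now

def visit(host, cert_not_after, header, cache, now, preload=PRELOAD) -> str:
    """'ok', 'hard-fail' (HSTS blocks any bypass) or 'bypassable-warning' (clickable interstitial)."""
    if cert_not_after > now:
        cache.learn(host, header, now, tls_ok=True)  # valid cert: header is honoured and cached
        return "ok"
    # Expired cert: a header served now is discarded, so only pre-existing state counts.
    if host in preload or cache.is_known(host, now):
        return "hard-fail"
    return "bypassable-warning"

def shutdown_scenario():
    """Constructed timeline: a header-only site visited before and after its cert expired."""
    before, not_after, after = (datetime(2018, 12, 20, tzinfo=timezone.utc),
                                datetime(2019, 1, 5, tzinfo=timezone.utc),
                                datetime(2019, 1, 10, tzinfo=timezone.utc))
    hdr, returning, fresh = "max-age=31536000; includeSubDomains", HstsCache(), HstsCache()
    return (visit("portal.example.gov", not_after, hdr, returning, before),  # primes the cache
            visit("portal.example.gov", not_after, hdr, returning, after),   # returning user
            visit("portal.example.gov", not_after, hdr, fresh, after),       # first-time user
            visit("preloaded.example.gov", not_after, "", fresh, after))     # preloaded host
```

Only the returning visitor and the preloaded host end up protected; a first-time visitor to a header-only site sees the bypassable interstitial the article describes.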
The concern is that as the shutdown continues, growing numbers of certificates will expire without being renewed, increasing the security risk.
The National Institute of Standards and Technology (NIST) is particularly badly affected by the shutdown, with an estimated 85% of personnel furloughed and its website shut.
That’s bad news for the information security community as NIST guidance documents and frameworks are widely consulted to improve baseline security practices around the world.
As if that weren't enough, FBI special agents have signed an open letter warning that the shutdown could hurt operations and even force agents to consider roles elsewhere.
"As those on the frontlines in the fight against criminals and terrorists, we urge expediency before financial insecurity compromises national security," they said.
Suzanne Spaulding, a former Department of Homeland Security (DHS) under-secretary and Nozomi Networks advisor, warned that the loss of so many government employees means the US is “losing ground against our adversaries.”
“And the timing couldn’t be worse, with Congress just having established the new Cybersecurity and Infrastructure Security Agency (CISA) at the DHS,” she added.
“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it. You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”
House Democrats have accused Trump of holding the country hostage over an exaggerated threat, as he demands over $5bn to fund a wall on the southern border with Mexico that he originally promised would be paid for by the Latin American nation.
The current shutdown is the longest since 1995, with an estimated 800,000 federal employees expecting not to be paid this week. Most Americans blame the president for the impasse, according to a new poll.
Confectionery giant Mondelez is suing Zurich after the insurer refused to pay out over $100m on its insurance policy to cover losses incurred during the NotPetya ransomware campaign.
The owner of Cadbury believes it is owed the money to pay for the permanent damage to 1700 of its servers and 24,000 laptops as well as unfulfilled orders and other disruption to its distribution operations, according to reports.
It believes this falls under its policy’s provision to cover “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
However, the insurance giant has claimed that an exclusion applies in this case because NotPetya falls under a “hostile or warlike action in time of peace or war” — meaning it doesn’t have to pay up.
Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.
“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.
However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.
The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.
“The ‘fool me once’ proverb is fully applicable here: while many companies fall victim to ransomware, one of the first steps to recovery is to make sure it doesn't happen again,” he added.
“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich's own policy?”
NotPetya caused losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that these have now exceeded $3bn.