Cyber Risk News
Researchers have spotted the first stage of a new advanced persistent threat (APT) campaign targeting mainly South Korean victims and borrowing code from the notorious Chinese hacking group Comment Crew.
Operation Oceansalt is the first time white hats have seen code associated with the group, also known as APT1, since it was outed in 2013. Crucially, that code was never made public, according to McAfee.
The campaign uses spear phishing tactics to deliver booby-trapped Office documents to several targets: those with knowledge of South Korean public infrastructure projects and their expenses, the Seoul-backed Inter-Korean Cooperation Fund and various targets in the US and Canada in a variety of sectors including healthcare, telecoms and agriculture.
Those behind the campaign appear to have good working knowledge of the Korean language.
The malware delivered to victims is designed to take full remote control of any targeted machine and associated network, with McAfee speculating the spear phishing emails may be a precursor to a major financially motivated attack on a bank or similar.
As for the Comment Crew cross-over, there are three possible options: code-sharing between a former member of the group and another actor; someone has managed to access code from the original APT1 operation; or a false flag operation to make it appear China and North Korea have collaborated on this campaign.
“One thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor — offering up considerably more malicious assets,” explained McAfee chief scientists Raj Samani and senior analyst, Ryan Sherstobitoff.
“We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.”
GreyEnergy, a subgroup of the advanced persistent threat (APT) group known as BlackEnergy, has been attacking the energy sector for the past three years, according to ESET.
Back in December of 2015, when approximately 230,000 people suffered a blackout after the APT group BlackEnergy attacked a power grid in Ukraine, researchers at ESET reportedly detected another malware framework, which they dubbed GreyEnergy.
Since then, the group has been attacking energy companies and other high-value targets in Ukraine and Poland. Unlike other attacks on power grids, the attacks of GreyEnergy have not resulted in mass destruction, which ESET said might be one reason why the APT has not been documented until now.
The stealthy attackers have remained undetected while focusing on espionage and reconnaissance, which ESET presumed is an indication that the group is either preparing for future cyber-sabotage attacks or laying the groundwork for an operation run by some other APT group.
ESET researchers have observed the malware framework being used for espionage and reconnaissance and note that GreyEnergy is strikingly similar to BlackEnergy in how its framework is built: it is modular, so a particular combination of modules is uploaded to each targeted victim system.
Additionally, the fact that GreyEnergy emerged in the wild at the same time BlackEnergy disappeared leads researchers to believe that there is a link between the APTs. Both target the energy sector, and the two share at least one victim.
“It should be no surprise that threats like BlackEnergy are morphing into new variants,” said Ray DeMeo, co-founder and chief operating officer at Virsec. “There is a large arsenal of advanced hacking tools, many developed by the NSA, now readily available.
“These are difficult to detect because they manipulate legitimate application processes in run-time memory and create new variants, which further evades signature-based detection. More disturbing is that many of these attacks are targeted at disrupting critical infrastructure. Many of these ICS/SCADA systems have outdated security, designed for isolation, which is increasingly disappearing as IT and OT systems connect and converge.”
In a recent survey of more than 1,000 consumers, nearly half of the respondents said that when a company immediately discloses a data breach, they are open to forgiving the brand.
The Consumer Attitudes Toward Data Privacy and Security Survey, published by Janrain, showed that of the 1,079 participants, 42% are at least open to forgiving the brand, while only 7% of respondents said a breach is unforgivable. Many consumers might not shop elsewhere in the aftermath of a breach, but they do want to see GDPR-like rules implemented in the US.
The greatest concern for 44% of respondents is protecting their financial data more than any other form of personal data. For 25% of consumers protecting passwords is the top concern.
“When asked whether they'd walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said "yes" while 24% said "probably." Fifty-four percent said it depends on whether the business is trusted or the only option,” Janrain wrote in a press release.
More than half of consumers (59%) feel that consumers, businesses and governments need to work together and offer shared support in order to achieve data security. To that end, 66% of respondents said they would like to see GDPR-like rules implemented in the US. While the majority of respondents feel such rules would be effective, 9% said regulations would be ineffective, with only 6% saying they are concerned that more regulation would present challenges to both businesses and the economy.
Despite the fact that the majority of security incidents are the result of human error, 61% of consumers report being very careful about their computer/mobile security. The survey found that only 12% of respondents report putting forth little-to-no effort to protect their computers because they believe hackers can break into company networks anyway.
"Our survey is incredibly good news for brands that take the personal data privacy and security of their customers seriously," said Janrain CEO Jim Kaskade. "Despite high-profile missteps and outright failures in the way brands have approached data privacy and security, consumers are very open to a consent-driven relationship with brands, which will go a long way toward solidifying trust for stronger, longer-term relationships."
A recent poll from the University of Chicago Harris School of Public Policy and the Associated Press–NORC Center for Public Affairs Research found that a wide majority of Americans are concerned about election security ahead of next month's midterm elections.
Though Republicans seem more confident in election security, a significant number of Americans across the aisle fear the potential of a hack on voter systems, with 58% of Democrats and 39% of Republicans not fully trusting the integrity of voting systems.
Many reportedly fear that election security has seen little to no improvement since 2016 when Russia meddled in the US presidential election, particularly in light of a report from The Washington Times earlier this month that Peter King’s congressional campaign site was hacked.
“Elections are one of the most important things we rely on our government to run and they’re being outsourced to companies that clearly don’t have security as their top priority,” said Brian Vecci, technical evangelist at Varonis.
“Election systems without a verifiable paper record are inherently insecure, and any electronic system is going to be vulnerable to attack," said Vecci. "If we can’t come up with a system that’s clearly better – including more secure – than the old way of pulling levers, should we be in a rush to change?
“Election security should not be outsourced to the lowest bidder in each state, which has resulted in a huge variety of different systems and platforms and made it even harder to ensure the integrity of an election. Instead, similar to the introduction of GDPR and the California Consumer Privacy Act, if we implement a standardized system with a set level of required security regulations, we can reduce threats and ensure the outcome of our elections are in the hands of US citizens and US citizens alone.”
When it comes to election security, though, there are factors beyond technology that impact the integrity of elections. While a lack of funding, regulation and skilled staff contribute to the lack of confidence in electronic voter systems, cyber-criminals are reportedly using SEO to poison the midterm elections. Researchers from Zscaler have been actively tracking SEO poisoning campaigns and found in excess of 10,000 compromised websites with more than 15,000 keywords leading to multiple redirects.
“SEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines to get a higher ranking in search results,” researchers wrote in a blog post. Researchers have spent more than a month watching this midterm-elections SEO poisoning campaign and said they continue to discover hundreds of newly compromised sites every day.
Regardless of the security solutions put in place to protect the voting machines, cyber-criminals are still able to use technology to influence what information is disseminated via websites and social media, a vital piece of the discussion that has yet to make it to the forefront of the election security conversation.
Europol and the European Banking Federation have launched a new campaign designed to raise public awareness of growing incidents of financial fraud and data theft, as part of European Cyber Security Month (ECSM).
Over the coming week, law enforcers from 28 EU member states as well as Colombia, Liechtenstein, Norway, Switzerland and Ukraine will be joining forces with 24 national banking associations and others to warn consumers not to fall for cyber scams.
The campaign will focus on the seven most common online financial scams: CEO fraud, invoice fraud, phishing and its variants, spoofed bank websites, romance scams, personal data theft via social media, and investment and online shopping scams.
Most of these use social engineering techniques to trick the victim into handing over their personal and financial details, or paying or transferring funds to a malicious third party.
A dedicated site explains the tell-tale signs of such scams, and what consumers can do to stay safe.
Many fall under what’s known as authorized push payment (APP) fraud: where the scammer tricks their victim into making payments to an account controlled by them.
According to the UK’s Payment System Regulator (PSR) there were 43,875 reported cases of APP scams last year, and 88% of victims were consumers who lost an average of £2784.
However, it’s a contentious area as many financial institutions will not reimburse their consumers for this kind of fraud — even though few have measures in place to spot and block this kind of fraud.
The UK regulator is working on an industry code of practice, which should clarify matters, as well as initiatives such as stricter checks on the identity of those opening bank accounts; confirmation of payee, so that consumers will have to verify that they are paying the person they want; and improved data sharing so banks can respond more quickly to scams.
Banking lobby group UK Finance controversially argued last week that a new levy on each payment made in the country could help provide funds to compensate victims of APP fraud.
A former software manager who helped to build a customer portal for Equifax following its catastrophic 2017 breach has been sentenced to eight months of home confinement after pleading guilty to insider trading.
Sudhakar Reddy Bonthu, 44, of Atlanta, was also fined $50,000 and ordered to forfeit $75,979, according to the Department of Justice.
“Bonthu intentionally took advantage of information entrusted to him in order to make a quick profit,” said US attorney Byung Pak. “The integrity of the stock markets and the confidence of investors are impaired by those who use non-public information for personal gain.”
Bonthu, who was a software product development manager for Equifax’s Global Consumer Services team in August 2017, was called on to help develop an online interface designed for customers to check if they had been affected by the breach.
Although he wasn’t told directly that Equifax had been breached, Bonthu unsurprisingly worked it out for himself, also finding out the scale of the incident.
“On September 1, 2017, Bonthu bought 86 ‘put’ options in Equifax stock that expired on September 15, 2017. Those options allowed him to profit if the value of Equifax stock dropped within that two-week period. These trades also violated company policy, which did not allow employees to purchase option contracts in Equifax common stock,” the DoJ explained.
“Equifax publicly disclosed the data breach on September 7, 2017, and its stock fell the next day. Bonthu then exercised his put options, making a profit of more than $75,000.”
Another insider trading case is still being fought. Former Equifax CIO Jun Ying has pleaded not guilty to charges related to his sale of $1m of shares. Prosecutors allege he did so after hearing about the incident, but before the company announced it.
The UK’s ISPs have called on the government to streamline the number of regulatory bodies dealing with cybersecurity, improve cybercrime reporting processes and set minimum standards for the industry.
The latest survey from the Internet Services Providers’ Association (ISPA) found that 88% suffer regular cyber-attacks: half of these on a daily basis.
However, they’re responding appropriately. Cybersecurity is a high or very high priority when it comes to day-to-day operations for 61% of ISPs, and an overwhelming 94% said they expect to increase investment in the area over the next three years.
Some 86% also plan on implementing the NCSC’s Active Cyber Defence strategy, which the GCHQ body claimed this week had driven some encouraging results over the past two years.
ISPs are very much on the front line when it comes to cyber-threats facing their customers, so it’s heartening that all respondents claimed the industry should play a proactive role in handling attacks, while 78% said they already offer cybersecurity services to their customers.
However, there appears to be a distinct lack of confidence in the government’s role, especially when it comes to the regulatory environment.
“Despite increased awareness about the importance of cybersecurity, government and law enforcement must turn their words into actions,” argued ISPA chair, Andrew Glover.
“In order to ensure the UK has an effective cybersecurity regime, the government should streamline the number of organizations involved in the cybersecurity landscape to minimize confusion. This needs to be underpinned by clear minimum standards on cybersecurity, set by government, and improved online cybercrime reporting processes.”
Some 40% of ISPs believe the response to cybercrime could be improved if there was better collaboration and coordination within the industry, although half currently don’t share their experiences with peers.
The industry also believes law enforcers need to get better at tackling online crime.
Nearly two-thirds (62%) of respondents said cybercrime handling would improve if police took a more coordinated approach, while 31% suggested that better cybercrime training was necessary. These were also the top two priorities reported in the 2016 survey, showing progress has not been made thus far.
It was revealed earlier this year that UK police spent £1.3m on cybersecurity training over the past three years.
Supporters of President Trump who want to date like-minded individuals had Emily Moreno, a former aide to Sen. Marco Rubio, to thank for creating the Donald Dater app, but their gratitude might have fallen flat after their information was leaked on the day the app was launched.
According to Time, Moreno confirmed the leak was discovered on October 15, 2018, by security researcher Elliot Alderson, who was able to download the entire database, which included the personal information of more than 1,600 users.
Information on users who were seeking to “Make America Date Again,” included users’ names, profile pictures, device types, private messages and access tokens that can be used to log into their accounts, Alderson said in a tweet. The researcher also detailed how he found the database in a post on Medium.
"This is just the tip of the iceberg,” said Aaron Lint, chief scientist at Arxan. “We all know that applications are weak spots in corporate infrastructure because of the lack of true ownership for app security. Again, we see evidence of how the software itself betrays the back end. When critical data passes through your app, it can be trivially exfiltrated by attackers. Leaving the application unprotected is leaving the data in transit unprotected.”
Leaked data is not the only risk posed to users of dating apps and websites, and the Donald Dater app is not the only dating site to make headlines this week. Breaking news from Barclays reported by the BBC this morning found that an online dating site scam cost victims £2,000. Barclays reportedly found that thousands of people are losing thousands of pounds from online dating scams.
“It’s not surprising to hear dating scams are costing people dearly. We previously found that 38% of people openly share their email address in their dating profiles and 7% of people even share their passwords with people via dating sites,” said Raj Samani, chief scientist and fellow at McAfee.
“Sharing this personal information puts people directly in the firing line for hackers and scammers wanting to cash in on the online dating phenomenon. We urge dating site users to keep sensitive data such as email addresses, full names and phone numbers private. And those looking for love online need to make sure the apps they’re using are protected with strong, secure passwords to further avoid the security risks of online dating.”
According to a media release from Onslow Water and Sewer Authority (ONWASA) issued on October 15, 2018, a critical water utility in North Carolina was targeted in a cyber-attack. Federal and state officials are now working with the water utility as part of the investigation into the attack on some of its computer systems.
“In the wake of the Hurricane Florence disaster...ONWASA’s internal computer system, including servers and personal computers, was subjected to what was characterized as ‘a sophisticated ransomware attack,’” wrote Jeffrey Hudson, CEO, ONWASA.
Hudson also reported that no customer information was compromised. In addition to the FBI, the Department of Homeland Security and the state of North Carolina were also called in to assist.
According to Hudson, the water utility was targeted with virus attacks from a malware system on October 4. While he believed the virus was brought under control, the problem persisted, so external security experts were called in to work with ONWASA IT staff. A sophisticated malware virus, dubbed RYUK, was then launched on October 13.
In the aftermath of the attack, ONWASA received an email from the attackers, who are believed to be based in another country, according to Hudson. “The email is consistent with ransomware attacks of other governments and corporations...ONWASA will not negotiate with criminals nor bow to their demands. The FBI agrees that ransoms should not be paid,” he wrote.
As such, this ransomware attack will require that ONWASA rebuild several of its databases.
"As most ransomware is delivered through malicious email links, educating users on the danger of clicking on links from even trusted email sources can prevent many ransomware infections to begin with,” said Adam Laub, senior VP, product marketing, STEALTHbits Technologies Inc.
"Reducing end user access to file data, in particular, is also an effective mitigation technique because ransomware and other malware often relies on the access rights of the user who’s been compromised. If they don’t have access privileges, then neither does the malware. Finally, backing up data – at least the data you really care about – can make even a successful ransomware attack a nonissue, relatively speaking."
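Laub's point that malware inherits the access rights of the user it runs as can be turned into a routine check. The following is an added example, not STEALTHbits' or ONWASA's code, that walks a directory tree standing in for a file share and lists the regular files that an account other than the owner could modify (group or world write bit set). The sample tree and its permissions are constructed for the example; it assumes a POSIX file system and models a compromised non-owner account, so the owner's own write bit is deliberately ignored.

```python
"""Audit which files in a tree a compromised non-owner account could alter."""
import os
import stat
import tempfile


def writable_by_others(path: str) -> bool:
    """True if the group or 'other' class holds the write bit on a regular file."""
    mode = os.lstat(path).st_mode
    if not stat.S_ISREG(mode):
        return False  # skip directories, symlinks, sockets
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_tree(root: str) -> list:
    """Return paths (relative to root) of regular files writable by group or other.

    These are the files ransomware running as an ordinary user in that group
    (or as any user, for world-writable files) could encrypt in place.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if writable_by_others(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_share() -> str:
    """Construct a throwaway directory tree standing in for a departmental share.

    The layout and modes are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="share-")
    layout = {
        "finance/ledger.xlsx": 0o664,  # group-writable: any group member's malware can rewrite it
        "finance/archive.pdf": 0o444,  # nobody holds the write bit
        "public/notice.txt": 0o666,    # world-writable: exposed to every account
        "hr/policy.docx": 0o644,       # owner-only write
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample content\n")
        os.chmod(full, mode)  # explicit mode, so the process umask does not interfere
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel in audit_tree(share):
        print("writable by non-owner:", rel)
```

Run it against a real share mount point instead of the sample tree to get the list of files whose permissions undercut the "if they don't have access privileges, neither does the malware" principle; the same walk is a reasonable place to confirm that a recent backup exists for each hit.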
In a new survey on cybersecurity culture, 90% of the nearly 5,000 technology professionals who participated identified a gap in their existing culture and the cybersecurity culture they would like to have, according to ISACA and CMMI Institute.
The Cybersecurity Culture Report revealed the results of more than 4,800 technology professionals surveyed about security awareness and behaviors in enterprises, particularly how awareness integrates into daily operations and leadership priorities.
"Cybersecurity management is critical for successfully securing a modern, digital organization," said Kai Roer, CEO of CLTRe. "Building and maintaining security culture is a process. It requires a number of steps, and when done correctly, it will both boost the security culture and provide documentation and stepping stones to close the gap between as-is and to-be states."
According to the survey, though, a mere 5% of respondents said their organization is well positioned to mitigate both internal and external threats. Only a third (34%) of respondents are aware of the role they play in creating a cyber-aware culture within their organizations, suggesting that many companies are not effectively getting the message out to all employees that they are a first line of defense when it comes to cyber-attacks.
“Enlisting the entire workforce to mitigate an enterprise’s cyber risk is an emerging practice,” Doug Grindstaff II, SVP of cybersecurity solutions at CMMI Institute, said in a press release. “We are hearing a lot of feedback about how organizations can move the needle on employee involvement. It’s challenging, but organizations are rightly concerned by the growing sophistication of cyberattacks.”
In fact, the survey found that in the small number of organizations that are satisfied with their cybersecurity culture, there is a strong correlation between widespread employee involvement and a security-minded culture. Within those organizations that have successfully created a cultural shift, 92% indicated that top executives embrace their cybersecurity awareness programs and demonstrate a deep understanding of the underlying issues.
Yet 42% of organizations have not developed a cybersecurity culture management plan or policy, which ISACA said is the first step in building cybersecurity culture. The survey found that a lack of funding is a significant hurdle. Those companies that don’t yet have the culture that they want are spending only 19% of their annual budgets on training and tools, whereas those who believe their efforts to create a cyber-secure culture have been successful are spending 43% of their annual budgets.
"Spending on security culture is a crucial part of a security program," said Roer. "However, not all organizations are the same, and not all industries require the same level of security. It is, therefore, our opinion that benchmarking annual spending is not giving an accurate image of the needs to build and maintain good security culture.
"Instead, we suggest that creating a good understanding of the organization's current security posture, including its risk profile and risk acceptance, is key to success. Combine that analysis with a security culture benchmark, and you get a very potent perspective on where you are, where you want to be, and in addition, all the ammunition you need to get the funding you need, be it 19% or 43% of your annual security spending."
Organizations globally are suffering a crippling cybersecurity workforce “gap” of 2.9 million employees today, putting the majority at greater risk of attack, according to the latest estimates from (ISC)².
The global certifications body has introduced a new gap analysis methodology, which explains why the figures are so much higher than the predicted 1.8 million industry shortfall by 2022, a spokesperson confirmed to Infosecurity.
While previous models subtracted supply from demand, the new calculation considers things like the percentage of organizations with open positions and estimated growth of companies of different sizes. It also polled IT staff in small businesses that may not be security professionals but spend 25% or more of their day on these tasks.
The new 2018 (ISC)² Cybersecurity Workforce Study is therefore a more holistic and realistic representation of the picture on the ground, (ISC)² claimed.
The fast-growing APAC region is suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).
Nearly two-thirds (63%) of organizations worldwide said they have a cybersecurity skills shortage and over half (59%) claimed this is putting them at “moderate” or “extreme” risk of attack.
Although nearly half (48%) said they plan to increase staff numbers in the next 12 months, it’s difficult to know where these are going to come from given the scale of shortages.
However, one positive new trend appears to be a wider representation of women in the industry, who now comprise a quarter (24%) of the workforce, more than double previous estimates (11%).
“By broadening our view of the workforce to include those with collateral cybersecurity duties within IT and ICT teams, we discovered that professionals are still facing familiar challenges, but also found striking differences compared to previous research, including a younger workforce and greater representation of women,” argued (ISC)² CEO, David Shearer.
Key barriers to career progression mentioned by respondents were unclear career paths (34%), lack of organizational knowledge (32%) and the cost of education to prepare for a career (28%).
The UK’s National Cyber Security Centre (NCSC) has blocked more than 10 cyber-attacks per week in its first two years of operation, blaming nation states for the majority of incidents.
The government body was spun out of GCHQ in 2016 with a goal of making the UK one of the safest places to live and work online.
Since then, it has dealt with 1,100 attacks and helped central and local government become more resilient via its Active Cyber Defence (ACD) strategy.
The idea here is to employ simple-to-use, tried-and-tested online tools and techniques to mitigate the risk from high volume, commodity attacks like phishing.
The strategy has seen remarkable success over the past year.
Thanks to a Web Check service, public sector bodies have identified over 2,300 urgent vulnerabilities to fix, with all local authorities in England, Wales and Scotland signing up.
Meanwhile, a Protective DNS service blocks malicious sites from being accessed by government staff and notifies managers of any issues that need fixing. It has apparently now detected and blocked attempts to access over 30 million malicious websites.
A Takedown Service has also been successful, removing over 138,000 phishing sites hosted in the UK and a further 14,116 worldwide spoofing the government.
The NCSC claimed that thanks to these efforts the UK’s share of visible global phishing attacks has roughly halved, from 5.3% in June 2016 to 2.4% in July 2018.
Finally, a Mail Check service using DMARC has helped government bodies to authenticate the emails they send so that receivers can spot more easily if they are genuine or fake.
From a figure of just over 200 in September 2017, nearly 900 government domains now use DMARC.
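To show what the DMARC check described above looks like from a receiver's side, here is an added example (not NCSC or Mail Check code) that parses a domain's DMARC TXT record, published at `_dmarc.<domain>`, and reports whether the requested policy actually enforces or only monitors. The sample records are constructed for the example, and the function names are ours; a real deployment would fetch the record with a DNS lookup rather than pass the string in directly.

```python
"""Parse and assess a DMARC record (the 'tag=value; tag=value' syntax of RFC 7489)."""

# Policies a domain owner can request, weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def dmarc_record_name(domain: str) -> str:
    """DNS name whose TXT record carries the DMARC policy for `domain`."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag/value pairs.

    Returns {} unless the record carries the mandatory 'v=DMARC1' tag, which
    is how a receiver distinguishes it from an SPF or other TXT record.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore empty segments and junk without a '='
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {}
    return tags


def assess_dmarc(txt: str) -> dict:
    """Summarize the record the way a mail-check service would report it.

    'enforcing' is True only when the policy is quarantine or reject AND it
    applies to 100% of failing mail; a 'p=none' record authenticates nothing
    on the receiving side, it only asks for reports.
    """
    tags = parse_dmarc(txt)
    if not tags:
        return {"valid": False, "reason": "missing or malformed v=DMARC1 tag"}
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return {"valid": False, "reason": "missing or unknown p= policy"}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return {"valid": False, "reason": "pct= is not an integer"}
    if not 0 <= pct <= 100:
        return {"valid": False, "reason": "pct= outside 0..100"}
    # Subdomains inherit p= unless sp= overrides it; a weak sp= is a common gap.
    subdomain_policy = tags.get("sp", policy).lower()
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "enforcing": POLICY_RANK[policy] >= 1 and pct == 100,
        "reporting": "rua" in tags,  # aggregate reports requested
    }


if __name__ == "__main__":
    # Constructed records for an imaginary department domain.
    samples = {
        "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "half enforced": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
        "enforced":      "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "weak subdomains": "v=DMARC1; p=reject; sp=none",
        "not DMARC":     "v=spf1 include:_spf.example.com -all",
    }
    print(dmarc_record_name("example.com"))
    for label, record in samples.items():
        print(label, "->", assess_dmarc(record))
```

The useful output is the `enforcing` flag: a domain that has "adopted DMARC" with `p=none` is still spoofable from the receiver's point of view, so a count of domains with a record says less than a count of domains at quarantine or reject with `pct=100` and a strict subdomain policy.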
“You don’t need to beat cybercrime — and it would be unrealistic to think we could,” argued NCSC technical director, Ian Levy. “But we do want to make it as hard as possible and that means making it as unprofitable and risky as we can for cyber-criminals to act in the UK.”
Elsewhere, NCSC CEO, Ciaran Martin, claimed most of the attacks it has had to tackle over the past two years have come from nation states. He has been vocal in the past at calling out Russian attempts to infiltrate critical national infrastructure and destabilize the geopolitical system.
“We are calling out unacceptable behavior by hostile states and giving our businesses the specific information they need to defend themselves. We are improving our critical systems. We are helping to make using the Internet automatically safer,” he said in a statement.
“As we move into our third year, a major focus of our work will be providing every citizen with the tools they need to keep them safe online. I’m confident that the NCSC will continue to provide the best line of defense in the world to help the UK thrive in the digital age.”
Talal Rajab, head of cyber and national security at techUK, welcomed the NCSC’s contribution over the past two years.
“This report documents a vast body of work that has been undertaken including incident response, active cyber-defense, skills and education, industry engagement and protecting CNI,” he added.
“The NCSC is a leader in all of these, working with partners across industry to deliver world-leading cyber-capabilities in the UK. TechUK has been delighted to support these initiatives and is looking forward to increased engagement with the NCSC over the next year.”
An estimated 35 million voter records from 19 states are up for sale on a dark web forum, in what may be an inside job ahead of the mid-terms.
Some 23 million records are up for sale for just three states, although no record counts were provided for the remaining 16 states. The sales price for each voter list ranges from $150 to $12,500 depending on the state.
A crowdfunding project is underway to pay the seller: a move which would offer the full lists for free to members of a particular hacking forum. Records for Kansas have apparently already been published, with Oregon next in line.
Although access to state voter registration lists is provided to political campaigns, journalists and academic researchers, there are rules forbidding their use for commercial purposes or republishing online.
If the seller is telling the truth, this haul could be useful for identity fraudsters and even those who want to interfere in the upcoming mid-terms.
“When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate,” noted Anomali.
“This type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. In a voter identity theft scenario, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter.”
The seller claimed to receive weekly updates of the registration data from contacts within the state governments, which if true could highlight a major insider risk.
“Threat actors frequently recruit and fool insiders into helping them to pull off data theft and abuse schemes. This research seems to indicate that insiders either knowingly or unwittingly helped the nefarious party to obtain voter information,” said Dtex CEO Christy Wyatt.
“Government-sector research we conducted earlier this year revealed that 53% of agencies have been hit with an insider incident.”
The affected states are: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming.
A new vulnerability discovered in Apple’s latest iOS, 12.0.1, released last week, allows an attacker with physical access to a locked iPhone to view its photos, according to Jose Rodriguez, a Spanish security researcher.
While the bypass bug, reported by The Hacker News, does require physical access to the iPhone, it lets an attacker browse the photo albums and send selected pictures via Apple Messages even though the phone remains locked.
Rodriguez reported the bug and provided a proof-of-concept video via YouTube in which he demonstrated various steps of the attack, which starts with an incoming call to the targeted iPhone.
After tapping the "message" option on the iOS call screen, Rodriguez selected the "custom" option, which then displayed the Messages user interface, at which point he entered random letters before calling on Siri to activate VoiceOver.
This latest bug comes only two weeks after Rodriguez discovered two similar VoiceOver vulnerabilities that gave unauthorized access to user contacts and photos, according to AppleInsider.
When the conditions of the bug are met, the iPhone displays a black screen. A left swipe on the black screen delivers an attacker to the photo library. As Rodriguez demonstrated in his proof of concept, a double tap then returns him to the Messages app where he is able to insert images into the Messages text box.
In total, the attack is a 10-step process that works on all current iPhone models running the latest version of the Apple mobile operating system, including the iPhone X and XS devices.
Though the bug is concerning, the attacker must have a “certain level of precision” to perform the process and achieve the desired outcome, said AppleInsider.
Executive-level security professionals fear their organizations are not well positioned to respond to a cyber-attack, according to the results of a new poll from Deloitte.
In a poll of more than 3,150 security professionals across all industries and sectors taken during a webcast on cyber preparedness and war-gaming, survey respondents indicated that in large part, cybersecurity remains siloed. As a result, many employees across the organizations are not well versed in how to respond to a cyber incident. In addition, participants reported that they were only somewhat confident in their organization’s ability to respond to and remediate a cyber incident despite the reality that their organizations had experienced a cybersecurity incident within the past 12 months.
While it's become commonplace to espouse that all employees play a role in cyber awareness, 30% of CEOs and executive-level respondents said their greatest challenge is that employees don’t understand the organization’s incident response plan. That lack of understanding seems to correlate with a lack of resources. For 20% of respondents, a lack of access to the funding, tools and skills needed to respond to cyber incidents is a handicap.
“We used to say it’s ‘not if, but when’ an organization will experience a cyber incident. That message has evolved well beyond a single incident to ‘how often’ or ‘how to respond to and withstand persistent attacks,’” said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP, in a press release.
“Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks.”
Yet nearly half of respondents (49%) said that their organizations do not conduct cyber war-gaming exercises so that all employees can better understand what to do in the event of a cyber incident. As a result, 34% of participants reported not knowing their own role within their organization’s cyber incident response plan.
“Cyber war games are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after and preparing for the next cyber incident,” said Daniel Soo, cyber war-gaming leader for Deloitte cyber risk services and Deloitte Risk and Financial Advisory principal.
“The most impactful war games are those that use live knowledge of an organization’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing and beyond.”
Global exposure to and losses from tech support scams have dropped over the past two years as consumers become more savvy, although in the UK the number suffering financially increased slightly, according to Microsoft.
The computing giant polled over 16,000 internet users in 16 countries worldwide to better understand how trends are evolving.
The latest figures revealed that 63% of consumers experienced a tech support scam, down from 68% in 2016. Those who lost money fell from 6% to 3%.
However, alongside direct monetary loss, a further 8% of consumers spent time and money checking and ‘repairing’ their PCs. That’s not to mention the 76% who reported moderate to severe stress as the result of being hit by a scam.
The report claimed that fewer pop-up ads and windows have helped reduce consumer exposure to the scams. These typically masquerade as alerts from a reputable provider like Microsoft and trick the victim into believing that their machine has been infected.
Consumers are also becoming more skeptical about unsolicited contact from a tech support ‘operative.’
Over a third (38%) said that if they were contacted by ‘tech support’ they’d try to block the company the scammer claimed to come from and 33% would look up the issue online.
Interestingly, younger netizens are more likely to be tricked into handing over their money. This may be because a higher percentage of them are exposed to pop-ups when visiting high-risk torrent sites and the like. Microsoft also warned that these more ‘tech savvy’ youngsters are more likely to be over-confident.
Although the overall figures for tech support scam victims appear to be coming down globally, the UK bucked the trend.
Here, 62% of respondents said they had experienced a scam, with 6% losing money as a result, an increase from just 2% in 2016.
Microsoft urged UK victims to contact Action Fraud.
Salaries for cybersecurity professionals have risen by 6% in one year, double the national average of 2.9%, according to Acumin Consulting’s latest annual Salary Survey.
The firm analyzed 56 key cybersecurity positions across its database of end users, system integrators, consultancies and public sector divisions to provide a holistic view of salaries across organization type and role seniority.
Acumin’s findings revealed that education and compliance roles saw the biggest increases (20%) in the last year, with security analysts also benefiting from an average salary rise of 13%. Those in the role of information security officer saw the lowest increase (1.5%), whilst application security specialists and product directors saw their wages rise by 2%.
“Our 2018 Salary Survey provides a snapshot of the issues that have been driving boardroom agendas this year, namely data protection regulation and user education,” said Simon Hember, group business development director at Acumin. “With the pressures brought down on organizations by the GDPR, professionals with skills in compliance and process are commanding record salaries.”
However, it appears the public sector is failing to meet the salaries being offered by private sector organizations.
“Opportunities for security professionals in the public sector should be booming, especially given the government’s commitment to the National Cyber Security Strategy and GCHQ’s recent drive to recruit 2000 roles to deal with the threat of nation state actors,” Hember added. “However, it’s no surprise that the public sector is struggling to offer the salaries and attractive packages that can be offered by private sector organizations or indeed well-funded security start-ups.”