Cyber Risk News

#DEFCON Vote Hacking Village Refute NASS 'Unfair' Claims

Info Security - Fri, 08/10/2018 - 23:26

DEFCON has hit back at criticisms levied at it by the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines.

In a statement released on 9th August, the NASS said that while it applauded “the goal of DEFCON attendees to find and report vulnerabilities in election systems" it felt it was important to point out that work has been done by states' own information technology teams, and also named the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities as being involved “to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.”

In particular, the NASS said that its main concern with the approach taken by DEFCON “is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security” and while delegates have access to voting machines, NASS said that many of these are no longer in use, and the environment does not "replicate accurate physical and cyber protections established by state and local governments before, and on Election Day." 

The NASS also said that it was concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack was also unrealistic. It said: “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.”

In response, a statement from the DEFCON Vote Hacking Village sent to Infosecurity claimed that the goal of the village is to present the most realistic election network possible, to further the education, discovery, and the free exchange of facts.

“Therefore, the Voting Village made a concerted effort to involve as many local election officials as possible,” it said.

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

In particular, it named the state of Ohio and Cook County, Illinois whose participation enabled the village “to incorporate several key elements of the voting process to replicate the election infrastructure.”

The village also rejected claims that the machines are old and out of use, noting that all but one are still in use.

“We did our public demonstrations with the decommissioned WinVote out of a sense of responsibility to not broadcast a guide to hacking an actively in-use machine to the public,” the statement said.

“We invite NASS and all election machine manufacturers to learn about the vulnerabilities we find this year, and we invite them to participate next year because as we know, cyber threats are constantly evolving and becoming more sophisticated.”

DEFCON’s Voting Machine Hacking Village is the latest village for the Las Vegas conference, following on from initiatives around IoT, lockpicking, and social engineering.

Categories: Cyber Risk News

#Defcon DHS Says Collaboration Needed for Secure Infrastructure and Elections

Info Security - Fri, 08/10/2018 - 19:07

Speaking at DefCon 26 in Las Vegas on the subject of “Securing our Nation's Election Infrastructure”, Jeanette Manfra, assistant secretary, Office of Cybersecurity and Communications from the Department of Homeland Security stressed the need for public and private sector collaboration.

She said that “instead of thinking of individual risk and your own part, try to think about enterprise and government as a whole.”

In terms of critical infrastructure, Manfra said that this is “purely voluntary in the private sector” and includes “everyone working for yourself or your company, and this includes academic institutions and the broader private and public partnership to work together to figure our critical infrastructure.”

She went on to talk about the concept of collective defense, saying that government is “one player in the community,” and with companies and citizens on the front line with government sectors “we have to share information and be transparent and build trust with individuals and entities that we have not done before.”

This was part of finding ways to cooperate on capabilities as “adversaries have taken advantage for a long time” and ways need to be found to reverse the fight.

Looking back at the 2016 election, Manfra said that prior to that attackers had been trying to hack the election process “for decades”, and while it was very difficult to manipulate an election, those running elections are not the most resourced, so the challenge had to be on how to help them ensure their security and use best practices for when they deal with old technology and software.

Joking that she “yearns for the days when only the electricity went out,” Manfra said that adversaries “undermine the traditional concept of democracy, of intellectual property, of privacy, of business and if we don’t come together and figure out how collectively defend, they are going to turn the internet into a model that suits their concept.”

Categories: Cyber Risk News

New Security Awareness Practitioner Certification

Info Security - Fri, 08/10/2018 - 15:45

Recognizing that the weak link in most security chains is human beings, the InfoSec Institute announced a new certification for security awareness practitioners. The Certified Security Awareness Practitioner (CSAP) boot camp is an intensive three-day course that prepares participants in building and managing their organization’s security awareness training program.

Information covered in the boot camp expands across seven domains of knowledge. Students will demonstrate a mastery of understanding in the need for enterprise security awareness training, the security awareness practitioner role and responsibilities, security awareness program planning, development and implementation, managing a security awareness program as a project and common challenges related to security awareness training.

With the goal of making end-user behavior more secure, CSAP will train participants to evaluate human risk and the current corporate culture as it relates to security. In addition, students will be able to assess the current security training programs within their organizations and recognize the areas of weakness that might be making them more vulnerable to attacks.

Critical to the success of any security awareness training program is top-level support, so the course also explores ways to gain buy-in from corporate leadership. The course is designed to make candidates experts at both developing and implementing enterprise security awareness training, so that students can enforce security policies while engaging learners through the training platform best suited to their company.

“The best security awareness programs go beyond routine phishing simulations and training campaigns to sustainably shift workforce security culture. With our new CSAP boot camp and certification we’ll arm program managers with the strategies, tactics and ideas to kick-start a strong security awareness program and reduce cyber-attack susceptibility,” said Jack Koziol, CEO and founder of InfoSec Institute, in a press release.

Registration for the boot camp includes a voucher for the 50-question multiple-choice exam. Students will need to pass the test with a 70% or better to earn the IACRB CSAP certification. Participants have four different options for completing the course, which include interactive, live-streamed instruction; public training boot camps hosted nationwide; customized team training at the client’s location and self-paced, computer-based instruction.

Categories: Cyber Risk News

Risk of Fraud in Mobile Point-of-Sale Device Flaw

Info Security - Fri, 08/10/2018 - 13:34

On the final day of Black Hat USA 2018 yesterday, researchers from Positive Technologies demonstrated how attackers could exploit flaws in mobile point-of-sale (mPOS) devices to charge fraudulent transactions and alter the amount charged during a transaction.

The flaws enabled attackers to execute man-in-the-middle transactions, send random code through Bluetooth or other mobile applications, and change payment values for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also found that the mPOS devices are vulnerable to remote code execution (RCE), which gave an attacker access to the whole operating system of the reader.

The researchers discovered the vulnerabilities in four market-leading mPOS devices – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.

The use of mPOS has grown in the last few years. While it is the endpoint of payment infrastructure, there is no barrier to entry for a device to begin accepting card payments. Thus, mPOS providers are attractive targets to criminals.

“These days it's hard to find a business that doesn't accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.

“Currently there are very few checks on merchants before they can start using an mPOS device and less-scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how," Galloway continued. "As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Even though more than half (58.5 percent) of debit and credit cards in the US are EMV enabled, only 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat, according to Positive Technologies.

“Anyone who is making a payment on an mPOS device should not make the transaction via magstripe but instead use chip and pin, chip and signature, or contactless,” Yunusov said.

“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority.”

Categories: Cyber Risk News

Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene

Info Security - Fri, 08/10/2018 - 11:33

The Center for Internet Security (CIS) refers to an organization's implementation of security controls as its “cyber hygiene,” but a new survey finds that nearly two-thirds of organizations are not practicing good cyber hygiene habits as they have no established benchmarks for implementing security controls.  

The new State of Cyber Hygiene Report by Tripwire surveyed 306 IT security professionals to learn if and how organizations are implementing security controls. Conducted in July 2018 in partnership with Dimensional Research, the survey found that almost two-thirds of organizations admitted that they do not use hardening benchmarks, such as CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.

“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience," said Tripwire’s Tim Erlin, vice president of product management and strategy, in a press release. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward."

Maintaining visibility of their environments is an ongoing challenge for many organizations, which makes it difficult for them to quickly address potential issues such as unauthorized devices. While attackers can launch a successful network attack in minutes, 57 percent of respondents said it takes them hours, weeks, months or longer to detect new devices connecting to their organization’s network.

Despite best practice recommendations, 40 percent of organizations fail to have a weekly cadence of scanning for vulnerabilities, and only half run the more comprehensive authenticated scans. Organizations are also slow when it comes to patches. Deploying a patch can take anywhere from one month to more than a year for 27 percent of organizations.

Additionally, 44 percent do not have a central location for collecting logs from all critical systems, even though 98 percent admit they should be more efficient at checking logs. One fourth of respondents (25 percent) confessed that they are not efficient at all and another 73 percent claimed to be fairly efficient but said that they could improve.

"When cyber-attacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," Erlin said. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."

Categories: Cyber Risk News

Satellite Flaws Raise Aviation Fears

Info Security - Fri, 08/10/2018 - 10:28

Security researchers have revealed new vulnerabilities in satellite communication and on-board operating systems with potentially critical safety implications for the aviation and maritime industries.

IOActive’s Ruben Santamarta authored the first paper, presented at Black Hat yesterday, which is a follow-up to his 2014 research on satcom vulnerabilities.

It details how attackers could exploit the flaws to take control of satcom systems and earth stations on commercial aircraft operated by airlines such as Norwegian, Icelandair and Southwest, and those used by the US military in conflict zones.

Although there was no risk to aircraft safety, the vulnerabilities could be exploited from the ground to attack crew and passenger devices and control satellite antenna positioning and communications, the report claimed.

The impact on the military, however, could be more destructive, if the enemy were able to use the flaws to disrupt or modify on-board satellite comms and/or pinpoint the location of military units.

A separate safety risk lies with satcom generated High Intensity Radiated Fields (HIRF), which the report claimed could be manipulated to launch a cyber-physical attack to “provoke malfunctions in critical navigation systems or even health damages to persons exposed to this kind of non-ionizing RF.”

The issues highlighted in the report have been addressed by the aviation industry, but experts said they should serve as a wake-up call.

“It’s not the first time this year that the security of satellite systems has been called into question, but the news that software vulnerabilities exist in the US national security infrastructure must jolt the global security industry into action," argued Paul Farrington, director of EMEA solutions architects at Veracode. "Security must be built into software from the outset, then it must be continuously, rigorously tested with preventative patching immediately undertaken on vulnerabilities."

The other report, set to be delivered on Sunday, details vulnerabilities in the popular WingOS operating system used by countless airlines around the world to provide Wi-Fi to passengers, as well as hospitals, casinos and even the New York City subway.

They could theoretically be exploited not only to compromise passenger devices but also to move to other more critical systems on board, according to report author Josep Rodriguez.

“Since the attacker now has code execution at the WingOS device, now the attacker can pivot and try to attack these other assets inside the internal network of the New York City subway or at the aircraft scenario,” he explained.

“Obviously, we don't know for sure what is beyond that, but what is clearly obvious is that this is technically possible and clearly this is also a really juicy entry point for attackers that might want to attack other assets in the internal network of that particular scenario.”

Categories: Cyber Risk News

Cops Claim Victory After Busting $1m Phone Fraud Ring

Info Security - Fri, 08/10/2018 - 09:45

Twelve defendants have been charged with offenses relating to a $1m smartphone fraud ring in which over 3300 customer accounts were illegally accessed.

The massive fraud campaign is said to date back to at least 2014. Members of the gang would hijack customer accounts using credentials either phished or bought on the dark web, or even fake ID in store.

They would then physically buy new devices or upgrades in-store, charging the majority of the cost back to the customer’s account. Some also opened new accounts using victims’ Social Security numbers. The devices were mainly sold for profit in the Bronx, according to the Department of Justice.

During the investigation, a Homeland Security Investigations (HSI) team searched a property in Mt Vernon, New York where six of the 12 defendants were found along with 47 electronic devices. Investigators claimed two IP addresses associated with the property were used to access around 3300 smartphone customer accounts and fraudulently purchase at least 1294 devices.

The 11 computers that were also seized contained evidence of a 15-minute “how to” video on smartphone fraud, indicators that they had been used to visit dark web sites, and numerous Google searches relating to fraud.

Each of the 12 has been charged with one count of conspiracy to commit wire fraud, and one count of aggravated identity theft, which could land them a sentence of over 20 years.

“Those arrested today were allegedly part of a fraud network operating in New York, the Dominican Republic and the Darknet. Their activities left a trail of unsuspecting victims across the United States and cost businesses significant losses,” said HSI special agent in charge, Angel Melendez.

“They traveled to 30 states to obtain cellphones that were later sold through fencing operations in the Bronx. Telecommunications fraud is a huge business and where there is a profit to be made by criminals, HSI’s longstanding El Dorado Task Force will follow the money to bring those perpetrators to justice.”

Categories: Cyber Risk News

Smart Cities at Risk from 'Panic Attacks'

Info Security - Fri, 08/10/2018 - 09:04

Security researchers have warned of potentially catastrophic cyber “panic attacks” against smart city systems after revealing 17 new zero-day vulnerabilities.

Threatcare and IBM X-Force Red joined forces to test how resilient intelligent transportation systems, disaster management and the industrial Internet of Things (IoT) are to remote “supervillain-level” attacks.

They found 17 zero-days in systems from Libelium, Echelon and Battelle which included some basic issues such as default passwords, authentication bypass and SQL injections.

However, because these systems often perform crucial tasks there’s a real risk that a bad actor could cause mass panic by exploiting them.

Scenarios could include manipulation of water level sensors to report flooding in an area where there is none, or silencing sensors when there is a flood. Vulnerabilities could also be exploited to trigger radiation leak alarms, or alter traffic management systems to create gridlock in urban areas, the report claimed.

“After we found the vulnerabilities and developed exploits to test their viabilities in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone using a computer,” IBM explained.

“We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.”

The three vendors studied in this survey were described as “responsive” when contacted about the issues and have since released updates to fix the vulnerabilities highlighted.

However, IBM urged more rigorous testing of smart city systems including application scanning and red team exercises. It also suggested IP address restrictions when connecting smart city systems, use of SIEM to spot suspicious traffic and safer password and API key practices.

Categories: Cyber Risk News

#BHUSA The Value of Skills, Education and Experience in Information Security Hiring

Info Security - Thu, 08/09/2018 - 21:51

In a panel entitled “Winning the Information Security Job Hunt” at the Black Hat conference in Las Vegas, moderator Kelly Sheridan from Dark Reading asked panelists Dawn-Marie Hutchinson, executive director and executive advisory at Optiv, and Drew Fearson, head of daily operations at NinjaJobs, about whether there is a skills shortage and what is in the highest demand.

Fearson said the discussion around the skills shortage is interesting as there is a shortage in some countries and some markets, “but it is not as crazy as it is meant to be.”

“There wouldn’t be any shortage if folks were allowed to work remotely,” Fearson said, citing an example of two jobs where the one with a remote working option had 74 applications and one that required working on site in Ohio had no applications.

Hutchinson said, “It is hard to be a security leader and not be in the office, and if you’re not willing to relocate you’re going to have a problem.”

In terms of which skills were in demand, Fearson said that he saw a lot more demand for DevSecOps roles, while Hutchinson encouraged delegates to specialize in one area but to avoid becoming too siloed in their work.

She said, “Focus on one thing you do well and if you’re just starting out, decide where to go and if you’re a risk manager or a compliance person, stay there and own it. When you take on multiple tasks, you become a jack-of-all-trades and a master of none.”

Asked about the value of certifications and experience, Hutchinson said that certs can be valuable if you’re new to the industry and you need to show security knowledge, but don’t focus too heavily on working with one product. 

Said Fearson, “Keep your résumé simple, but add a section on technologies used and skills gained, and add all of your buzzwords there.”

Asked by Infosecurity Magazine about the value of an education that is not in an IT-related subject, Hutchinson said she would not care what an applicant went to college for “but [that] you went to college and you demonstrated that you worked hard in teams and you pursued something that maybe had some ROI in it, maybe not, but I am happy if you went to college.”

Answering the same question, Fearson said, “There is value in having a computer science degree when you’re just starting out, as that shows you get certain things. On the surface level that does help, but once you have some more experience I don’t think it matters.”

Categories: Cyber Risk News

#BHUSA Focus on Hiring and Retaining Female Security Employees

Info Security - Thu, 08/09/2018 - 19:16

Speaking at the Black Hat conference in Las Vegas, Ashley Holtz from NBCUniversal looked at common mistakes and preconceptions in hiring and retaining female cybersecurity engineers.

She said that a lot of studies claim that women are unhappy and discriminated against, while other studies say that careers in cybersecurity are popular because they offer “travel opportunities, flexibility and remote work.” It's important to realize, she said, that not all people are the same but are “affected by the same expectations on being treated fairly.”

Holtz cited industry research claiming that as they advance in their careers, women are more likely to become project managers and people managers and less likely to become technical leaders, and she said that the factors causing this need to be removed early on.

Looking at female-only environments and mentors, and citing research from ISACA, she said that many women do not feel that they need a female mentor, but that having a woman say "I get treated fairly here" would be good. She later said that if there were a female mentor, she would want her to talk about opportunities, but “I do not need a female mentor just because I’m female.”

In terms of the three key areas of hiring, retaining and promoting, Holtz said that women are keen to be evaluated and treated the same as other employees, and she encouraged hiring companies to connect with local hacker and security meet-up groups and consider the language used in job descriptions.

Regarding hiring, she asked where jobs are posted and which higher education partnerships a company has. She also asked companies to consider opportunities for training and how candidates are being selected for interview, whether it is on skills, experience, education or other factors.

For retention of staff, she said that people want recognition, as “it is not always about the individual’s contributions technically but how they work with the team.”

Following on from the earlier talk by Makenzie Peterson on sexual harassment, Holtz encouraged having a way to comfortably report sexual harassment without stigma or retaliation.

Finally, with regard to promotion, she asked if women are actively sponsored and mentored to achieve career goals and if all employees know the success criteria for their roles. “What this means is are they identifying people to get the right training and are they discussing their career goals with them?”

Categories: Cyber Risk News

West Virginia Goes Mobile, Georgians Sue for Paper Vote

Info Security - Thu, 08/09/2018 - 17:00

While the Trump administration grapples with looming concerns over election security, West Virginia’s servicemen and servicewomen stationed overseas will be casting their ballots via a smartphone app, according to CNN. The convenience of voting by mobile devices will likely make it easier for troops living abroad to partake in the upcoming elections, and West Virginia's secretary of state Mac Warner is reportedly confident that the mobile app is secure.

"There is nobody that deserves the right to vote any more than the guys that are out there and the women that are out there, putting their lives on the line for us," Warner told CNN. Yet the option to vote using the mobile app is currently only available to troops serving abroad, which raises questions about how confident officials and security experts are when it comes to election security issues.

“Unfortunately, securing electronic and online voting systems presents us with a set of unique challenges that are notoriously difficult to overcome,” said Sam Small, CSO of ZeroFOX. “In particular, experts in this area must find a way to simultaneously address three key requirements: voter anonymity, verification of individual votes, and end-to-end election integrity."

“Until the scientific community makes further advancements, I'd wager that virtually no credible electronic voting security expert would endorse or encourage plans to run an election on consumer-owned mobile devices,” said Small.

It’s not only mobile device voting that has people concerned. Citizens have been repeatedly told that it is possible for adversaries to compromise electronic voting systems, which is the root of a suit filed earlier this week by a second group of plaintiffs in Georgia. The suit aims to switch Georgia to using paper ballots for the November election rather than using possibly insecure electronic voting machines.

“The preliminary injunction,” said David Cross, partner at Morrison & Foerster, “seeks to achieve what the secretary of state has refused to do: implement an election system in Georgia that is reasonably secure from hacking and other interference.”

Few states still use an electronic voting system, but Georgia does, which means there is no paper trail and no means to audit the election results. “Numerous election security experts, including Prof. Alex Halderman, and federal officials, including members of Congress from both parties, have confirmed the inherent unreliability and vulnerabilities with Georgia’s electronic voting machines,” Cross said.

“Our motion details these vulnerabilities as well as those that are specific to Georgia, including public access to highly sensitive voter registration and other election information, such as passwords of election officials.”  

Categories: Cyber Risk News

A New Guide to Implementing a Successful DLP Program

Info Security - Thu, 08/09/2018 - 16:08

With an ever-expanding attack surface, organizations are at greater risk of having sensitive data leaked, according to Information Security Forum (ISF), which announced the release of its new digest, Data Leakage Prevention (DLP).

Intended to provide guidance to organizations looking to implement a successful DLP program, the paper offers tips on DLP deployment drawn from the experience of ISF members. The authors detail 10 key attributes of a successful program and stress that focusing solely on technology is unlikely to succeed.

Because ISF members have reported that they experience greater success with DLP technologies when used within a dedicated DLP program, ISF recommends implementing a more structured approach to detect and prevent data leaks.

“DLP has gained in popularity as organizations recognize the importance of adopting a data-centric approach to security,” said Steve Durbin, managing director of ISF. “To fully realize the benefits that DLP can deliver, organizations need to take a structured and systematic approach to implementation that extends beyond simply installing DLP tools and technology. Our latest digest will help organizations to prepare, implement and maintain a DLP program, which achieves objectives and demonstrates risk reduction.”

Preventing data leaks is a greater challenge in today’s mobile workforce, particularly with the advent of cloud computing, but ISF said that implementing a DLP program can significantly reduce an organization’s risk of data leakage. According to ISF, DLP tools need to be implemented as part of a formal program supported by the right blend of people, process and technology when deployed in three phases: governance, preparation and implementation.

“A prerequisite of a successful DLP program is support from executive management and ongoing collaboration with business representatives,” continued Durbin. “By implementing a comprehensive DLP program that encompasses awareness training, tools, supporting technologies and other security controls, organizations can compensate for weaknesses in DLP technology and proactively manage the risk. By deploying DLP technology, organizations can be more vigilant in protecting data whilst ensuring that the right people have the right access to the right data at the right time.”

Categories: Cyber Risk News

Hacker Gets a Hole in One with PGA Servers

Info Security - Thu, 08/09/2018 - 15:21
Hacker Gets a Hole in One with PGA Servers

While the 100th PGA of America tournament is under way at Bellerive Country Club in St. Louis, Missouri, it is unclear whether PGA has had access to its servers returned after it was struck with a ransomware attack earlier this week, according to news from Golfweek.

Members of the PGA staff allegedly discovered the attack Tuesday morning when they received a message stating that their network had been hijacked and all files had been encrypted. Golfweek reported that an attacker used malware to lock down official files and then demanded Bitcoin payments be sent to a specified wallet number. The messages to the victims reportedly stated that efforts to decrypt the files “may lead to the impossibility of recovery of certain files.”

Infosecurity Magazine contacted PGA, and a media spokesperson said that they have no comment at this time, but an anonymous source told Golfweek that PGA did not intend to pay the ransom. It was also reported that as of Wednesday, 8 August, PGA officials had not gained complete access to its servers.

According to BleepingComputer, the attackers’ message contained a misspelling of the word “algorithm” that is characteristic of BitPaymer ransomware. BitPaymer’s operators typically gain their initial foothold by brute-forcing Remote Desktop services exposed to the internet, then move laterally within the network to encrypt any computers they can reach.
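The entry technique described above, password guessing against an internet-facing RDP service followed by a successful logon, is one of the few ransomware precursors that shows up cleanly in Windows Security logs before any file is encrypted. The following detection script is an added example, not code from the original article or from the PGA. It reads a simplified one-event-per-line log (UTC timestamp, Event ID, Logon Type, source IP, account); Event 4625 is a failed logon, 4624 a successful one, and Logon Type 10 (RemoteInteractive) marks RDP sessions. The log lines are constructed, the threshold and window are arbitrary tuning values.

```python
"""Flag RDP password guessing that ends in a successful RDP logon.

Added example, not code from the original article or from the PGA.
Input is a simplified Windows Security log, one event per line:
<UTC timestamp> <EventID> <LogonType> <source IP> <account>.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id logon_type source_ip account")

RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4625       # Event ID: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Event ID: an account was successfully logged on

# Constructed sample log (not real PGA data): a burst of failures from one
# address that ends in a success, plus ordinary interactive activity.
SAMPLE_LOG = """\
2018-08-07T02:00:01Z 4625 10 203.0.113.7 administrator
2018-08-07T02:00:03Z 4625 10 203.0.113.7 admin
2018-08-07T02:00:05Z 4625 10 203.0.113.7 pga
2018-08-07T02:00:08Z 4625 10 203.0.113.7 backup
2018-08-07T02:00:11Z 4625 10 203.0.113.7 administrator
2018-08-07T02:00:14Z 4625 10 203.0.113.7 administrator
2018-08-07T02:00:20Z 4624 10 203.0.113.7 administrator
2018-08-07T09:15:00Z 4625 10 198.51.100.22 jsmith
2018-08-07T09:15:30Z 4624 10 198.51.100.22 jsmith
2018-08-07T09:16:00Z 4624 2 - jsmith
"""


def parse_events(text):
    """Parse the simplified log format into Event tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, source_ip, account = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            int(event_id), int(logon_type), source_ip, account))
    return sorted(events, key=lambda e: e.time)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= threshold failed RDP
    logons inside a sliding window. A later RDP success from the same
    address raises the severity: that success is the foothold to act on."""
    recent = defaultdict(list)   # source IP -> failure times inside the window
    alerts = {}                  # source IP -> alert dict
    for e in events:
        if e.logon_type != RDP_LOGON_TYPE:
            continue             # only RDP sessions matter for this rule
        if e.event_id == FAILED_LOGON:
            times = recent[e.source_ip]
            times.append(e.time)
            while times and e.time - times[0] > window:
                times.pop(0)     # slide the window forward
            if e.source_ip in alerts:
                alerts[e.source_ip]["failures"] += 1
                alerts[e.source_ip]["last_failure"] = e.time
            elif len(times) >= threshold:
                alerts[e.source_ip] = {
                    "source_ip": e.source_ip,
                    "failures": len(times),
                    "first_failure": times[0],
                    "last_failure": e.time,
                    "success_time": None,
                    "success_account": None,
                    "severity": "medium",
                }
        elif e.event_id == SUCCESSFUL_LOGON:
            alert = alerts.get(e.source_ip)
            if alert and alert["success_time"] is None:
                alert.update(success_time=e.time, success_account=e.account,
                             severity="high")
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the rule raises a single high-severity alert for 203.0.113.7 (six failures in thirteen seconds, then a successful `administrator` logon) and ignores the one-off failure from 198.51.100.22 and the console logon. In a real deployment the same logic would be fed from the Security channel (or an EDR/SIEM) and the success branch is what should page someone, because at that point the attacker already has an interactive session from which to move laterally.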

Rob Embers, CCO of Dionach, said, “In our experience, and as the PGA ransomware attack illustrates, information security breaches such as this are becoming more frequent across all sectors, not just those that are considered typical targets such as financial services.

“It’s imperative to conduct regular security assessments and remediate against known issues – and improve staff knowledge and awareness so they don’t inadvertently give cyber-attackers a foothold in your IT infrastructure," Embers continued. "In this instance, it seems that the breach involves the loss of creative materials which is undoubtedly costly from a business perspective, but we see cases every month where sensitive customer or commercial data is exposed, compounding the risks of reputational damage and even regulatory penalties.”

Categories: Cyber Risk News

Chinese Cyber-Criminals Take Chances on the Surface Web

Info Security - Thu, 08/09/2018 - 11:05
Chinese Cyber-Criminals Take Chances on the Surface Web

The Chinese hacking community operates by-and-large out in the open, using code words to avoid government scrutiny and benefitting from state support when attacks are aimed outside the country, according to a new report.

While most news analysis of Chinese cyber-attacks focuses on state-sponsored campaigns, there is in fact a thriving and fast-maturing domestic cybercrime underground, according to IntSights’ Dark Side of Asia report.

On the one hand these players are restricted in that the Tor browser is blocked by the Great Firewall, cryptocurrency is banned, VPN use is severely restricted and the authorities can access WeChat communications.

However, where money is involved there will always be a way. IntSights claimed that “clear net” websites are seen as the best way to reach large numbers of customers, with hackers using special code words to avoid scrutiny.

Popular social networks like QQ, WeChat, Baidu Tieba and Baidu Zhidao are used to communicate and advertise everything from DDoS tools and stolen data to forged documents, malware and hacking-as-a-service, the firm said.

“The government does attempt to fight against Chinese cyber-criminals, for example shutting down their websites and making arrests when they can, but due to the sheer number of websites and users in China, even the monitoring and censoring activity being done by the government cannot stop all cyber-criminal activity on the Chinese web,” it claimed.

“While there are tens of thousands of dark websites in Russian and English, the number of Chinese websites is rather small. Moreover, some of the web pages originate from Hong Kong and Taiwan.”

To fill the gap, Chinese cyber-criminals also populate Russian dark web forums to obtain “tools and information” and flood Western sites to sell drugs and other illegal items, the report claimed.

It goes without saying that if a Chinese cyber-criminal or group were to attack a foreign target — for financial gain or in nationalist-fueled hacktivism — the government is likely to turn a blind eye, according to the report.

Categories: Cyber Risk News

Accenture: CNI and Supply Chains at Risk

Info Security - Thu, 08/09/2018 - 09:32
Accenture: CNI and Supply Chains at Risk

Attacks on critical infrastructure and industry supply chains and cryptomining represent some of the biggest threats facing organizations today, according to Accenture.

The firm’s latest Cyber Threatscape Report claimed CNI is an increasingly high value target for cyber-criminals and nation state actors alike, while a wide range of attackers will continue to focus on supply chains as a weak link in the corporate security chain.

“Third- and fourth-party environments provide adversaries with an entry point, even in verticals with mature cybersecurity standards, frameworks, and regulations,” the report noted. “Recent campaigns highlight the challenges of combatting weaponized software updates, pre-packaged devices, and supplier ecosystems as they fall outside the control of victim organizations.”

The consulting giant also pointed to a “radical shift” in the use of cryptocurrency mining malware targeting alternative coins like Monero, a trend likely to continue well into 2019.

The report highlighted a growing cyber-threat from Iran and APT groups using the same TTPs as espionage campaigns but for money-making ventures. The infamous Cobalt Group and Fin7 are just two examples.

While not earth-shattering, the report’s findings back-up many of the trends other industry experts and vendors have highlighted in the past. The NCSC has warned of supply chain attacks this year and increasingly brazen Russian attacks on UK critical national infrastructure in the energy, telecoms, media and other sectors.

A report in July from Check Point revealed cryptomining malware detections more than doubled from the second half of 2017 to the first six months of this year.

In response to these emerging threats, organizations must get more proactive in their thinking about business risk, according to Accenture Security managing director, Josh Ray.

“Learning from previous incidents and understanding what is coming next based on timely and actionable threat intelligence is key to keeping data and systems safe,” he said.

However, a survey from Accenture earlier this year found that 71% of CISOs interviewed believe cyber-threats are still a “bit of a black box; we do not quite know how or when they will affect our organization.”

Further, it found that only 13% of organizations think about future threats when drawing up their security budgets.

Categories: Cyber Risk News

Over 20 Flaws Discovered in Popular Healthcare Software

Info Security - Thu, 08/09/2018 - 08:51
Over 20 Flaws Discovered in Popular Healthcare Software

Multiple vulnerabilities in a popular healthcare software provider’s products may have put at risk the data of over 90 million patients.

OpenEMR develops open source electronic health record (EHR) and practice management tools, which are used to serve an estimated 30 million patients in the US and over three times that number globally.

However, according to a report released by researchers at Project Insecurity this week, its products were riddled with over 20 serious issues.

These included nine separate SQL injection vulnerabilities, four remote code execution flaws and several arbitrary file read, write and delete bugs. Others included a portal authentication bypass, unauthenticated information disclosure, and cross-site request forgery.
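Nine of the reported issues were SQL injection, the class of bug in which untrusted input is spliced into query text and so changes what the query does. The report gives no code, and the following is a generic added example, not OpenEMR's code and not any of the flaws Project Insecurity reported: a lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table of made-up patient rows.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added, generic example; not OpenEMR's code and not one of the reported
flaws. The patient rows are constructed test data.
"""
import sqlite3


def make_db():
    """Create an in-memory table with a few constructed patient records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, mrn TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, mrn, dob) VALUES (?, ?, ?)",
        [
            ("Alice Example", "MRN-0001", "1980-01-02"),
            ("Bob Example", "MRN-0002", "1975-05-06"),
            ("Carol Example", "MRN-0003", "1990-09-10"),
        ],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """Vulnerable: the caller-supplied MRN becomes part of the SQL text."""
    sql = "SELECT name, mrn FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mrn):
    """Hardened: the MRN travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name, mrn FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Tautology payload: the WHERE clause is always true, every row comes back.
    tautology = "MRN-0001' OR '1'='1"
    # UNION payload: pulls a column the query was never meant to expose.
    union = "x' UNION SELECT dob, name FROM patients --"
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, "tautology ->", fn(conn, tautology))
        print(label, "union     ->", fn(conn, union))
```

With the vulnerable function the tautology payload returns all three records and the UNION payload returns dates of birth through a query that only asked for names and MRNs; the parameterized version returns nothing for either, because the database treats the whole string as a value to compare against. The fix is mechanical, which is why a count of nine separate injection points in one product is itself a finding: it points to a code base where concatenation is the habit rather than the exception.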

The group reached out to the vendor on July 7 and gave it a month to fix the bugs before going public.

The firm has now patched “most” of the vulnerabilities disclosed, according to the BBC.

"The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication,” a statement noted.

Healthcare was the industry most affected by breaches (24%) last year, and also the only sector in which insider threats (56%) outweighed those from external attackers (43%), according to Verizon.

Separate research from Thales eSecurity claimed that 70% of global healthcare organizations have been breached.

“Organizations such as OpenEMR who handle sensitive data are a prime target for attackers globally and cannot afford to have any gaps in their cybersecurity,” argued Keith Graham, CTO at SecureAuth Core Security.

“Keeping data available, confidential and safe isn’t just a business issue — it allows healthcare personnel to provide the best patient care possible. This discovery should act as a warning to other healthcare organizations to examine their own cybersecurity posture, including extensive pen testing, and improve their approach to authentication.”

Categories: Cyber Risk News

#BHUSA: Companies Encouraged to Adopt Sexual Harassment Policies

Info Security - Thu, 08/09/2018 - 08:00
#BHUSA: Companies Encouraged to Adopt Sexual Harassment Policies

Speaking at the Black Hat conference in Las Vegas on 'How can Communities Move Forward After Incidents of Sexual Harassment or Assault?', Makenzie Peterson, wellness program director at Cornell University College of Veterinary Medicine, described instances of sexual assault and asked how the community can address the issue.

At the first Black Hat after the emergence of the #MeToo movement against sexual harassment and assault, and after accusations against notable security researchers, Peterson said that sexual violence “is about power and control,” and looked at how best to respond.

“Offer unconditional support, listen to them, tell them you believe them, offer resources and realize that there are resources available in the community, and knowing what is available is really nice, as well as knowing there are people to talk to,” she said. “Also, don’t tell them what to do, and challenge the statements of self-blame.”

She recommended the “listen, validate, refer” method of listening to them and acknowledging that you’re here for them, and refer them to resources.

From a leadership perspective, Peterson said that there are ways that companies can be more progressive on this and she recommended adopting “a clear stance and make it very clear on your platforms” that everyone should know about what is and what is not OK.

She also recommended taking all complaints seriously, training and teaching community members at least twice a year about sexual harassment and what it is and what they can do about it.

Peterson concluded by calling for better prevention, education and accountability. “Sexual violence is not discriminatory, it is very much impacting everyone,” she said.

“Please think thoughtfully about community: always put the survivor at the center of your discussions as they are feeling something worse, and come up with something that people can read and understand and make it known and make it clear and very open, the more open you make the topic the much easier it is for a survivor to come forward in a male community.”

Categories: Cyber Risk News

#BHUSA Reality of Infosec Mental Health Issues Detailed

Info Security - Wed, 08/08/2018 - 23:33
#BHUSA Reality of Infosec Mental Health Issues Detailed

In a talk entitled “Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community” at the Black Hat conference in Las Vegas, two speakers detailed the problems that employees in the industry typically face, as well as the solutions that employees and employers can turn to.

Christian Dameff, clinical informatics fellow at the University of California, San Diego where he is also a security researcher, detailed instances where he was led to feel burned out. The other speaker, Jay Radcliffe, cyber security researcher at Boston Scientific, highlighted the common symptoms of burnout including “feeling cynical, no satisfaction from accomplishments, dreading going to work and no work life balance” which he said were “prevalent in the information security community.”

Radcliffe said: “I’ve seen friends leave and find new jobs after a year as they are burned out and tired of the rigmarole, and only working and traveling.” 

The two speakers said that there are many options for resolving such issues, including counselors, clinicians, therapists and psychologists, with the latter “trained and providing therapy for mental health conditions,” according to Dameff. He recommended the C-SSRS (Columbia-Suicide Severity Rating Scale) screening tool, and noted that self-tests are available for depression.

Speaking to Infosecurity about what businesses can do, Radcliffe said he felt that small things can make a difference, such as making sure employees take their vacation time and checking in on those who are over-burdened all of the time.

He said: “If you think your employees have a lot of burnout, then do a burnout survey and actually measure your employees. Have them fill it out on a quarterly basis and if they show symptoms of burnout then you can make changes so that they are aware of that burnout and do something about, it like make vacation mandatory or change their work schedules.”

Radcliffe acknowledged a “hero complex” in information security, a habit of taking on work regardless of the cost. “This gives us value and it makes us feel like valuable employees, but it is unhealthy,” he said.

Dameff said that there are often privacy concerns around burnout surveys, and people are often worried about confidentiality. “A feeling that if my score was really high, I’m forced to go on vacation and my colleagues have to pick up the slack, so therefore I am depressed: you’ve got to be really careful about stuff like that,” Dameff said.

“But Jay is right, you’ve got to be able to see the trends and anticipate them and indicate how bad it is going to be, and figure out alternative strategies so you can keep people healthy and happy and sane.”

Categories: Cyber Risk News

#BHUSA Politics and Cyber-Defense Are Colliding

Info Security - Wed, 08/08/2018 - 21:19
#BHUSA Politics and Cyber-Defense Are Colliding

Opening Black Hat USA in Las Vegas, Black Hat founder Jeff Moss commented on the convergence of cybersecurity and political issues and said that world events “have caught up with us and we’re being tested.”

He said that while offense is a purely technical endeavor, defense is “largely political” in its spend, its strategy and in what is being defended.

“I believe the technology we are delivering favors offense, the machine learning, the reinforcing algorithms, so the momentum is on offense, but in defense we’re stuck with politics,” he said.

Moss claimed that a culture still needs to be built around defense, whereas offense already has one.

“What are the political issues we’re facing? GDPR compliance is pretty political, you cannot twiddle a router and fix GDPR," he said. "Soon we might have a California law to deal with and more third-party agreements as we move more and more to the cloud, [and] that’s a political decision, too."

“If you look at some of the problems Facebook had with data retention," he continued, "and Cambridge Analytica got their hands on some data, how do you claw that data back? Who has access to your data and what are they doing with it? Not a technical thing; it sounds more political.”

Because of this, Moss said, business models are running into political models. So if your business model is to "connect the world’s users" but you’re dealing with a government whose model is to “control consent for the stability for society,” there is going to be some conflict.

“We’re starting to see that on a global scale,” he said. “That is ratcheting up the tension, and that seems new to me. That is why we are in the final exam stage, where all of these issues are conflating, and they are going to look to us for answers. It’s going to be people in this room who are involved in these conversations. Together we can probably figure this out.”

He said that it feels like the adversaries have strategies while we have tactics, and that's not good.

Moss concluded by saying that there are maybe 20 companies in the world that are in a position to raise the level of security and resilience for all of us. “I cannot fix the problems in the Microsoft operating system, only Microsoft can do that,” he said. “So if we politically influence Microsoft to build a better product, that will help everyone on the planet.”

Categories: Cyber Risk News