Cyber Risk News

Cybercrime Jumped 23% Over Past Year, Says ONS

Info Security - Mon, 07/20/2020 - 08:50
Cybercrime Jumped 23% Over Past Year, Says ONS

Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS).

The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020.

The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6745 cases.

The double-digit increase in reported cybercrime came in spite of improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018 which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said.

On that note, when fraud is added to computer misuse, there was an increase of just 12% in cases reported to the NFIB over the period. 

The ONS claimed that its Crime Survey for England and Wales (CSEW) is a more accurate indicator of true levels of cybercrime in the region as it includes incidents that go unreported to the police. However, it only captures incidents reported by individuals.

“In the year ending March 2020, CSEW-estimated computer misuse offences did not change from the previous year, remaining at around 900,000 offences,” it noted. Fraud reported to the survey also remained pretty static, at 3.7 million cases.

George Glass, head of threat intel at Redscan, argued that the data behind the ONS report is still beset by quality issues.

“I still think this latest Crime in England and Wales report paints an inaccurate picture of computer misuse and online fraud cases in the UK. Action Fraud has been branded not fit for purpose for its failures to review reports from scam victims,” he added.

“This is the reason that the reporting system has now been overtaken by the NCSC. You only need to look at the huge numbers of reports of COVID-19 related scams to know that the situation is far worse than represented by these latest statistics.”

Categories: Cyber Risk News

Twitter Confirms 130 Accounts Hacked

Info Security - Fri, 07/17/2020 - 18:54
Twitter Confirms 130 Accounts Hacked

Twitter has revealed the true extent of this week's large-scale cyber-attack that saw the accounts of multiple celebrities compromised. 

The social media giant said a total of 130 accounts were targeted as part of a major cybersecurity incident that took place two days ago.

Following the attack, what appeared to be a Bitcoin scam was tweeted from the hijacked accounts of some of the world's most famous public figures, including former US president Barack Obama, Kanye West, Bill Gates, and former US vice president Joe Biden.

The fraudulent tweet posted from the highjacked accounts made it appear as though the victim was planning to give back to their community by making a financial donation. The post invited the victim's followers to give $1,000 in the next 30 minutes, tempting them with the lure that their donation would be doubled by the account's owner.

At first the attackers tweeted about the supposed charity drive from Bitcoin-related accounts, but it quickly spread to the accounts of public figures, including Elon Musk and Kim Kardashian West, and to the corporate accounts of Uber and Apple. 

Spotted by many as an obvious scam, the Bitcoin charitable donation tweet fooled hundreds of Twitter users and earned the cyber-attackers over $100k. 

In an effort to contain the attack, Twitter temporarily blocked all verified users from tweeting. 

According to Twitter, the successfully compromised accounts represented a "small subset" of the total number of accounts the attackers had in their crosshairs. 

The company has launched an investigation into the incident but has so far been unable to determine whether any private data was stolen. Such information could include the content of direct messages.

Providing an update to the situation via its official support account, Twitter stated: "We're working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised."

An investigation into the cyber-attack has been launched by the Federal Bureau of Investigation. It is believed that whoever was responsible was able to bypass account security protections by somehow gaining access to Twitter's own internal administration tools.

Categories: Cyber Risk News

Court Rules German Police Receive Too Much Data

Info Security - Fri, 07/17/2020 - 18:00
Court Rules German Police Receive Too Much Data

German law has been deemed inadequate at protecting the constitutional right of German citizens to privacy.

The federal Constitutional Court in Karlsruhe ruled that the extent to which the German police can access people's internet and cell phone data was unconstitutional and that the country's privacy laws need to be revised. 

Currently, German law enforcement agencies investigating crimes or working to prevent terror attacks are permitted to access names, addresses, birth dates, and IP addresses from telecom companies, hospitals, and hotels without the approval of a judge. However, they are not allowed to access data regarding an individual's connections to other people.

The ruling comes after campaigners voiced a challenge to the country's existing privacy laws, requesting that German police should only be allowed to access phone and internet data if a crime is suspected and in the event of a specific danger.

Proving that the wheels of justice really do turn slowly, the first of two lawsuits created to challenge the police's access to data was filed to the court back in 2013. The suit, which was backed by 6,000 people, was brought by European Pirate party politicians Katharina Nocun and Patrick Breyer.

The plaintiffs complained that German police were routinely given access to data including PIN numbers and email passwords from a variety of sources when investigating relatively minor crimes. 

Nocun and Breyer said that the sweeping access to users’ private data permissible under German law risked the creation of “a new secret police of the internet that can ransack and scan our most intimate thoughts.”

The Constitutional Court ruled that investigators can be given access to the data of users in principle, but that it needs to happen in a way that doesn't impinge on a citizen's right to privacy. 

Following the court's ruling, the German government must now obey an order to reform the nation's Telecommunications Act by the conclusion of 2021. The Act was last revised in 1996.

Revision of the Act is likely to impact how a newly enshrined law designed to combat far-right extremism is upheld. The law requires Facebook, Twitter, and YouTube to report hate speech to police and delete harmful content within 24 hours of its being posted.

Categories: Cyber Risk News

CISA Issues Emergency Vulnerability Warning

Info Security - Fri, 07/17/2020 - 17:01
CISA Issues Emergency Vulnerability Warning

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has given all government agencies 24 hours to fix a critical vulnerability in Windows Server.

An emergency directive was issued yesterday instructing agencies to deploy patches or mitigations by 2pm EDT today to resolve the CVE-2020-1350 vulnerability, also known as SIGRed. 

The flaw is a remote code execution vulnerability that exists in how Windows Server is configured to run the Domain Name System (DNS) Server role.

An unauthenticated attacker can exploit the vulnerability by sending malicious requests to a Windows DNS server. The attacker could then run arbitrary code in the context of the Local System Account.

According to the emergency directive, "CISA has determined that this vulnerability poses unacceptable significant risk to the Federal Civilian Executive Branch and requires an immediate and emergency action."

A software update to mitigate this critical flaw in Windows Server operating systems was released on July 14 by Microsoft. Now CISA is ordering all government agencies to apply the fix to every Windows Server running the DNS role and to submit an initial status report by 2pm EST on Monday, July 20. 

To Lamar Bailey, director of security research and development at Tripwire, the urgency of CISA's directive is understandable. 

“CVE-2020-1350 (SIGRed) is one of the most serious vulnerabilities disclosed this year," commented Bailey. "It scores a CVSS score of 10." 

CISA said it is "unaware of active exploitation of this vulnerability," but Bailey believes that even if this is the case, the situation could change in the immediate future.

"It is plausible to believe this is currently being exploited in the wild or will be very soon," said Bailey. "It is time to burn the midnight oil and get this patched ASAP.”

CISA's actions come after experts warned of the dangers of SIGRed earlier this week. Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle the vulnerability as a "number one priority" after the patch was released on Tuesday. 

US government agencies have until 2pm EST on Friday, July 24 to submit a completion report, confirming that the vulnerability has been neutralized.

Categories: Cyber Risk News

DPOs Encouraged to Act Now on Invalid Privacy Shield

Info Security - Fri, 07/17/2020 - 11:30
DPOs Encouraged to Act Now on Invalid Privacy Shield

Businesses should prepare for the post Privacy Shield era now, and get binding corporate rules (BCR) and standard contractual clauses (SCC) in place for their own data protection.

Speaking on a conference call after the earlier decision around Privacy Shield being declared invalid, Cordery partners Andre Bywater and Jonathan Armstrong called the announcement “among the most eagerly awaited” in the field of data protection.

Bywater advised listeners that it is worth them doing some due diligence “to see who they are sending data to so they are fully protected.” He said he had not expected Privacy Shield to be invalidated, and it has been declared invalid due to concerns around US domestic law and the access and use of European residents’ data.

With it appearing unlikely that there will be any type of grace period, he recommended putting in SCCs where there is an issue. An SCC is an obligation imposed on both the exporter and the importer of data between the EU and third countries to ensure that data transfer arrangements protect the rights and freedoms of data subjects.

Armstrong said it may be the case that SCCs are “probably the only game in town for people” and depending on national challenges, we “could end up with the nightmare where some authorities accept SCCs and some do not.”

Armstrong explained that he does not expect a new and improved version of the Privacy Shield, and while there are more groups that have brought challenges, he is not convinced there would be any short term solution. “We are in a different world post-GDPR, and there are more powers to enforce, so Data Protection Authorities (DPAs) have to step up,” he said. He also argued that any new version of Privacy Shield would “be likely to have more teeth as a result.”

Asked by Infosecurity if BCRs are a better option, Armstrong said they have a different foundation in GDPR and are specifically there to transfer data, but this cannot be done overnight and a sponsoring DPA will need to be found to approve it and take it to other regulators, and that process could take eight to nine months minimum. “It is not a quick fix and you will need interim plans,” he said.

Looking forward, Armstrong said that had Facebook still completed data transfers last night, it could have problems and this could be an overall concern for social media companies. “Most organizations have got to react today or tomorrow and have a plan, it will not be foolproof and include communications and FAQs,” he said.

“There may be some political fudge, and there may be a ‘keep calm and carry on’ message from (vice-president of the European Commission for Values and Transparency) Vera Jourova, as she has bigged-up privacy rights and this is a difficult political tightrope for her and enforcement will be proportionate to give her a chance to create a plan, but aggrieved individuals and pressure groups are not as patient as a regulator could be.”

Bywater said regulators will be taking a much closer look at SCCs and may ask to see them and see where you transfer data, “so take a closer look at what you have in place as this is not something that will go away.”

Categories: Cyber Risk News

Government Promises IoT Security Enforcement Body

Info Security - Fri, 07/17/2020 - 10:30
Government Promises IoT Security Enforcement Body

A new enforcement body could have the power to ban, recall or destroy insecure consumer IoT products, according to the latest government plans.

The UK is looking to take a global lead on IoT security with proposed legislation first published at the start of the year.

In an update yesterday it revealed that a new body would be set up to enforce the law, with powers to: temporarily ban sales while a product is tested, permanently ban insecure products and serve recall notices.

Under the proposals, it could also be granted the power to apply for a court order to confiscate or destroy a dangerous product or issue fines against the manufacturer.

Earlier in the year, the government revealed that the law will mandate three main security requirements for all smart gadgets sold in the UK.

These are: unique device passwords which are not resettable to factor defaults, a public point of contact at the manufacturer to report bugs to and clearly visible information stating the minimum length of time updates will be available for.

It remains to be seen how the UK would actually enforce a ban on the sale of non-compliant IoT kit, especially products manufactured abroad and sold online, as most are.

That hasn’t stopped the government trumpeting its efforts as a leader in this area: it claimed to have been instrumental in helping to develop the recently announced global ETSI standard for consumer smart devices.

The government is now requesting feedback from industry stakeholders to help it shape the final enforcement approach.

“Consumer IoT devices are increasingly delivering on their potential to improve consumers’ lives, with smart speakers, activity trackers and smart kitchen appliances a few notable examples,” said techUK CEO Julian David. “However, poor security practices have consistently slowed the adoption of these devices, acting as a barrier to UK citizens reaping the benefits of the latest innovations and products.”

Categories: Cyber Risk News

Cloud Configuration Error Exposes 260,000+ Actors

Info Security - Fri, 07/17/2020 - 09:40
Cloud Configuration Error Exposes 260,000+ Actors

More than 260,000 actors have had their personal data exposed thanks to yet another misconfigured cloud server.

Researchers at SafetyDetectives led by Anurag Sen discovered the unprotected Elasticsearch server, which contained 1GB of data, amounting to 9.5 million records.

It apparently belonged to New Orleans-based casting agency, which has recruited actors for Terminator movies, TV show True Detective and other productions.

The “talent profiles” found in the trove included full names, residential and email addresses, phone numbers, dates of birth, height and weight, photographs and vehicle information.

In total, over 260,000 members had their data exposed in this way, including potentially actors under the age of 18, according to SafetyDetectives.

It warned that the leaked email addresses and personal data could be used to send convincing phishing emails impersonating MyCastingFile, in order to trick users into clicking through on malware downloads.

“Photographs provided by users can be harnessed to conduct scams involving facial recognition such as identity fraud, as well as being used to create multiple illegitimate profiles, to carry out what’s known as ‘catfishing’ — the act of luring someone into a relationship by means of a fictional online persona,” it added.

It’s believed the database was exposed since May 31 2020, but the researchers said the issue was fixed following their disclosure.

Pravin Kothari, founder and CEO of cloud security vendor CipherCloud, argued that avoiding misconfigurations in the cloud is increasingly challenging.

“These issues most frequently revolve around a lack of visibility into faulty controls, not a lack of effort,” he added.

“Perhaps the biggest hurdle, even greater than monitoring for risky configurations, as in this case, relates to better management of cloud data itself. We find that organizations are moving so fast to embrace cloud apps and infrastructure that they cannot maintain visibility into all the issues of data protection and access required to prevent subsequent breaches.”

Categories: Cyber Risk News

Russia Operatives Accused of 2019 Election Interference

Info Security - Fri, 07/17/2020 - 08:30
Russia Operatives Accused of 2019 Election Interference

The UK has accused Russia of interfering in the 2019 General Election by spreading online leaked government documents revealing negotiations with the US on trade.

A statement from the foreign secretary Dominic Raab branded the practice “completely unacceptable.

“On the basis of extensive analysis, the government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online amplification of illicitly acquired and leaked government documents,” it noted.

The documents, which eventually ended up in the hands of former Labour leader Jeremy Corbyn, detailed how the NHS was being used by the US as a bargaining chip in post-Brexit trade talks.

Raab avoided accusing the Kremlin of directly stealing the documents, which The Guardian claimed “are thought to have been obtained via a government special adviser’s personal email account.”

However, they were allegedly disseminated online by alleged Russian actors. They were posted first on Reddit last October by a user named “Gregoriator,” and then via Twitter by a user with the same name.

Social media analysts at Graphika reportedly claimed the spelling and grammatical mistakes in those posts are common to Russian language speakers, and the amplification techniques used are also said to be straight out of the Kremlin playbook.

The timing of Raab’s statement could be significant, as it comes ahead of a long-awaited intelligence report into whether Russia has influenced the democratic process in the UK, including the EU referendum.

Prime Minister Boris Johnson and senior ministers have long dismissed such claims and Johnson has delayed the report’s release for many months.

“Today’s government claim is an attempt to divert attention from the threat to the NHS and the Tory party links to Russian oligarchs expected to be revealed in the long-buried parliamentary Russia report,” said former Labour leader Corbyn yesterday.

The news comes as the National Cyber Security Center yesterday revealed that Russian hackers were actively attempting to steal IP related to US, UK and Canadian efforts to find a COVID-19 vaccine.

Categories: Cyber Risk News

Over Half of Canadians Victims of Cybercrime

Info Security - Thu, 07/16/2020 - 17:30
Over Half of Canadians Victims of Cybercrime

More than half of Canadians have fallen victim to a cybercrime, according to a new report by the Cybersecure Policy Exchange (CPX) at Ryerson University in Toronto. 

In the report Advancing a Cybersecure Canada: Introducing the Cybersecure Policy Exchange, the CPX revealed that 57% of Canadians say that they have been a victim of a cybercrime. 

This percentage is a significant increase from 2017, when, according to an Accenture survey, just 36% of Canadians reported being the target of a cybercrime attempt. 

The findings came from a survey of 2000 Canadians conducted in mid-May 2020 that sought to understand the experiences, choices and priorities of the public toward their online safety. 

Of the five types of cybercrime listed in the survey, the most commonly encountered was ransomware or an unintentionally installed or downloaded computer virus or piece of malware, with the former being experience by 8% of respondents and the latter by 31%.

Data breaches proved problematic for more than a quarter of those surveyed, with 28% reporting that their personal information had been exposed through a cybersecurity incident of this nature. 

While the majority of those surveyed had not experienced a hack of an online account, 22% had fallen victim to this particular cybercrime. A malicious email or spoofed website had managed to deceive 13% of those surveyed.

CPX was launched earlier this year with a mission to “broaden and deepen the debate and discussion of cybersecurity and digital privacy policy in Canada, and to create and advance innovative policy responses, from idea generation to implementation.”

With the publication of the report, the initiative hopes to stimulate a national debate around cybersecurity and digital privacy.

“We need urgent national policies that protect our security and digital privacy, while ensuring equal access for all,” said one of the report authors, Charles Finlay.

CPX maintains that there is an urgent need to address the security and privacy risks and vulnerabilities facing Canadians online. 

“To do so, our governments, our public and private institutions, and all Canadians, must demonstrate leadership, to ensure that we create and implement balanced public policy that will drive innovation while responsibly protecting Canadians,” stated the authors of the report.

Categories: Cyber Risk News

Tech Giants Sued Over Biometric Privacy

Info Security - Thu, 07/16/2020 - 17:24
Tech Giants Sued Over Biometric Privacy

Online retail giant Amazon and tech leaders Microsoft and Google are reportedly being sued for allegedly violating a biometric privacy law in the state of Illinois. 

Cases against the companies were brought on Tuesday by two residents of the Prairie State, Steven Vance and Tim Janecyk. 

The plaintiffs allege that the three companies obtained a database from IBM that contained 100 million faceprint pictures scraped from the photo-hosting site Flickr

IBM's Diversity in Faces database was released in January last year. The database was coded to describe the appearance of each subject and touted as a step toward eradicating bias in facial recognition. 

Images added to the database were reportedly taken from Flickr without obtaining the consent of the individuals whose faces were photographed. 

Collecting or storing scans of a consumer's facial geometry without their written consent is outlawed in Illinois under the Biometric Information Privacy Act, passed in 2008. Vance and Janecyk say their images were included in the data set without their consent, despite the fact that they identified themselves as residents of Illinois. 

In four separate class-action lawsuits filed in two different states, the duo alleges that Amazon, Microsoft, Google parent Alphabet, and software company FaceFirst violated Illinois law by obtaining the IBM database "to improve the fairness and accuracy" of their own facial recognition technologies and products. 

According to the suit, the defendants "chose to use and profit from biometric identifiers and information scanned from photographs that were uploaded from Illinois; managed via Illinois-based user accounts, computers and mobile devices, and/or created in Illinois.

"In doing so, [the defendants] exposed Illinois residents and citizens to ongoing privacy risks within Illinois, knowing that [their] conduct would injure those residents and citizens within Illinois."

The lawsuit against FaceFirst was filed in the Central District of California, while the complaint against Google parent Alphabet was brought in federal court in the Northern District of California. Suits against Amazon and Microsoft were filed in the Western District of Washington.

Vance and Janecyk brought a case against IBM earlier this year for allegedly breaking the same Illinois privacy law when they created the database. That case is pending in Illinois' federal district court.

Categories: Cyber Risk News

FBI Issues Cybersecurity Warning to Air Travelers

Info Security - Thu, 07/16/2020 - 15:40
FBI Issues Cybersecurity Warning to Air Travelers

The Federal Bureau of Investigation has issued a warning to air travelers to be wary of bogus US airport websites when booking flights online. 

Cyber-supervisory special agent Conal Whetten spoke to members of the press on Wednesday to raise awareness regarding the creation of a number of websites cleverly faked to look like the real deal.   

Whetten said these spoofed domains, which grow increasingly sophisticated as cyber-criminals hone their skills for mimicry, posed a real threat for travelers, airports and the aviation industry as a whole. 

By establishing a malicious domain that appears to feature an organization’s logo, font, color scheme, and writing style, cyber-criminals are frequently able to fool users into thinking that they are on a site that is authentic and safe to use. 

“They do this to steal personal and business data,” explained Whetten, “and US airports are an attractive target for cyber-actors because there is a rich environment of business and personal information.”

The malicious lookalike websites are created with domain names that are virtually the same as the site they are impersonating, often with just one character altered. This subtle difference can easily go undetected.

According to Whetten, criminals create these fake domains to spread malware capable of compromising a user’s personal or business data. The theft of this data can ultimately lead to identity theft and financial loss.

“They can use your social media lists to scam your friends and family, even order fraudulent purchases from online businesses, ultimately leaving you with the bill,” said Whetten.

The threat doesn’t stop once tickets have been booked, with criminals banking on airport users reaching for an IoT device at the airport to pass the time before they fly.

“Cyber-actors can capitalize on this sector by creating spoof domains and Wi-Fi networks, which can trick both passengers and airport operators into interacting with malicious websites or emails,” said Whetten.  

The agent advised users to disable or remove all unnecessary software protocols and portals and to use multi-factor authentication where possible. 

Describing just how widespread this particular cybercrime is, Whetten said: “Over 96% of companies suffer from domain spoofing attacks in one form or another.”

Categories: Cyber Risk News

Three-Quarters of UK Businesses Facing Compliance Problems Following Lockdown

Info Security - Thu, 07/16/2020 - 15:20
Three-Quarters of UK Businesses Facing Compliance Problems Following Lockdown

Three-quarters (75%) of UK data protection officers (DPOs) anticipate the Covid-19 lockdown will cause difficulties in meeting data compliance obligations, potentially leading to large fines, according to a study by Guardum.

In the survey, 72% of DSOs expect a backlog of data subject access requests (DSARs) upon returning to the office, while 3% are concerned there will be a “mountain” of DSARs to complete when they go back.

Additionally, 30% of DPOs believe there will be a massive increase in DSARs over the next six months. Furloughed or laid off employees during the pandemic will be a major driver of this growth according to 73% of respondents, while one in five said it will be the biggest single factor.

Under GDPR rules, if requested, organizations must provide data subjects with a copy of their personal data within 30 days or face the prospect of a maximum fine of up to €20 million or 4% of turnover from the Information Commissioners Office (ICO).

The findings suggest that HR personnel will face substantial data compliance challenges once the UK government’s furlough scheme ends in October. Under the scheme, the government pays a portion of the wages of employees who would otherwise lose their jobs during the crisis. It is expected that as the scheme is wound down, however, many of these workers will be made redundant.

Rob Westmacott, co-founder of Guardum, commented: “HR personnel will soon find themselves at the sharp end in dealing with large DSAR volumes raised by disgruntled former employees. If DSAR volumes reach the record levels DPOs expect then firms will struggle to meet their 30-day turn-around obligations using conventional manual processes.

“DSAR requests can be time consuming and costly: maintaining the privacy of any third parties means that the process of redaction will become impossible to manage effectively without some form of automation.”

The report also found that 46% of all DSARs received by mid to large-sized organisations are from employees or contractors, while one-third (33%) comes through legal representation, with ex-employees making up 15% of this portion.

Categories: Cyber Risk News

Russian APT Crew Actively Target #COVID19 Vaccine Developers

Info Security - Thu, 07/16/2020 - 14:46
Russian APT Crew Actively Target #COVID19 Vaccine Developers

State-sponsored hackers are actively targeting organizations involved with the development of a COVID-19 vaccine. 

According to the NCSC, the threat group APT29, which has been named 'Cozy Bear' and is believed to be associated with Russian intelligence, has been targeting UK, US and Canadian vaccine research and development organizations. 

Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and working against those doing vital work to combat the coronavirus pandemic.

“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”

APT29 typically conducts widespread scanning in an effort to obtain authentication credentials to access systems. “In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC reported. “The group then deployed public exploits against the vulnerable services identified.”

The NCSC’s advisory claimed the group uses a variety of tools and techniques, including spear-phishing and custom malware known as 'WellMess' and 'WellMail.' WellMess is lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods.

WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server. Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers.

The NCSC has been supported by partners at the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

John Hultquist, senior director of intelligence analysis for Mandiant Threat Intelligence, said it was no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure, as “COVID-19 is an existential threat to every government in the world.”

He said: “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg-up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Categories: Cyber Risk News

Award-Winning Tech Expert Joins Arcserve as New CTO

Info Security - Thu, 07/16/2020 - 14:15
Award-Winning Tech Expert Joins Arcserve as New CTO

Data and ransomware protection provider Arcserve today announced the appointment of award-winning tech veteran Ivan Pittaluga as its new chief technology officer (CTO).

Pittaluga brings a proven record of leading advances in service delivery and transformational technology in the high-tech space to the role. As Arcserve’s new CTO, he will oversee the strategy and development of the company’s portfolio of backup, disaster recovery, continuous availability, migration and archiving solutions.

“The world of data protection is rapidly evolving, fueled by unprecedented challenges from a larger data attack surface and increasingly prevalent cyber-threats,” said Tom Signorello, CEO at Arcserve.

“The addition of Ivan will accelerate our market-first solutions to these, and other business continuity challenges, with his recognized history of driving organizational change and delivering technology that changes the way companies do business.”

Pittalauga previously served as vice-president of data protection and governance for Veritas Technologies and has held senior engineering positions at Symantec, Commvault, Legato Systems (Dell EMC) and Mastercard.

“We’re living in a digitized economy, and enterprises today can no longer risk exposing their data to cyber-threats or loss,” said Pittaluga. “Equally important are the new forms of data and environments that will emerge from rapid innovation in the cloud – all of which will need comprehensive protection. Arcserve’s 30-year experience and foresight to anticipate market shifts uniquely positions it for an exciting chapter of innovation, which I’m pleased to be a part of.”

Categories: Cyber Risk News

EE Launches Identity Checker to Help Fight Customer Fraud

Info Security - Thu, 07/16/2020 - 12:45
EE Launches Identity Checker to Help Fight Customer Fraud

Mobile operator EE, part of the BT Group, has today announced the launch of its new Digital Identity platform designed to help protect customers against becoming victims of fraud.

The platform offers a series of online identity checks that guard against fraud in real time, making customer transactions safer and supporting banking partners in the UK to detect SIM swapping fraud and prevent further fraudulent activities.

The platform’s ‘Sim Swap’ checker allows businesses to know when a customer’s SIM was last changed, as a recent change could indicate potential fraud. That data is then used to block financial transactions from taking place until further identity checks are carried out.

A ‘Call Divert’ feature allows for the confirmation that no call diversions have been put in place on a phone number (a key sign that sim swapping fraud has taken place) whilst the platform can also help prevent fraudulent online account sign ups with its ‘Know Your Customer’ product. This grants businesses the ability to confirm a user’s identity by cross-checking new customer data with data held in the EE databases to see if a phone has been reported lost or stolen.

Christian Thrane, managing director of consumer marketing at BT, said: “At BT and EE, we are committed to innovating to help protect customers from fraud and are already working closely with a number of industries, including banking, eCommerce and gaming, to protect millions of transactions every day. We are continuing to move into new sectors to help prevent even more fraudulent activity, so consumers across the UK can be confident in the safety of their online experiences.”

Categories: Cyber Risk News

EU Court of Justice Deems Privacy Shield Unlawful

Info Security - Thu, 07/16/2020 - 11:45
EU Court of Justice Deems Privacy Shield Unlawful

The EU-US Privacy Shield has been declared invalid, meaning it is now unlawful to transfer personal data to the USA using it.

In a judgment announced today, the Court of Justice of the European Union (‘CJEU’) ruled that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful.

The decision follows a case brought against the privacy campaigner Max Schrems against Facebook Ireland, when Facebook Ireland said it could not ensure adequate privacy protections for users in Europe with respect to their personal data sent to Facebook in the United States. This was due to the different nature of the US legal system's rules on national security, privacy and data protection.     

Initially, the Privacy Shield was negotiated with the US Department of Commerce between 2015 and 2016 to remedy the collapse of the Safe Harbour agreementin 2015, when the first Schrems case brought the end of that procedure.  

Amanda Brock, CEO at OpenUK, said: “The question really is how to bridge the gap between the UK and European privacy requirements and the fact that the US does not meet the ‘adequate protections test’, despite a huge number of European companies in our platform economy processing personal data there.

“If business goes down the route of a further sticking plaster, then it runs the risk of Schrems 3. It really is time for us to look long and hard at the issues cause by the US approach to privacy.”

However the CJEU has upheld the validity of the Standard Contractual Clauses scheme, thereby providing a safety net for transatlantic business. Also, EU data protection authorities will have a new role in assessing third countries’ protection and could ban exports of data to certain countries, and data exporters and importers using the standard contract clauses must verify the level of protection in the third country first.

Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said this “will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually.”

The judgement determined the General Data Protection Regulation (GDPR) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards.

In particular, the declaration was on decision 2016/1250, which refers to the adequacy of the protection provided by the EU-U.S. Privacy Shield, and that has been declared invalid.

Toni Vitale, partner and head of data protection at JMW Solicitors, said: “Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilized in the USA.

“The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary.

“As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.”

Schrems said he was very happy about the judgement. “This is a total blow to the Irish DPC and Facebook,” he said. “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.

“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."

Categories: Cyber Risk News

#COVID19 Accounted for Massive Increase in Q1 Phishing Trends

Info Security - Thu, 07/16/2020 - 11:30
#COVID19 Accounted for Massive Increase in Q1 Phishing Trends

Just over 10% of all phishing attempts in Q1 were related to COVID-19.

According to research by Positive Technologies, 13% of phishing attacks were related to COVID-19 and the number of attacks increased by 22.5% from what was seen in Q4 of 2019. Yana Avezova, analyst at Positive Technologies, said: “Hackers were quick to use common concerns about coronavirus as lures in phishing emails. One out of every five emails was sent to government agencies.”

The research also determined there were 23 “very active” APT groups whose attacks in Q1 2020 mostly targeted government agencies, industrial, financial and medical institutions.

Also, more than a third (34%) of all malware attacks on organizations used ransomware, particularly where ransomware operators demanded a ransom in exchange for not disclosing stolen data. The research found that one out of every 10 ransomware attacks targeted industrial organizations.

At the beginning of the year, many cybersecurity experts found high levels of activity relating to a new ransomware called Snake, which is capable of stopping processes related to ICS operation and deleting backups or snapshots of files in use.

Jamie Akhtar, CEO and co-founder of CyberSmart, said the report isn’t surprising, as there was an “enormous spike in phishing campaigns, fake websites and social profiles that were deliberately impersonating COVID-19 and healthcare-related authorities as hackers exploited the unprepared public.”

He added: “Many of these phishing emails can be extremely convincing and are not likely to end soon.

“Businesses and their employees can protect themselves against these attacks in the future by using email filtering that will detect and flag suspicious email addresses and malicious links or attachments, but these often don't catch everything. Training employees on how to spot suspicious and phishing emails is the best way to prevent these kinds of attacks.”

Categories: Cyber Risk News

Walmart Sued Under CCPA After Data Breach

Info Security - Thu, 07/16/2020 - 10:30
Walmart Sued Under CCPA After Data Breach

Walmart has become the latest big-name brand accused of violating California’s new data breach regulations.

The retail giant is the subject of a new complaint alleging that customers now face “significant injuries and damage” after an unspecified incident.

Customer names, addresses, financial and other information were among the haul for attackers, according to the suit filed in the US District Court for the Northern District of California.

“As a result of defendants’ wrongful actions and inactions, customer information was stolen. Many customers of Walmart have had their PII compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft and have otherwise suffered damages,” the suit alleges.

“Further, despite the fact that the accounts are available for sale on the dark web, and Walmart’s website contains multiple severe vulnerabilities through which the data was obtained, Walmart has failed whatsoever to notify its customers that their data has been stolen.”

Although it’s unknown at present how many customers were affected by the incident, the filing claims that the number of class members is “at least in the thousands.”

If the maximum damages under the California Consumer Privacy Act (CCPA) are awarded, that means $750 per customer.

Walmart intends to defend the claims made against it.

“We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” it said, according to Bloomberg.

Other tech firms also lined up for CCPA suits include Salesforce, controversial facial recognition firm Clearview AI and online marketplace Minted.

The new law came into force at the start of 2020, but enforcement began on July 1. It brings with it new GDPR-like powers for individuals to demand that companies don’t share their data with third parties, and that they reveal what information they hold on data subjects.

It also empowers customers to sue if they feel their privacy rights have been violated, even if they’ve not been the subject of a breach.

Categories: Cyber Risk News

Malicious Router Log-Ins Soar Tenfold in Botnet Battle

Info Security - Thu, 07/16/2020 - 09:30
Malicious Router Log-Ins Soar Tenfold in Botnet Battle

Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.

Trend Micro’s latest research, Worm War: The Botnet Battle for IoT Territory, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible, to conscript into botnets.

The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.

The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.

Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to Trend Micro data.

The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.

Aside from performance issues, if a compromised router subsequently carries out cyber-attacks as part of a botnet, its associated IP address could end up being blacklisted, cutting off users from their corporate network and other key parts of the internet.

The “worm wars” described by Trend Micro also have a wider impact on the security of the connected world, according to principal security strategist, Bharat Mistry.

“Home routers and consumer grade IoT devices continue to be easy pickings for hackers. The potential for mass scale and geographic distribution of compromised devices allows cyber-criminals to create powerful botnets that can cripple victim organizations,” he told Infosecurity.

“Compromised devices are the foot soldiers for lucrative attack campaigns and have sparked a war between cyber-criminals competing to take over as many routers as they can.”

Botnets are typically used in DDoS campaigns or rented out by cyber-criminals for other purposes such as to obfuscate the location of attackers.

The report urged home users to use a strong router password and stay on the latest firmware version, alongside log monitoring and other measures.

Categories: Cyber Risk News

Twitter Staff Tricked in Celeb Account Hijacking Campaign

Info Security - Thu, 07/16/2020 - 08:29
Twitter Staff Tricked in Celeb Account Hijacking Campaign

Twitter has revealed that its own staff were the cause of a coordinated account hijacking campaign affecting major tech companies and celebrities this week.

The social network’s support account noted in a thread a few hours ago that although its investigation is still ongoing it believes the incidents were a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” it added.

“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”

Twitter said it also limited functionality for a larger group of accounts, even those showing no signs of being compromised, while it investigates what happened.

Accounts with millions of followers belonging to Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and others were briefly hijacked and used to promote a cryptocurrency scam. The corporate accounts of Apple, Bitcoin, Coinbase and others were also taken over.

“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” noted one message, followed by a link. Other versions urged followers to send Bitcoin to a specific wallet, claiming that the celeb would “double any payment.”

That wallet received $100,000 in digital currency via hundreds of transactions and was quickly transferred to other wallets, an expert told CNN.

Stuart Reed, UK director at Orange Cyberdefense, argued that a lack of awareness among employees continues to put organizations at risk of social engineering, especially at a time when many are working from home today.

“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others,” he added.

“Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behavior. Building resilience towards social engineering attacks provides a significant line of defense.”

Categories: Cyber Risk News