Cyber Risk News
Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.
Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.
In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform.
Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected "tens or hundreds of thousands" of people. Over half of the victims—55%—were located in Thailand.
Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications.
"Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle," says ESET researcher Marc-Étienne Léveillé.
The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims.
Léveillé said: "Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was."
With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.
Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to mine cryptocurrencies.
Léveillé said: "Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain."
A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.
The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end of August.
Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.
As part of this process the firm created a database snapshot for testing on September 15, 2017.
Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this server was left exposed and subsequently found by a hacker, who stole the all-important key and used it to access the database snapshot, exfiltrating the information in October 2018.
The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.
Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.
Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.
At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.
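Among the corrective actions listed above is an increase in auditing of snapshot access. The following is an added example, not Imperva's own tooling, of what such an audit can look like when run over CloudTrail records: it flags RDS snapshot API calls made by a principal outside an allowlist, from an address outside the VPN ranges, or that share a snapshot with every AWS account. The event and field names are CloudTrail's; the allowlisted role, the VPN ranges and the sample records are constructed for the example.

```python
import ipaddress

# RDS API calls that create, read, copy, share, restore or delete a snapshot.
# These are CloudTrail eventName values; which of them to alert on is this example's policy.
SNAPSHOT_EVENTS = {
    "CreateDBSnapshot", "DescribeDBSnapshots", "CopyDBSnapshot",
    "ModifyDBSnapshotAttribute", "RestoreDBInstanceFromDBSnapshot", "DeleteDBSnapshot",
}

# Constructed policy (hypothetical values): the only principal expected to touch
# snapshots, and the address ranges the organisation's VPN egress uses.
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/db-ops"}
VPN_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def from_vpn(source):
    """True if a CloudTrail sourceIPAddress lies inside one of the VPN ranges."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # AWS writes service names such as 'rds.amazonaws.com' here for internal calls
    return any(addr in net for net in VPN_RANGES)


def audit_snapshot_access(records):
    """Return one finding per suspicious RDS snapshot event in a list of CloudTrail records."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com" or rec.get("eventName") not in SNAPSHOT_EVENTS:
            continue
        reasons = []
        principal = rec.get("userIdentity", {}).get("arn", "")
        if principal not in ALLOWED_PRINCIPALS:
            reasons.append(f"unexpected principal {principal or '<unknown>'}")
        source = rec.get("sourceIPAddress", "")
        if not from_vpn(source):
            reasons.append(f"source {source or '<unknown>'} outside VPN ranges")
        params = rec.get("requestParameters") or {}
        # Adding the 'all' account id to the restore attribute makes the snapshot public.
        if rec["eventName"] == "ModifyDBSnapshotAttribute" and "all" in (params.get("valuesToAdd") or []):
            reasons.append("snapshot shared publicly (valuesToAdd contains 'all')")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "event": rec["eventName"],
                "snapshot": params.get("dBSnapshotIdentifier"),
                "reasons": reasons,
            })
    return findings


# Constructed CloudTrail-style records for the example (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2018-10-01T02:11:09Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "10.4.7.21",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:role/db-ops"},
     "requestParameters": {"dBSnapshotIdentifier": "userdb-test-snapshot"}},
    {"eventTime": "2018-10-01T03:45:52Z", "eventSource": "rds.amazonaws.com",
     "eventName": "RestoreDBInstanceFromDBSnapshot", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin-automation"},
     "requestParameters": {"dBSnapshotIdentifier": "userdb-test-snapshot",
                           "dBInstanceIdentifier": "restore-tmp"}},
    {"eventTime": "2018-10-01T03:50:10Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "10.4.7.21",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:role/db-ops"},
     "requestParameters": {"dBSnapshotIdentifier": "userdb-test-snapshot",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2018-10-01T04:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.4.7.21",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::111122223333:role/db-ops"}},
]

if __name__ == "__main__":
    for finding in audit_snapshot_access(SAMPLE_RECORDS):
        print(finding["time"], finding["event"], finding["snapshot"], "; ".join(finding["reasons"]))
```

The second sample record is the shape of the incident described above: a long-lived administrative key used from an address nobody on the database team would use. Keying the alert on the principal and the source address rather than on the API call alone is what separates it from the legitimate first record, and the third record shows the separate, high-severity case of a snapshot being made public.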
Two Scottish teenagers have been arrested on suspicion of hacking and defacing a news platform used by London’s Metropolitan Police earlier this year.
An 18-year-old from Lossiemouth near Inverness and a 19-year-old from Glasgow were charged by Scottish police, according to the BBC.
The July attack compromised the Met’s Mynewsdesk platform and allowed the hackers to post a string of offensive and often bizarre messages to the police force’s Twitter feed, as well as emails sent to subscribers and a micro-site.
The Twitter account, which has over one million subscribers, was hijacked to post messages including: “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”
At the time, right-wing commentator Katie Hopkins jumped on the news to claim the police force had not only “lost control of London streets” but also "lost control of their Twitter account too.”
Shortly after, Donald Trump retweeted her comments to continue his spat with London mayor Sadiq Khan, claiming: “With the incompetent Mayor of London, you will never have safe streets.”
“Two men, aged 18 and 19, from the Lossiemouth and Glasgow areas respectively, have been arrested and charged in connection with unauthorized access and publication of content on the Metropolitan Police Service's news platform on Friday 19 July 2019,” a Police Scotland spokesperson told the British broadcaster.
“A report will be submitted to the Crown Office and Procurator Fiscal Service.”
It’s unclear how the account was remotely compromised, although the obvious culprit would be easy-to-guess or crack passwords.
At the time of the initial incident, security experts urged organizations to improve login security and for IT to communicate the implications of neglecting such processes to regular users who may be in charge of public-facing accounts.
Microsoft lead cybersecurity architect, Mark Simon, explained that the firm had first worked closely with partners from the Center for Internet Security, Department of Homeland Security (DHS) and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), as well as visiting several customers.
Two common challenges emerging from discussions with the latter revolved around testing of patches and confusion over how quickly they should be implemented.
“This articulated need for good reference processes was further validated by observing that a common practice for ‘testing’ a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum,” Simon explained.
“This realization guided the discussions with our partners towards creating an initiative in the NIST NCCoE [National Cybersecurity Center of Excellence] in collaboration with other industry vendors. This project — kicking off soon — will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.”
Microsoft has extended an open invitation to join the effort to any vendors which have technology that could streamline the patching process, and organizations or individuals who may have wisdom to share — either best practice tips or lessons learned.
Fixing software vulnerabilities has never been more important, especially as society increasingly relies on modern IT systems. The growth of digital transformation projects will only further amplify their importance, argued Simon.
“Applying patches is a critical part of protecting your system, and we learned that while it isn’t as easy as security departments think, it isn’t as hard as IT organizations think,” he concluded.
An audit of Mississippi government institutions has revealed an alarming lack of compliance with standard cybersecurity practices and with the state's own enterprise security program.
A survey of 125 state agencies, boards, commissions, and universities conducted by the Office of the State Auditor (OSA) revealed that only 53 had a cybersecurity policy in place. Eleven reported having no security policy or disaster recovery plan whatsoever.
The true number of completely unprepared government entities may well be higher, however, since 54 of the institutions surveyed didn't even bother to respond to the 59-question survey, despite the OSA being authorized to verify compliance.
"Many state agencies are operating as if they are not required to comply with cybersecurity law, and many refused to respond to auditors' questions about their compliance," wrote state auditor Shad White in a data services division brief dated October 1, in which the research findings were revealed.
In Mississippi it's a legal requirement for state institutions to have a third party perform a security risk assessment at least once every three years. Despite this law, 22 of the government entities admitted that they hadn't conducted a security risk assessment in the last three years.
Asked about how they stored and sent sensitive information, 38% of respondents said that they do not protect sensitive data with encryption.
The OSA also found that just over half of the government agencies that responded to the survey were less than 75% compliant with the Mississippi Enterprise Security Program.
White said: "State government cybersecurity is a serious issue for Mississippi taxpayers and citizens. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."
White called for leaders of agencies to question their IT professionals to make sure that their agency is compliant, and to "consider ways to go above and beyond to prevent cyber breaches."
Leading by example, the Office of the State Auditor requires all its employees to go through training to spot phishing attempts and learn best practices for preventing security incidents.
The OSA also partnered with the federal Department of Homeland Security and arranged for the DHS to perform a penetration test of the OSA's computer system to identify any vulnerabilities.
"I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now," said White.
New research has found that only a quarter of Americans know that surfing the internet in private browsing mode only prevents other users of the same computer from seeing what you've been up to online.
A survey conducted in June by the Pew Research Center asked 4,272 adults living in the United States ten digital knowledge questions. When asked to identify the correct definition of private browsing, 24% of respondents got it wrong, and 49% admitted to being unsure.
The overall findings of the research reveal that Americans’ understanding of technology-related issues varies greatly depending on the topic, term, or concept. While 67% knew that phishing scams can occur on social media, websites, email, or text messages, only 29% were in the know about WhatsApp and Instagram being owned by social media titan Facebook.
Researchers wrote: "Just 28% of adults can identify an example of two-factor authentication—one of the most important ways experts say people can protect their personal information on sensitive accounts."
On average, survey respondents were able to correctly answer only four out of the ten questions they were asked. What caused the most confusion was when participants were asked to identify Twitter's co-founder and CEO, Jack Dorsey, from a picture.
Interestingly, respondents were pretty savvy when it came to the commercial side of social media, with 59% recognizing that advertising is the largest source of revenue for most social media platforms.
Most respondents were aware of what the kind of cookie that can't be dipped in milk is all about. While 27% said they were unsure what a cookie is for, 63% knew that they allow websites to track user visits and site activity.
How much education an individual had obtained had an impact on the results. Adults with a bachelor’s or advanced degree answered a median of six questions correctly, compared with three answered by those who had, at most, a high school diploma.
Age, too, had an effect, with 18- to 29-year-olds correctly answering five out of 10 questions on average, while those aged 65 or older typically gave just three right answers.
The cybersecurity branch of the Department of Homeland Security has requested legal permission from Congress to demand data from internet services providers in a bid to prevent cyber-attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has chosen National Cybersecurity Awareness Month to seek administrative subpoena authority, which will give it the power to compel ISPs to hand over information.
Currently, when the DHS identifies cybersecurity weaknesses in the private sector, it can obtain only the IP addresses of vulnerable systems. If granted administrative subpoena authority, the DHS will have the power to require ISPs to turn over the contact details of the owners of the vulnerable systems.
The department's plan is to use this information to directly contact the owners and warn them about the vulnerabilities in their cybersecurity.
CISA assistant director for cybersecurity and communications Jeanette Manfra said: "We can see a lot of industrial control systems or potential industrial control systems, in particular, that have potential vulnerable systems that are accessible from the public internet.
"Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be."
Manfra said that while the DHS can often locate the vulnerable entity on its own with a spot of detective work, this process can take hours or even weeks, leaving the entity exposed to threat actors.
The logic of the request is easy to follow; however, it does raise some serious privacy concerns.
"We're very aware of the concerns about overreach," said Manfra. "We have a long history of collecting similar types of data through voluntary programs and demonstrated ways of protecting that, as well to ensure that the information is used only for the purposes for which it was collected."
The proposal is currently being scrutinized by the House of Representatives and Senate Homeland Security panels.
CISA was created in November last year with the mission to partner with both industry and government to understand and manage risks to America's critical infrastructure.
For modern security systems to succeed, it’s important for organizations to expect that security systems will fail. By expecting failure and planning for it, it’s possible to be more resilient and deliver better security outcomes, according to Solomon Sonya, assistant professor of computer science at the United States Air Force Academy.
Sonya delivered his message during a keynote at the SecTor security conference in Toronto, Canada on October 10, where he emphasized the need for employing what is known as a Byzantine Failure approach, rather than relying on a detection-only approach for IT security attacks. The Byzantine Failure approach in computer science is all about understanding that failure is something that will happen and as such, a strategy needs to be put in place for the eventuality.
“Tomorrow’s attacks will be worse than today’s,” Sonya said. “Malware continues to increase in sophistication, prevalence and proliferation across the enterprise.”
Malware has changed over the past two decades, but the basic approach employed by many organizations has not, in Sonya’s opinion. He noted that a key challenge is the fact that many of today’s security paradigms are predicated on a false belief that detection is key to success. Sonya detailed how malware has changed from the early days of SQL Slammer in 2003 to the modern threats of ransomware and fileless attacks. A key part of malware’s evolution is how it has become increasingly sophisticated and difficult to always detect or immediately block.
“Some people will argue that attacks won’t happen tomorrow because AI will better protect us,” Sonya said. “AI is good, but it’s not sufficient.”
Rather, Sonya emphasized that what is needed is for organizations to identify the weakness in systems and networks. With the weak links identified, Sonya said it’s important to understand what should be done to actually secure the assets and data that are critical to the organization.
“So if you look at the attack surface from a Byzantine perspective, you start by taking the system that you want to protect, you draw a circle around it and you say which failures can lead to compromise,” Sonya explained.
What ‘Right’ Looks Like
Rather than relying on existing approaches and expecting to be able to detect incursions, Sonya suggested that organizations should “take the road less travelled” and instead of just buying a product, invest the time to understand and discover what can fail and lead to exploitation.
For Sonya, the ‘right’ approach also involves making use of Software Defined Network (SDN) technology, to segment networks and reduce the potential impact of a failure. While detecting threats alone isn’t a winning strategy, he emphasized that having actionable threat intelligence is a valuable component.
“Many vendors will say they have threat intelligence, but what they actually provide is just data,” he argued. “Intelligence is useful only in order to help us get some kind of action and actually make a decision based on the intelligence.”
Looking beyond just basic passwords, Sonya suggested that organizations consider new forms of secure access protection systems that can validate users based on activity as well as other attributes. Additionally, there is a need for organizations to rethink how Digital Loss Prevention (DLP) technologies are used and deployed. In his view, DLP needs to be deployed in a stack for data at rest and in motion, such that if data is lost or stolen, it can’t be used by an attacker.
To conclude, Sonya noted that security professionals need to constantly question the security paradigm, be curious and explore the possibilities that an unconventional attack might introduce into an organization.
“In our scheme of protecting machines, our initial response should not rely on detection, because if we wait until we detect, it could be too late,” Sonya said.
BAE Systems has announced details of a technology pilot aimed at supporting child protection agencies. The initial project, run in partnership with Gloucestershire Constabulary Police Force, seeks to improve speed and accuracy for identifying potentially vulnerable children.
BAE Systems has adapted technology normally used to protect and safeguard businesses against fraudulent activity, to quickly and accurately bring together data relating to an individual and reveal the full picture of a vulnerable child’s reported issues.
As well as creating a faster, more efficient process for identifying and sharing key indicators of potentially harmful situations, it also allowed child protection practitioners to delve into more incidents, in more detail, and implement urgent care plans where needed. The successful pilot achieved results 10 times faster than under existing processes, solving the challenge of sharing data, linking it together, analysing it and identifying what further investigation is required.
Ravi Gogna, principal consultant at BAE Systems Applied Intelligence, said: “After the tragic case of Baby P, we identified the need to overcome the data problem and adapted our existing technology and data science techniques, which helps banks and insurers tackle fraud, to amalgamate key historic pieces of data across agencies. This provided child protection officers with access to a more in-depth and comprehensive data profile of each child in the quickest possible time.”
“The challenge is that we are looking for red flag events – such as a child self-harming or coming into A&E with multiple broken bones,” she added. “We have an opportunity to help improve the way the child protection system identifies risk, by bringing together all the information about a child and quickly giving a holistic view of what is happening.”
The UK’s current system makes use of Multi-Agency Safeguarding Hubs (MASHs), which aim to provide a single point of contact for all safeguarding concerns regarding children and young people.
However, the NSPCC currently estimates that one in 10 children in the UK has suffered some form of abuse or neglect, and the figure continues to grow. With resources continually stretched due to the ever-rising number of cases of neglect in Britain, the current manual processes are becoming strained, with the potential to miss vulnerable children.
“The pilot proves that, with increased information, we have a greater chance of intervening early and preventing catastrophic events from happening down the line,” said Kath Davis, head of the Child Protection Unit, Gloucestershire Constabulary. “To work with people from a completely different sector sheds a whole new light on things. Things that we thought were impossible, became possible.”
There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.
In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.
The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.
The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.
“You’re probably scratching your head now, like we were a couple of months ago, because that doesn’t make any sense,” Podgorski said. “There's no way a third of Android users know what Tor is and are actually using it.”
What the researchers determined is that Tor is being bundled, embedded and installed in other applications and users are not aware of its existence. It was not entirely clear to the researchers why Tor was being bundled with so many applications. Podgorski said that it could be due to a misunderstanding of the technology and how it can be used. Tor was also found on Apple iOS devices, but the numbers were smaller, with only approximately 5% of devices sending data.
In a series of demonstrations, including live dashboards shown by Bhargava, the researchers showed what data they had collected from mobile users that were inadvertently using Tor. The data included GPS coordinates, web addresses, phone numbers, keystrokes and other PII.
“This data can be used to build a robust profile of an individual,” Podgorski said.
Bhargava explained that the exit nodes the researchers set up intentionally attempted to force browsers not to use encrypted versions of websites, pushing the devices onto regular HTTP when possible. With data arriving at the exit node without encryption, it was possible for the researchers to see the user data. Bhargava noted that for sites that force HTTPS encryption and do not offer any fallback option to regular unencrypted HTTP, they wouldn’t be able to see the users’ data.
Also of note, Bhargava admitted that he found his own phone number in the data, which was a surprise to him, as he had not installed Tor on his device. The only applications on his phone were applications installed by the carrier.
There are several things that need to happen to fix the issue. Podgorski said that the first is awareness that there is a problem, which is what the research is intended to highlight for legislators, government and organizations. For users, Podgorski emphasized that good operational security practices need to be employed, by using encryption everywhere.
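Bhargava's observation that sites which force HTTPS with no plaintext fallback could not be read is what HTTP Strict Transport Security (HSTS) exists for. The following added example (mine, not the Deloitte researchers' tooling) parses a Strict-Transport-Security header and grades how much it narrows the window in which an on-path party can hold a client on plain HTTP; the three header sets are constructed and stand in for three hypothetical origins.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into {directive: value}.

    Directive names are case-insensitive; max-age becomes an int. Raises ValueError
    for headers a browser would ignore (no max-age, or a non-numeric one).
    """
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy[name] = int(val)
        else:
            policy[name] = True
    if "max-age" not in policy:
        raise ValueError("HSTS header without max-age is ignored by clients")
    return policy


def hsts_posture(https_headers, http_redirects_to_https):
    """Classify how much HSTS limits an HTTPS-to-HTTP downgrade by an on-path party.

    https_headers: response headers from the https:// origin (dict, names case-insensitive).
    http_redirects_to_https: whether the http:// origin redirects to https://.
    Returns (level, reasons) with level in 'none' < 'tofu' < 'preloadable'.
    """
    hsts_value = next((v for k, v in https_headers.items()
                       if k.lower() == "strict-transport-security"), None)
    if hsts_value is None:
        return "none", ["no Strict-Transport-Security header; any http:// request can be held on plaintext"]
    try:
        policy = parse_hsts(hsts_value)
    except ValueError as exc:
        return "none", [f"malformed HSTS header is ignored by clients: {exc}"]
    if policy["max-age"] == 0:
        return "none", ["max-age=0 tells clients to forget any stored policy"]

    reasons = []
    if not http_redirects_to_https:
        reasons.append("http:// origin serves content instead of redirecting; the policy is only learned after an https:// visit")
    if policy["max-age"] < ONE_YEAR:
        reasons.append(f"max-age={policy['max-age']} is below one year; protection lapses after a gap in visits")
    if not policy.get("includesubdomains"):
        reasons.append("includeSubDomains missing; subdomains can still be downgraded")
    if not policy.get("preload"):
        reasons.append("no preload directive; the first visit remains trust-on-first-use")
    return ("preloadable" if not reasons else "tofu"), reasons


# Constructed header sets standing in for three https:// origins (not real sites).
NO_HSTS = {"Content-Type": "text/html"}
WEAK_HSTS = {"Strict-Transport-Security": "max-age=3600"}
STRONG_HSTS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    cases = [("no-hsts", NO_HSTS, False), ("weak", WEAK_HSTS, True), ("strong", STRONG_HSTS, True)]
    for label, headers, redirects in cases:
        level, why = hsts_posture(headers, redirects)
        print(f"{label}: {level}", *why, sep="\n  ")
```

One caveat that matters for the scenario in this story: HSTS is enforced by browsers, and an HTTP client library embedded in an app that bundles Tor may not honour it at all. For such clients only the server side helps, which is why the "strong" posture pairs the header with an http:// origin that refuses to serve content and only redirects.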
In Podgorski's view, there is already a legal compliance risk that the mobile application PII data leaks expose.
“We’re pretty sure what we found breaches GDPR on multiple levels,” he said, “but the issue is that governments can’t enforce the law if they’re not aware.”
In a paper released today, the Information Security Forum is urging organizations to capitalize on the opportunities offered by artificial intelligence while taking sensible steps to reduce the risks posed by this still immature technology.
Demystifying Artificial Intelligence in Information Security defines exactly what AI is, then lays out a realistic analysis of what it can do, and will be able to do soon, for both legitimate organizations and criminals.
While detailing AI's potential to significantly improve cyber-defenses, especially around early threat detection, ISF's research recognizes that the technology carries with it the disease as well as the cure.
Researchers wrote: "No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.
"Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks—which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before."
According to researchers, companies that have already adopted AI while it's still in its baby feathers have enjoyed benefits that include being able to counter existing threats more easily. But, as threat actors nurture their own twisted versions of the new technology to maturity, this early advantage will shrink into nothingness.
"An arms race is developing," said ISF's managing director, Steve Durbin. "AI tools and techniques that can be used in defense are also available to malicious actors including criminals, hacktivists, and state-sponsored groups.
"Sooner rather than later these adversaries will find ways to use AI to create completely new threats such as intelligent malware—and at that point, defensive AI will not just be a 'nice to have.' It will be a necessity."
Asked how far away the world is from intelligent malware, ISF senior research analyst Richard Absalom told Infosecurity Magazine: "Back in January 2018, in our publication Threat Horizon 2020, we predicted that intelligent malware would emerge by 2020. I don’t think that prediction is far off but can’t be sure—I wouldn’t bet my house on it!
"What we do know is that attackers can already use AI tools to identify vulnerabilities—although human hackers are still better at exploiting them. As soon as that intelligent malware emerges, AI tools will be required to spot anomalous activity on the network and identify well-hidden malware.
"For example, social engineering attacks that use deepfake videos and automated vishing are likely to make it impossible for human eyes and ears to identify what is real and what is fake—it may be that intelligent systems will be required to analyze all types of digital communications to establish source and authenticity."
Asked if the benefits of AI will always outweigh the risks, Absalom said: "Yes—if (big IF) the risks are managed properly. AI promises some really exciting developments for information security. The risks are not insurmountable but do require serious thought and investment to manage."
A hacker has exploited a vulnerability on Dutch website Hookers.nl to appropriate the account details of all 250,000 users, which he is now offering for sale on the dark web.
The exposed data includes the email addresses, usernames, IP addresses, and passwords of sex workers and their clients. In a sample of the data viewed by Dutch news broadcaster NOS, the passwords were encrypted, but the email addresses—many of which included the actual names of the users—were fully legible.
The hacker, an unknown man, expressed no guilt or regret over his actions, telling NOS: "Tens of thousands of websites are hacked every day. I'm not the devil. It's not a question of whether your website is hacked, but when."
According to NOS, while the hacker hasn't completed any sales of the data yet, it is available for purchase by any interested parties for a mere $300.
A moderator for Hookers.nl wrote: "Offering this information for sale is punishable by law, and if possible, we will take legal action. In addition, a report has been made to the Dutch data protection authority."
Hookers.nl is a popular website among sex workers and their clients, who use it to write reviews, exchange tips, and share their experiences of the sex industry. The website confirmed to NOS this morning that the breach had occurred and issued the assurance that all users would be notified.
The breach occurred as a result of a technical weakness in the vBulletin forum software, which was revealed a few weeks ago. The opportunistic hacker told NOS that he exploited the hole before the company behind the website, Midhold, plugged it with a patch on September 25.
"It is of course not an account of your internet provider that leaked, maybe you don't want people to know that you have an account here. We are not happy with this," said Tom Lobermann, spokesperson for Midhold, which also operates Kinky.nl, Erotracks.nl, and Webcambordeel.nl.
A breach of this kind carries with it the threat of blackmail. Arda Gerkens of the Help Wanted foundation, who assists victims of sex-related abuse, said: "Membership in such a forum is certainly something someone can be extorted with. Some people are not secretive about their prostitution visit, but it is certain that when people use a nickname, they want to remain anonymous."
Hookers.nl has set up a forum page for users who want their accounts to be removed.
CNN has been issued a new digital certificate that uses logo verification to prove emails sent from a particular domain are genuine.
The certification of the American news channel with a Verified Mark Certificate by DigiCert, Inc. marks the first time a VMC has been issued for a domain that sends emails at scale.
The news follows the announcement on September 4, 2019, that Entrust Datacard had become the first certification authority (CA) to issue a VMC.
VMCs work by verifying the existence of a secure connection between a company domain and a particular sender-designated brand logo included within an email.
The certificates are signed cryptographically with a trusted root, allowing mail applications to rely on the information the certificate contains. The organization is issued a VMC by a CA once the signature process has been completed.
Receiving their certificate has readied CNN for participation in upcoming pilots of the BIMI (Brand Indicators for Message Identification) standard, which is being developed by AuthIndicators Working Group. BIMI will allow domain owners to specify a logo that will appear in the inbox, alongside authenticated email messages sent from their domains.
To work, BIMI requires both the email and the logo to be properly validated. The email must be authenticated through the Domain-based Message Authentication, Receiving & Conformance (DMARC) standard, with a policy of quarantine or reject; the logo itself will be validated by the VMC.
VMCs are not currently in use in BIMI pilots, but they are expected to become a requirement because they are a scalable way to ensure that corporate logos are not used fraudulently.
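The prerequisite described above (DMARC enforced with quarantine or reject before a logo is shown, with the VMC reported separately as it is not yet mandatory) can be checked from a domain's published DNS records. The following is an added example written for this page, not code from the article, DigiCert, or the AuthIndicators Working Group; it assumes the standard `_dmarc.<domain>` and `default._bimi.<domain>` TXT record locations, resolves against a constructed in-memory table rather than live DNS, and adds one assumption of its own: a DMARC `pct` below 100 is treated as not enforced.

```python
from typing import Dict, Optional

# Constructed sample TXT records keyed by DNS name. These are made-up zones,
# not live lookups of cnn.com or any other real domain.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.news.example": "v=DMARC1; p=reject; rua=mailto:dmarc@news.example",
    "default._bimi.news.example":
        "v=BIMI1; l=https://news.example/logo.svg; a=https://news.example/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",
    "default._bimi.partial.example": "v=BIMI1; l=https://partial.example/logo.svg; a=",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(domain: str, dns: Dict[str, str] = SAMPLE_DNS) -> Dict[str, object]:
    """Evaluate the prerequisites a receiver checks before it will display a BIMI logo."""
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))
    bimi = parse_tags(dns.get(f"default._bimi.{domain}", ""))  # "default" selector

    policy = dmarc.get("p", "none") if dmarc.get("v") == "DMARC1" else "none"
    pct = int(dmarc.get("pct") or "100")  # DMARC applies to 100% of mail by default
    # Enforcement as the article states it: quarantine or reject. Treating pct<100 as
    # not enforced is this example's own assumption: sampled enforcement still lets
    # spoofed mail through, which is what the logo is meant to guard against.
    enforced = policy in ("quarantine", "reject") and pct == 100

    valid_bimi = bimi.get("v") == "BIMI1"
    logo_url: Optional[str] = (bimi.get("l") or None) if valid_bimi else None
    vmc_url: Optional[str] = (bimi.get("a") or None) if valid_bimi else None

    return {
        "dmarc_policy": policy,
        "dmarc_enforced": enforced,
        "logo_url": logo_url,
        "vmc_url": vmc_url,  # reported, not required: VMCs are not yet mandatory
        "eligible": enforced and logo_url is not None,
    }


if __name__ == "__main__":
    for name in ("news.example", "weak.example", "partial.example", "missing.example"):
        print(name, bimi_readiness(name))
```

Only `news.example` passes every check; `weak.example` publishes a logo but `p=none` would let a spoofer's mail carry it, and `partial.example` fails on the added `pct` rule.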
With widespread use of VMC, BIMI, and DMARC, companies will be able to amplify and protect their online presence through authenticated messages to consumers that are instantly recognizable by their known, protected brand marks.
"DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program," said DigiCert chief of product Jeremy Rowley.
Reports emerged yesterday that Coleen Rooney, wife of professional footballer Wayne Rooney, publicly accused Rebekah Vardy, wife of footballer Jamie Vardy, of leaking personal information about her to tabloid newspaper The Sun. Vardy was quick to refute the claims.
In a lengthy social media post on October 9, Rooney wrote: “For a few years now someone I trusted to follow me on my personal Instagram account has been consistently informing THE SUN newspaper of my private posts and stories.”
She went on to claim that “there has been so much information given to them about me, my friends and my family – all without my permission or knowledge.”
In an attempt to find out who was responsible, Rooney explained how she blocked all users from viewing her Instagram stories, except for one person, and spent five months posting a series of false stories to see if they ended up being leaked to The Sun, which they eventually did.
“Now I know for certain which account/individual it’s come from,” Rooney continued. “I have saved and screenshotted all the original stories which clearly show just one person has viewed them. It’s………Rebekah Vardy’s account.”
In response, Vardy tweeted to deny the accusation, suggesting there had been some sort of unauthorized activity on her Instagram profile: “I never speak to anyone about this [personal stories and information] as various journalists have asked me to over the years can vouch for.
“Over the years various people have had access to my insta & just this week I found I was following people I didn’t know and have never followed myself.
“If you thought this was happening you could have told me & I could have changed my passwords to see if it stopped.”
Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.
According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.
“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”
ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. The plugins are delivered to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.
The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.
Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.
Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.
“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.
At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher and ‘Samy’ MySpace computer worm creator, reflected upon the current cyber-threat landscape and warned that defenders are being challenged to a far greater degree than ever before.
That’s because of the ever-increasing numbers of internet-connected devices being used across the world, extremely high levels of information being shared online and the extremely sophisticated technology cyber-criminals now adopt in their attacks.
“Security is challenging,” Kamkar said. “It’s very difficult to secure everything and as somebody who is trying to defend, you have maybe 100 holes and maybe you can cover 99 of them. For an attacker it’s much easier, you only need to find one problem, one hole to break in.”
So attacks are now very difficult to stop, he added, and that’s because they are now possible to carry out “with low cost tools – tools that even you and I can purchase, with open source software and hardware that anyone can access.”
Staying secure is therefore not easy, Kamkar warned, but he said there are three fundamental steps that can be taken to make better security more achievable.
The first “is using two-factor authentication wherever you can.”
Next, “do not use SMS two-factor authentication. The SMS network is like your local area network – anyone with access can essentially take over any phone number. Do not use SMS if you have the ability to use something like an authenticator or software on your mobile device.”
Lastly, “please use a password manager. There are pros and cons, and yes you are storing passwords in one place that’s centralized, but do anything [you can] to prevent you from using the same password over and over again, which is how all of the largest attacks I have ever seen occurred,” Kamkar concluded.
According to a new research survey, 68% of IT security stakeholders aren't sure whether they've experienced a Pass the Hash attack, and 4% don't even know what this globally prevalent form of attack is.
One Identity field strategist Dan Conrad told Infosecurity Magazine: "While 4% seems like a small percentage, that means nearly one in every 20 IT security professionals does not even know about a significant cyber-attack method.
"As attacks that have such a large impact on organizations, it’s imperative that the security industry continues to emphasize the importance of understanding PtH attacks and the proper methods to combat them."
In a PtH attack, a threat actor obtains privileged credentials by compromising an end user’s machine. The attacker then simulates an IT problem, which prompts a privileged account holder to log into an administrative system. When they do, the attacker stores their login credentials as a hash that can be extracted and used to access additional IT resources across the organization.
This attack technique has been doing the rounds since the 1990s and was first reported by Paul Ashton on Bugtraq in 1997. Back then it consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords.
Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations, with 70% reporting a direct impact on operational costs.
A large majority (87%) of survey respondents say they are already taking steps to prevent PtH attacks, but only 55% have implemented privileged password management.
Microsoft issued guidance back in 2017 for companies to implement Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE), to help prevent PtH attacks. The survey found that just a paltry 16% of small organizations and 31% of larger companies have followed this advice.
Perhaps most shockingly, among the respondents that have not taken any steps at all to prevent a PtH attack, 85% have no plans to do so.
Dan Conrad told Infosecurity Magazine: "As attacks that typically begin with a phishing email and could lead to a ransomware attack or sensitive data being accessed and stolen, the impact of a PtH attack can be widespread and severe.
"With data breaches creating a significant time and financial burden on any organization, it’s imperative that businesses take these attacks seriously and put privileged access management strategies and protocols in place to defend themselves."
The McCombs School of Business at the University of Texas at Austin has launched America's first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks.
The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8 million-person gap that the 2017 Global Information Security Workforce Study predicted will hit the global cybersecurity workforce in 2022.
This unique certification course sprang forth from a collaboration between the school and the cybersecurity industry, healthcare organizations, and governmental agencies. It is endorsed by the Texas Hospital Association, cyber risk management and compliance solution provider Clearwater, and CynergisTek, Inc., a cybersecurity consulting firm dedicated to serving the information assurance needs of the healthcare industry.
"This unique leadership program will rapidly equip individuals with the knowledge, leadership skills, and problem-solving competencies needed to manage risk in healthcare environments," said a statement from the McCombs School of Business.
Cross-sector experts in healthcare privacy and security and experienced healthcare technology educators are being brought in to teach the course, which will run for eight weeks starting in July 2020. Students will learn via practical, case-based simulations and hands-on exposure to current and future healthcare cybersecurity technologies.
The course, which has been developed to meet the needs of healthcare organizations, vendors, and governmental agencies, will be built around multiple thematic modules. Modules confirmed so far include "Processes to Ensure Organizational Safety and Security" and "Policies and Governance in Healthcare Entities."
To ensure that the curriculum keeps up with the ever-evolving cybersecurity threat landscape, the program will be shaped by ongoing feedback from members of the privacy and cybersecurity industries, and in the future by program graduates as well.
With nearly 500 US healthcare organizations having been targeted by ransomware attacks since the start of the year, the need for a training program geared toward their protection is unequivocal.
Founder and executive chairman of Clearwater, Bob Chaput, who described the new certification as a "much-needed program," said: "While there’s a massive shortage of traditional technical cybersecurity talent in all industries, healthcare has been specifically challenged as one of our nation’s last industries to undergo significant digital transformation."
Britain's National Cyber Security Centre has reported a significant increase in the number of young women applying for cybersecurity courses.
Rather appropriately, the surge in female applicants for the free cybersecurity courses was announced on Ada Lovelace Day, an international celebration of women in science, technology, engineering, and math (STEM) held every year on the second Tuesday of October.
According to the figures, nearly 12,000 girls took part in the prestigious CyberFirst Girls Competition 2019. Also, the CyberFirst Defenders course, which introduces teenagers to how to build and protect small networks and personal devices, had 705 female participants.
NCSC's cybersecurity courses, which are held at venues across the UK, have proved to be popular beyond just girls, with the center reporting a 29% rise in overall applications in 2019 compared to the year before.
Participants are given the opportunity to encounter and explore everyday technology so they can build an understanding of how it works. They also attend lectures, learn through hands-on practical projects, and have the chance to hear presentations by guest speakers.
Saskia, who attended the CyberFirst Futures course that took place in Cardiff, said: "I haven't had the opportunity to study computer science at school, but CyberFirst has encouraged me to consider the subject at University—I just wish the course was longer!"
As part of the NCSC's CyberFirst initiative, young people interested in studying cybersecurity at university can apply for an annual bursary of £4,000. They can also put themselves forward for three-year apprenticeships in the cybersecurity industry, which allow them to earn while they complete a recognized degree course.
Chris Ensor, NCSC deputy director for growth, said: "We're delighted to see so many young people interested in finding out more about cybersecurity. The significant rise in female applications is especially pleasing, and something we want to see continue into the future.
"It's never been more important to increase and diversify the cybersecurity workforce and we're committed to nurturing the next generation of skilled experts and addressing the gender imbalance."
At Digital Transformation EXPO Europe, Samy Kamkar, the independent security researcher infamous for creating the ‘Samy’ MySpace computer worm that gained notoriety when it propagated across the social networking site in 2005, said that hacking exploits are not always malicious in nature, and are more often rooted in inquisitiveness and a determination to push boundaries.
“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.
It is that capability that often inspires hackers and researchers to continually evolve and develop different attack methods, and explains why threats are not only constantly changing, but are also constantly harder to defend against, Kamkar argued. “Once there is no challenge, the fun is gone [for hackers].”
Kamkar likened hacking to “solving a puzzle,” adding that “it’s always really fun to solve a puzzle – it feels good to get to the other side.”
He said: “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out. With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to get to the other side.”