Cyber Risk News

UK’s MoD Exposed in 37 Security Breaches: Report

Info Security - Tue, 10/16/2018 - 09:50

The UK’s Ministry of Defence (MoD) appears to have exposed highly sensitive data and systems to the risk of compromise after reports revealed 37 breaches of security protocol last year.

The heavily redacted reports don’t indicate whether the security breaches led to sensitive military information falling into enemy hands, but their scale should be alarming.

The cybersecurity slip-ups include sending sensitive information unprotected over the internet — where it could potentially have been intercepted by cyber-spies.

Peripherals were connected to ministry networks without checking first for malware, and phones and laptops were taken overseas where they were apparently at risk of malware infection or interception of communications.

In some cases, devices, documents and even rooms were left unsecured, raising the prospect that unauthorized third parties could access them, according to Sky News.

A statement sent from the ministry argued that disclosing more info could increase the risk of a cyber-attack against it.

“The MoD takes the security of its personnel and establishments very seriously but we do not comment on specific security arrangements or procedures,” it added.

The UK’s MoD is not the only defense department to have been found wanting when it comes to cybersecurity recently.

Reports emerged over the weekend that as many as 30,000 Pentagon staff may have had their personal and financial data stolen via a third-party contractor.

Even more concerning, a Government Accountability Office (GAO) report recently found critical vulnerabilities in nearly all US weapons systems under development.

ESET cybersecurity expert Jake Moore argued that the number of security breaches recorded by the MoD is concerning.

“Human error still occurs and this report simply echoes that you can have endless computing power and other unmanned mitigation techniques in place, yet the human firewall can still easily be a target and let these attacks in,” he added. “Such prevention techniques as robust and effective staff training will no doubt reduce the number of reported attacks on the MoD.”

Categories: Cyber Risk News

UK Launches “World First” IoT Code of Practice

Info Security - Tue, 10/16/2018 - 09:01

The UK government claims to be leading the way with a newly released Code of Practice (CoP) designed to drive security-by-design in the manufacture of IoT products.

Developed in partnership with the National Cyber Security Centre (NCSC), the ICO and others, the "world first" CoP aims to improve baseline security in the sector and ensure smart devices that process personal data are aligned with the GDPR.

It’s focused initially on the consumer space.

HP and Centrica Hive are the first two IoT-makers to sign up, and the government hopes its mapping document will make it easier for others to follow.

Regulation is also being developed to improve the security of consumer-grade IoT products, according to the government.

The move can be seen as a response to the risks posed to individuals and businesses from unsecured consumer IoT devices, as exploited most famously by the Mirai botnet attacks of 2016.

It also comes as the British Standards Institution (BSI) readies a new kitemark scheme for consumers and businesses to help them better identify products they can trust to be reliable and secure.

The CoP received a cautious welcome from security experts, but many argued it doesn’t go far enough.

“A code of practice is a step in the right direction, but more needs to be done. The industry should follow best practices and self-regulate, before regulators put a static, cumbersome device security framework in place,” argued John Sheehy, VP of strategy at IOActive.

“Security must be built in from the design phase of any new connected device. It cannot be an afterthought, which only makes it more costly to the manufacturer. Until the industry takes a long-term view on cybersecurity risk or faces material financial consequences, we are likely to see things get worse before they get better.”

Andy Kays, CTO at Redscan, added that global standards are needed to improve IoT security across the development lifecycle.

“Right now, cybersecurity is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible,” he added.

“Retailers need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognized security standards.”

Matt Walmsley, EMEA director at Vectra, was sceptical of the CoP’s impact.

“Voluntary codes of practices will likely only attract organizations who are already proactive and bought into addressing the issues the CoP seeks to address,” he argued.

“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”

Endpoint Attacks Increase as Patching Slows

Info Security - Tue, 10/16/2018 - 09:00

While it’s no surprise that organizations are being compromised, a new study released by Ponemon Institute found that the rate at which organizations are compromised is quite alarming.

The study, 2018 State of Endpoint Security Risk, found a 20% increase in the number of companies that have been compromised by attacks originating at their endpoints over the last 12 months.

The Barkly-sponsored survey included 660 IT and security professionals. All participants had identified zero-day and fileless attacks as the paramount concern when it comes to threats. Of all the participants, nearly two-thirds of organizations have been compromised in the past 12 months.

As a result, 70% of participants said they have replaced antivirus solutions in the past 12 months or have plans to replace them in the coming 12 months. Identifying the greatest challenges when it comes to security gaps, survey respondents cited the high volume of false positives, inadequate protections and high management complexity as their top frustrations.

Additionally, four out of five participants said they struggle to keep up with patching and reported an average delay of 102 days for patching endpoints. Despite the prevalence of zero-day attacks, the survey found that 43% of respondents said they are taking more time to test and roll out patches.

“This study confirms the biggest gap organizations need to address is proactively blocking zero-day and fileless attacks, which are responsible for the majority of today’s endpoint compromises,” said Mike Duffy, CEO of Barkly. 

For those companies that have suffered an endpoint attack in the last 12 months, the cost of attacks has also increased. Companies that reported endpoint attacks that bypassed defenses reported a 42% cost increase year-over-year, bringing the average cost of an endpoint attack for an organization to $7,120,000 in 2018. That works out to $440 per endpoint, and the price tag is almost double that for small-to-midsized businesses, which shell out an average of $763 per endpoint.

Of the successful attacks, 76% leveraged unknown and polymorphic malware or zero-day attacks. These techniques increase the odds of success, making attackers using zero-day attack vectors four times more likely to compromise endpoints, compared to traditional attack techniques.

“This increase in successful attacks has exposed a gap in protection that existing solutions and processes are not addressing,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a press release. “Antivirus products missed more attacks than they stopped in 2018 and organizations believe their current antivirus is effective at blocking only 43% of attacks. There is a clear need for more effective solutions to block zero-day and fileless attacks.”

#Cyberrecoded: Get the Certification that is Right for You

Info Security - Tue, 10/16/2018 - 08:30

Speaking at the Cyber Recoded conference in London, Steven Furnell, professor of cybersecurity at the University of Plymouth, discussed the quantity of certifications and the need to understand what is most suited for a person.

Pointing to industry reports around the shortage of skilled people in the industry, Furnell said that this “means organizations are employing and wages are increasing significantly,” while the National Cybersecurity Strategy shows that actions to tackle the skills shortage are in progress. However, Furnell admitted that there is “no single path” to a career, and there is a range of certifications you can gain and use.

Referring to the level of skills and focus, Furnell explained that there is a differing level of what certifications require and what they say about the person, and even with a vendor-issued certification, it “doesn’t necessarily mean skills in a particular product, but skills of some degree.”

He added that with different providers and certifications, not all are the same. He highlighted CompTIA’s Security+ as being “very much geared towards entry level practitioners” and not requiring prior experience; however, the salary expectations for someone with a Security+ or a CISSP were very similar.

He said: “The industry is not aware of what a certification brings to the table, but does that mean it is the wrong thing to look at? Experience is the key, and not just getting the certification, but where you get them [employees] from and what they bring to the organization.”

He concluded by saying that security requires proper education and knowing how to fit in, but that professionalism cannot just be taught; you need the right attitude “and if you want to be a pen tester, it is the level of professionalism in which you do that role.”

Octopus Targets Central Asian Diplomats

Info Security - Mon, 10/15/2018 - 15:40

A Trojan aimed at Central Asian diplomatic organizations, dubbed Octopus, disguises itself as a popular online messenger, according to researchers at Kaspersky Lab.

The Trojan, a malicious program for Windows, has possible links to DustSquad, a Russian-language cyber-espionage actor focused on Central Asian users which Kaspersky researchers have been monitoring for two years.

Attackers successfully leveraged the news that the widely used Telegram messenger may become banned in Kazakhstan. The Trojan was distributed in a package that appeared to be a legitimate version of the Telegram messenger for Kazakh opposition parties, researchers said. Once installed, Octopus gives attackers remote access to victims’ computers.

“The launcher was disguised with a recognizable symbol of one of the opposing political parties from the region, and the Trojan was hidden inside. Once activated, the Trojan gave the actors behind the malware opportunities to perform various operations with data on the infected computer, including (but not limited to) deletion, blocks, modifications, copying and downloading,” researchers wrote.

Via remote access, the attackers were able to spy on victims, steal sensitive data and gain backdoor access to the systems. “We have seen a lot of threat actors targeting diplomatic entities in Central Asia in 2018,” said Denis Legezo, security researcher, Kaspersky Lab, in a press release.

“DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this region’s cyber affairs is growing steadily. We strongly advise users and organizations in the region to keep an eye on their systems and instruct employees to do the same.”

Kaspersky Lab recommends that organizations educate staff on digital hygiene in order to reduce risk. In addition, a robust endpoint security solution with application control functionality can strengthen defenses.

iPhone a Growing Target of Crypto-Mining Attacks

Info Security - Mon, 10/15/2018 - 15:15

Apple devices have increasingly been the target of crypto-mining attacks, and according to Check Point, iPhone attacks increased by nearly 400% over the last two weeks of September.

In its most recently published Global Threat Index, Check Point researchers said they are continuing to investigate the reasons behind this sharp increase but reported that crypto-miners continued to be the most common malware in September 2018. Coinhive continued to hold the number-one position, which it has occupied since December 2017.

While Coinhive currently impacts 19% of global organizations, researchers also reported that the information-stealing Trojan Dorkbot held onto second place with a 7% global impact. The report also noted a significant increase in Coinhive attacks against PCs. Attackers used the Coinhive mining malware to target iPhones, which aligned with a rise in attacks against users of the Safari browser, the primary browser used by Apple devices.

The mining malware that rivals Coinhive, known as Cryptoloot, ranked third place overall on the Threat Index, making it the second-most prevalent crypto-miner in the index. Differentiating itself from Coinhive, Cryptoloot requests a smaller revenue percentage from websites than its top competitor.

“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, threat intelligence group manager at Check Point, said in a press release. “What is most interesting is the fourfold increase in attacks against iPhones and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”

“In the meantime, attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organization’s attack surface, so it’s critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.”

Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) was the most exploited vulnerability for the seventh consecutive month, with a reported global impact of 48% of organizations.

Attack Vectors Long Quiet Make Loud Q3 Comeback

Info Security - Mon, 10/15/2018 - 13:55

Cyber-criminals eased into the year with a somewhat quiet first and second quarter, but according to a new report from Malwarebytes, attackers made some noise in Q3 2018. In its Cybercrime Tactics and Techniques Q3 2018 report, researchers found that business detections were up 55% compared to 4% for consumers, indicating that cyber-criminals are targeting victims who promise a greater return on their investment.

One notable shift in tactics was the use of traditionally consumer-leaning malware, which the report said is now being leveraged in business attacks. The number of Trojan detections for both businesses and consumers rose 86% from last quarter.

Ransomware, cryptojacking and adware also contributed to this increase in business attacks. In addition, older strains of banking Trojans experienced a comeback, and researchers discovered the emergence of new ones, making this form of malware the number-one detection for both businesses and consumers.

Information-stealing malware, like Emotet and LokiBot, grew in Q3. Researchers reported an overall increase of 5%, or 1.7 million more detections, in Q3 than in Q2. Emotet detections rose by 37% and ranked in the top six malware for business.

Exploit kits also had a busy quarter, with Underminer and Fallout standing out among exploit kit activity. Though not used as a standalone weapon, exploit kits were added as components of web-based attacks. Attackers notably targeted Asia and expanded from South Korea into Japan.

Ransomware attacks on businesses were up 88%. Although consumer detections decreased, researchers noted the development of 40 new ransomware variants, though not all were released into the wild. Gandcrab evolved to become more lethal, and Magniber expanded into new regions.

In related news, Malwarebytes researchers noted that over the last few months, MikroTik (a Latvian company that makes routers and ISP wireless systems) has been dealing with a stream of attacks affecting its products’ operating systems. The string of attacks began in late April when a critical flaw in RouterOS was identified.

Jérôme Segura, lead malware intelligence analyst at Malwarebytes, today wrote about a new attack that has emerged, with threat actors using social engineering to get users to install a fake update containing malware that scans random IP ranges to identify vulnerable routers and exploit them. Once infected, the routers are injected with a Coinhive script that forces the users behind the router to mine for cryptocurrency while they browse the internet.

#Cyberrecoded: Students Should Get Involved to Get Hired

Info Security - Mon, 10/15/2018 - 13:15

Build contacts, start or join a hacking society and follow security’s trends and news to get a good start in the industry.

Speaking at the Cyber Recoded conference in London, a panel of graduates in their first jobs discussed, in the 'Getting Past the Gatekeepers' session, their experiences of gaining the experience that employers are looking for.

The panelists, who came from a mixture of universities across the UK and from different academic backgrounds, talked of the need to gain contacts and get involved in local security groups in order to achieve mentoring and career advice opportunities.

Chloe Ungar, student at Leeds Beckett University and intern at Hedgehog Cyber Security, said that it is invaluable to have a network around you, such as a hacking society as it “takes away scary aspects [of security], gives you confidence and allows you to experience things” more than just doing a degree would. “Without the society, I would not have pushed myself to go to conferences where I met the company who would become my employer.”

The panelists were unanimous on engaging with societies and groups both local and national, as well as joining DEF CON groups and rookie track opportunities at Security BSides events.

Asked by moderator Daniel Nash whether the industry was interested in experience such as working with hacking societies, James Stevenson from BT said that “if you’re passionate about it, someone else will be passionate about it.”

Jack Wilson, former Abertay University student, said that their HackSoc allowed members to present research in their meetings and gain experience in speaking.

In terms of finding work, Stevenson said he had been actively writing and producing podcasts before applying for jobs, and employers were more interested in that sort of work.

Ungar said she had identified the company she wanted to work for, emailed them, heard back within half an hour, at 4 am, and then met them. Brett Calderbank, who had worked in policy and governance before working in a SOC, said it was important to keep on top of what is happening in the industry, “as this is such an evolving industry.”

Nash concluded by saying that if there is no society, then start your own: while it is a lot of effort, it will pay dividends in experience.

Infosecurity asked which of the panelists had picked the company they wanted to work for, and what qualities they were looking for in an employer. Ungar said she found her employer at a BSides London conference, and she was attracted to a smaller company “where every employee counts.”

Wilson explained he had started to look for a graduate scheme six months before graduating, and gathered enough information to determine what he liked and what they [potential employer] were looking for, while Stevenson said it was important to identify the company and even if they say no, take the feedback and improve yourself, and keep on applying.

Pentagon Staff Hit by Major Data Breach

Info Security - Mon, 10/15/2018 - 11:01

The US Department of Defense has suffered a major breach of employees’ personal and financial information, according to reports.

An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel.

A statement seen by the newswire confirmed that the incident had been discovered at the beginning of October, although it’s not clear when the breach took place.

“The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the department,” the statement noted. “This vendor was performing a small percentage of the overall travel management services of DoD.”

The vendor is not being disclosed for security reasons but the Pentagon is said to be taking steps to cancel its contract.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the statement continued.

The news comes just days after a damning Government Accountability Office (GAO) report found critical vulnerabilities in nearly all weapons systems under development.

It claimed the Pentagon is only “just beginning to grapple” with the challenges highlighted in the report.

“One test report indicated that the test team was able to guess an administrator password in nine seconds,” the GAO claimed. “Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges for that software.”

To add insult to injury, when confronted with the findings, weapons program officials are said to have dismissed some test results as “unrealistic.”

WannaCry Cost NHS £92 Million

Info Security - Mon, 10/15/2018 - 09:50

The infamous WannaCry ransomware campaign of 2017 caused losses in the region of £92m for the NHS, the government has revealed.

In a progress update titled Securing cyber resilience in health and care, the Department of Health and Social Care caveated the figures by saying they are only broad estimates.

Broken down further, around £19m was lost directly as a result of information and systems being unavailable, leading to cancelled appointments and similar disruption.

Over 19,000 appointments and operations are said to have been cancelled as a result of WannaCry.

“It is anticipated that 1% of care was disrupted over a one week period, based upon an estimate of the average level of care provided by the NHS in a one week period,” the report explained. “It is estimated that there was approximately £19m of lost output. However demand for NHS services fluctuates, therefore this should only be considered an approximate estimate.”

A much larger £72m was lost in the aftermath with additional IT support drafted in to help restore data and systems.

“Assuming each of the 80 severely affected trusts would have required the equivalent of five days FTE additional resource of an IT specialist, the cost of IT support at the time of the attack would have been £0.5m,” the report explained.

“After the attack we have estimated an average level of resource required by organizations based upon their size and the severity of disruption. There were a few anecdotal reports of costs by individual organizations, but not enough data to make a robust estimate. Therefore the figures quoted below should be considered an approximate estimate.”

WannaCry is said to have disrupted services across one-third of hospital trusts and around 8% of GP practices.

Mollie MacDougall, threat intelligence manager at Cofense, argued that ransomware could have life-threatening consequences for patients.

“If there is one lesson healthcare organizations can learn from these trends, it is to have appropriate anti-phishing programs in place that build on existing security capabilities, to include augmenting incident response efforts with real-time human-intelligence,” she added.

“Phishing keeps proving itself to be a successful vehicle for delivering damaging malware like ransomware, and as threat actors continue to find ways to bypass automated defenses, so too must network users be educated and armed to be a successful last line of defense against them.”

Facebook Breach Hit 30 Million

Info Security - Mon, 10/15/2018 - 08:55

A major breach announced by Facebook last month affected 20 million fewer customers than at first predicted, but for 14 million unlucky users hackers managed to access virtually all their profile info.

The social network’s VP of product management, Guy Rosen, explained in an update on Friday that of the 50 million people whose access tokens were thought to be affected, 30 million actually had the tokens stolen.

“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” he said.

“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For one million people, the attackers did not access any information.”

So far, there’s no sign that the attackers accessed third-party apps, Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, or advertising/developer accounts.

There was also more info on exactly how the attackers managed to carry out the attack.

According to Rosen, they “already controlled” a set of accounts, and had developed an automated technique to move from one to another, stealing access tokens for the friends of those accounts, and the friends of these friends etc.

By doing this, they obtained access tokens for around 400,000 users. Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” said Rosen.

Customized messages will be sent to those affected over the next few days with advice on how to protect themselves from follow-on scams. Users can also check here to see if they were affected.

Secret Amazon Data Center Gives Nod to Seinfeld

Info Security - Fri, 10/12/2018 - 16:05

On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld.

In addition to revealing the information about the data centers, located in 15 cities across nine countries, WikiLeaks also created a map showing the exact locations of the centers. A center in Manassas, Virginia, operates under the pseudonym Vandalay Industries, a fictitious latex company made famous in a Seinfeld episode when an unemployed George Costanza assured the unemployment office that he was on the verge of landing a job.

According to WikiLeaks, “Amazon is known as Vandalay Industries on badges and all correspondence with building manager.” It is not at all uncommon for Amazon to operate out of data centers that are owned by other companies. In fact, the intent is to leave little or no indication that Amazon operates at the location, which adds to the secrecy of its whereabouts.

Though Amazon has long been a leading cloud provider for the intelligence community, the leaked locations could potentially compromise the company’s status as a leading contender for a $10 billion contract with the Department of Defense (DOD).

“Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon,” WikiLeaks wrote.

“While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralized in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.”

Prior to the leak, the locations of the cloud infrastructure controlled by Amazon were hidden. In revealing the locations, WikiLeaks also created the Quest of Random Clues, a puzzle game that encourages players to find the data centers while highlighting various concerns, one of which is contracts with the intelligence community.

Infosecurity Magazine contacted Amazon for comment, but the company has not responded.

No Cookies for CartThief, a New Magecart Variant

Info Security - Fri, 10/12/2018 - 15:07

A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team.

Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the Magecart malware.

As soon as credit card information is entered into a checkout page and a payment is submitted, the malware collects, encrypts and sends personally identifiable (PII) and financial information to the malicious actors’ command-and-control server.

What sets this malware apart is the method used to encode or obfuscate the malicious domain and the PII collection activity. To avoid arousing suspicion and to sneak past many blocking technologies, it sets no user-identifying cookies and leaves no tell-tale source code to set off alarms for users. The absence of cookies is one feature that differentiates CartThief from other Magecart variants.

“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.

By exploiting vulnerabilities in web applications, bad actors were able to attack Magento-hosted e-commerce sites and insert rogue files into legitimate HTML code, granting them access to the payment page. Because the activity has only been seen on a handful of smaller e-commerce sites, researchers believe that the attackers are intentionally flying under the radar while testing the malware before staging a larger-scale attack, which they suspect could come during the holiday shopping season.

“Given increasing malicious activity and the advent of financial penalties, e-commerce operations should police their digital ecosystem for any unauthorized activities and actors by continuously scanning their sites. Doing so will help them pre-empt any security issues,” Bittner wrote.
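Bittner's advice to continuously scan a site for unauthorized code can be made concrete. The following is an added example, not code from The Media Trust or from the article: a small Python scanner that inventories every `<script>` on a checkout page, flags script hosts outside an allowlist, flags allowed third-party scripts that carry no Subresource Integrity attribute, and flags inline scripts whose hash is not on record (a rogue file inserted into the page's HTML would show up in one of those three buckets). The sample HTML, the host names and the `sha384-PLACEHOLDER` integrity value are constructed for the example and are not from the article.

```python
"""Inventory the scripts on a checkout page and flag anything not on record.

Added example (not code from The Media Trust or the article). The sample
HTML, the host names and the integrity placeholder are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(source: str) -> str:
    """CSP/SRI-style digest of a script body: 'sha256-' + base64(sha256(bytes))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script contents to handle_data, possibly in several chunks
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html: str, allowed_hosts, known_inline_hashes):
    """Return (finding, detail) pairs for scripts that deviate from the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host is None:
                continue  # relative URL: first-party file, covered by the site's own release review
            if host not in allowed_hosts:
                findings.append(("unknown-third-party-script", s["src"]))
            elif not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        else:
            h = sri_hash(s["body"])
            if h not in known_inline_hashes:
                findings.append(("unknown-inline-script", h))
    return findings


# Constructed sample: a checkout page with one unexpected external script and one
# unexpected inline script. The hosts are placeholders, not real domains.
ALLOWED_HOSTS = {"cdn.allowed.example", "pay.gateway.example"}
KNOWN_INLINE_HASHES = {sri_hash("window.dataLayer = window.dataLayer || [];")}
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.allowed.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.allowed.example/analytics.js"></script>
<script src="https://stats.unknown.example/t.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>console.log('promo-banner');</script>
</head><body><form id="checkout"><input id="card"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, KNOWN_INLINE_HASHES):
        print(f"{kind}: {detail}")
```

Run against a fetched copy of the live checkout page on a schedule and diff the findings against the previous run; a new host or a new inline hash is the signal worth paging on. The hash of an inline script is the same value a `Content-Security-Policy` `script-src` hash source would use, so the record of known inline hashes doubles as the input for a CSP that blocks anything else.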

Categories: Cyber Risk News

Hackers Win Big by Gambling on Identity Spoofing

Info Security - Fri, 10/12/2018 - 14:44
Hackers Win Big by Gambling on Identity Spoofing

In analyzing global cybercrime patterns, ThreatMetrix found that identity spoofing, fueled by stolen identity data, is the most prevalent attack vector for the gaming and gambling industry.

Additionally, the Q2 2018 Gaming & Gambling Report discovered that location (IP) spoofing attacks increased 257% year-over-year, making it the fastest growing attack vector in the space. Because more sophisticated location spoofing tools are available, fraudsters are making frequent attempts to disguise their true location and launder money.

Distinguishing trusted users from fraudsters is made increasingly challenging by malicious account takeovers (ATOs) and the use of collusive play and self-excluders.

“Rising cybercrime levels is no small issue for a sector that enjoys a truly global customer base,” said Ellie Burns, fraud and identity manager at ThreatMetrix, in a press release. “With more than two billion gamers worldwide, nearly 60% of the industry's traffic is cross-border.

“Operators must contend with a rapidly evolving regulatory landscape and stringent new anti-money laundering laws, making the verification of the true location of a transacting gamer a vital component in authenticating identity.”

An additional contributor to the growth of IP spoofing attacks is that users are trying to access services that might be restricted in their locations, which is one factor driving the high volume of cross-border traffic.

Increased mobile transactions were also a key finding in the report, resulting from more people placing bets and accessing accounts from their smartphones. The report revealed that 71% of all gaming and gambling transactions are now made via mobile devices, which is a 45% increase year-on-year. Not surprisingly, mobile payments are attacked more often than any other transaction. Hackers have realized that mobile serves as a door of opportunity where they are able to monetize stolen credentials.

“To deal with these challenges, gaming and gambling operators must incorporate dynamic digital identity intelligence that pieces together key indicators, such as device intelligence, true geo-location, online identity credentials and threat analysis, to better inform risk decisions. The key is to be able to effectively differentiate trusted users from fraudsters and understand changes in trusted user behavior, without adding unnecessary friction,” said Burns.

Categories: Cyber Risk News

UK Finance: New Tax Could Pay for Fraud Losses

Info Security - Fri, 10/12/2018 - 10:59
UK Finance: New Tax Could Pay for Fraud Losses

Trade association UK Finance has called for a new tax on payments to create a fund that banks can use to compensate victims of fraud.

CEO of the banking lobby, Stephen Jones, made the proposals before a Treasury Select Committee this week, reportedly claiming that a “tiny levy” on each payment could help to break the stand-off between financial institutions and other stakeholders over authorized push payment (APP) fraud.

“Customers will pay if the banks have to pay,” he’s reported to have said. “There’s no such thing as a free lunch here. It’s a question of how can the cost be fairly distributed across the system.”

APP fraud occurs when a scammer tricks a victim into making payments to an account the scammer controls. Banks argue that they shouldn’t be responsible for compensating the consumer if they have basically met their level of care.

A third of fraud losses in the UK last year were down to APP, amounting to £236m.

However, earlier this year the Financial Ombudsman Service (FOS) revealed that in disputes it is called upon to arbitrate, banks often try to blame customers — which it said is increasingly difficult to do given the growing sophistication of online scams.

The heated debate is part of an overall attempt to draw up an industry code governing how APP victims should be compensated.

Brooks Wallace, head of EMEA for cybercrime and fraud prevention at Trusted Knight, argued that Jones’ proposals could set a dangerous precedent and claimed the banks were trying to “shift financial responsibility to the customer before [fraud] really starts to impact their bottom line.”

“This statement demonstrates two things - firstly, that banks are starting to feel the burden of hefty fraud losses through more sophisticated online crime. Secondly, that they are becoming increasingly unwilling to foot the bill,” he added.

“This is a risky route to go down. While some fraud is not the fault of the bank, often fraud could have been halted if the bank had better fraud prevention in place for its customers. While the banks could argue that losses are down to third-parties — such as payment details being stolen in retailer data breaches — ultimately, financial organizations need to have more rigorous procedures for identifying and stopping fraudulent transactions taking place.”

Categories: Cyber Risk News

FitMetrix Exposes “Millions” of Customers’ Data

Info Security - Fri, 10/12/2018 - 09:30
FitMetrix Exposes “Millions” of Customers’ Data

A leading fitness software company may have exposed millions of customer records by failing to protect a cloud database.

Researcher Bob Diachenko said he found the exposed database hosted on AWS via a simple Shodan search for unsecured Elasticsearch instances which could be targeted by ransomware attackers.

He found the cloud store of 119GB of data belonging to FitMetrix, with two identical sets of data and two IP addresses. Interestingly, one was labelled as “compromised” as it contained a ransom note from an ultimately unsuccessful attempt to extort the company.

“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko wrote.

“This script sometimes fails and the data is still available to the user even though a ransom note is created.”

The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more.

The total number of records affected topped 122 million, although it’s unlikely that all of these contain customer data, according to Diachenko, who estimated that “millions” were still likely to have been affected.

Parent company Mindbody, which acquired the firm earlier this year, finally responded and secured the database five days after first being contacted, on October 10.

Balaji Parimi, CEO of CloudKnox Security, said these incidents are occurring more frequently as complex multi-cloud environments become more popular.

“The most likely scenario in this case is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed. These incidents are rarely malicious. They are the result of what’s emerging as the biggest cyber-threat facing enterprises today: the complexity of and lack of visibility organizations have into their own infrastructure,” he argued.

“In order to mitigate these types of mistakes and the threat they pose, it’s critical for companies to devote cybersecurity resources to gaining better visibility. That means understanding which employees have the types of privileges that can affect the company’s security posture and limiting those privileges to properly-trained, security-conscious employees. With proper visibility and authorization settings, organizations can put real guard rails in place to help prevent these types of mistakes.”
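The two settings that decide whether an Elasticsearch instance like this one is reachable by a Shodan search, and what an unauthenticated visitor can do once it is, are the bind address and whether authentication is enabled. The following is an added example, not code from Diachenko, Mindbody or the article: a Python audit of a minimal `elasticsearch.yml` that reports a public or wildcard `network.host` and a missing `xpack.security.enabled: true`, the kind of check Parimi's "proper visibility and authorization settings" would run before a server is shared. `network.host`, `http.port` and `xpack.security.enabled` are real Elasticsearch settings but are not named in the article; the sample configurations are constructed, and the example assumes `xpack.security.enabled` defaults to false, as it did in the 6.x releases current when the article was written.

```python
"""Audit a minimal elasticsearch.yml for the two settings behind most exposed clusters.

Added example (not code from Diachenko, Mindbody or the article). The sample
configurations are constructed; xpack.security.enabled is assumed to default to
false, as in the 6.x releases current at the time of the article.
"""
import ipaddress


def parse_minimal_yaml(text: str) -> dict:
    """Flat 'key: value' reader for top-level scalar settings (not a full YAML parser)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def classify_bind(host: str) -> str:
    """Map a network.host value to 'loopback', 'private' or 'public'."""
    special = {"_local_": "loopback", "localhost": "loopback",
               "_site_": "private", "_global_": "public"}
    if host in special:
        return special[host]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"  # hostname or interface name: treat as reachable until verified
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "public"
    return "private" if addr.is_private else "public"


def audit_elasticsearch(config_text: str) -> list:
    """Return human-readable findings for an exposed or unauthenticated node."""
    s = parse_minimal_yaml(config_text)
    findings = []
    bind = classify_bind(s.get("network.host", "_local_"))  # Elasticsearch defaults to loopback
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if bind == "public":
        findings.append("network.host binds a public or wildcard address: port 9200 is reachable "
                        "from the internet unless a security group or firewall blocks it")
    if bind != "loopback" and not auth_on:
        findings.append("xpack.security.enabled is not true: anyone who can reach port 9200 "
                        "can read, export or delete every index")
    return findings


# Constructed samples: the exposed configuration beside the corrected one.
WEAK_CONFIG = """cluster.name: fitness-prod   # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED_CONFIG = """cluster.name: fitness-prod   # constructed sample
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```

A loopback bind only suits a single node behind a local reverse proxy; cluster nodes in a VPC will bind a private address, in which case the second finding (authentication off) is the one that matters, and the security group on the instance still has to be checked separately, since nothing in the file can prove port 9200 is closed to the internet.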

Categories: Cyber Risk News

US Telco Finds Evidence of Supply Chain Alteration: Report

Info Security - Fri, 10/12/2018 - 08:29
US Telco Finds Evidence of Supply Chain Alteration: Report

Bloomberg this week doubled down on its blockbuster report of Chinese spy chips inserted into the supply chain of a leading US server provider, claiming a leading telco found evidence of tampering.

The news site is under pressure after all main parties it claimed had been affected by the alleged sophisticated spying campaign vigorously denied the report. These included the server company itself, Supermicro, and customers Amazon and Apple — who were also backed by the UK’s GCHQ and the US Department of Homeland Security (DHS).

The unnamed telco was apparently hired by Yossi Appleboum, a former Israeli army tech specialist and now co-CEO of US-based Sepia Systems, to scan its datacenters.

According to the report, he uncovered “unusual communications” from a Supermicro server. A further inspection revealed an “implant” built into the Ethernet connector which appeared similar to other manipulations he’d seen by Chinese suppliers.

Supermicro claimed to have no knowledge of any unauthorized components and complained it was not given enough time or info to respond to the new allegations.

The latest hardware manipulation is different from the microchips alleged to have been placed on motherboards subsequently sold unwittingly to 30 major tech companies.

However, they had the same purpose, of providing unauthorized access to the network the server is installed on, and “were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China,” according to Bloomberg.

Experts have criticized the original story for containing few named sources. Apple has denied the allegations in the strongest terms, taking the unprecedented step of writing to lawmakers on the House and Senate commerce committees to reiterate these sentiments.

However, for some, it’s a timely reminder of the risks posed by modern global supply chains.

“It doesn’t require an implant from a nation state adversary,” argued Chris Day, chief cybersecurity officer at Cyxtera. “Organizations must protect themselves by practicing defense-in-depth, especially across their supply chain.”

Although the telco was unnamed, AT&T, Verizon and Sprint told Bloomberg it wasn’t them.

Categories: Cyber Risk News

Mozilla Delay Distrust with Continued Symantec Certificate Use

Info Security - Thu, 10/11/2018 - 16:15
Mozilla Delay Distrust with Continued Symantec Certificate Use

With “well over” 1% of the world’s top one million websites still using a Symantec certificate, Mozilla has suspended plans to distrust the TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert.

According to a statement by Mozilla’s certification authority program manager Wayne Thayer, so many websites continue to use these certificates that moving from Firefox 63 Nightly into Beta “would impact a significant number of our users.”

Thayer said that “it is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.”

He added: “We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.

“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them.”

In a previous update in July, Thayer said that 3.5% of the top one million websites were still using Symantec certificates that were due to be distrusted in September and October. Firefox 60 displayed an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate, as part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017.

“This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates,” he said.

Categories: Cyber Risk News

One in 10 Reported Emails Verified as Malicious

Info Security - Thu, 10/11/2018 - 15:30
One in 10 Reported Emails Verified as Malicious

New findings from Cofense have revealed that one in ten reported emails in 2018 were malicious, with more than 50% of those linked to fraudulent attempts to gather login and system information from users – known as credential phishing.

As detailed in its report, The State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks, the firm analyzed more than 135 million phishing simulations, 800,000 reported emails and nearly 50,000 real phishing campaigns targeting organizations in 23 industries, ranging from healthcare and financial services to manufacturing.

Among the key findings, 21% of reported crimeware emails contained malicious attachments, while the term ‘invoice’ was one of the most-used phishing subjects, appearing in six of the 10 most effective phishing campaigns this year.

However, on a more positive note, Cofense claimed the overall phishing resiliency of users had improved in the last few years with reporting rates up 14% from three years ago. Interestingly, organizations in the utilities and energy industries were noted as building the most resiliency to phishing over time, but Cofense warned that overall industries involved with critical infrastructure still have work to do.

“We founded Cofense on the principle that the human element, the users who are targeted, are a critical factor in defending against phishing threats,” said Aaron Higbee, co-founder and CTO of Cofense.

“We see phishing emails bypass technology controls every day and more and more end-users recognizing and reporting these threats that slipped past million-pound defenses. The results of our research detailed in the ‘State of Phishing Defense’ shows that resiliency is building across key industries thanks to those same people that were once deemed as the weakest-links in an organization. These trends are powerful and reinforce that humans are a key element to a successful security program.” 

Categories: Cyber Risk News

Sharp Rise in Young Brits Becoming Money Mules

Info Security - Thu, 10/11/2018 - 10:07
Sharp Rise in Young Brits Becoming Money Mules

More Brits under 21 are falling victim to identity fraud and acting as money mules than ever before, according to new figures from Cifas.

The non-profit fraud prevention service revealed new figures today claiming its members have identified a 24% increase in young victims of so-called “impersonation fraud” in the first nine months of the year, versus the same period in 2017. This type of fraud occurs when scammers use a victim’s identity to open new accounts, hijack existing ones or buy products in their name.

The largest segment of impersonation fraud affecting this age group related to payment cards (34%), an increase of 79% over the same nine-month period last year.

But the under-21s aren’t just victims of fraud, they’re increasingly also helping online scammers to launder money — a vital role in the cybercrime ecosystem.

Cifas noted a 26% rise in the identification of money mules: individuals who, often unwittingly, are recruited to receive stolen funds, withdraw them and then wire them to another account, often abroad.

Although the crime carries with it a maximum penalty of 14 years behind bars, it appears many young bank account owners are attracted by the opportunity to make money quickly and easily.

Cifas CEO, Mike Haley, called for a broader education effort on the part of parents, teachers and banks.

“As the rise in money mules demonstrates, many young people seem unaware of the risks they’re running and the consequences it can have not only for the individual concerned but for society as a whole. More needs to be done to raise awareness about the harm of fraud and financial crime,” he added.

“We’re calling on banks in particular to ensure that they are providing young people with the necessary knowledge to prevent them falling victim to fraud — or becoming fraud perpetrators.”

The latest figures from Cifas, released in August, revealed identity fraud had fallen for the first time in four years, by 5% in the first six months of 2018 versus the same period last year.

However, identity fraud against online retail accounts rose by 24% during the period, while Cifas also recorded a rise in fraudulent applications for credit and debit cards (12%).

In April, Cifas claimed identity fraud had hit an all-time high in the UK.

Categories: Cyber Risk News