Cyber Risk News

Mumbai Police Force Uses 'The Force' for Cyber-Safety Campaign

Info Security - Fri, 05/22/2020 - 16:19
Mumbai Police Force Uses 'The Force' for Cyber-Safety Campaign

Police in Mumbai have recruited Baby Yoda to help raise awareness of the importance of cyber-safety. 

The law enforcement agency has earned a reputation online for delivering serious messages with humorous memes via social media app Instagram. It only seems appropriate that the force should use the power of 'The Force' to drive home a warning that passwords should be kept private.

On Monday, Mumbai Police shared an image of a popular meme that uses characters from TV space Western series Star Wars: The Mandalorian. In the meme, the show's lone gun fighter shares an amusing exchange with the famous character Baby Yoda.

The meme shows the fighter telling Baby Yoda to close his eyes, after which he asks him, "What do you see, bro?"

Yoda shutters his peepers and replies, "Nothing, bro."

In an amusing edit to the next line of dialogue, Mumbai Police tweaked the meme so that the fighter tells Yoda: "That's your bank balance after you shared your password with me, bro."

Along with the meme, Mumbai Police share the following caption with their 126K Instagram followers: "Share password, do not. There is no question of do."

The funny post was a hit with netizens who expressed their appreciation by filling the comments section with compliments. 

Instagram user rohitksp wrote, "Mumbai police is getting cooler day by day," while user tanabhy punned, "Mumbai police, Yoda best."

User dandekarvaibhav added: "Mumbai Police shared a Star Wars themed meme... My day is made."

User uppalakshit took the joke one step further, quipping, "That's the Bank balance during Lockdown..."

Not every heart was won by the force's attempt to raise awareness of cybersecurity in a humorous way. One user expressed the view that Mumbai police ought to be focusing their resources elsewhere. 

User ashwitha4real wrote in the comments: "Memes are great but there are groups on telegram that are sexually assaulting women, making videos and sharing it. Kindly do something about it."

At time of publication, the Baby Yoda post had garnered 23,291 likes on Instagram and attracted 209 comments.

Categories: Cyber Risk News

North Dakota's Contact Tracing App Sends User Data to Third Parties

Info Security - Fri, 05/22/2020 - 15:14
North Dakota's Contact Tracing App Sends User Data to Third Parties

A cybersecurity company has claimed that a contact tracing app introduced by North Dakota is sending data to third parties and exposing users' identities.

Like South Dakota and Utah, North Dakota has built its own contact-tracing app, Care19, in an effort to monitor the spread of the novel coronavirus.

Jumbo Privacy alleges that the Care19 app, created by ProudCrowd LLC to track the spread of COVID-19 in The Peace Garden State, is sharing user data with Foursquare and other third-party services.

Foursquare is a location service that provides advertisers with tools to reach audiences who have been at specific locations.

Users of the Care19 app are told in the privacy policy that their "location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

North Dakota claims that users of the app cannot be individually identified. On the state's website in the app FAQ section it states that “the application does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

Jumbo disputes this assertion, claiming instead that users accessing the app via the iOS on their iPhone can be unmasked through the Identifier for Advertisers (IDFA) on their device. 

The IFDA is an ad-tracking device that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

"They share the IDFA with Foursquare, which means it’s not anonymous,” said Jumbo Privacy CEO Pierre Valade. "It’s a unique ID tied to your phone.”

Foursquare confirmed in a statement that it receives Care19 data. However, the company said it promptly discards the information sent via the app and doesn't use it for anything. 

The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” Jumbo found that, along with the IDFA, this anonymous code was transmitted to Foursquare. The code was also being sent, together with the name given to the phone by the user (e.g., Paul's phone), to remote logger Bugfender.

Categories: Cyber Risk News

Businesses Could Face Influx of Attacks When Offices Reopen

Info Security - Fri, 05/22/2020 - 15:00
Businesses Could Face Influx of Attacks When Offices Reopen

Cyber-criminals could be poised to trigger a wave of attacks on businesses when workers return to offices and reconnect to corporate networks, Redscan has warned. As many countries such as the UK prepare to ease COVID-19 lockdown restrictions and allow more people to return to physical workplaces, the cybersecurity firm said organizations need to take action to defend themselves against potential hackers lying dormant on employee devices.

There has been a substantial rise in threat activity over recent months, with cyber-criminals looking to exploit the sudden rise in remote working during the pandemic and the resultant lack of protection. In this period, Redscan has observed a surge in activity such as malspam, external scanning attempts to identify weaknesses in the use of remote access tools and account login attempts from unknown locations.

It therefore believes there could be an influx of attacks when staff reconnect to company networks after returning to their workplaces, with attackers ready to launch attacks including ransomware across a company network. In order to prevent this situation occurring, Redscan said firms should sanitize all endpoints on the return to the office as well as closely monitor networks for evidence of compromises.

George Glass, head of threat intelligence at Redscan, said: “During the COVID-19 pandemic there has been a steady stream of organizations reporting cyber-attacks. However, this is only likely to be the tip of the iceberg. Many more organizations are certain to have been targeted without their knowledge.

“As employees return to work post-lockdown and connect directly to corporate networks, organizations need to be alert to the possibility that criminals could be lying dormant on employee devices, waiting for the opportunity to move laterally through a network, escalate privileges and deploy ransomware.”

Redscan provided other recommendations to companies to tackle this type of threat, including updating anti-virus signatures, connecting all devices to remote networks and educating staff about the latest risks.

Categories: Cyber Risk News

Data Breach Afflicts Ohio’s Unemployment Office

Info Security - Fri, 05/22/2020 - 14:29
Data Breach Afflicts Ohio’s Unemployment Office

A data breach at the Ohio Department of Job and Family Services (ODJFS) has exposed the personal data of Pandemic Unemployment Assistance (PUA) claimants. 

Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio. 

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement.

In a breach notification email sent to PUA claimants on May 20, ODJFS said the breach was fixed within one hour of discovery. 

The department stated: “Over the weekend, Deloitte notified ODJFS that about two dozen individuals inadvertently had the capability to view other PUA claimants’ correspondence.” 

According to the department there is no evidence to suggest that any "widespread data compromise" had occurred. 

More than 161,000 Ohioans have applied for unemployment assistance offered in the wake of COVID-19. ODJFS has not revealed how many of these claimants were affected by the data breach. 

Perhaps tellingly, every single Ohioan who has claimed PUA is being offered free credit monitoring by Deloitte Consulting for 12 months.

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement. "Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences.

Frustrated claimants, some of whom are still waiting to receive financial assistance under the PUA program, reported the breach on social media. 

ODJFS said action had been taken to ensure that the data breach was a one-off.

The department stated: “ODJFS holds the confidentiality of claimant data in the highest regard and agreed with the immediate steps Deloitte took to prevent any unauthorized PUA access in the future."

Unemployment claims in Ohio since the start of the coronavirus crisis passed the 1 million mark at the end of April, putting pressure on an archaic system.

Categories: Cyber Risk News

Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

Info Security - Fri, 05/22/2020 - 11:15
Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

The Information Commissioner’s Office (ICO) has disclosed that reported non-cyber incidents outweighed cyber-incidents in Q4 of 2019.

In its report on incident trends, the ICO said there were 2629 incidents reported to it in Q4 2019, of which 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 due to “loss/theft of paperwork or data left in insecure location.” Meanwhile, the main cyber-incidents were 280 as a result of phishing and 175 regarding unauthorized access. 

As a result, the ICO issued two fines. The first was £500,000 to DSG Retail Limited in January after a point of sale computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. Also, in March, the ICO fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.

ZIVVER’s CEO and founder Rick Goud pointed out the number of reported data leaks decreases every quarter in the UK, while other countries like Germany, the Netherlands, Denmark and Sweden have shown more than 50% increases. “Per inhabitant, the UK was already reporting about 10-times less data leaks than the 'top'-countries,” he said. “This is not due to less data leaks, but – instead – due to a decrease in reporting culture, possibly prompted by the lack of action shown by the ICO since GDPR came into force.”

In an email to Infosecurity, BH Consulting CEO Brian Honan said the report reinforces the fact that most security breaches are not due to “sophisticated attackers” but are the result of failings in basic security controls.

He added: “Accidental data leakage is one of the key sources for breaches and these can result from the lack of appropriate training to staff on how to handle and process data, from weak security controls that don’t prevent or alert to breaches, or a combination of both.

“Ensuring staff are properly trained in the handling and processing of personal data, the technologies they use as part of their daily work and have effective security awareness training is crucial to preventing these type of errors.”

Honan also pointed out that the blame cannot be solely put down to human error, and we need to ensure our systems and platforms provide staff with a safety net in the event they make a mistake. “This means security professionals also need to ensure the basics are covered and that systems are properly patched, effective email security to protect against phishing attacks and data leakage are in place, and that data is encrypted at rest and in transit,” he said.

“It is also important to remember that no matter what controls are in place a breach can still happen and that staff and the company need to be prepared on how to deal with it and know when and how to report breaches to the ICO, or any other relevant Data Protection Supervisory Authorities or other regulatory bodies.”

Categories: Cyber Risk News

RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Info Security - Fri, 05/22/2020 - 10:45
RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

As Loman explained, the group behind the ransomware typically targets managed service providers (MSPs) and exploits holes in Windows Remote Desktop Protocol (RDP) to gain a foothold into organizations.

“After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers,” he said.

Categories: Cyber Risk News

Japan Probes Theft of Hypersonic Missile Plans – Report

Info Security - Fri, 05/22/2020 - 09:10
Japan Probes Theft of Hypersonic Missile Plans – Report

The Japanese government is investigating a potentially serious breach of national security after a cyber-attack on Mitsubishi Electric earlier this year which may have yielded top secret missile plans.

The tech giant said in a statement earlier this week that it reported an incident to the Defense Ministry in February, in which sensitive information including personal data on 8000 employees may have been stolen, according to AP.

Chief cabinet secretary Yoshihide Suga is said to have told reporters that the government is now investigating “the possible impact of the information leak on national security.”

The stolen data is thought to relate to a prototype missile that Mitsubishi was bidding to build. The firm didn’t win the bid but held sensitive documents related to the design as part of the process.

Russia, the US and China appear to be in an arms race to build these hypersonic glide vehicles (HGVs), which are said to combine the speed of a ballistic missile with the maneuvering capabilities of a cruise missile, making them incredibly difficult for conventional defense systems to track.

Given that the missiles were apparently intended to be deployed in Japan’s southern islands to ward of the threat from an increasingly assertive China, it would seem that Beijing-backed hackers are likely to be behind these latest cyber-espionage efforts.

It’s unclear whether the reported incident relates to one revealed by Mitsubishi Electric in January, which took place back in June 2019.

At the time reports suggested likely Chinese hackers had stolen 200MB of data from the firm.

However, Mitsubishi claimed that, although personal and corporate confidential information may have been taken, “sensitive information on social infrastructure such as defense, electric power and railways, highly confidential technical information, and important information concerning business partners has not been leaked."

Categories: Cyber Risk News

Wishbone Breach: 40 Million Records Leaked on Dark Web

Info Security - Fri, 05/22/2020 - 08:15
Wishbone Breach: 40 Million Records Leaked on Dark Web

A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone.

The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”

The post was shared by security vendor Cyble and indicates ongoing tension in the cybercrime community. Previously, the database was thought to be selling on the dark web for thousands of dollars.

ShinyHunters has been linked to multiple previous sales of breached data including Home Chef, which this week revealed that it had suffered a serious cybersecurity incident thought to have affected millions of customers.

Popular with youngsters, Wishbone is an iOS and Android app which allows users to “compare anything.”

The trove of data now available to all-comers includes usernames, email addresses, mobile numbers, gender, date-of-birth, Facebook and Twitter access tokens, MD5-hashed passwords and more.

This could provide fraudsters with plenty of information to carry out follow-on phishing attacks, credential stuffing and more.

Trevor Morgan, product manager at comforte AG, argued that tokenizing or securely encrypting the data could have helped Wishbone mitigate the impact of the breach.

“Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums,” he explained.

“Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.

He urged organizations to rethink their security and data protection processes or risk becoming the next Wishbone.

This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses, according to HaveIBeenPwned.

Categories: Cyber Risk News

Zoom Meetings Bombed with Child Sexual Abuse Material

Info Security - Thu, 05/21/2020 - 18:20
Zoom Meetings Bombed with Child Sexual Abuse Material

The disruption of nearly 200 Zoom meetings with images of child sexual abuse has prompted the FBI to issue a warning.

In recent months, schools, councils, businesses, and the general public have been using the videoconferencing app to communicate after social distancing and lockdown measures introduced to slow the spread of COVID-19 made face-to-face interaction difficult.  

However, as the number of legitimate users has risen, so too has the number of Zoom-bombing incidents in which malicious users hack meetings to subject attendees to unwanted language and images. 

While some Zoom-bombings consist of little more than a schoolboy prank, others are seriously offensive, featuring lewd imagery, expletives, and racist language. According to the FBI, a growing number of these cyber-attacks now feature material depicting the sexual abuse of minors. 

"During the last few months, the FBI has received more than 195 reports of incidents throughout the United States and in other countries in which a Zoom participant was able to broadcast a video depicting child sexual abuse material (CSAM)," wrote the FBI in a statement released yesterday.

"The FBI considers this activity to be a violent crime, as every time child sexual abuse material is viewed, the depicted child is re-victimized. Furthermore, anyone who inadvertently sees child sexual abuse material depicted during a virtual event is potentially a victim as well."

The Bureau asked any Zoom hosts or administrators who have had a meeting disrupted by the broadcast of CSAM to contact the FBI and to keep a record of what occurred. 

The FBI warned Zoom users to consider the privacy of any videoconferences they schedule. 

"Links to many virtual events are being shared online, resulting in a lack of vetting of approved participants," said the FBI. "Do not make meetings or classrooms public. Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees." 

The Bureau advised users to make their Zoom meetings private either by requiring attendees to enter a meeting password or by using the waiting room feature to control the admittance of guests.

To limit the risk of abusive content being shown, hosts can change the screen-sharing options to "Host Only." 

Categories: Cyber Risk News

Raytheon's Board Takes Voluntary Pay Cut

Info Security - Thu, 05/21/2020 - 17:34
Raytheon's Board Takes Voluntary Pay Cut

Raytheon Technologies’ board of directors is taking a voluntary pay cut as the United States continues to be impacted by COVID-19. 

The board has reduced non-employee director compensation by an amount equal to 20% of the director cash retainer. The pay cut will apply for the annual term ending at the 2021 Annual Meeting of Shareowners.

The defense giant, which is headquartered in Waltham, Massachusetts, announced the board's gesture on May 14. 

News of the resolution follows a decision by CEO Greg Hayes to institute a temporary 10% base pay reduction for all salaried employees across the company's Pratt & Whitney and Collins Aerospace Systems businesses as well as its corporate offices. 

Raytheon employs 195,000 people across four industry-leading businesses―Collins Aerospace Systems, Pratt & Whitney, Raytheon Intelligence & Space, and Raytheon Missiles & Defense. 

Temporary reductions in pay announced by Raytheon last month will go into effect from June and remain in place until the end of the year. 

Previously, CEO Greg Hayes and executive chairman Tom Kennedy had volunteered to slash their salaries by 20% for the same period.

In a statement released May 14, Raytheon said: "Raytheon Technologies continues to monitor the crisis and is responding as needed to ensure the wellbeing of its employees, customers and suppliers, while protecting the long-term financial strength of the business."

Raytheon Technologies Corporation was formed in 2020 through the combination of Raytheon Company and the United Technologies Corporation aerospace businesses. 

This week, the company confirmed that it is closing an office in Albuquerque, New Mexico, where 200 people are currently employed. 

Raytheon spokeswoman Heather Uberuaga said the company is seeking to streamline its capabilities and relocate support for key capabilities and customer programs to alternative facilities elsewhere in the United States.

"We think this move is in the best interest of our customers as we look to further integrate and streamline our capabilities with pursuits and programs located at other sites while working with employees on a case-by-case basis to explore their individual employment options going forward,” Uberuaga wrote in an email to the Albuquerque Journal.

Categories: Cyber Risk News

Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Info Security - Thu, 05/21/2020 - 15:54
Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Cybersecurity firm Forescout Technologies Inc. yesterday sued a private equity firm for backing out of a $1.9bn buyout.

Advent International Corporation agreed to buy Forescout back in February 2020, but four days before the takeover was due to be completed, the firm announced it would no longer be closing the deal. 

According to California company Forescout, Advent said it was reneging on the deal because of the impact of the global outbreak of COVID-19. 

The takeover had been scheduled to go ahead on Monday, May 18. On May 20, Forescout filed a lawsuit in the Delaware Court of Chancery requesting that Advent be ordered to complete the buyout.

In a statement released yesterday, Forescout accused Advent of violating the terms of their merger agreement.

A spokesperson for the aggrieved cybersecurity company said: "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout.

"Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction."

The cybersecurity company said that the effects of COVID-19 had been factored into negotiations and that Advent "has relied on meritless excuses" to wriggle out of the deal.

"The merger agreement explicitly allocated the risk of any impacts from COVID-19 to Advent," said Forescout.

Theresia Gouw, chair of the Forescout board, described Advent's getting cold feet over the planned buyout as highly disappointing. 

“The only change since the merger agreement was jointly executed in February is the deepening of the COVID-19 pandemic, which has significantly impacted global macro-economic conditions," said Gouw. 

"All companies have been challenged by this pandemic, and it is highly disappointing that Advent would attempt to exploit market volatility to renege on its contractual obligations, particularly when the merger agreement explicitly excludes the effects of a pandemic as a material adverse event."

The surprising turn of events sent Forescout's shares tumbling to an all-time low yesterday. Shares were at just $18.33 when trading opened. Advent International agreed on February 6 to pay $33 a share to take Forescout private.

Categories: Cyber Risk News

Winnti Group Targets Video Game Developers with New Backdoor Malware

Info Security - Thu, 05/21/2020 - 12:00
Winnti Group Targets Video Game Developers with New Backdoor Malware

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”

Categories: Cyber Risk News

Flight Risk Employees Account for Most Insider Threats

Info Security - Thu, 05/21/2020 - 11:00
Flight Risk Employees Account for Most Insider Threats

Employees or contractors identified as a “flight risk” are linked to 60% of insider threat cases, increasing the likelihood that such incidents will involve theft of sensitive corporate data, according to Securonix.

The vendor’s 2020 Securonix Insider Threat Report was distilled from over 300 real-life insider incidents across multiple sectors.

It revealed that over 80% of staff members deemed likely to terminate their employment will take data with them, anywhere between two weeks and two months prior to them leaving. Flight risk can be determined from web browsing and email behavior, Securonix said.

Unsurprisingly, therefore, data exfiltration is the number one insider threat, with email the most popular vector for data loss, followed by web uploads and cloud storage sites.

Account sharing and shadow IT, especially the prevalence of cloud collaboration tools, are compounding the problem for IT security operations teams, the report claimed.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems,” it explained.

“The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.”

Pharmaceutical firms accounted for the largest number of data exfiltration incidents analyzed by Securonix, which is understandable considering the highly sensitive IP handled by these organizations.

Behavioral analytics were used most often to detect abnormal user behavior and flag violations.

However, data theft is only one of many risks posed by employees. Many of these stem from negligence rather than deliberate malice. Human error, including misconfiguration of cloud systems and misdelivery of emails, accounted for 22% of breaches analyzed by Verizon in its latest report.

Categories: Cyber Risk News

IT Asset Management Forum Launches to Enhance Sector

Info Security - Thu, 05/21/2020 - 10:15
IT Asset Management Forum Launches to Enhance Sector

A not-for-profit body for the asset management sector has been established to advance the overall reputation and recognition of the IT Asset ManagEment (ITAM) industry while providing a collaborative space for ITAM leaders to come together.

The ITAM Forum launches with a board of 15 trustees from across the ITAM industry – representing IT end users, resellers, tool providers and independent consultants, with two objectives:

  • To educate and evangelize – to encourage more companies to practice ITAM and to attract new professionals into the industry
  • To promote best practice – provide a collaborative, global forum for ITAM leaders to come together and share ideas for the advancement of the ITAM industry (eventually establishing a globally-recognized Organizational certification for ITAM)

Founder Martin Thompson said that with more focus on asset management, due to the COVID-19 pandemic driving more employees to work remotely, “IT Asset Managers have a huge role to play in documenting and unpicking this rapid and unplanned investment. 

“The smart management of assets is a shrewd business practice which delivers benefits far beyond IT. ITAM therefore has a rightful place outside of the niche IT/ITSM domain from where it started, and as a boardroom priority in its own right. The ITAM Forum is here to help it achieve this goal, by raising the profile of the ITAM discipline as much more than a compliance exercise and demonstrating its value to every organization looking to better manage its assets.”

In an email to Infosecurity, Lenny Zeltser, CISO of asset management vendor Axonius, said it was encouraging to see the increasing importance that cybersecurity professionals have been assigning to IT asset management in recent years.

“Security teams recognize that ITAM is a foundational aspect of a security program,” Zeltser said. “We need to know what devices, systems, users and applications we have, so we can implement the appropriate safeguards for them. Industry frameworks such as ISO 27001, CIS Critical Controls and NIST Cybersecurity Frameworks have included the need for ITAM for years. In recent years I've seen security professionals pay much closer attention to this requirement.”

Zeltser also noted that more and more enterprises are recognizing that they don't need yet another source of asset data, and instead look for ways to gather information about IT assets from the various IT data silos, such as the CMDB, network scanners, cloud instrumentation tools, Active Directory and so on. “Each of these sources of data has partial visibility into the organization's assets. By combining this data, organizations are able to get a comprehensive view into their ITAM posture.” 

The ITAM Forum also announced a longer term objective to create a new certification program for ITAM, based on the global ISO standard for the ITAM industry – ISO19770 – which was first published in 2006. 

“By certifying organizations against the ISO standard, the ITAM Forum will look to provide the highest measure of quality to demonstrate the competence of an ITAM department in the face of increasing board level scrutiny,” Thompson said.

“By benchmarking an ITAM department output against recognized ISO standards, stakeholders in the ITAM lifecycle (in particular those not fully versed in the complexity of IT assets) will be assured of quality. While our current priority is to establish the ITAM Forum as the credible voice of the ITAM industry, we look forward to eventually establishing the ITAM Forum certification as the globally-recognized ‘Kitemark’ for ITAM quality.”

Categories: Cyber Risk News

Home Chef Breach May Affect Millions of Customers

Info Security - Thu, 05/21/2020 - 09:30
Home Chef Breach May Affect Millions of Customers

Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.

The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.

“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.

Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Its encryption of passwords and only partial storage of credit card details will limit the risk exposure to customers, but other personal details could be used to craft convincing phishing attacks spoofing the brand.

“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”

Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.

Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.

"Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.

“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information."

Categories: Cyber Risk News

Microsoft Warns of “Massive” #COVID19 RAT

Info Security - Thu, 05/21/2020 - 08:48
Microsoft Warns of “Massive” #COVID19 RAT

Microsoft is warning of a major new COVID-19 phishing campaign using malicious Excel macros to achieve remote access of victims’ machines via a legitimate support tool.

Microsoft Security Intelligence revealed the news in a series of tweets, claiming the campaign began on May 12.

“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT.’ The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” it explained.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”

In this respect, the campaign is similar to many others that have been launched over recent weeks and months, with cyber-criminals effectively rebranding existing content with COVID-19 themes to increase success rates.

Google claimed it has been blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft said of the latest RAT campaign.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”

In the UK, these kinds of emails should be reported to the National Cyber Security Centre’s Suspicious Email Reporting Service, but this first requires the presence-of-mind to do so from employees.

“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” advised DomainTools malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”

Categories: Cyber Risk News

Michigan Launches Cybercrime Hotline

Info Security - Wed, 05/20/2020 - 19:11
Michigan Launches Cybercrime Hotline

Michigan victims of cybercrime now have a dedicated phone line to call for free round-the-clock support and advice. 

The Cybercrime Victim Support Initiative is available free of charge to residents in 13 northern Michigan counties, including Antrim, Benzie, Grand Traverse, Kalkaska, and Leelanau. 

Residents who have been targeted by cyber-criminals can call or text 211 from any phone to report the crime and receive tips on how to recover their personal information and funds. 

Calls will be handled by a center in Grand Rapids staffed by trained advisors from United Way, an organization that brings donors, volunteers, and community organizations together to solve critical problems.

In addition to offering practical guidance on what to do after a crime has taken place, the advisors will offer tips on how to avoid being caught in the cyber-criminal's net.

Data collected by the advisors will be stored in a central database and used to warn Michigan residents of all the latest scams doing the rounds. 

Seth Johnson, president of the United Way of Northwest Michigan, said that while most people are aware of old scams like the phishing email that appears to be sent by a Nigerian prince, some of the newer nefarious schemes, including ruses to con Americans out of their COVID-19 stimulus checks, are not common knowledge. 

"More and more of us are online and so more and more of us are vulnerable," Johnson said. 

As cybercrime grows ever more sophisticated, the hotline has been established as a place to which residents can turn for clear and reliable guidance. 

Johnson said: "This is meant to be a 24/7 resource where they can get the information they need." 

The initiative was launched by the Cybercrime Support Network and Heart of West Michigan United Way in partnership with the Heart of Florida United Way. Funding for the hotline was provided via a Department of Justice Office for Victims of Crime Vision 21 Grant. 

Leelanau County Sheriff Mike Borkovich said the hotline is a valuable resource for victims of cybercrime. 

Borkovich, who has seen an increase in the number of reported cybercrime incidents since the outbreak of COVID-19, said: "People have no scruples when it comes to things like that. They'll take advantage of senior citizens and try to rip them off."

Categories: Cyber Risk News

Boston Cybersecurity Firm to Create 65 Jobs in Belfast

Info Security - Wed, 05/20/2020 - 18:08
Boston Cybersecurity Firm to Create 65 Jobs in Belfast

Boston cybersecurity firm Cygilant has announced plans to create 65 jobs at its new European security operations center (SOC) in Northern Ireland's capital city, Belfast. 

Cygilant, which employs 80 people globally, established the SOC in February 2020 with the support of Invest NI, the economic development agency for Northern Ireland. 

Already, 25 employees have been recruited to work at the new center, which is based in the Centrepoint Building next to the BBC on Ormeau Avenue. Now the company has pledged to create a further 40 jobs at the center over the next couple of years, with wages averaging around £43,000.

While lockdown measures introduced to slow the spread of COVID-19 in Northern Ireland remain in place, the SOC is being operated on a remote basis. 

But despite the difficulties created by the outbreak of the novel coronavirus, Cygilant's chief executive Rob Scott said that around ten new staff had been recruited for the center since lockdown measures were imposed. 

Invest NI has offered Cygilant a generous £455,000 in funding toward the creation of new jobs in Northern Ireland. 

Former Formula 1 race-car driver Scott said the investment played a key part in the company's decision to site their European operations in the Emerald Isle. 

The Mancunian and lifelong Manchester United Football Club fan explained: “Opening this SOC is our first foray into the European market and thanks to the support of Invest NI, we made the decision to invest here in Belfast.”

Scott also cited Belfast's local talent as a determining factor. He said: “There are between 18 and 20 cybersecurity companies, so it’s becoming a major hub for that technology. It’s because there’s already a pool of people and on top of that, there are the universities, which have great cyber-security programs.”

Economy Minister Diane Dodds said that the 65 jobs created by the US company will eventually contribute £2.8m in annual salaries.

“In these challenging times it is welcome news to be able to announce new cybersecurity jobs for Northern Ireland," Dodds told The Irish News.

“This is an important endorsement of Northern Ireland’s growing reputation for excellence in cybersecurity.”

Categories: Cyber Risk News

Stanford University Tops List of US Cybersecurity Degree Providers

Info Security - Wed, 05/20/2020 - 17:32
Stanford University Tops List of US Cybersecurity Degree Providers

The cybersecurity degree offered by Stanford University has been ranked the best in the United States by independent educational organization Cyber Degrees Edu.

Private California university Stanford topped a list of America's 55 best cybersecurity degree providers published by Cyber Degrees Edu on May 18. In second and third place respectively were Carnegie Mellon University in Pennsylvania and the University of California, Davis

Of the three top degree providers, Stanford has the lowest student-to-faculty ratio with 5 students to every 1 faculty member. At Carnegie Mellon, the ratio doubles to 10 to 1, while at the University of California, Davis, the ratio is an even higher 20 to 1. 

A proprietary ratings system was used to rank the various colleges and universities offering cybersecurity bachelor’s and master’s degree programs. 

The criteria used to determine the rankings included the school’s rates of acceptance and graduation. Researchers also compared educational establishments by their retention rate, which is the number of first-time students who return to the university the following year.

Stanford boasts the highest graduation rate with 94% of students leaving the university with a degree. At Carnegie Mellon, the rate is slightly lower at 89%, while at University of California, Davis, 86% of students graduate. 

Researchers also looked at the costs of studying, the grants and scholarships available, and which colleges specialized in cybersecurity with a variety of degree programs.

"All schools on the list are either high quality or very affordable and are located across the country," said a spokesperson for Cyber Degrees Edu. "While the list provides some of the best schools for cybersecurity, Cyber Degrees EDU also recognizes that it is important for students to find the best school for their particular needs and so these rankings aim to provide the information needed for students to make the best possible choice for them."

When weighing up which degree provider was best, researchers looked beyond the school's overall reputation to its alumni.

Cyber Degrees Edu said: "What matters most is the reputation of the individual cybersecurity program. That is why knowing which schools were attended by the best cybersecurity professionals is so vital."

Categories: Cyber Risk News

NHS Contact Tracing App Security Issues Detailed

Info Security - Wed, 05/20/2020 - 12:38
NHS Contact Tracing App Security Issues Detailed

New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.

The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:

  • In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation
  • In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
  • Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
  • The monitoring of interactions at eight second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
  • The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days

The researchers praised the “cryptographic protocol of the UK’s app [that] includes a much better effort at mitigation of most external attacks” and said there are admirable aspects of the implementation and the open availability of the source code.

“However, the messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data and no sunsetting of the data retention or usage, risk undermining the trust that has been earned,” they added.

The number of risks were varied, Culnane told BBC News, explaining that, terms of the registration issues, “it's fairly low risk because it would require an attack against a well protected server, which we don't think is particularly likely.” However, he did warn that the risk surrounding the unencrypted data is higher, “because if someone was to get access to your phone, then they might be able to learn some additional information because of what is stored on that.”

David Grout, CTO for EMEA at FireEye, said: “The mounting security concerns and doubts attached to the trailed NHS app are stemming from registration issues and the use of unencrypted data within the app which can be exploited by cyber-criminals. One of the biggest concerns is attached to the fact it’s based on a ‘centralized’ model.

“Just yesterday, France defended its own centralized model where contact-matching happens via a computer service, as opposed to the decentralized model which uses the people’s phone to make the match. The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely.”

The research came as Serco apologized after an employee accidentally shared the email addresses of almost 300 contact tracers when they were cc’d (rather than bcc’d) in an email to inform new trainees about training details.

Also, a group of civil society organizations, privacy advocates and academic researchers have written an open letter to Health Secretary Matt Hancock, asking questions about the contact tracing data store.

Signed by the likes of the Open Rights Group, Big Brother Watch, Privacy International and Liberty, they urged Hancock to “provide the public with more information and take appropriate measures to reduce the risk of data sharing and keep the aggregated data under democratic control.”

Categories: Cyber Risk News