Cyber Risk News

One in 10 IT Pros Would Steal Data if Leaving a Job

Info Security - Fri, 07/05/2019 - 15:59

A survey of 320 IT experts conducted by Gurucul found that one in 10 respondents admitted they would try to take as much company information with them as possible before they left their jobs. In addition, the survey found that 15% of participants would delete files or change passwords upon exiting. 

While a number of organizations have invested in technologies to help detect and defend against external attackers, many companies are starting to better understand the risks from insider threats, which a recently published whitepaper said may actually be a larger issue.

According to the report, insider attacks are more difficult to detect and prevent than external ones: 91% of respondents in a similar survey of IT and security professionals reported feeling vulnerable to both malicious and accidental insider threats.

“Gurucul mitigates these risks by employing behavioral analytics,” said Craig Cooper, COO of Gurucul. “By combining user and entity behavior analytics, and identity analytics, companies can not only monitor, detect and remove excess access before it is too late, but they can also monitor employee actions by detecting unusual or risky behavior. By detecting when users are acting in ways that contradict their normal behavior and job function, our customers are able to intervene.”

At issue is that teams are overloaded with identities and entitlements because of the manual processes built into static identity management rules and roles. “It is more common than not that users inside the perimeter have access to information they do not need for their job. This gives them the capability to perform abusive tasks within the company. However, insider threats are not always caused by users within the organization. They can also occur when credentials of employees are shared or compromised, which often goes undetected,” wrote Gurucul’s Alison DeNisco Rayome in a July 2 blog post.

Categories: Cyber Risk News

Golang Malware Targets Linux-Based Servers

Info Security - Fri, 07/05/2019 - 14:51

A cryptominer campaign has been targeting Linux-based servers using a new Golang malware, according to research published by F5 Labs.

Though not often seen in the threat landscape, Golang malware was first identified in mid-2018 and has continued to appear throughout 2019. Researchers noted that the latest operation, which has infected an estimated several thousand machines, began around June 10; the first exploit requests were identified around June 16.

Using the CryptoNight algorithm to mine XMR, the attacker has earned less than $2,000 USD, a figure based only on the wallets used by the miners F5 Labs observed. Researchers added that the attacker may be using several wallets for different parts of the botnet.

“F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600) also known as Drupalgeddon2,” the report said.

The malware campaign reportedly propagates using seven different methods: four web application exploits, SSH credential enumeration, Redis database password enumeration, and attempts to connect to other machines using discovered SSH keys.

“Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware,” the researchers wrote.

Because Golang binaries are not typically flagged by anti-virus software, malicious actors have started using Go as a malware language. “Although the language is about 10 years old and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published at the beginning of January 2019,” the report said.

To host the spearhead bash script, the attackers reportedly use pastebin.com, an online clipboard service. According to the report, the malware itself is hosted on a Chinese e-commerce website that had already been compromised. Combined with additional indicators, such as the online clipboard and GitHub usernames, researchers suspect this could be the work of a Chinese-speaking attacker.

OneLogin Appoints Joanne Bradford to Board of Directors

Info Security - Fri, 07/05/2019 - 14:00

Unified Access Management company OneLogin has announced that Joanne Bradford has become the newest member of its board of directors.

Bradford will bring over 30 years of marketing and operations experience to OneLogin’s board, having previously served in CMO and COO leadership positions for companies such as Microsoft, Yahoo, SoFi and Pinterest, as well as board positions for Wave, Adaptly and Comscore.

“Joanne's deep expertise in integrated mass consumer marketing at some of the most well-known and biggest tech companies in the world will be critical for OneLogin at this stage of our accelerating growth,” said Brad Brooks, CEO of OneLogin. “One of many things I love about having Joanne on board is her insights coming by way of looking at things from the end-user perspective. This intuition will play an important role as we continue our momentum capitalising on the multi-billion-dollar market opportunity for our Unified Access Management platform.”

Bradford said: “I am joining OneLogin’s board during a critical time of exponential momentum and interest in its UAM solution – a solution that every company requires. Enterprises everywhere need OneLogin to navigate the changing landscape of cloud adoption, digital transformation, and cybersecurity. I'm honored to be joining this exceptional team and look forward to much-anticipated success.”

Facebook, Instagram & WhatsApp Outage Reveals AI Image Tags

Info Security - Fri, 07/05/2019 - 11:42

Billions of users were frustrated this week by not being able to see their images on Facebook, Instagram and WhatsApp, due to glitches in Facebook's platform that the company said were triggered by “routine maintenance.”

Instead of pictures and videos, users were shown grey boxes containing text describing what was in the image, believed to be output from the company's image analysis software.

This outage isn't the only setback for Facebook-owned services. In March, Facebook and Instagram suffered the longest period of disruption in their history; the 14-hour outage was sparked by a server configuration issue, according to the company.

Speaking on its latest outage, the company tweeted: “We’re aware that some people are having trouble uploading or sending images, videos and other files on our apps. We're sorry for the trouble and are working to get things back to normal as quickly as possible. #facebookdown.

“Earlier today, some people and businesses experienced trouble uploading or sending images, videos and other files on our apps and platforms. The issue has since been resolved and we should be back at 100% for everyone. We're sorry for any inconvenience.” However, some users continued to complain that images were still not loading afterwards.

Other companies also faced outages this week. Cloudflare was brought down by a “bad software deployment” while users have complained that Apple's iCloud has also been down. 

However, users also noticed that their images were being tagged, the result of the company's artificial intelligence image analysis. The descriptions are meant to support visually impaired users; however, some users couldn't help but feel 'creeped out' by how accurate the descriptions of their images were.

For Facebook, though, the damage from the outage may already have been done. According to Bigbom, a decentralized advertising ecosystem company, Downdetector processed over 7.5 million reports from end users during the outage. Interestingly, Bigbom also tweeted that this latest outage was the “company's biggest one” in years.

How the outage affected advertisers who use the platform is unknown, but Bigbom believes thousands of dollars in ad revenue would have been lost. 

Cloudflare Left Red Faced Following Network Outage

Info Security - Fri, 07/05/2019 - 10:45

Visitors to sites served through Cloudflare faced 502 errors on July 2, 2019, according to a blog post by the company.

A post by John Graham-Cumming, CTO of Cloudflare, was published after a 30-minute outage affected Cloudflare's network, resulting in downtime on its sites. The issues were caused by a massive spike in CPU utilization across the company's network, the result of a “bad software deploy.” According to Graham-Cumming, once the deployment was rolled back, service returned to normal.

“This was not an attack (as some have speculated) and we are incredibly sorry that this incident occurred,” writes Graham-Cumming. “Internal teams are meeting as I write performing a full post-mortem to understand how this occurred and how we prevent this from ever occurring again.”

Starting at 13:42 UTC, Cloudflare experienced a global outage across its network, which meant visitors to its proxied domains faced “Bad Gateway errors.” The cause was the deployment of a single misconfigured rule within the Cloudflare Web Application Firewall (WAF) during a routine deployment of new Cloudflare WAF Managed rules. According to the company's blog post, the intent of these new rules was to improve the blocking of inline JavaScript used in attacks. However, one of the rules “contained a regular expression that caused CPU to spike to 100% on its machines worldwide,” causing traffic to drop by 82%.

“We make software deployments constantly across the network and have automated systems to run test suites and a procedure for deploying progressively to prevent incidents,” wrote Graham-Cumming. “Unfortunately, these WAF rules were deployed globally in one go and caused today’s outage.

“We recognize that an incident like this is very painful for our customers. Our testing processes were insufficient in this case and we are reviewing and making changes to our testing and deployment process to avoid incidents like this in the future.”
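Graham-Cumming's post attributes the CPU spike to a single regular expression and the outage to deploying it everywhere at once; the article does not reproduce the rule itself. The following is an added example, not Cloudflare's code or WAF rule: a pre-deployment budget check that runs a candidate rule's regex against constructed near-miss inputs of growing size and rejects the rule as soon as one match overruns a wall-clock budget. The patterns `SUSPECT_RULE` and `SAFE_RULE`, the probe generator `near_miss_input`, the probe sizes and the 50 ms budget are all constructed assumptions chosen to show the behaviour, and Python's backtracking `re` engine stands in for whatever engine the WAF used.

```python
"""Pre-deployment budget check for WAF rule regexes.

Added example, not Cloudflare's code: the page does not give the actual rule,
so the patterns below are constructed stand-ins. The check runs a candidate
regex against adversarial inputs of growing size and rejects it as soon as
one match overruns a wall-clock budget, the kind of gate that would stop a
backtracking-heavy rule before it reaches a global rollout.
"""
import re
import time
from typing import Callable, List, Tuple

# Constructed rules (assumptions, not the real WAF rule): the first nests one
# quantifier inside another, so on a near-miss input a backtracking engine
# retries every way of splitting the run of "a"s; the second accepts the
# same strings in a single linear pass.
SUSPECT_RULE = r"(a+)+$"
SAFE_RULE = r"a+$"

Timing = Tuple[int, float]  # (input size, seconds spent matching)


def near_miss_input(n: int) -> str:
    """Constructed adversarial probe: n characters that match, followed by one
    that cannot, so a backtracking engine must exhaust every split."""
    return "a" * n + "!"


def time_match(pattern: str, text: str) -> float:
    """Seconds taken by a single anchored match attempt."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.match(text)
    return time.perf_counter() - start


def check_rule(pattern: str,
               make_input: Callable[[int], str] = near_miss_input,
               sizes: range = range(4, 25, 2),
               budget_s: float = 0.05) -> Tuple[bool, List[Timing]]:
    """Return (accepted, timings).

    Probes are ordered by size and the loop stops at the first overrun, so a
    pathological rule cannot stall the check itself: the first failing probe
    is at most a few doublings beyond the budget.
    """
    timings: List[Timing] = []
    for n in sizes:
        elapsed = time_match(pattern, make_input(n))
        timings.append((n, elapsed))
        if elapsed > budget_s:
            return False, timings
    return True, timings


def growth_factor(timings: List[Timing]) -> float:
    """Ratio of the last two probe times; a factor that stays well above 1 as
    the input grows is the signature of superlinear backtracking."""
    if len(timings) < 2 or timings[-2][1] == 0:
        return 0.0
    return timings[-1][1] / timings[-2][1]


if __name__ == "__main__":
    for name, rule in (("safe", SAFE_RULE), ("suspect", SUSPECT_RULE)):
        ok, timings = check_rule(rule)
        n, t = timings[-1]
        verdict = "accept" if ok else "REJECT"
        print(f"{name:8s} {rule:10s} {verdict}: largest probe n={n} "
              f"took {t * 1000:.1f} ms, growth x{growth_factor(timings):.1f}")
```

The check is a gate, not a proof: it only exercises the probe inputs it is given, so it complements rather than replaces the progressive rollout the post describes, which catches whatever a test suite did not anticipate. Stopping at the first overrun matters in practice, since a rule that takes seconds on a 30-character probe would otherwise stall the test pipeline the same way it stalled the edge.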

St John Ambulance Hit By Ransomware Attack

Info Security - Fri, 07/05/2019 - 10:14

A ransomware attack temporarily blocked St John Ambulance staff from accessing its systems, according to its website. The attack was detected at 9am on Tuesday, July 2, 2019, and was resolved within half an hour.

On its website, St John confirmed that a 'data incident' had taken place and had blocked its employees from accessing the system responsible for booking training courses. The organization said it is "confident" that data has not been shared outside of the organization, and that it has informed the Information Commissioner's Office, the Charity Commission and the police of the attack.

Ransomware is a type of malware that gains access to files and systems, blocks access to them (typically by encrypting them), and demands a ransom to restore that access to the organization. It is the same type of malware that was used in the WannaCry attacks on the UK's NHS, which cost the government £92m.

As part of its official FAQ on the attack, St John confirmed that data such as a person's name, invoicing details and driving license data are among the information compromised by the attack. However, those who paid by credit card are advised not to worry, as card details are handled by a third party, Barclaycard SmartPay.

“The only data that has been affected relates to our training course delivery,” says the website. “It does not cover supplies, events, ambulance operations, volunteering, volunteer data, employee data, clinical data or patient data.

“We work as hard as we can to protect our data systems from these types of attacks and employ a range of third-party partners and cyber-crime solutions to continually update our protection.”

The attack comes as research was presented to the House of Lords on Tuesday, July 2, 2019, on the urgency of addressing cybersecurity risks within the NHS.

Javvad Malik, security awareness advocate at KnowBe4, commented that St John demonstrated a strong incident response, but that they still need to be vigilant: “It appears as if this ransomware attack is limited to a segregated training system and contains limited data. It's worth noting that SJA has demonstrated strong incident response procedures here with a transparent and timely response notifying the public, police, and the ICO.

“Beyond that, it's unclear how the ransomware infected the systems, but it wouldn't be surprising to hear that the infection arose from a phishing attack,” he continued. “This serves as a reminder that organizations should train their staff on being able to identify a phishing email and not click on malicious links.”

Over Half of Employees Don't Adhere to Email Security Protocols

Info Security - Thu, 07/04/2019 - 12:08

As many as 87% of 280 decision makers predict that email threats will increase in the coming year, according to a survey by Barracuda Networks.

According to its blog post, many organizations admit to being vastly unprepared when it comes to email security, with 94% agreeing that “email is still the most vulnerable part of organizations’ security postures.”

“Unsurprisingly, finance departments seem to experience the most attacks, with 57% identifying it as the most targeted department,” explained Chris Ross, senior vice-president of international sales at Barracuda. “What was surprising was the rise in customer support attacks; a not insignificant 32% identified this as their most attacked department in what could indicate a new emerging trend for would-be attackers.”

The blog goes on to say that employee training is still not a priority for many, with 29% of respondents receiving such training only once a year. More shockingly, 7% stated they’d either never had training or weren’t sure.

“The lack of training is clearly leaving employees either confused or unaware of security protocol, as over half (56%) stated that some employees do not adhere to security policies,” Ross continued. “Of those, 40% said their employees used a ‘workaround’ to do so, perhaps referring to shadow IT solutions and the issues they continue to cause in enterprise IT environments. 

“Both of these issues could be solved by regular and in-depth employee security training,” he concluded. 

Organizations have also seen cyber-attacks arrive by email. In the last year, according to the survey, 47% were hit by ransomware, 31% fell victim to a business email compromise attack, and a huge 75% admitted to having been hit with brand impersonation. In its recent spear phishing report, Barracuda also found that 83% of all email attacks focused on brand impersonation.

However, organizations are starting to take matters into their own hands, with 38% increasing their security budgets next year, and over a third (36%) planning to implement instant messaging applications such as Slack or Yammer to reduce email traffic.

“This approach comes with a warning from us,” said Ross. “While we haven’t yet seen attacks using messaging platforms such as Slack, this may well change in the future and doesn’t necessarily mean that these platforms are immune to attacks. 

“Any organization going down this route should do so with care, as if we know anything about cyber-attackers, it’s that they’re always trying new ways to catch their victims out.”

Interestingly, these findings come out following an opinion article published in the New York Times that highlights Slack's lack of end-to-end encryption, which leaves its messages vulnerable to hackers.

Activists, Journalists & SMEs at Risk From Slack Snoopers

Info Security - Thu, 07/04/2019 - 11:42

A senior privacy researcher has warned, in an opinion article for the New York Times, that Slack conversations could be leaked, along with passwords and usernames.

Published on Monday, Gennie Gebhart, associate director of research at the Electronic Frontier Foundation, wrote that the business chat app does not have end-to-end encryption even though it “stores everything [a user] does on its platform by default.”

In her op-ed for the New York Times, she wrote: “...which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it." According to Slack’s S-1 form, the company has confirmed that it faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”

Slack is a business tool that allows people to engage with one another whether they are in the office or not. Using channels to separate conversations and private messaging to let people communicate directly with one another, it has generally been received positively in the workplace.

However, Gebhart wrote that while Slack’s paying enterprise customers “do have a way to mitigate their security risk” it's not just them who might be vulnerable to cyber-attacks. She added: “Slack’s users include community organizers, political organizations, journalists and unions. At the Electronic Frontier Foundation, where I work, we collaborate with activists, reporters and others on their digital privacy and security, and we’ve noticed these users increasingly gravitating toward Slack’s free product.”

Slack's free product allows users to have up to 10,000 searchable messages, with any older messages stored away on Slack's servers. It also enables one-to-one voice and video calls and file sharing. On its website, Slack stated this about its security: “Slack takes privacy and data protection seriously. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.

“We’ve received internationally recognized security certifications for ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud).”

However, Gebhart was concerned that privacy could be breached with the collaboration tool. She said: “Free customer accounts don’t allow for any changes to data retention. Instead, Slack retains all of your messages but makes only the most recent 10,000 visible to you. Everything beyond that 10,000-message limit remains on Slack’s servers. So while those messages might seem out of sight and out of mind, they are all still indefinitely available to Slack, law enforcement and third-party hackers.

“Slack’s business case for keeping your old messages is to have them ready for you just in case you decide to upgrade to the paid product, which has no limit on the number of messages available for you to search and view. But many users — including those most likely to be in the cross-hairs of a law enforcement request or headline-grabbing nation-state hack — are unlikely to ever make that switch.”

Jake Moore, a cybersecurity specialist at ESET, said that while Slack is a “fantastic application” to help people break away from the downsides of email, it might now come with downsides of its own: “Admittedly, many people don’t think or even care about encryption or place it on a priority list when it comes to data or messaging but in a world where privacy is increasingly becoming more popular, companies need to be thinking about enforcing encryption and privacy for all of their customers by default with no option to bypass it. 

“Similarly, companies who don’t use two-factor authentication by default also put their customers' data at risk of having their confidential data viewed by anyone with the right know-how and tools,” he added.

Ending her opinion article, Gebhart gave her recommendations for what the company should do for its customers: “Slack should give everyone the same privacy protections available to its paying enterprise customers and let all of its users decide for themselves which messages they want to keep and which messages they want to delete.”

Brits Shun Biometric Authentication for Traditional Passwords, Report

Info Security - Thu, 07/04/2019 - 11:00

Nearly a third of people in the UK still prefer to use passwords to authenticate over biometric credentials, according to research by GMX. In the report, 30% of respondents said that typing a password was their preferred method of accessing their online and mobile accounts. What's more, 22% also said that they like fingerprint biometrics over face or voice.

According to GMX, 30% of respondents had at least 10 different online accounts, with a further 43% feeling overwhelmed by the number of passwords they had to remember. Alarmingly, 8% feel that remembering their passwords was more stressful than changing jobs or getting a divorce. 

This stress affects how often people get locked out of online accounts: 19% said that they get locked out of an account at least once a month because of multiple incorrect attempts to access it. Given the choice between Single Sign-On services (where you can log in with any device - laptop, PC, smartphone, etc.) and a password manager (where each service has to be logged in to separately with its own password), 32% preferred Single Sign-On, while 24% chose password managers.

“This survey shows positive signs that consumers are ready to accept biometric authentication once their data privacy concerns have been met so it is up to providers to meet those privacy demands by demonstrating that they are complying with all the relevant laws,” said Jan Oetjen, managing director of GMX. “The combination of convenience and data protection will create further demand for biometric security.”

However, the public in the UK does not seem to be receptive to advanced biometric techniques. Iris scans (4%), facial (1%) and voice recognition (1%) hardly featured at all as preferred methods of authentication. 

The survey of 1,050 people in the UK was carried out by email services company GMX, which did a similar study in 2016. Since that research, the proportion of people who prefer using passwords has almost halved, from 61%.

29 VPN Services Owned by Six China-Based Organizations

Info Security - Wed, 07/03/2019 - 17:22

Analysis of the world’s top VPN services conducted by the privacy and security research firm VPNpro revealed that the top 97 VPN services are owned by only 23 parent companies.

Of those parent companies, six are based in China, and information on these companies is often hidden from consumers, according to VPNpro. Together those six companies offer 29 of the world’s VPN services, but researchers were able to piece together ownership information via company listings, geolocation data, the CVs of employees and other documentation.

“OpenVPN is incorporated in the US, and they pride themselves on their transparency and that their open source protocol is the de facto standard used by almost all other providers,” said Francis Dinha, CEO of OpenVPN.

“This new report that exposes nearly a third of top VPN providers being owned by parent companies in China is very alarming as this makes the service from these companies very insecure. If you use one of these VPNs, China can use your device to store dangerous content and initiate malicious encounters. You might be subjecting yourself to a criminal investigation.”

When all is said and done, not all VPNs are created equal. Users need to fully understand what constitutes a reputable VPN and do their due diligence when selecting a provider.

Using the example of the Chinese company Innovative Connecting, which owns three businesses that produce VPN apps, VPNpro explained that ownership of multiple VPNs is often shared among various subsidiaries. Innovative Connecting produces ten VPN products in total, including the VPN apps Autumn Breeze 2018, Lemon Cove and All Connected.

“We’re not accusing any of these companies of doing anything underhand. However, we are concerned that so many VPN providers are not fully transparent about who owns them and where they are based. Many VPN users would be shocked to know that data held on them could be legally requested by governments in countries such as China and Pakistan,” said Laura Kornelija Inamedinova, research analyst at VPNpro. 

“Our recommendation is that people do a lot of due diligence on the VPN that they want to use, since they aren’t all created equal and simply using a VPN does not guarantee privacy or security.”

Additionally, VPNpro noted that for Super VPN & Free Proxy, Giga Studios, Sarah Hawken and Fifa VPN, four companies that together own 10 VPN services, the company of origin is completely hidden.

Magecart Campaign Offers Customizable Payload

Info Security - Wed, 07/03/2019 - 17:16

Magecart has launched a new campaign offering a highly customizable payload along with JavaScript loaders and software bundles that can ensure the malicious payload isn't being executed in a debugger or sandbox, according to Fortinet researchers.

“This skimmer is called Inter. It is highly customizable, so it can be easily configured to fit the buyer’s needs, and is reportedly being sold in underground forums for $1,300 per license. We started seeing attacks from this campaign on April 19,” the researchers wrote.

“E-commerce websites use different platforms for handling payments. For instance, some websites handle the payments internally while others use external payment service providers (PSPs). Depending on which platform the compromised website uses, the campaign uses either a web skimmer or a fake payment form,” the report said.

The campaign reportedly injects a fake card payment form on a targeted web page and skims a victim's entered card information whether or not the page is a checkout form, bringing the skimmer into the customer experience earlier and avoiding security software intended to catch it on the checkout page. Another feature allows Inter to avoid detection by hiding the stolen information in plain sight, according to the report.

“The addition of obfuscation and anti-debugging capabilities to digital skimming toolkits such as Inter renders many of the passive scanners ineffective due to their reliance on finding the malicious payload hidden deep inside the site. In addition, attackers are now targeting specific users and are aware of the scanners that might block them, so attackers may serve a 'clean' script,” said Omri Iluz, CEO and co-founder of PerimeterX.

“A more effective solution is runtime analysis of real users. When analyzing runtime behavior of the site running in real user browsers, obfuscation and anti-debugging techniques are simply avoided, exposing the malicious payload as it’s being executed by the user.”

Cyber Command Warns APT Targeting Government Agencies

Info Security - Wed, 07/03/2019 - 17:16

A threat group has been exploiting an Outlook vulnerability to attack government agencies, according to a warning issued by the U.S. Cyber Command on July 2. 

Microsoft reportedly issued a patch for the vulnerability, CVE-2017-11774, in October 2017 after a proof of concept (PoC) was publicly disclosed. Malicious actors have been exploiting the vulnerability ever since. In December 2018, researchers at FireEye issued a report on Iranian attackers believed to be associated with APT33 who were exploiting the vulnerability.

“In mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this post in the 'RULER In-The-Wild' section,” the report said.

“Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.”

Based on the samples recently uploaded by Cyber Command, researchers once again suspect that the targeted attacks are the work of APT33 and Shamoon 2, according to Brandon Levene, head of applied intelligence at Chronicle.

“The executables uploaded by CyberCom appear to be related to Shamoon 2 activity, which took place around January of 2017. These executables are both downloaders that utilize PowerShell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely used for the manipulation of exploited web servers,” said Levene.

“Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published."

IT Director Fired Following Lake City Ransomware Attack

Info Security - Wed, 07/03/2019 - 12:13

The director of IT at Lake City Council, Florida, has been fired following a ransomware attack that resulted in the city being 'shut down' for three weeks, according to city manager Joe Helfenberg.

Brian Hawkins' position was terminated last week following the attack which resulted in the city paying $460,000 in Bitcoin. 

The attack, which has been described as a "triple threat" attack, disabled the city's servers, phones and email. Online systems were compromised three weeks ago, and the city agreed to pay the ransom requested: it approved its insurer, the Florida League of Cities, to pay 42 bitcoins, valued at $460,000 at the time, while the city itself paid a $10,000 deductible to obtain the decryption key and restore its online systems. It was confirmed that the incident resulted in one IT staff member being fired, although the specific reason has not been confirmed.

"Our city manager did make a decision to terminate one employee, and he is revamping our whole IT department to comply with what we need to be able to overcome what happened this last week or so, and that's so it doesn't happen again," Lake City Mayor Stephen Witt told WCJB.

Investigations are ongoing, according to Lake City officials, but the Mayor isn't optimistic that the attacker will be tracked down: "Because they used the Bitcoin to collect this money, the Bitcoin is not traceable once you make this ransom payment, it's not like the authorities can hunt these people down, and a lot of these people are from eastern bloc countries or non-extradition countries, so even if we know who they are we can't go get them."

According to WCJB, Helfenberg updated the city council on the recovery of its encrypted files at a council meeting on Monday evening, where it was agreed that the city would pay the ransom.

Lake City's police department and the Florida Department of Law Enforcement are investigating the case, according to Mayor Witt. The FBI is also conducting a wider investigation following ransomware attacks on other American cities.


Cybersecurity Should Be Handled by Law Enforcement and Government, Report

Info Security - Wed, 07/03/2019 - 11:26

A quarter (25%) of survey respondents feel cybersecurity should be the responsibility of law enforcement, and 28% feel it is down to the government, according to a report by Palo Alto Networks. 

The study, which surveyed over 10,000 respondents in EMEA and India, explored attitudes towards new cybersecurity technologies, such as artificial intelligence (AI), and how these technologies protect people's digital way of life. It was conducted with YouGov and alongside Dr Jessica Barker, co-founder of Cygenta.

Among EMEA respondents, 26% would prefer their cybersecurity to be managed by AI rather than a human. Italy has the most confidence in relying on AI (38%), while in the UK only 21% of people prefer AI. The research also suggests that those who are more open to AI technologies have a "positive outlook on the role cybersecurity plays in their day-to-day lives": of the respondents who preferred AI-managed cybersecurity, 29% believe having cybersecurity checks in place has a very positive impact on their overall online experience.
 
Greg Day, VP and CSO EMEA of Palo Alto Networks, comments: “AI is already playing a vital role in cybersecurity, helping to detect and prevent breaches with new capabilities that the human brain simply could not achieve. It is encouraging, therefore, to see the gap closing between AI- and human-managed cybersecurity technologies."

The study also uncovered mixed views on the perceived security of internet of things (IoT) technologies. For example, 38% of EMEA respondents believe them to be secure, with 43% believing the opposite.
 
“When any new technology emerges, there is often a reticence among many to embrace the change, even when it offers an improvement to our way of life," explains Dr Jessica Barker. "Many people are unaware of the way in which AI and machine learning are already enabling our use of technology, protecting our data and preventing cyber-attacks, largely because it is often non-invasive to the end-user. This can mean people feel hesitant about the concept of embracing AI, without realizing that it is already a positive presence in their lives. 

"It is interesting to note that IoT is considered insecure by the majority of participants, whereas most people feel that technology, in general, is helping them to be more secure online. This suggests that the technology industry needs to address security and privacy concerns surrounding IoT in a meaningful and transparent manner.”
 
Dr Barker adds: “Trust is so important in cybersecurity. People want to be actively engaged in better protecting themselves online, and they embrace technology that supports them in this. The knowledge acquired can then be transferred to other areas of their lives, most importantly, the workplace."


NHS "Urgently" Needs to Invest In Cybersecurity Measures Says Latest Report

Info Security - Wed, 07/03/2019 - 10:34

The NHS remains vulnerable to cyber-attacks and must take "urgent steps" to protect itself, according to a whitepaper by Imperial College. Presented to the House of Lords on Tuesday, July 2, 2019, the paper suggests that a combination of outdated computer systems, lack of investment, and a "deficit of skills and awareness in cybersecurity" is putting hospitals at risk.

The report, written by researchers from Imperial College London’s Institute of Global Health Innovation led by Professor the Lord Ara Darzi, collated evidence from NHS organizations and examples of previous attacks in the UK and across the globe. While the report commends existing measures put in place, it says more investment is urgently needed.

There are a number of key measures for NHS trusts to implement in order to increase cyber resilience, according to the research. These initiatives include "employing cybersecurity professionals in their IT teams, building ‘fire-breaks’ into their systems to allow certain segments to become isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cybersecurity."

The authors also point to the number of new technologies being used in the health system, such as robotics, artificial intelligence, implantable medical devices and personalized medicines based on a person’s genes, and say scientists must build security into the design of these technologies.

“We are in the midst of a technological revolution that is transforming the way we deliver and receive care," says Lord Darzi, co-director of the Institute of Global Health Innovation (IGHI). "But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. 

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”

Cyber-attacks on healthcare systems have increased in recent years. The global WannaCry attack in 2017, which took out 34 NHS trusts in the UK, cost the Department of Health and Social Care around £92 million. It resulted in thousands of appointments being cancelled, and in some cases patients were diverted to other hospitals.

The authors of the new report note that while the WannaCry attack was relatively crude and unsophisticated, and was not unique to the NHS, the number and sophistication of attacks is rising.

Dr Saira Ghafur, lead author of the report from the IGHI, explains: “Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cybersecurity ‘hygiene’ to counteract the clear and present danger these incidents represent.

"The effects of these attacks can be far-reaching – from doctors being unable to access patients' test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”

In October 2018 the Department of Health and Social Care announced a spend of £150m over the next three years to protect key services from the threat of cyber-attacks. The department also recently announced the creation of a new unit called NHSX, which will oversee digital transformation, and it is hoped that this organization will help streamline cybersecurity accountabilities.


Keyfactor Announces Acquisition of Redtrust

Info Security - Tue, 07/02/2019 - 14:01

Keyfactor, the Ohio-based digital identity management solutions provider, has announced that it will acquire Spain-based Redtrust, a digital identity solutions company that delivers centralized certificate and digital signature management, according to a July 2 press release.

“At the time of our $77 million investment, we planned to accelerate market expansion, specifically in Europe, fund product innovation and company growth,” said Jordan Rackie, CEO of Keyfactor. “We’ve certainly seen progress in all areas so far this year with this acquisition, the release of our code-signing product, Keyfactor Code Assure, in June and the company’s 100% year-over-year employee growth rate (we added 50 new positions in 2019). We’ve literally doubled the company in both size and revenue and remain focused on maintaining our growth trajectory into 2020.”

Digital identity management is driving changes in the marketplace, which has left customers juggling digital transformation and the security challenges that digitization brings. 

“We’re fiercely committed to innovation and providing our customers with a platform that meets their evolving security and compliance needs. We differentiate with our turn-key, cloud-based certificate-management and IoT security platform for large enterprises – providing them the freedom to manage every digital identity. And now with Redtrust we can deliver the same for mid-sized businesses,” Rackie said.

Currently serving its customers across banking, insurance, infrastructure and healthcare industries, Redtrust’s platform secures and centralizes certificate life-cycle management, a solution that will complement Keyfactor’s end-to-end secure identity and code-signing platform. 

“We found the perfect partner with Keyfactor, and I’m thrilled for Redtrust to reach this important company milestone,” said Daniel Rodríguez, CEO at Redtrust. “Together we have a shared vision for the future of trust and an obsession with technical excellence and customer success. We’re now on an unstoppable mission to secure the digital identities for companies of all sizes in any market.”

Thousands Left Vulnerable in Nexus Repository

Info Security - Tue, 07/02/2019 - 14:00

A recent breach in Nexus Repository left many companies and government agencies vulnerable, as thousands of private artifacts were left unprotected, according to a July 2 blog post from researchers Daniel Shapira and Ariel Zelivansky, with Twistlock Labs.

While this breach was swiftly rectified, Shapira and Zelivansky noted that this type of hack could have had catastrophic consequences and cannot be taken lightly.

A team of dedicated white hats identified these weaknesses within Nexus Repository. In a July 2 blog post, researchers wrote, “During my recent work I have discovered two security vulnerabilities in Nexus Repository that affect all users under default settings.

“This post is a dive into these vulnerabilities, which exposed thousands of private artifacts across a broad range of industries, including financial services, healthcare, communications, government agencies and countless private companies. But first, let's dig into what a Nexus Repository Manager actually is.”

According to Sonatype’s website, millions of developers trust the Sonatype Nexus Repository Manager, which has more than 120,000 active repositories and which the company describes as “the perfect system of record for all your software parts.”

Researchers wrote that the universal repository manager allows users to proxy, collect and manage Java dependencies, Docker images, Python packages and much more. “In sum, it makes it easier to distribute your software. Internally, you configure your build to publish artifacts to Nexus and they then become available to other developers,” the blog post said.

Because users tend to skip many configuration steps and run the software under default settings with only minor modification, the researchers found that the default administrator account is always admin/admin123 (CWE-521, weak password requirements) and that any unauthenticated user can read and download resources from Nexus (CWE-276, incorrect default permissions).

“This means all the images in the repository can be downloaded just by accessing the repository, with no authentication needed, or by authenticating as the default admin account if unchanged. While reviewing some of these internet-accessible repositories, I have found that at least 50% of them are using the default settings – meaning they are both affected by CWE-521 and CWE-276,” researchers wrote.

“These vulnerabilities mean users expose all of their private artifacts (images, packages and more) to the internet unintentionally. And unfortunately, this scenario is more common than you might think.”
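As an added example (not code from the Twistlock post or from Sonatype), the following Python audits a Nexus request log for the two conditions described above: successful anonymous reads of repository paths, and the built-in admin account authenticating from addresses outside an assumed internal range. It assumes the combined-log layout of Nexus 3's request.log (client IP, identity, user name with "-" for anonymous, timestamp, request line, status) and works over constructed log lines.

```python
"""Audit a Sonatype Nexus request log for the two exposures described above:
anonymous reads of private artifacts (CWE-276) and the built-in "admin"
account (the CWE-521 default credential) used from outside the network.
Added example, not from the Twistlock post or Sonatype; assumes the
combined-log layout of Nexus 3's request.log."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines, not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2019:10:15:01 +0000] "GET /repository/docker-private/v2/payments/api/manifests/1.4.2 HTTP/1.1" 200 - 2311 12 "docker/18.09.2"
203.0.113.7 - - [02/Jul/2019:10:15:02 +0000] "GET /repository/docker-private/v2/payments/api/blobs/sha256:aaaa HTTP/1.1" 200 - 48213992 340 "docker/18.09.2"
10.0.4.12 - jenkins [02/Jul/2019:10:16:40 +0000] "PUT /repository/maven-releases/com/acme/core/2.0/core-2.0.jar HTTP/1.1" 201 - 0 88 "Apache-Maven/3.6.1"
198.51.100.23 - - [02/Jul/2019:10:17:05 +0000] "GET /repository/pypi-internal/packages/acme-auth/acme_auth-0.9.tar.gz HTTP/1.1" 200 - 10240 7 "pip/19.1"
198.51.100.23 - - [02/Jul/2019:10:17:06 +0000] "GET /repository/pypi-internal/packages/acme-auth/acme_auth-0.8.tar.gz HTTP/1.1" 404 - 0 3 "pip/19.1"
203.0.113.7 - admin [02/Jul/2019:10:20:00 +0000] "GET /service/rest/v1/security/users HTTP/1.1" 200 - 1822 9 "python-requests/2.22.0"
"""

# Assumed internal address space; adjust to the deployment's own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
REPO_RE = re.compile(r"^/repository/([^/]+)/")


def parse_line(line):
    """Return the fields of one request.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Count successful anonymous artifact reads and external admin use."""
    anon_by_ip, exposed, admin_external = Counter(), set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        repo = REPO_RE.match(rec["path"])
        # A 200 on a /repository/ path with user "-": the artifact was served
        # with no credential at all, which is the anonymous-read exposure.
        if repo and rec["user"] == "-" and rec["method"] == "GET" and rec["status"] == "200":
            anon_by_ip[rec["ip"]] += 1
            exposed.add(repo.group(1))
        # The built-in admin account authenticating from a non-internal address.
        if rec["user"] == "admin" and not is_internal(rec["ip"]) and rec["ip"] not in admin_external:
            admin_external.append(rec["ip"])
    return {"anonymous_downloads": sum(anon_by_ip.values()), "anonymous_by_ip": anon_by_ip,
            "exposed_repositories": exposed, "admin_from_external": admin_external}
```

Run `summarize()` over a real request.log; any non-empty `exposed_repositories` on an instance meant to hold private artifacts means anonymous access is still enabled.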

