Cyber Risk News

SIEM Still Creates Complexity and Administration Challenges

Info Security - Thu, 02/20/2020 - 18:05

Based on a series of Twitter polls hosted by Sumo Logic, 40.3% of Twitter users that responded said that SIEM is valued most as a “security control” whilst less than a quarter saw it used for threat detection or data collection.

According to 5766 votes, threat detection accounted for 23.3% of responses, while data collection accounted for 24.3%. Commenting, Michael Thoma, principal consultant, risk management at the Crypsis Group, told Infosecurity that a SIEM can be used as a form of security control as some SIEMs can detect if a user was added to a domain admin account without a ticket and use APIs to disable that user automatically.

“There are many tools that can supplement threat detection in lieu of a SIEM,” he explained. “In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment.”
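As an added example (not code from the article, Sumo Logic or Crypsis) of the SIEM control Thoma describes, here is a Python detection routine over constructed Windows group-membership events: it flags additions to privileged groups that have no approved change ticket within a validity window and hands the offending accounts to a response hook. The event IDs are real Windows Security IDs; the record shape, group list, tickets, 24-hour window and the disable_account hook are assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs for privileged group membership additions.
# 4728 = member added to a security-enabled global group
# 4756 = member added to a security-enabled universal group
# (4729/4757 are the matching removals and are deliberately ignored.)
GROUP_ADD_EVENTS = {4728, 4756}

# Groups whose membership changes must be backed by an approved change ticket.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# How long an approved ticket authorises the change it covers (assumption).
TICKET_WINDOW = timedelta(hours=24)

# Constructed sample events, one JSON record per line, in a simplified shape a
# collector might forward to the SIEM (not real log data).
SAMPLE_LOG = r"""
{"ts": "2020-02-20T09:00:00", "event_id": 4728, "group": "Domain Admins", "member": "CORP\\jdoe", "subject": "CORP\\admin1"}
{"ts": "2020-02-20T09:05:00", "event_id": 4728, "group": "Domain Admins", "member": "CORP\\svc-backup", "subject": "CORP\\admin2"}
{"ts": "2020-02-20T09:10:00", "event_id": 4729, "group": "Domain Admins", "member": "CORP\\olduser", "subject": "CORP\\admin1"}
{"ts": "2020-02-20T09:15:00", "event_id": 4728, "group": "Helpdesk", "member": "CORP\\newhire", "subject": "CORP\\admin3"}
{"ts": "2020-02-21T11:00:00", "event_id": 4756, "group": "Enterprise Admins", "member": "CORP\\svc-backup", "subject": "CORP\\admin2"}
"""

# Constructed approved change tickets (hypothetical ticketing-system export).
SAMPLE_TICKETS = [
    {"id": "CHG-1001", "member": "CORP\\jdoe", "group": "Domain Admins",
     "approved_at": "2020-02-20T08:30:00"},
    # Stale: approved more than TICKET_WINDOW before the 2020-02-21 change.
    {"id": "CHG-0990", "member": "CORP\\svc-backup", "group": "Enterprise Admins",
     "approved_at": "2020-02-19T10:00:00"},
]


@dataclass(frozen=True)
class Finding:
    member: str
    group: str
    ts: str
    subject: str  # the account that performed the change


def parse_events(raw):
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def ticket_covers(tickets, member, group, when):
    """True if an approved ticket for this member/group is valid at time `when`."""
    for t in tickets:
        if t["member"] != member or t["group"] != group:
            continue
        approved = datetime.fromisoformat(t["approved_at"])
        if approved <= when <= approved + TICKET_WINDOW:
            return True
    return False


def detect_unticketed_admin_adds(raw_log, tickets):
    """Return a Finding for every watched-group addition with no valid ticket."""
    findings = []
    for ev in parse_events(raw_log):
        if ev.get("event_id") not in GROUP_ADD_EVENTS:
            continue
        if ev.get("group") not in WATCHED_GROUPS:
            continue
        when = datetime.fromisoformat(ev["ts"])
        if ticket_covers(tickets, ev["member"], ev["group"], when):
            continue
        findings.append(Finding(ev["member"], ev["group"], ev["ts"], ev["subject"]))
    return findings


def plan_response(findings, disable_account=None):
    """Return the accounts to disable, one entry per member, in first-seen order.

    `disable_account` is a hypothetical hook for the directory or SOAR API that
    actually disables the account; when it is None this is a dry run.
    """
    disabled = []
    for f in findings:
        if f.member in disabled:
            continue
        if disable_account is not None:
            disable_account(f.member)
        disabled.append(f.member)
    return disabled


if __name__ == "__main__":
    hits = detect_unticketed_admin_adds(SAMPLE_LOG, SAMPLE_TICKETS)
    for h in hits:
        print(f"{h.ts} {h.subject} added {h.member} to {h.group} with no valid ticket")
    print("dry-run disable list:", plan_response(hits))
```

The stale ticket in the sample shows why the time window matters: a ticket approved days earlier does not authorise a later change.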

In another Twitter vote, of 621 respondents, 38.5% said that administration was the biggest struggle of SIEM complexity, whilst 32% cited deployment and 29.5% opted for operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”

He claimed that SIEM engineering and management requires a dedicated team that is both intimately familiar with the platform itself and the internal infrastructure and operations. “A SIEM is not an off-the-shelf product, and too many teams implement a SIEM for a fraction of the capabilities offered,” he said. “There are likely just as many teams using it for the full effectiveness as there are those hoping to use it as a silver bullet.”

Thoma said he suspected that an out-of-the box SIEM solution was not likely in the coming years, as “SIEMs are inherently complex as they must be able to integrate with a multitude of technology stacks across many business verticals and allow for the creation of custom metrics and alerts specific to an organization's environment.”

The surveys were done in advance of Sumo Logic announcing the availability of its new Cloud SIEM Enterprise offering, which includes capabilities to ease the burden on security operations center personnel. The company said that the new capabilities help identify and prioritize high fidelity threats and automate the analyst workflow, allowing SOC personnel to better manage real security events and effectively enforce security and compliance policies.

Jon Oltsik, senior principal analyst and fellow at ESG, said: “Despite the central role SIEM plays, the research indicates that SOC teams use additional tools beyond SIEM for threat detection and response, investigations and query, threat intelligence analysis and process automation and orchestration. Sumo Logic’s Cloud SIEM Enterprise can help bridge this gap with a broader set of automation capabilities targeted directly at the modern SOC.”

Greg Martin, general manager, security business unit, Sumo Logic, added: “With the industry’s fast-moving transformation to public cloud, we wanted to give security teams a cloud-native solution with robust features they can use to navigate today’s cloud-centric world.”

HP Joins Industry-Standards Initiative for Printer Security

Info Security - Thu, 02/20/2020 - 17:30

HP Inc. has announced that it has joined the Buyers Lab (BLI) Security Validation Testing program for MFPs and printers to help drive more stringent industry standards for printer security.

Common endpoint devices such as office printers have proven to be serious security weak spots for organizations of all sizes in recent years, chiefly due to modern printers being produced with various forms of in-built connectivity, without the same sophistication of security to go with it. Printers have therefore become an attractive target for cyber-attackers looking for an easy foot into corporate networks.

The BLI Security Validation Testing program was designed to verify that printers which pass through it are equipped to combat the increasingly sophisticated threat landscape, thus helping to establish standards so customers can select the best options for their desired security posture.

“Our decision to engage in this testing program is driven by our desire to help raise the bar for the entire industry,” said Tuan Tran, president, imaging, printing and solutions business, HP Inc. “We believe more can and should be done to mitigate security risks. This is an important step in driving more stringent industry standards for IoT devices, like printers, and pushing our industry to a higher standard. We encourage all our industry counterparts to join in this effort.”

As an inaugural participant of the BLI Security Validation Testing program, HP has passed the first two rounds of testing and earned the Security Validation Testing seals for Device Penetration and Policy Compliance for its HP FutureSmart v4 Enterprise firmware platform.

The news comes a year-and-a-half after HP Inc. became the first company to launch a bug bounty scheme dedicated to printing services, offering rewards of up to $10,000 for researchers who correctly report vulnerabilities in its printing technology.

Chinese Hackers Target Asian Betting Firms

Info Security - Thu, 02/20/2020 - 11:30

Chinese hackers linked to state-backed groups have been observed targeting gambling companies in southeast Asia as part of another cyber-espionage campaign.

A new report from Trend Micro and Talent-Jump Technologies, Uncovering DRBControl, details the work of the eponymous group, whose activities were uncovered in 2019.

Attackers first deploy a spear-phishing email containing .DOCX files, which trigger a backdoor malware download if opened.

“The campaign uses two previously unidentified backdoors. Known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools were also found in the attacker's arsenal,” Trend Micro claimed.

“Interestingly, one of the backdoors used file hosting service Dropbox as its command-and-control (C&C) channel.”

The group also uses Dropbox to deliver different payloads to victims, and to store commands, post-exploitation tools and stolen files.

Post-exploitation tools used by the group range from password dumpers and clipboard stealers to UAC bypass tools, code loaders and brute forcing tools.

DRBControl also uses malware associated with the state-linked Winnti and Emissary Panda groups, although it’s unclear whether the campaign itself has links to Beijing.

“Links to the Winnti group range from mutexes to domain names and issued commands,” said Trend Micro. “The HyperBro backdoor, which appears to be exclusive to Emissary Panda, was also used in this campaign.”

The campaign is ongoing, with researchers believed to have detected hundreds of compromised endpoints in the region.

Given that the exfiltrated data so far has consisted of internal databases and source code, it is thought the hackers are focused on cyber-espionage and gaining competitive intelligence, according to the report.

Over 2000 UK Government Devices Go Missing in a Year

Info Security - Thu, 02/20/2020 - 10:30

Over 2000 mobile devices used by UK government employees have gone missing in the space of a year, with a significant number unencrypted, according to new Freedom of Information (FOI) data.

Requests were sent by global communications company Viasat to 47 government departments, with full or partial replies received back from 27 of them.

During the period June 1 2018 to June 1 2019, a total of 2004 devices were reported lost or stolen, which amounts to eight per working day or 39 per week, according to the firm.

Even more concerning is the fact that the vast majority (767) were lost by the Ministry of Defence (MoD), followed by HMRC (288), the Department for Business, Energy and Industrial Strategy (197) and the Foreign Office (193).

On the plus side, the majority (1824) of the missing smartphones, laptops, PDAs, external storage devices and tablets were reported as encrypted. However, scores (65) were not, and the status of a further 115 is unknown.

Viasat’s UK managing director, Steve Beeching, argued that mobile security must be a top priority for government.

“Despite the progress made on encrypting devices, the fact that unencrypted government devices are still being lost is concerning, suggesting more needs to be done to ensure data is protected at all times. For devices this means total encryption – going beyond password protection to secure data at a hardware level,” he said.

“While the necessity for security is clear in areas such as defense and security, all government departments run the risk of a damaging security breach. It only takes one device getting into the wrong hands to give malicious actors access to sensitive content, whether top-secret information or personal data.”

In fact, the loss of personal data puts missing devices like these in the realm of GDPR regulation.

Viasat asked the government departments when they had last been audited by privacy watchdog the Information Commissioner’s Office (ICO), which is good practice for public sector organizations. In total, eight of those that replied said they had never been audited, while some had not been checked for years: the MoD’s last audit was in 2010, for example.

Departments can proactively ask for an audit free of charge whenever they like, to ensure they're meeting commitments to data protection laws.

“Individual departments cannot assume that their data will not be of interest to attackers – with the right strategy, any data can be a threat,” continued Beeching. “UK government departments must take a zero-tolerance approach to non-encrypted devices in order to safeguard data from falling into the wrong hands.”

Ransomware Wreaks Havoc Across Europe

Info Security - Thu, 02/20/2020 - 09:54

Security experts have this week warned Italian and Swiss businesses to be on their guard as ongoing ransomware campaigns continue to target vulnerable systems.

In Switzerland, the Reporting and Analysis Centre for Information Assurance (Melani) issued an alert for local firms, claiming that it has already been forced to deal with a dozen cases where SMEs and large organizations have had their systems encrypted.

“The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions,” it said. The Swiss Franc is virtually 1:1 with the US Dollar at present.

“A technical analysis of the incidents revealed that the IT security of the companies affected was often incomplete and the usual best practices were not fully observed. Furthermore, warnings from the authorities were not heeded.”

The best practices that firms have been ignoring include AV installation, RDP endpoints protected with two-factor authentication (2FA), regular offline backups and patching, network segmentation and restricted user rights.

It’s unclear what strain of ransomware is targeting the businesses, but Melani urged victims not to pay up.

“If a ransom payment is nevertheless being considered, it should be noted that although systems and data might be decrypted, the underlying infection from malware such as Emotet or TrickBot will remain active,” it added. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware or steal sensitive data from it.”

The news comes as security experts spotted a new campaign targeting Italian users with the Dharma ransomware variant.

Hackers are this time using malicious spam to spread the ransomware, alongside the Ursnif data-stealing trojan.

The phishing email in question purports to contain an invoice from a client, but if the user clicks on a link in the body of the message, they will be taken to a OneDrive page where an automatic malware download will begin.

2020 Tax Season Attacks Already Targeting Small Businesses

Info Security - Wed, 02/19/2020 - 17:30

The deadline for filing taxes in the United States is eight weeks away, but new research has shown that small businesses are already being hit by tax season–related cyber-attacks.

Research conducted by Proofpoint indicates that attackers are “aggressively jumping into tax season,” with the deployment of two main attack strategies. 

The first strategy is to send tax-themed emails with enticingly titled malicious attachments, such as "Important changes, filing due date and charges to form 1099."

The second tactic is to compromise legitimate tax-focused websites to deliver malware to people who visit the sites. Data gathered so far indicates that small businesses that specialize in tax preparation are a particular focus for website compromise cyber-attacks this tax season. 

“If you have the word 'tax' in your domain name, you're a target this year. And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately,” said senior director of threat research and detection at Proofpoint, Sherrod Degrippo. 

Attackers were observed gaining access to legitimate tax-focused websites via unpatched and out-of-date WordPress and other content management system installations. Code planted by attackers on compromised sites downloads malware onto the systems of people who visit in an attempt to access and steal their data. Researchers noted that code was often hosted elsewhere to make the compromise harder to spot.

Degrippo said: “In these attacks, we’ve seen the sites of smaller tax preparation and accounting firms targeted and compromised. This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened.”

Describing the most sophisticated threat observed by researchers and how dangerous such attacks can be, Degrippo told Infosecurity Magazine: "A recent attack observed spoofed the full branding of a very well-known tax preparation service in the US for both the lure and the landing page for credential phishing. If a threat actor is successful in obtaining an authentic W2, they can potentially file taxes on behalf of that person, receiving the refund to their own account instead of the actual taxpayer."

Degrippo warned that phishing emails are now dangerously sophisticated.

"With the introduction of social engineering, phishing emails have become nearly indistinguishable from legitimate emails. They use trusted brands, and the correct logos, format, and wording as an email that might be expected from that brand. 

"Attackers are adept at using LinkedIn and Google to conduct reconnaissance on potential individuals that have access to the information they want and are laser-focused on targeting them directly through email. And they are continuing to use email because it’s cheap, easy to use, and above all, effective."

Air Force Gives Students a Second Crack at Cybersecurity Certification

Info Security - Wed, 02/19/2020 - 16:54

The United States Air Force is offering students who failed to gain cybersecurity certification the first time around a second opportunity to qualify.

Previously, students who didn’t pass the Security+ exam on their first go had to rethink their chosen area of specialization within the Air Force. The new Pathfinder program gives students a precious second chance to pursue their dream of working in cybersecurity.

To acquire the Security+ certification, students must prove that they have the necessary skills to perform in a security-based information technology career by passing the Security+ exam. 

“The exam is known to be complex and difficult, and many Airmen fail and lose their designated career field,” said Airman 1st Class Seth Haddix, 81st Training Wing, Public Affairs.

Under the new program, selected re-classed students who failed to pass the exam the first time can retake the test during their first six months at their duty station. 

The program has worked out well for Senior Airman Jennica Ripoli, 21st CD communications technician at Peterson Air Force Base in Colorado.

“Missing my chance of getting my desired job in the Air Force crushed me. It felt like I wasn’t able to achieve what I worked so hard for, and I would never be able to follow the career I wanted,” said Ripoli. 

“Being able to eventually transfer over to cybersecurity after passing amazed me and made me feel like the Air Force is really trying to help me follow the right path.”

Being able to finally pass the exam and follow her dream career has been a real confidence boost for Ripoli.

She said: “This opportunity proved that I could overcome failure. I worked hard and continued to pursue the path I wanted, and I was successful.”

By switching fields, airmen who complete the Pathfinder program gain the distinction of possessing two Air Force Specialty Codes (AFSCs) instead of the usual one. 

The first airman to complete the Pathfinder program was Airman 1st Class Johnathan Garcia, 75th Communications Squadron client systems technician, Hill Air Force Base, Utah.

“I feel I am more qualified with the knowledge of two AFSCs,” Garcia said. “I have more knowledge working with the other cyber jobs on base.”

Cyber-Flashing on UK Trains Doubles

Info Security - Wed, 02/19/2020 - 15:55

British Transport Police have reported an alarming increase in the number of women being sent sexually explicit images by strangers while traveling via train.

In 2018, 34 cases of cyber-flashing offenses were reported to British Transport Police. In 2019, the number of recorded cases rose to 66, almost doubling over a one-year period. 

Cyber-flashing occurs when a sexual predator sends an unsolicited pornographic image or video to a stranger via the iPhone file-sharing function AirDrop.   

Police fear the actual figures could be vastly higher as most incidents of cyber-flashing go unreported. Reasons for this could include the fear and/or embarrassment experienced by the victim, the difficulty in identifying the offender who sent the image, and a lack of serious consequences for offenders who are caught cyber-flashing. 

AirDrop allows files to be sent anonymously, allowing offenders to harass women with impunity. All that victims receive is a preview of the image and the name of the phone being used to commit the crime. 

Despite a huge increase in the number of recorded cases of this particular crime on British trains, only one sexual predator was arrested for cyber-flashing in 2019. Although the crime creates a sickening imposition upon women who enter what should be a safe public space, police don't always take reports of this crime seriously.

Last year, a woman who reported a cyber-flashing incident that occurred while she was traveling on London's Bakerloo line was told by the British Transport Police officer that the crime was impossible to investigate. The officer belittled the victim's experience by suggesting to her that it was "just photos." 

Under current British law, cyber-flashing is not considered a sexual offense. However, it's not hard to imagine that offenders who can violate a woman's privacy through cyber-flashing, and who are not caught and punished, could go on to commit sexual offenses.   

ESET cybersecurity specialist Jake Moore said: "I recommend people set up AirDrop for contacts only to stop people you don’t know sending you unsolicited messages—or even better just turn it on when you need it."

Moore said that women could reduce their chances of receiving unwanted porn while going about their daily lives by pretending that they are not female. 

Shifting the onus onto women to take preventative actions against this unwarranted and abhorrent behavior by men, he said: "Another way of mitigating the chance of being sent an unsolicited message could be to change the name on your device to something neutral, rather than your name."

Medical Devices Intro Major Bluekeep Risk to Hospitals

Info Security - Wed, 02/19/2020 - 12:00

Medical devices represent a major risk to healthcare organizations (HCOs), and are twice as likely as standard network devices to be vulnerable to Bluekeep, according to CyberMDX.

The security vendor’s 2020 Healthcare Security Vision Report claimed that a third (30%) of US HCOs have experienced a cyber-attack in the past 12 months.

Connected devices are an increasing source of risk, as many are left unpatched and unmanaged, the report claimed. For example, 55% of imaging devices run unpatched or outdated Windows versions which could leave them vulnerable to Bluekeep.

This is an RCE flaw in Windows Remote Desktop Services (RDS) which could enable an attacker to take complete control of a machine to spread malware or launch info-stealing attacks. It affects Windows XP to Windows 7 and Server 2003 to Server 2008 R2 computers, and could spread without user interaction in a way similar to the EternalBlue exploit that enabled WannaCry to do so much damage to the NHS.

CyberMDX uncovered a range of security issues among HCOs, claiming that 11% don’t patch devices at all, and that a typical hospital will have patched only 40% or fewer vulnerable devices four months after a bug disclosure.

There’s more: a quarter (25%) don’t possess a full inventory of connected devices, while a further 13% admit theirs is unreliable. A third (34%) say they don’t identify, profile or continuously monitor medical devices and a further 21% do this manually, which is not sustainable given the explosion in such endpoints.

It’s perhaps no surprise that the average hospital has lost track of 30% of its devices, according to the report.

The challenges extend to staff cybersecurity training and awareness: 23% of respondents said they have no such program in place and 17% claimed they do but it hasn’t launched yet.

Over a third (36%) still lack a formal BYOD policy.

According to IBM’s latest Cost of a Data Breach report, HCOs suffered the highest cost of a breach – nearly $6.5m on average – for the ninth year in a row in 2019. CyberMDX also claimed that at least 10 hospitals had to turn away patients last year due to ransomware attacks.

US Gas Pipeline Shut After Ransomware Attack

Info Security - Wed, 02/19/2020 - 10:30

A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed.

The unnamed “natural gas compression” plant was first targeted with a spear-phishing email, allowing the attacker to access its IT and then pivot to its OT network, according to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The ransomware used was not named, but described as a “commodity” type designed to infect Windows systems, rather than the new strain spotted recently that had ICS-specific functions.

As such, it didn’t manage to impact any of the programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes. Still, the ransomware was able to compromise human machine interfaces (HMIs), data historians and polling servers on the OT network.

The victim organization was ill-prepared for such an attack: a worrying sign that some critical infrastructure providers still haven’t evolved their threat modelling to take account of modern black hat techniques.

Specifically, the organization failed to implement robust segmentation between IT and OT networks, allowing the attacker to infect both. It also did not build cyber-risk into its emergency response plan, focusing solely on threats to physical safety.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,” the CISA alert noted.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

CISA urged critical infrastructure organizations to: add cyber-risk planning to their incident response strategies, practice failover to alternate control systems, use tabletop exercises to train employees, identify technical and human points of failure for operational visibility and recognize the safety implications of cyber-attacks, among other steps.

Among the technical security controls it recommended were network segmentation, multi-factor authentication, regular data backups, least privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.

AdSense Extortionists Threaten to Trigger Google Fraud Alarms

Info Security - Wed, 02/19/2020 - 09:50

Security experts are warning of a new extortion email campaign threatening to bombard websites using AdSense with fake traffic, thereby triggering Google’s anti-fraud systems.

A website owner wrote to journalist and researcher Brian Krebs claiming to have received just such a threat. The extortionists demanded $5000 in Bitcoin, or else they would bombard the site with bot-driven traffic.

This in turn, they claimed, would set off alarm bells with Google and force the tech giant to suspend the web owner’s AdSense account, depriving him of valuable advertising revenue.

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended,” the email reportedly argued.

“It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to a second AdSense ban that could be permanent.”

Google itself claimed such threats are rare, and in any case it has the tools to detect and prevent sabotage like this from succeeding.

It urged any web owners that have been the subject of such threats to fill in an online form, and/or to visit its help page on sabotage.

Jake Moore, cybersecurity specialist at ESET, urged users to treat these extortionists as they should ransomware authors, by refusing to engage.

“I would firmly advise people not to pay any extortionists as there is no guarantee that this will stop the traffic. If anything, these criminals will likely place your name on their suckers list, and possibly come back with higher payment demands,” he added.

“This should be reported to the police, and I suggest you do not communicate with these attackers.”  

Intentional Malicious Insider Breaches Increased Between 2019 and 2020

Info Security - Wed, 02/19/2020 - 09:05

The concern about intentional data breaches has increased year-on-year, with 75% of IT leaders believing that employees have put data at risk intentionally.

According to research by Egress of 528 CSOs and IT leaders, 97% of respondents said “insider breach risk” is a significant concern. Of those surveyed, 78% said that employees have put data at risk accidentally, while 75% believed employees have put data at risk intentionally. This is a rise of 14% since last year’s research.

Egress chief marketing officer Tim Pickard said he was not surprised that 97% of CISOs and IT leaders would be concerned, and that too many companies are relying on employees to report breaches.

Egress CEO Tony Pepper added that the “severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches.”

Of those employees that have accidentally leaked data, 41% said it was due to a phishing message, 31% said that this was due to information being sent to the wrong recipient and 29% said that they or a colleague had intentionally shared data against company policy in the last year.

Looking at the causes of an intentional breach, 32% of those polled said that this was due to employees sharing data to personal systems, while 22% blamed employees leaking data to a contractor and 21% said that employees share data directly to cyber-criminals. Also, 18% said that employees take data to a new job, with only 4% saying that they “don’t have malicious insider breaches.”

Speaking to Infosecurity at the launch of the research, Pickard said that, from a point of view of intentionally leaking data, “there is a general awareness around the potential risks that exist from employees, and it doesn’t have to be malicious to be intentional, it could be misguided by someone trying to get their job done and putting data at risk.

“There are a number of elements at play, as none of us see the work environment getting any easier and there will be increased pressure at work for most people,” Pickard argued. “People have access to all sorts of technologies that IT leaders would rather they did not have, and cloud is a great thing, but it makes available some powerful technologies to people for a very small amount of money.”

Speaking to Infosecurity, Panaseer CEO Nik Whitfield cited the case of Sergey Aleynikov who was charged with stealing code from Goldman Sachs and giving it to his next employer. “There are different types of insider: some help themselves while some do it maliciously – but to them it is normal behavior,” he said. “Malicious insiders are also being placed by cyber-criminals and getting jobs in companies to steal information or to do corporate espionage.”

US Teen Arrested Over Alleged Swatting and Cyberstalking

Info Security - Tue, 02/18/2020 - 17:33

A 19-year-old American man has been arrested for allegedly engaging in a six-year cybercrime wave that involved swatting, computer fraud, and the stalking of multiple victims, including a New York schoolgirl.

Tristan Rowe was arrested on February 12 after allegedly threatening to kill one victim and bomb their school. Cops say he sent multiple disturbing messages to the victim, including one depicting a knife accompanied by the words "you don't deserve to live."

Another chilling message allegedly sent by Rowe showed a detailed map from Tennessee to a victim's home address in the Bronx, New York. 

Rowe, who refers to himself as Angus, is alleged to have engaged in a persistent online stalking and harassment campaign against one particular victim. Police say he hacked online accounts belonging to the victim and to members of their family and even hacked into the computer systems of the victim's former high school to interfere with the grading system.

Tennessee resident Rowe is further accused of orchestrating multiple incidents of swatting, sending armed police to respond to false reports of an emergency at a victim's residence.  

One such incident, a hoax call placed by California man Tyler Barriss in 2017, resulted in the death of 28-year-old Kansas father Andrew Finch, who was shot by a police officer responding to the bogus report. Rowe allegedly used this potentially fatal tactic not only to terrorize his intended victim, but also to stage swatting incidents at the homes of the victim's friends and family.

In a message that demonstrated he was fully aware of the danger to life caused by swatting, Rowe allegedly told the victim, "Your choice u can wind up dead cause the armoured cops will come raid u."

Cops say that evidence obtained from Rowe's computer indicates that he conducted a number of computer intrusions of government and private-sector websites. They say Rowe was planning to compromise, or had already compromised, an inmate tracking website used by federal and local law enforcement, a police department website, the website of a hospital in New York, and a website for a state Department of Motor Vehicles. 

Rowe has been charged with one count of cyberstalking and one count of unauthorized access to a computer. He faces up to ten years in prison if convicted on both counts.

Categories: Cyber Risk News

Indian Arrested Over Sale of Illegal Drugs Disguised as Sex Aids on Dark Web

Info Security - Tue, 02/18/2020 - 16:16
Indian Arrested Over Sale of Illegal Drugs Disguised as Sex Aids on Dark Web

India has made its first arrest of an alleged dark web narcotics vendor. 

Recent Amity University graduate Dipu Singh was taken into custody in Alambagh, Lucknow, on February 9 by India’s Narcotics Control Bureau (NCB). The 21-year-old is accused of selling psychotropic drugs disguised as erectile dysfunction remedies on dark web marketplaces in exchange for cryptocurrency.

Singh, whom the NCB described as "a major player on the dark net," allegedly sold illegal drugs to clients in several European countries, including Romania and Spain, and to customers in the UK and the US. 

The illegal pills were mostly sold through dark web sites Majestic Garden and Empire Market, then shipped via global post offices and international courier services. The NCB suspects Singh also made sales via WhatsApp.

"Singh had mastered the technique to disguise the identity while making a shipment. It was learnt that the said parcel was devoid of KYC details," said deputy director general of operations at the NCB, Rajesh Nandan Srivastava.

In three seizures, NCB’s Mumbai Zonal Unit recovered 33,000 Tramadol and Zolpidem tablets, which they claim can be linked to Singh’s alleged drug dealing operation. Another 22,000 tablets were seized by the Delhi team.

A total of 55,000 psychotropic tablets, which include tramadol, zolpidem, and alprazolam, were seized as part of a two-month-long operation into Singh's alleged activities. 

Singh gained a bachelor’s degree in Hotel Management last year. To help fund his studies, Singh accepted a part-time job at a legitimate internet pharmacy in 2018. There he earned a commission from the sale of fitness supplements and erectile dysfunction medicines, but the NCB alleges that the then student was lured over to the dark side by the promise of more money.

An NCB spokesperson said Singh "further learnt that the major profit is in the sale of controlled psychotropic medicines."

Singh allegedly worked with an associate, who took orders for the drugs and shared details of where to deliver each package. After using couriers to collect the drugs from various cities in India, Singh is accused of sending them out to his customers packaged as erectile dysfunction medicine.

If convicted, Singh is likely to face a stiff sentence.

Categories: Cyber Risk News

Dell in Talks to Sell RSA Cybersecurity Firm

Info Security - Tue, 02/18/2020 - 15:02
Dell in Talks to Sell RSA Cybersecurity Firm

Dell is said to be finalizing a $2bn deal to sell its RSA cybersecurity company to a private equity firm, according to the Wall Street Journal.

Citing sources “familiar with the matter,” the Journal reported Monday that a deal concerning the sale of RSA Security LLC could be finalized as early as today between Dell Technologies Inc. and STG Partners LLC.

Multiple award-winning security company RSA is best known for its SecurID hardware and software tokens, which generate time-based one-time passcodes used as a second authentication factor for access to corporate networks. According to its website, the firm has 30,000 customers around the globe.

RSA Security was founded as an independent company in 1982 and was acquired by EMC Corporation in 2006 for $2.1bn. Dell acquired RSA a decade later with the purchase of EMC.

Reports that Dell was considering divesting the security company were first shared back in November 2019 by Bloomberg. Back then, RSA Security was expected to fetch at least $1bn, including debt.  

A month later, PE Hub reported that Morgan Stanley had been engaged by Dell to complete the sale of RSA in a deal estimated at the time to be worth $3bn.  

News of the possible finalization of the transaction comes one week before RSA's annual conference is due to take place in San Francisco. The conference hit the headlines last week when major sponsor IBM Corporation withdrew its support from the event, citing concerns over the spread of the coronavirus. 

If given the green light, the RSA deal will be the latest in a string of acquisitions of cybersecurity companies by private equity firms. In January, Insight Partners shelled out $5bn to acquire Swiss cloud data management company Veeam Software Inc and set aside a further $1.1bn in an agreement to acquire Armis Inc. 

Then, earlier this month, news broke that PE firm Advent International and Crosspoint Capital Partners would be acquiring Forescout Technologies Inc for $1.9bn.

Dell also retains interests in two other security businesses. The computer manufacturer acquired SecureWorks in 2011 and still holds a majority stake, and through its acquisition of EMC it owns 81% of VMware, which last year bought endpoint security vendor Carbon Black for $2.1bn.

Categories: Cyber Risk News

Two-Thirds of CISOs Struggling with Skills Shortages

Info Security - Tue, 02/18/2020 - 12:01
Two-Thirds of CISOs Struggling with Skills Shortages

Two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.

The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC, to compile its report, Global Snapshot: The CISO in 2020.

It found that CISOs in APAC are encountering the most difficulty with recruitment: 91% of respondents there said it was hard to find the right talent, versus 61% in the UK and 54% in the US. Globally, the main challenges were candidates lacking the right technical knowledge (34%), the right experience (30%) and the right cultural fit (10%).

Although 73% of respondents are under 45 years old, there may be long-term trouble ahead for many companies. The average tenure as CISO is four years globally, and 85% of respondents said they are actively looking for a new role or would consider one if approached.

The report warned in particular of a “brain drain” from the public sector, where over a quarter of respondents are actively pursuing new roles. Over half (52%) said they wanted a new challenge whilst 37% pointed to better compensation.

A further 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years.

This chimes with data from other sources, including the (ISC)2, whose most recent study reported a global shortfall in security professionals in excess of four million. This included 561,000 in North America and a 2.6 million shortfall in APAC, while the shortage in Europe rose by over 100% from the previous year to 291,000.

Ron Green, CSO at Mastercard, argued that the right technology could help to alleviate skills challenges.  

“Machine learning and automation are going to be really helpful to current and future CISOs,” he said.

“Businesses are still going to need smart humans on security but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor and you can't simply keep putting in more people because there aren't enough.”

Categories: Cyber Risk News

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Info Security - Tue, 02/18/2020 - 11:00
Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.

The problem lies in versions 1.3.4 through 1.6.1 of the ThemeGrill Demo Importer plugin, according to WebARX.

The firm said that the bug could allow any unauthenticated user to wipe the entire database to its default state and then log in as administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill. In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” the firm explained.

“Based on the SVN commit history, this issue has existed in the code for roughly three years, since version 1.3.4.”

WebARX warned that the vulnerability is particularly dangerous because exploiting it does not require a suspicious-looking payload: the triggering request looks like ordinary admin traffic. For that reason, web application firewalls are unlikely to block attacks by default, and administrators would need to write a specific rule for them to do so.

ThemeGrill is a popular provider of WordPress themes which users can deploy to customize their websites. The plugin in question can be used to demo content, widgets and theme settings quickly and easily.

The vulnerability is the second in the space of a month which could allow attackers to effectively wipe targeted WordPress sites.

Back in January, Wordfence warned of critical flaw CVE-2020-7048 which affects the WP Database Reset plugin that has been installed over 80,000 times.

“Without proper security controls in place, the WP Database Reset plugin contained a serious flaw that allowed any unauthenticated user the ability to reset any table in the database,” the firm explained. “This reset would result in a complete loss of data availability. An attacker could send a simple request and a site would be completely reset to the WordPress standard defaults.”
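Both plugin bugs above share a shape: a state-destroying action wired to a request parameter, reachable by anonymous visitors, with no capability or nonce check. As an added illustration of the "special rule" WebARX says a firewall needs (this is not WebARX's, ThemeGrill's or Wordfence's code), the following Python filter decides by context rather than by payload: the trigger parameter name `do_reset_wordpress` is taken from WebARX's write-up rather than from this article and is treated as an assumption, and the sample traffic is constructed.

```python
"""Added example (not code from WebARX, ThemeGrill or Wordfence): an edge
filter that flags the unauthenticated database-reset request the article
describes. It runs over constructed request records, so no WordPress
install is needed."""
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumption: the trigger parameter named in WebARX's write-up is
# `do_reset_wordpress`; the article itself does not give it. Add the
# equivalent parameter for other reset-style plugins (e.g. WP Database Reset)
# to this set once confirmed from the relevant advisory.
RESET_PARAMS = {"do_reset_wordpress"}

# WordPress runs `admin_init` hooks for every request under /wp-admin/,
# including admin-ajax.php and admin-post.php, which accept anonymous requests.
ADMIN_PREFIX = "/wp-admin/"


def has_auth_cookie(cookie_header: str) -> bool:
    """True if a WordPress login cookie (wordpress_logged_in_<hash>) is present."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False
    return any(name.startswith("wordpress_logged_in_") for name in jar)


def classify(target: str, cookie_header: str = "") -> str:
    """Return 'allow', 'alert' or 'block' for one request target + Cookie header."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(ADMIN_PREFIX):
        return "allow"
    params = parse_qs(parts.query, keep_blank_values=True)
    if not any(p in params for p in RESET_PARAMS):
        return "allow"
    # The payload is just a parameter name, so a signature-based WAF sees
    # nothing malicious; the decision has to come from request context.
    if not has_auth_cookie(cookie_header):
        return "block"      # anonymous reset attempt: the bug being exploited
    return "alert"          # logged-in user: possibly legitimate, still worth a log line


def scan(records):
    """records: iterable of (target, cookie_header). Returns [(target, verdict)]."""
    return [(t, classify(t, c)) for t, c in records]


# Constructed sample traffic (not real logs).
SAMPLE = [
    ("/wp-admin/admin-ajax.php?action=heartbeat", ""),
    ("/wp-admin/admin-ajax.php?do_reset_wordpress=1", ""),
    ("/wp-admin/?do_reset_wordpress", "wordpress_logged_in_a1b2=alice%7Cexample"),
    ("/?do_reset_wordpress=1", ""),
]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE):
        print(f"{verdict:5}  {target}")
```

Keying on the missing `wordpress_logged_in_*` cookie is the point: a request that can only ever be legitimate from an administrator, arriving with no session at all, is the exploit regardless of how innocuous the URL looks. The plugin-side fix is the same decision made in code, a `current_user_can()` capability check plus a nonce check before any reset runs.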

Categories: Cyber Risk News

Iranian Hackers Backdoored VPNs Via One-Day Bugs

Info Security - Tue, 02/18/2020 - 10:12
Iranian Hackers Backdoored VPNs Via One-Day Bugs

Security researchers have joined the dots on a long-running Iranian cyber-espionage campaign that targeted unpatched bugs in VPN and RDP to infiltrate target organizations globally.

Building on previous research from Dragos, which named the activity “PARISITE” and linked it to the state-backed APT33 group, ClearSky has gone further with more details.

Its new report claimed the three-year-long campaign, dubbed “Fox Kitten,” is most likely the joint work of APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries were affected by the campaign, which is said to have been focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies.

The initial incursion into these organizations was achieved by exploiting one-day vulnerabilities, flaws already publicly disclosed and fixed by the vendor but not yet patched by the victim, in VPN products from Pulse Secure, Fortinet and Palo Alto Networks (GlobalProtect).

The Pulse Secure vulnerability is also thought to have been exploited by ransomware attackers to compromise Travelex, among other victims.

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.

“At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The groups used a combination of open source tools such as JuicyPotato (Windows local privilege escalation) and Invoke-TheHash (pass-the-hash), and custom malware including the port-mapping tool STSRCheck and POWSSHNET, a backdoor that tunnels RDP over SSH.
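RDP tunnelled over SSH, as described in the report excerpt above, leaves a distinctive host-side trace: the RDP session reaches the service from the machine's own loopback listener, so Windows Security event 4624 records a LogonType 10 (RemoteInteractive) logon whose source address is 127.0.0.1 or ::1, which a directly connected RDP client never produces. The following detection is an added example, not from ClearSky's or Dragos's reports; the sample events are constructed, with field names as Windows emits them.

```python
"""Added example (not from ClearSky's or Dragos's reports): flag RDP logons
that arrive over a local SSH tunnel. A tunnelled session reaches the RDP
service from the host's own loopback address, so Windows Security event 4624
records LogonType 10 (RemoteInteractive) with a source IP of 127.0.0.1 or ::1."""
import ipaddress
import json


def is_loopback(addr: str) -> bool:
    """Loopback test that also catches IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "-" or "LOCAL" in the IpAddress field
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    return ip.is_loopback or (mapped is not None and mapped.is_loopback)


def find_tunnelled_rdp(lines):
    """Parse JSON-per-line Security events; return 4624 logons that look tunnelled."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            # 4625 failures from loopback are a corroborating signal; a second
            # rule would count those. Keep this rule to successful logons.
            continue
        # Logon type 10 = RemoteInteractive (RDP). Type 3 from loopback is
        # routine (local SMB/RPC), so it is deliberately not matched here.
        if int(ev.get("LogonType", 0)) == 10 and is_loopback(ev.get("IpAddress", "")):
            hits.append({
                "time": ev.get("TimeCreated"),
                "host": ev.get("Computer"),
                "user": ev.get("TargetUserName"),
                "source": ev.get("IpAddress"),
            })
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.30.40", "TargetUserName": "jsmith", "Computer": "FS01", "TimeCreated": "2020-02-10T08:01:00Z"}',
    '{"EventID": 4624, "LogonType": 3, "IpAddress": "127.0.0.1", "TargetUserName": "FS01$", "Computer": "FS01", "TimeCreated": "2020-02-10T08:02:00Z"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "127.0.0.1", "TargetUserName": "svc_backup", "Computer": "FS01", "TimeCreated": "2020-02-10T23:17:45Z"}',
    '{"EventID": 4624, "LogonType": 10, "IpAddress": "::1", "TargetUserName": "svc_backup", "Computer": "DC02", "TimeCreated": "2020-02-11T01:03:12Z"}',
    '{"EventID": 4625, "LogonType": 10, "IpAddress": "127.0.0.1", "TargetUserName": "admin", "Computer": "DC02", "TimeCreated": "2020-02-11T01:02:50Z"}',
]

if __name__ == "__main__":
    for hit in find_tunnelled_rdp(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['host']}  {hit['user']}  RDP logon from {hit['source']}")
```

The two `svc_backup` logons are the ones that matter: the same service account appearing via RDP from loopback on two hosts, out of hours, is the pattern a tunnelled backdoor such as the one described produces. Pair the rule with the network side (an outbound SSH session from the same host at the same time) to cut false positives from administrators who legitimately use local port forwarding.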

Although the purpose of the operation appears to be reconnaissance, there is a concern that the same attack infrastructure could be used in the future to spread destructive malware like ZeroCleare and Dustman, which have previously been linked to APT34.

Categories: Cyber Risk News

Six-Year-Old Brits Suspects in Sexting Offenses

Info Security - Mon, 02/17/2020 - 18:40
Six-Year-Old Brits Suspects in Sexting Offenses

British police have been investigating children as young as six over their involvement in sexting offenses. 

Figures released by London's Metropolitan Police Service reveal that between January 2017 and August 2019, a total of 353 children aged from six to thirteen were investigated in relation to sending and receiving sexual images. 

Sexting investigations involving children under age 14 have increased dramatically since figures began to be recorded two and a half years ago. In 2017, 92 under-14s were investigated. In 2018, the figure rose to 151, and in the first six months of last year, 110 under-14s were recorded as sexting suspects.

The true figures could be far higher, said the Met, which is not seeking to prosecute children, but to raise awareness among kids and their parents about the law. 

"We do not want to criminalize young people unnecessarily—we want to educate them so that they can be better informed about the legal position and mindful about the potential pitfalls of an activity many of them might regard as nothing out of the ordinary," said Detective Superintendent Zena Marshall.

The Met said that many youngsters had no idea that taking, sharing, or possessing sexually explicit pictures of children under age 18 was a crime. Others said that images of them had been distributed without their consent. 

"We know that many young people do not realize that creating or sharing explicit images of an under-18 is against the law, even if the persons doing it are children themselves, and as police we have a duty to record allegations concerning sexting when they are reported to us," said Marshall.

"Someone could be classed as a victim, witness or suspect, depending on the circumstances."

Scotland Yard—the Met's London headquarters—said that the force received sexting reports involving children from a number of sources, including parents, schools, youth clubs, local authorities, and the children themselves. 

A report published by the Internet Watch Foundation (IWF) last month found that a third of child sex abuse images online are originally posted by the children themselves in the hope of winning social approval.

The Met said that the exchange of sexually explicit images amongst teenagers was now a "societal norm," and that online indecent image offenses as a whole had risen by 130 percent since 2016.

Categories: Cyber Risk News

Personal Data of 144K Canadians Breached by Federal Government

Info Security - Mon, 02/17/2020 - 17:49
Personal Data of 144K Canadians Breached by Federal Government

New figures tabled in Canada's House of Commons have revealed that at least 144,000 Canadians have had their personal information mishandled by federal departments and agencies over the past two years. 

The figures were part of an 800-page document written in response to an Order Paper question filed last month by Conservative MP Dean Allison. No information as to how the data came to be mishandled was included in the federal government's lengthy answer.

In total, 7,992 breaches were found to have occurred at 10 different agencies and departments. The errors range in severity from minor infractions to serious data breaches that resulted in the exposure of sensitive personal information. 

The Canada Revenue Agency (CRA) was the worst offender, with 3,020 breaches affecting 60,000 Canadians recorded between January 1, 2018, and December 10, 2019. 

A spokesperson for the CRA, Etienne Biram, said: "Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents."

One of those three major incidents occurred when some CRA employees were accidentally given access to a hard drive containing personal information belonging to 11,780 individuals in January 2019. 

Biram said that no evidence had been uncovered that indicated the files had actually been accessed by any unauthorized personnel. 

Over the same time period, 122 breaches affecting 24,000 people were reported by Health Canada. In one breach, a government employee received an email containing personal information.

Health Canada spokesperson Tammy Jarbeau said: "The majority of the reported breaches were the result of human error and did not release sensitive personal information."

The figure of 144,000 tabled in the House was based on estimates, meaning the real number of breaches could be higher. Not all the departments were able to state with accuracy how many people were affected by individual breaches or how many breach victims were contacted after a particular breach had occurred. 

Under current law, federal departments are only obliged to notify individuals in the event of a breach affecting large numbers of people or in the event of "material" breaches, in which sensitive personal information that could reasonably be expected to cause serious injury or harm to an individual is exposed.

Categories: Cyber Risk News