Cyber Risk News

Twitter Bans Crypto-Currency Ads in Fraud Crack Down

Info Security - Wed, 03/28/2018 - 10:50

Twitter yesterday started banning all crypto-currency advertising in a bid to head off rising levels of fraud permeating the burgeoning industry.

A statement from the micro-blogging giant had the following:

"We have added a new policy for Twitter Ads relating to a cryptocurrency. Under this new policy, the advertisement of Initial Coin Offerings (ICOs) and token sales will be prohibited globally."

According to reports, the ban will also stretch to ads from crypto-currency exchanges and wallet services, unless they come from publicly listed companies.

The decision by Twitter follows similar moves by Facebook and Google, and comes amid rising levels of fraud and cyber-risk as investors rush to cash in on the crypto-currency digital gold rush.

One industry expert welcomed the news. Alexey Burdyko, CEO of blockchain company Play2Live, claimed the long-term impact should benefit the nascent crypto-currency industry by protecting its user base.

“One of the goals of dropping the ads is to protect investors from fraudulent, scam projects looking to take advantage of investors. These scammers are damaging trust in new token sales – so should this goal be achieved, trust will be rebuilt over time, and future crypto-launches will reap the rewards,” he told Infosecurity.

“The presence of scams in this space is beyond any doubt – they are out there, and they are finding ways of parting people from their money.”

An Ernst & Young report from January claimed that 10% of all ICO funds are stolen by hackers or fraudsters, amounting to almost $400m in losses thus far.

Phishing is particularly popular, with attackers scooping up to $1.5m per month by either tricking the recipient into making a fund transfer or handing over the private keys to their digital wallets.

Burdyko added that investors and ambitious start-ups will find a way around the social ads ban.

“The impact of the ban on crypto ads across social media may affect the level of engagement that new token-sale campaigns are receiving, as large-scale awareness will be harder to achieve,” he said.

“However, there are alternative means of promoting such projects, and those potential investors that are serious about backing new crypto-currencies will research and seek out the best new campaigns regardless of social media advertising.”

UK government confirms changes to discount rate calculation method - Wed, 03/28/2018 - 09:44
The way in which the discount rate applied to lump sum personal injury payments is calculated will be changed in order to "better reflect evidence of actual investment habits", the UK government has confirmed.

UK Mobile Workers Exposed to Public Wi-Fi Risks

Info Security - Wed, 03/28/2018 - 09:12

More than half (57%) of global IT leaders believe their mobile workers have been hacked over the past 12 months, with public Wi-Fi hotspots the prime location, according to iPass.

The connectivity solutions provider polled CIOs and IT decision makers from the UK, US, Germany and France to compile its iPass Mobile Security Report 2018.

Almost all respondents (94%) believe BYOD has introduced greater security risk to the organization, with 81% noting Wi-Fi security incidents over the past year – in locations like cafes (64%), airports (60%) and hotels (52%).

These unsecured hotspots represent a goldmine for hackers to launch covert man-in-the-middle and other attacks designed to spread malware and harvest user log-ins.

Many of these security holes will be plugged by the forthcoming WPA3 standard, which will support individual data encryption tunnels, but there are caveats, according to Raghu Konka, iPass VP of engineering.

“As with any new standard, it will take some time before WPA3 becomes mainstream,” he told Infosecurity.

“For starters, the onus will be on every hotspot owner to make sure access points are WPA3 compatible. Even now there is no guarantee that every hotspot is using the latest level of encryption and that is unlikely to change even with WPA3.”

VPNs are the only sure-fire way to stay secure whilst on public Wi-Fi, he claimed.

However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.

Despite this, almost half (42%) of them claimed to have no plans to ban the use of free Wi-Fi hotspots by employees – much higher than their counterparts in the US (9%), Germany (10%) and France (12%).

“UK organizations seemingly have no problem embracing mobile working, but when it comes to implementing a corporate policy around it they seem to be more laissez-faire. With heightened mobile security risks, they need to do a better job of enforcing secure mobile working policies,” continued Konka. 

“Employees remain one of the biggest mobile security threats, so it is imperative organizations continually educate their mobile workforce about the dangers of free Wi-Fi, and encourage them to use measures such as corporate VPNs as second nature.”

UK Police Secretly Hoover Up Users’ Smartphone Data

Info Security - Wed, 03/28/2018 - 08:39

There have been calls for an immediate independent review after a new Privacy International investigation revealed that police are secretly extracting large volumes of highly sensitive data from UK users’ phones – even those not suspected of any crime.

The Digital Stop and Search report builds on previous research from the Bristol Cable in January last year detailing how law enforcers were investing hundreds of thousands in intrusive UFEDs (Universal Forensic Extraction Devices) from the likes of notorious Israeli vendor Cellebrite.

Privacy International received FOI responses from 47 police forces and 26 of them (55%) admitted using the technology, with a further 17% trialing or planning to trial it. The data extraction has been going on in some form for over six years.

Such tools can find data even the user may not know they have on their device, including: emails, messages, GPS locations, call data, photos, contacts, calendar info, web browsing, social media accounts, online banking, health and fitness data, cloud storage and much more.

It is extracted from self-service kiosks at the police station, from frontline support service ‘hubs’ serving several forces, or via portable mobile phone extraction kits when out and about, the report revealed.

Privacy International’s concern is that data is often extracted without the user’s knowledge, stored insecurely and for an indefinite time, and taken not just from suspects but also victims and witnesses – even for investigations of low-level crimes.

There’s confusion among the police over the legal basis for this activity, stemming from a lack of national and local guidance, PI claimed.

This can lead to serious procedural failings. A 2015 report from the Police and Crime Commissioner (PCC) for North Yorkshire Police claimed that poor training led to practices which undermined prosecution of murder and sexual assault cases. It also found serious breaches of data security practices, including failure to encrypt citizens’ data and the loss of files.

Tottenham MP, David Lammy, claimed the lack of transparency around police use of these tools is a serious cause for concern.

“My review of our criminal justice system found that individuals from ethnic minority backgrounds still face bias in parts of our justice system, and it is only because we have transparency and data collection for everything from stop and search incidents to crown court sentencing decisions that these disparities are revealed and we are able to hold those in power to account,” he argued.

“Given the sensitive nature and wealth of information stored on our mobile phones there is significant risk of abuse and for conscious or unconscious bias to become a factor without independent scrutiny and in the absence of effective legal safeguards.”

PI solicitor, Millie Graham Wood, added that it’s highly disturbing the police have the power to take such sensitive information in secret from a user without even needing a warrant.

“The police are continually failing to be transparent with the thousands of people whose phones they are secretly downloading data from,” she argued.

“An immediate independent review into this practice should be initiated by the Home Office and College of Policing, with widespread consultation with the public, to find the right balance of powers for the police and protections for the public. Let’s be clear: at the moment, the police have all the power and the public have no protections.”

Cloud Security Concerns Surge

Info Security - Tue, 03/27/2018 - 16:27

While adoption of cloud computing continues to surge, security concerns are showing no signs of abating. After several years of a downward trend, 90% of cybersecurity professionals confirm they are concerned about cloud security, up 11 percentage points from last year’s cloud security survey. The top cloud security challenges are protecting against data loss and leakage (67%), threats to data privacy (61%) and breaches of confidentiality (53%).

The 2018 Cloud Security Report from Crowd Research Partners, based on an online survey of cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, shows that a lack of qualified security staff and outdated security tools are significant obstacles to enabling a secure cloud posture at many enterprises. Only 16% of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, which is a 6% drop from 2017. A full 84% say traditional security solutions either don’t work at all in cloud environments or have only limited functionality.

Cybersecurity professionals are also struggling with visibility into cloud infrastructure security (43%), compliance (38%) and consistent security policies across cloud and on-premises environments (35%).

“While workloads continue to move into the cloud, the study reveals that cloud security concerns are on the rise again, reversing a multi-year trend,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the Information Security Community. “With half of organizations predicting a rise in cloud security budgets, protecting today’s cloud environments requires more and better trained security professionals and innovative, cloud-native security solutions to address the concerns of unauthorized access, data and privacy loss, and compliance in the cloud.”

When it comes to the biggest perceived threats to cloud security, misconfiguration of cloud platforms jumped to the No. 1 spot in this year’s survey as the single biggest threat. This is followed by unauthorized access through misuse of employee credentials and improper access controls (55%), and insecure interfaces or APIs (50%).

On the defense side, for the second year in a row, training and certification of current IT staff (56%) ranks as the most popular path to meet evolving security needs. Fifty percent of respondents use their cloud provider’s security tools, and 35% deploy third-party security software to ensure the proper cloud security controls are implemented.

Meanwhile, encryption of data at rest (64%) and data in motion (54%) top the list of the most effective cloud security technologies, followed by security information and event management (SIEM) platforms (52%).

And finally, 49% of organizations expect cloud security budgets to increase, with a median increase of 22%.

Bad Bots Make Up a Fifth of All Web Traffic

Info Security - Tue, 03/27/2018 - 14:58

Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam, digital ad fraud and downtime. In 2017, bad bots accounted for 21.8% of all website traffic, a 9.5% increase over the previous year. Good bots increased by 8.7% to make up 20.4% of all website traffic.

According to Distil Networks’ fifth annual Bad Bot Report, which details the analysis of hundreds of billions of bad bot requests at the application layer, gambling companies and airlines suffer from higher proportions of bad bot traffic than other industries, with 53.1% and 43.9% of traffic coming from bad bots, respectively. E-commerce, healthcare and ticketing websites meanwhile suffer from highly sophisticated bots, which are difficult to detect.

A full 83.2% of bad bots report their user agent as web browsers Chrome, Firefox, Safari or Internet Explorer; 10.4% claim to come from mobile browsers such as Safari Mobile, Android or Opera.

Additionally, 82.7% of bad bot traffic emanated from data centers in 2017, compared to 60.1% in 2016. The availability and low cost of cloud computing explains the dominance of data center use.

“This year bots took over public conversation, as the FBI continues its investigation into Russia’s involvement in the 2016 US presidential election and new legislation made way for stricter regulations,” said Tiffany Olson Jones, CEO of Distil Networks. “Yet as awareness grows, bot traffic and sophistication continue to escalate at an alarming rate. Despite bad bot awareness being at an all-time high, this year’s Bad Bot Report illustrates that no industry is immune to automated threats and constant vigilance is required in order to thwart attacks of this kind.”

For the first time, Russia became the most blocked country, with one in five companies (20.7%) implementing country-specific IP block requests. Last year's leader, China, dropped down to sixth place with 8.3%.

In terms of tactics, the analysis found that account takeover attacks occur two to three times per month on the average website, but immediately following a breach, they are three times more frequent, as bot operators know that people reuse the same credentials across multiple websites.

About 74% of bad bot traffic is made up of moderate or sophisticated bots, which evade detection by distributing their attacks over multiple IP addresses or simulating human behavior such as mouse movements and mobile swipes.

Bots can also be distributed across multiple hosts to carry out automated distributed denial of service (DDoS) attacks, or operate "low and slow," using browser automation and other evasion techniques to bypass existing web application security controls such as IP blacklisting and rate limiting.

Energy Sector ICS is the Most-Attacked Infrastructure

Info Security - Tue, 03/27/2018 - 14:53

In the second half of 2017, nearly 40% of all analyzed industrial control systems (ICS) in energy organizations were attacked by malware at least once – closely followed by 35% of engineering and ICS integration networks.

The cybersecurity of industrial facilities remains an issue that can lead to very serious consequences affecting industrial processes, as well as business losses. While analyzing the threat landscape in different industries, Kaspersky Lab ICS CERT recorded that nearly all industries regularly experience cyber-attacks on their ICS computers. However, energy and engineering were attacked more than others.

The report found that for all other industries (manufacturing, transportation, utilities, food and healthcare) the proportion of ICS computers attacked ranged from 26% to 30% on average. The vast majority of detected attacks were accidental hits.

The sector that demonstrated the most noticeable growth of ICS computers attacked during the second half of 2017 (compared to the first half of 2017) was construction, with 31% attacked. The relatively high percentage of attacked ICS computers in the construction industry compared to the first half of 2017 could indicate that these organizations are not necessarily mature enough to pay the required attention to the protection of industrial computers. Their computerized automation systems might be relatively new, and an industrial cybersecurity culture is still being developed in these organizations, Kaspersky noted.

“The results of our research into attacked ICS computers in various industries have surprised us,” said Evgeny Goncharov, head of Kaspersky Lab ICS CERT. “For example, the high percentage of ICS computers attacked in power and energy companies demonstrated that the enterprises’ effort to ensure cybersecurity of their automation systems after some serious incidents in the industry is not enough, and there are multiple loopholes still there that cybercriminals can use.”

Meanwhile, the lowest percentage of ICS attacks – 15% – has been found in enterprises specializing in developing ICS software. This shows that their ICS research/development laboratories, testing platforms, demo stands and training environments are also being attacked by malicious software, although not as often as the ICS computers of industrial enterprises. Kaspersky Lab ICS CERT experts point to the significance of ICS vendors’ security, because the consequences of an attack spreading over the vendor’s partner ecosystem and customer base could be very dramatic.

Among the new trends of 2017, Kaspersky Lab ICS CERT researchers discovered a rise in mining attacks on ICS. This growth trend began in September 2017, along with an increase in the cryptocurrency market and miners in general.

“But in the case of industrial enterprises, this type of attack can pose a greater threat by creating a significant load on computers, and as a result, negatively affecting the operation of the enterprise’s ICS components and threatening their stability,” the firm noted.

Overall, from February 2017 to January 2018, cryptocurrency mining programs attacked 3% of industrial automation system computers, in most cases accidentally.

Ruling highlights gap in the law on software - Tue, 03/27/2018 - 14:25
ANALYSIS: A recent ruling by the Court of Appeal in London highlights a gap in the law on software, and should prompt a change in UK legislation.

Online content portability rules in effect from 1 April - Tue, 03/27/2018 - 14:08
New laws that will impact online content service providers and copyright holders are set to take effect from 1 April.

GDPR Spurs 700% Increase in Data Protection Vacancies

Info Security - Tue, 03/27/2018 - 11:03

The number of vacancies for Data Protection Officers (DPOs) has surged by 709% since the rules of the General Data Protection Regulation (GDPR) were ratified nearly two years ago, according to Indeed.

The jobs site claimed in new figures that the nationwide recruitment drive has attracted the attention of job-seekers, with the number of candidates looking for such roles soaring 297% in the same period.

Appointing a Data Protection Officer is a key requirement of the new EU privacy laws, and failing to do so could result in a fine of up to 2% of global annual turnover or €10m, whichever is higher.

You will be required to appoint a DPO if you are a public authority, your core activities require “large scale, regular and systematic monitoring of individuals” or your core activities include “large scale processing of special categories of data or data relating to criminal convictions and offences.”

DPOs are essential to such organizations, responsible for monitoring internal compliance, advising on impact assessments and data protection obligations, and acting as a contact point for data subjects and the supervisory authority.

As highly skilled independent experts in data protection, they command a significant salary, currently standing at an average of £47,483 – nearly double the average UK wage of £27,600, according to Indeed.

With the GDPR compliance deadline of May 25 fast-approaching, one company has launched a virtual DPO service designed to help organizations get in line before the cut-off date.

An outsourced team of cybersecurity and risk mitigation lawyers work alongside ThinkMarble’s in-house security analysts and incident responders to offer bespoke GDPR compliance services to firms.

Research from 2017 found that a fifth (22%) of organizations still hadn’t hired a DPO, and that more than half (52%) of these firms weren’t planning to until the second half of 2018 or beyond.

Information commissioner, Elizabeth Denham, claimed last year: “it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.”

However, the regulator is likely to take a dim view of organizations which haven’t taken the basic step of appointing a DPO before the May deadline.

Iran Slams US Sanctions Following Cyber-Theft

Info Security - Tue, 03/27/2018 - 09:27

Iran has hit back at US sanctions levied in response to alleged attacks on hundreds of global universities and a media company for financial gain.

The Mabna Institute is said to have stolen 31TB of IP and other valuable data from over 300 educational institutions in the US, UK, Germany, Japan, Israel and elsewhere.

The US government claimed on Friday that the Iranian military effectively outsourced the hacking work to the Institute in order to help domestic universities and research organizations gain access to non-Iranian scientific resources.

“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said US Treasury under secretary Sigal Mandelker.

The two founders of the Institute were among the 10 people indicted, meaning they could face extradition to the US if they travel outside of Iran and their assets are subject to seizure by the US authorities. The Institute itself was also placed under sanctions.

Tehran’s foreign ministry spokesperson, Bahram Quassemi, condemned the sanctions as provocative and illegal, according to the BBC.

“The US will definitely not benefit from the sanctions gimmick, aimed at stopping or preventing the scientific growth of the Iranian people,” he said in a statement.

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, claimed the naming and shaming of the individuals continues a trend of state-sponsored attack attribution.

“By applying sanctions quickly against the Iranian hacker network involved in this incident, the United States is signalling that any cyber-attack against the country will have consequences,” he added.

“It is another recent example of the US both calling out malicious state-sponsored cyber behavior and taking action against it. However, the sanctions applied by the US Treasury Department will have very limited effect on people without US-based assets or bank accounts.”

EU 'geo-blocking' laws now in force - Tue, 03/27/2018 - 09:22
New laws that prohibit online businesses in the EU from applying practices that discriminate against consumers on the basis of their nationality, place of residence or place of establishment have entered into force.

UK Govt Aims to Export Country’s Cyber-Expertise Globally

Info Security - Tue, 03/27/2018 - 08:44

The UK government is aiming to capitalize on the rise in online threats to sell the nation’s cybersecurity expertise worldwide, despite heavy criticism in the past for its own security failings.

Published on Monday, the Cyber Security Export Strategy aims to support the ongoing work of the 2016-21 National Cyber Security Strategy, which saw £1.9bn of public spending committed to the sector.

The Department of International Trade (DIT) document sets out a plan to support UK companies bidding for contracts with overseas governments and CNI providers.

It also claims the DIT will “curate bespoke offers for the top buyers” in six sectors highlighted as those set to receive the biggest investment in security over the coming years. It claims it will run trade missions and pitch UK companies to address identified capability gaps.

The third pillar of the DIT’s approach is to help improve global branding and marketing for UK cybersecurity companies, alongside new content on a site.

The new strategy seems to be aimed primarily at supporting SMEs which could otherwise struggle to make an impact on the global stage. It claims UK Export Finance is available for those in need of monetary support to export goods and services.

The new strategy could be seen as a response to Brexit, which experts have argued will have a hugely negative impact on the UK’s cybersecurity industry.

It’s already claimed that hiring of European practitioners is getting harder for UK firms, and there are question marks over information sharing and other region-wide agreements currently benefiting UK businesses, not to mention the tariff-free trade of the single market.

However, the sight of the government attempting to tout its expertise in cyber around the globe is somewhat ironic considering the parlous state of NHS cybersecurity. The health service was decimated by WannaCry ransomware last year, and in February, a committee reported that all 200 Trusts had failed basic security tests.

In February 2017, parliament slammed the government’s cybersecurity efforts as uncoordinated, inconsistent and failing the wider public sector outside Whitehall.

However, most experts cautiously welcomed the new DIT strategy.

“It’s great to see the government acknowledge the strength of the UK cybersecurity sector. Against a backdrop of ever-evolving threats, growing digital transformation and regulatory pressures, there has never been such global demand for effective cybersecurity products and services,” said RedScan CTO, Andy Kays.

Thales eSecurity EMEA VP, Peter Carlisle, added that the strategy demonstrates a clear government commitment to collaboration with the private sector.

“By not only honing our skills here in the UK, but by exporting our expertise overseas too, this will ensure that we ward off attacks from foreign actors whilst simultaneously strengthening our own capabilities,” he claimed.

Others were more sceptical.

“The Cyber Security Export Strategy sends out a message in no uncertain terms that security is and will remain top of the agenda. With heightening tensions between foreign nations and an increasing risk of threat actors sabotaging businesses, governments, hospitals and schools, the UK has an opportunity to lead by example and grow an already burgeoning sector,” said Smoothwall corporate security specialist, Rob Wilkinson.

“But it smacks, too, of a country trying to rebuild its reputation following major breaches including WannaCry in the NHS, Petya and businesses like Wonga. A lot of work has to be done to keep organizations safe in this country as well as countries abroad.”
