Cyber Risk News

Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms

Info Security - Mon, 06/08/2020 - 09:40
Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms

Cyber-criminals are taking advantage of the evolving jobs market and employee health situation under COVID-19 to disguise malware in various emailed documents.

The phishing campaigns spotted by Check Point over recent days center around spoofed CVs and medical leave forms. Unemployment in the US remains at levels not seen since the Great Depression of the 1930s, with close to 40 million currently without jobs due to the pandemic.

The security vendor said that the ratio of CV-related malware to all detected malicious files doubled over the past two months. One campaign featured banking Trojan Zloader hidden in malicious .xls files in emails with subject lines such as “applying for a job” or “regarding job.”

Separately, cyber-criminals have been taking advantage of interest in the US Family and Medical Leave Act (FMLA) to lure administrative staff into opening attachments.

Attachments with names like “COVID -19 FLMA CENTER.doc” have been sent via emails with subjects like “the following is a new Employee Request Form for leave within the FMLA,” according to Check Point.

Once again, the payload is info-stealing banking Trojans like Icedid or Trickbot. Different sender domains are used to try and trick email filters.

Overall, the number of COVID-19 attacks reduced in May by 7% to 158,000 per week, the vendor claimed. However, overall, attacks are starting to pick up as businesses begin to open again.

“In March, when the pandemic was at its peak, we saw a 30% decrease in malware attacks compared to January 2020. This was because many countries went into quarantine and most businesses and other organizations were shut as a result, greatly reducing the potential number of targets for attackers,” Check Point explained.

“Now that the world is seeing some relief from the pandemic as a result of the quarantine measures, things have started to open up and businesses are running again and – guess what?  – cyber-criminals are also ramping up their malicious activities. In May, we saw a 16% increase in cyber-attacks when compared to the period between March and April, when coronavirus was at its peak.”

Categories: Cyber Risk News

IT Services Firm Conduent Felled by Maze Ransomware

Info Security - Mon, 06/08/2020 - 08:41
IT Services Firm Conduent Felled by Maze Ransomware

A multi-billion-dollar IT services firm has become the latest victim of the infamous Maze ransomware group after it appeared to target a widely publicized Citrix vulnerability.

New Jersey-headquartered Conduent claims to provide mission-critical services and solutions for “a majority of Fortune 100 companies and over 500 governments.”

The firm admitted in a statement that its European operations were hit by an attack on May 29, early in the morning local time.

“Our system identified ransomware, which was then addressed by our cybersecurity protocols,” it explained. “This interruption began at 12.45 AM CET on May 29 with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored.”

It said the incident resulted in only “partial interruption” to its services for customers, and an ongoing investigation is being undertaken featuring “internal and external security forensics and anti-virus teams.”

Although Conduent didn’t name its attacker, security researchers have seen Maze post stolen financial data from the firm online as proof of its raid.

Bad Packets claimed that, according to its own research, a Citrix server run by the IT services giant was left unpatched for at least eight weeks.

The Maze group has been observed previously exploiting the CVE-2019-19781 vulnerability in the ADC and Citrix Gateway products, which was first disclosed in December 2019.

The bug can allow an unauthenticated attacker to perform arbitrary code execution on a victim machine.

The Maze group also has previous in this area: hitting IT services firm Cognizant back in April in an attack which the firm admitted could cost it $70m in Q2 2020.

“Making sure you are using up-to-date operating systems and that software is running on the latest version is a critical part of cyber-hygiene,” argued CyberSmart CEO, Jamie Akhtar.

“Ransomware is a game of economics and incentives. By not protecting our systems, not backing up our files and giving into paying ransoms we increase the reward for the attackers and the general viability of these kinds of attacks. If we all do our part in reducing incentives, we can develop a kind of digital herd immunity where criminals in future may no longer feel the attacks are worth the effort."

Categories: Cyber Risk News

North Dakota Contact Tracing App Ends Data Share with Foursquare

Info Security - Fri, 06/05/2020 - 15:47
North Dakota Contact Tracing App Ends Data Share with Foursquare

The operators of a North Dakota contact tracing app have had a rethink when it comes to sharing users' data with third-party services. 

Care19 was created by ProudCrowd LLC to track the spread of COVID-19 in the Peace Garden State. Following the app's launch, cybersecurity company Jumbo Privacy discovered that Care19 was sending user data to third-party services.

The information being shared was the Identifier for Advertisers (IDFA), an ad-tracking device that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

North Dakota stated that the Care19 app "does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

However, Jumbo found that users accessing the Care19 app via the iOS on their iPhone could be unmasked through the IDFA on their device. 

One of the third-party services receiving Care19 users' IDFA data was Foursquare, a location service that provides advertisers with tools to reach people who have visited specific locations. That arrangement has now ceased.

Jumbo CEO Pierre Valade told Infosecurity Magazine: "Care19 shared with us on June 3rd that the new version of their app (v3.3) was no longer sharing users’ IDFA to Foursquare. We’ve reviewed the app and can confirm this is true."

Care19 and Foursquare told Jumbo that the IDFA data was collected automatically by using Foursquare's SDK, Pilgrim, and there was no way for developers to disable this collection. 

Valade said: "After you published our research and in response to our concerns, Foursquare made an important change to its geolocation SDK 'Pilgrim' to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare."

Jumbo's CEO described the change of heart as "a big win for privacy" but said that there were still concerns about Care19 that needed to be addressed. 

"Care19’s privacy policy does not indicate how a user can exercise their privacy rights, what the officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for," said Valade.

In addition, Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, notably in third-party servers.

Categories: Cyber Risk News

Florida Student Discovers Flaws in Leading Doorbell Security Cameras

Info Security - Fri, 06/05/2020 - 15:15
Florida Student Discovers Flaws in Leading Doorbell Security Cameras

"Systematic design flaws" have been discovered in leading internet-connected doorbell and security cameras by a Florida Institute of Technology student.

Blake Janes unearthed vulnerabilities in devices manufactured by Ring, Nest, SimpliSafe, and eight other companies relating to the removal of active user accounts. The flaws allow a shared account to remain in place and continue accessing the video feed despite appearing to have been removed.

The flaws could allow malicious actors to covertly record audio and video from vulnerable devices indefinitely, invading the privacy of victims on their very own doorsteps. In electronic stalking cases, or cases where a cohabiting couple who shared access to a device have ceased to live together, such flaws could have serious repercussions. 

The vulnerability arose from devices' being designed in such a way that decisions to grant access are completed in the cloud and not made locally on either the camera itself or the users' smartphones. 

Computer science major Janes's discovery was presented in "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices," by the student and two Florida Tech faculty members from the university’s top institute for cybersecurity research, the L3Harris Institute for Assured Information—Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.

"Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems," the paper concluded. "Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content."

Janes informed vendors about the vulnerabilities and also suggested several fixes. For identifying a major flaw in the Nest suite of devices, Google awarded the hard-working student a bug bounty payment of $3,133. 

Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.

Janes and his co-authors found the flaws in the Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and the TP-Link Kasa Camera.

Categories: Cyber Risk News

Maine Community College Becomes First in State to Offer Cybersecurity Program

Info Security - Fri, 06/05/2020 - 14:30
Maine Community College Becomes First in State to Offer Cybersecurity Program

Maine residents hoping to pursue a career in cybersecurity will finally be able to study the subject at community college.

Starting in fall 2020, Northern Maine Community College (NMCC) will be the first community college in the state to offer a cybersecurity program. NMCC said a group of at least 15 first-year students has already signed up to the course, which is comparable to those already available at Maine's other higher education institutions. 

The new two-year program is a revised version of NMCC's network administration and cybersecurity associate degree program. Instructor Reuben Caron said the reworking of the course reflected the changes that have occurred in the technological landscape since its creation. 

“The program began with computer electronics and evolved into computer networking and technology,” said Caron.

“As the program has evolved to meet industry needs, we knew there was a demand for graduates to be trained in network administration and security.”

NMCC’s program features a practical curriculum that will teach students how to build their own computers and private networks that will exist beyond the college's campus network. Students will learn how computers react to different cyber-attacks and experiment with various recovery tactics. 

Encompassed in the program are courses on computer security, ethical hacking, and computer forensics. 

With ethical hacking, you learn how someone might attack your network in order to understand how to better defend it,” Caron said. “Students learn how to hack in a way that doesn’t go beyond ethical hacking and into illegal situations.”

Students will end the program qualified for positions as computer technicians, network technicians, network administrators (Microsoft and Linux), and desktop support technicians. NMCC is currently pursuing accreditation for the program from the Accreditation Council of Business Schools and Programs. 

Business department chair Dwight Clayton said the new program was an excellent starting point for Mainers dreaming of a cybersecurity career, especially for those hoping to earn while they learn.

He said: "The great thing about a two-year program is that students can enter the workforce as they continue toward a bachelor’s degree."

The news follows the 2019 launch of a four-year cybersecurity program at local university the University of Maine at Presque Isle.

Categories: Cyber Risk News

Sophos Confirms Restructuring Plans, Denies Blog Closure

Info Security - Fri, 06/05/2020 - 11:00
Sophos Confirms Restructuring Plans, Denies Blog Closure

Sophos has confirmed that it is implementing some internal restructuring, but denied that it plans to close its Naked Security blog.

Following reports which emerged last night about Sophos’ plans to furlough staff and close the award-winning blog, a spokesperson for Sophos has confirmed plans to restructure in response to market conditions associated with COVID-19 and “to accelerate the evolution already underway to our next-gen product portfolio, which features our most advanced cloud-managed protection capabilities and is the fastest growing part of our business.”

The spokesperson added: “A restructuring is always a difficult decision, but we believe it is necessary to position Sophos for continued growth and success in the years to come, and to continue to provide advanced, world-class protection for our customers.

“Sophos is appreciative of the contributions made by all our team members in supporting the company’s mission to protect people from cybercrime by developing powerful and intuitive products and services that provide the world’s most effective cybersecurity for organizations of any size.”

In the first quarter of 2020, Sophos grew billings 14% overall, its next-gen products represented over 63% of its business and the company grew 37% year-on-year.

Answering a question with regard to the future of the 10-year-old Naked Security blog, which earlier this week collected two European Security Blogger Awards for Best Corporate Blog and Best Overall Blog, Sophos said: “We can assure you that Naked Security will continue to be a source of information moving forward. Sophos is increasing focus on threat research and security investigations. As a result, we’ll do more original reporting and deep analysis.”

Security blogger and speaker Graham Cluley said in his blog that he had heard that Naked Security would be “mothballed” and he sent his “best wishes to old friends at Sophos facing possible redundancy.

“So many vendors over the years were jealous of the power that Naked Security commanded, and how it helped Sophos punch far above its weight in terms of brand awareness and thought leadership,” he said.

Categories: Cyber Risk News

Facebook Labels State-Controlled Media Ahead of US Elections

Info Security - Fri, 06/05/2020 - 10:30
Facebook Labels State-Controlled Media Ahead of US Elections

Facebook has started labelling content from state-controlled media outlets as part of an ongoing push-back against misinformation and coordinated propaganda on the platform.

Promised last October as part of the social network’s efforts to combat attempts to influence US elections, the firm will put clear labels on content from such outlets in its Ad Library Page view, on Pages and in the Page Transparency section.

The firm will also be blocking ads from state media in a month or two “out of an abundance of caution to provide an extra layer of protection against various types of foreign influence in the public debate ahead of the November 2020 election in the US,” said Facebook head of cybersecurity policy, Nathaniel Gleicher.

He explained that Facebook had consulted 65 media, governance and human rights experts around the world to draw up the criteria for what constitutes state-controlled media. It goes beyond funding to examine whether editorial control is being exerted by a government.

Factors such as editorial guidelines, ownership structure, info on newsroom leadership and governance and accountability mechanisms were all taken into account.

News organizations wanting to claim independence must be able at a minimum to demonstrate established procedures, processes and protections and a statute in the country to protect editorial independence; as well as an independent assessment by a credible third-party organization that the statute has been complied with.

“We also consider country-specific factors, including press freedom and we consult open-source research conducted by academics and leading experts,” Gleicher explained.

Last year, Chinese state-owned news channel CGTV was forced to register as a foreign agent in the US after pressure from Washington.

It will be a tense few months coming up for social media platforms as both sides of the political debate complain of bias against them. Most recently, Twitter has drawn the ire of Donald Trump by placing fake news labels on his tweets and by hiding one post made during recent riots for incitement to violence.

That same post, which repeated an infamous phrase first uttered by a racist 1960s police chief about looters, was controversially left untouched on Facebook, prompting dismay from civil rights leaders and employees.

Categories: Cyber Risk News

Chinese and Iranian State Hackers Target Trump/Biden Campaigns

Info Security - Fri, 06/05/2020 - 09:15
Chinese and Iranian State Hackers Target Trump/Biden Campaigns

Chinese and Iranian state-sponsored hackers have been caught targeting the Trump and Biden Presidential campaigns, according to Google.

Shane Huntley, director of Google’s Threat Analysis Group, revealed the news in a couple of tweets yesterday.

He confirmed that there was no sign the attacks had led to compromise.

“We sent users our govt attack warning and we referred to fed law enforcement,” Huntley added. “If you are working on a campaign this election cycle, your personal accounts may be targeted. Use the best protection you can. Two-factor authentication or Advanced Protection really can make a difference.”

Google’s Advanced Protection Program is designed to offer maximum protection for the Google accounts of journalists, activists, business leaders, campaign teams and the like who may find themselves at a high risk of targeted attacks.

It features 2FA via physical key or Android device, limited third-party app access to Google emails and Drive files, and a block on app downloads from outside Google Play.

The latest state-backed attacks were attributed to China’s APT31 (aka Zirconium, Bronze Vinewood), which has hitherto been pegged for attacks designed to compromise IP, and Iran’s APT35 group.

The latter, also known as Charming Kitten and Phosphorous, was disrupted in March 2019 when Microsoft court action allowed the firm's Digital Crimes Unit to take control of 99 of its phishing domains. It is often focused on collecting strategic intelligence from US and Middle Eastern government and military targets.

The attacks call to mind the infamous cyber-espionage campaign against Democratic Party officials ahead of the last Presidential election which led to the 'Guccifer 2.0' publication via WikiLeaks of politically embarrassing material. Hillary Clinton has since blamed the likely Russian campaign on her eventual loss to Donald Trump.

“As we have seen in recent history, APT groups targeting political campaigns is nothing new. These groups may be looking to use information that they obtain to sow discord in the country of the ongoing campaign,” said Digital Shadows security engineer, Charles Ragland.

“They may also use it for more traditional intelligence collection to inform other actions. As more and more communication is done online, this trend is likely to continue.”

Categories: Cyber Risk News

DDoS-ers Target Black Lives Matter Groups

Info Security - Fri, 06/05/2020 - 08:28
DDoS-ers Target Black Lives Matter Groups

Widespread violent protests across the US over the past week have been followed by attempted DDoS attacks on several rights groups, according to Cloudflare.

The web security firm analyzed malicious HTTP requests it blocked across the weekend of April 25/26 versus a month later (May 30/31). Minneapolis resident George Floyd was killed on May 25, sparking a wave of violence and protests across the US over the succeeding days.

Cloudflare claimed to have blocked 135.5 billion such requests in the May weekend, a 17% increase on the 116.3 billion blocked in the April weekend. That’s a month-on-month increase of over 19 billion attack requests.

The firm said that Sunday May 31 recorded an even higher month-on-month increase, of 26%, in attempted attacks.

Organizations classed as advocacy groups were subject to a much higher increase: May attack volumes were 1120-times the April figure.

“In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” wrote Cloudflare.

“One particular attacker, likely using a hacked server in France, was especially persistent and kept up an attack continuously hitting an advocacy group continuously for over a day. We blocked those malicious HTTP requests and kept the site online.”

The security provider has detailed data on these rights groups as many of them are protected by its Project Galileo initiative, designed to shield such organizations from widespread online attempts to silence them.

“There are many organizations fighting racism who participate in Project Galileo. Over the last week we’ve seen a dramatic increase in the number of cyber-attacks against them,” the firm explained.

“Unfortunately, if recent history is any guide, those who speak out against oppression will continue to face cyber-attacks that attempt to silence them.”

Advocacy groups promoting the Black Lives Matter message weren’t the only recipients of DDoS attacks during the period. Cloudflare said it also recorded a 1.8-times increase in attacks on government sites and a 3.8-times increase in malicious traffic targeting military sites during the same period.

Categories: Cyber Risk News

#Infosec20: Best Cybersecurity Practices for SMEs

Info Security - Thu, 06/04/2020 - 17:05
#Infosec20: Best Cybersecurity Practices for SMEs

A panel discussion on the final day of the Infosecurity Europe Virtual Conference was dedicated to cybersecurity in SMEs, and in particular, practical methods these organizations can use to most effectively protect themselves from cyber-attacks.

Bridget Treacy, partner, Hunton Andrews Kurth, who moderated the panel, firstly outlined exactly why it is so important to talk about this topic: “We all tend to assume that cyber-threats are a risk for large organizations,” she said. “Actually, if you look at Verizon’s 2019 Data Breach Investigations Report, you will see that 43% of all cyber-attacks actually target small businesses, and SMEs often have really valuable data.”

The panellists agreed that, fundamentally, the threats faced by SMEs are similar to those of large businesses. They also face the same additional challenges as a result of the COVID-19 crisis. Nick Ioannou, head of IT at Ratcliffe Groves Partnership, said: “It’s more of the same – phishing, ransomware, but its more the focus [that’s changed] because criminals know a lot of people are working from home now…and also the way they are implemented – people get phoned up now; it doesn’t all have to be all over email because everyone is dispersed so it’s a lot harder to double check.”

For SMEs with significantly smaller budgets and internal cybersecurity expertise compared with large businesses, a more considered and targeted approach to counteracting cyber-threats is a necessity, and this is particularly so with regards to investments in security systems.

“Often organizations of all sizes and SMEs in particular hear about a new threat and they look for the technology to go and address that threat without actually giving full consideration to the risk that threat poses to them,” said Maxine Holt, senior research director, cybersecurity at Omdia. “If you look at risk rather than the threat itself, that can really help you improve your organization’s security posture because you’re just going to think about what’s going to affect you particularly.”

Additionally, a lower reliance on tech, and more emphasis on good practices among staff, is especially vital for companies with limited resources, establishing a more preventive approach to cybersecurity. Dai Davis, partner, Percy Crow Davis & Co, said: “Once you’ve identified the risk to your business, it’s a matter of getting the right people processes in place to ensure that you minimize that risk.”

This in no way means technology systems are unimportant; it must be ensured that tech that is implemented does not hinder the productivity and growth of small companies. Jason Maude, chief technology advocate, Starling Bank, explained: “As soon as your technology starts to run your users down too much, they will find ways around it.”

Another topic discussed by the panel was GDPR, and how compliance with the regulations should be approached by SMEs. In Maude’s view, it is something that should be embraced for the long-term benefits it can bring: “It’s encouraging you to be really efficient with your data to make sure that you know what data you have and to use it correctly,” he added.

Categories: Cyber Risk News

Japan to Review Cyber-Bullying Laws Following Wrestler's Suicide

Info Security - Thu, 06/04/2020 - 16:38
Japan to Review Cyber-Bullying Laws Following Wrestler's Suicide

Japan is to review laws relating to cyber-bullying following the untimely death of professional wrestler and reality TV show star Hana Kimura.

Kimura killed herself on May 23 by inhaling toxic gas in her Tokyo home. The 22-year-old had been subjected to online bullying after appearing in the last season of hit reality TV show Terrace House, which aired on Japan's Fuji Television and was also streamed on Netflix.

The vivacious pink-haired wrestler's death was confirmed in a statement released by her wrestling promoter, Stardom Wrestling, on May 23.

"We are very sorry to report that our Hana Kimura has passed away," it said. "Please be respectful and allow some time for things to process and keep your thoughts and prayers with her family and friends."

Prior to her death, Kimura had posted photos on social media that implied that she was being cyber-bullied and was struggling with self-harm. Her final Instagram post, uploaded on Friday, May 22, was a photo of the star posing with her cat accompanied by a caption that simply read "goodbye." 

Terrace House follows the lives of six people as they share a house together in Tokyo's Setagaya. Before filming was halted due to the COVID-19 health crisis, Kimura had been filmed arguing with fellow cast member and comedian Kobayashi Kai after he accidentally ruined one of her expensive wrestling costumes while doing laundry.

It was this incident that had allegedly resulted in Kimura receiving a deluge of hateful messages through social media. 

Wrestling journalist Adam Pacitti, who described the death of Kimura as "an absolute tragedy," tweeted: "I hope this serves as a reminder that interactions on social media can have a serious effect on the mental health of anyone, no matter who they are. Be kind."

According to Reuters, Japan will be holding a series of hearings to consider legal changes that will help cyber-bullying victims seek justice. 

Junko Mihara, a member of the ruling Liberal Democratic Party who is leading the party’s team on online harassment, said: “People must understand where the line between constructive criticism and abuse lies."

Kimura's death comes after the outbreak of COVID-19 in Japan caused internet usage to increase.

Categories: Cyber Risk News

NATO Condemns Cyber-Attacks

Info Security - Thu, 06/04/2020 - 16:00
NATO Condemns Cyber-Attacks

NATO has issued a statement condemning cyber-attacks perpetrated in the midst of the ongoing global health pandemic.

In particular, the organization slammed cyber-criminals who chose to target essential healthcare services, including hospitals caring for those infected with COVID-19 and medical research institutes trying desperately to find a cure for the novel coronavirus. 

The statement was issued yesterday in English, French, and Russian. In it, NATO said: "We condemn destabilizing and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes."

The organization described such digital onslaughts as life-threateningly dangerous and also injurious to global efforts to succeed against a virus that has infected 6.29 million people around the world and killed over 380,000. 

"These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most and jeopardize our ability to overcome the pandemic as quickly as possible," stated NATO. 

Included in the statement was a message of support to those who had been impacted by cyber-assaults.

"We stand in solidarity with those who have been affected by malicious cyber activities and remain ready to assist Allies, including by continuing to share information, as they respond to cyber incidents that affect essential services," said NATO.

"In line with their national responsibilities and competences, Allies are committed to protecting their critical infrastructure, building resilience and bolstering cyber defenses, including through full implementation of NATO’s Cyber Defense Pledge."

NATO said that cyber defense was part of its core task of collective defense as stated at the 2018 Summit in Brussels and action would be taken by the organization against cyber-criminals.

"Reaffirming NATO’s defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," stated the organization. 

"NATO will continue to adapt to the evolving cyber threat landscape, which is affected by both state and non-state actors, including state-sponsored."

The statement concluded with a reminder that "we all stand to benefit from a rules-based, predictable, open, free, and secure cyberspace."

Categories: Cyber Risk News

Netizens Urged Not to Use Name as Password

Info Security - Thu, 06/04/2020 - 14:20
Netizens Urged Not to Use Name as Password

Password management company NordPass has urged the general public not to include people's names in their passwords. 

Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name. 

According to NordPass, the name that cropped up most frequently in passwords is "Ashley." The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.

The second most common name, used 78,914 times, was the similarly gender-neutral "Charlie." The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole. 

Other gender-neutral names that featured heavily in passwords were Jordan—used 58,698 times—and Taylor, which appeared 46,375 times.  

Traditionally gender-specific names commonly used in passwords included Jessica, Hannah, Michelle, Daniel, Justin, and Joshua. 

The names correspond quite well with the US Social Security Administration's list of 100 most popular given names for babies born from 1919 to 2018. For example, Ashley ranks 17th, Michelle ranks 21st, and Nicole ranks 39th on the list of names for girls. For boys, Michael ranks 4th, Charles ranks 10th, and Jordan comes in at 83rd. 

Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable. 

According to the Department of Homeland Security, "most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them."

Ruby Gonzalez, head of communications at NordVPN, said people's names were just one on a list of things that should be avoided when choosing a password. 

“While choosing your own, your girlfriend’s, or daughter’s name as a password might seem a good idea as you’ll never forget it, it’s also a great way to make a hacker's job easier. As it’s a very obvious choice, the victim’s or their relative’s name will be one of the first options hackers will try,” says Ruby Gonzalez, head of communications at NordVPN. 

“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet's name, the word 'password,' and any alternations of it.”

Categories: Cyber Risk News

Personal Data of 74,000 Members of San Francisco Retirement System Exposed

Info Security - Thu, 06/04/2020 - 14:15
Personal Data of 74,000 Members of San Francisco Retirement System Exposed

A data breach has occurred at the San Francisco Employees’ Retirement System (SFERS), potentially exposing the personal details of 74,000 of its members to cyber-criminals. In a data breach notification filed yesterday, SFERS said that an unauthorized person had gained access to a database hosted in a test environment one of its vendors had set up on February 24 2020.

Upon learning of the breach on March 21, the server was promptly shut down by the vendor. Although SFERS confirmed that no social security numbers or bank account numbers were included in the data file, it admitted that sensitive information such as names, addresses, date of births, beneficiary details and website usernames and security questions and answers, could have been viewed or copied.

Commenting on the breach, Michael Borohovski, director of software engineering at Synopsys, said: “A breach like this is interesting, both because it leads to almost guaranteed identity theft (if the information actually was accessed and downloaded), since it’s a treasure trove of financial information, identifying information and security questions.”

He added: “The retired employees of San Francisco need to be extremely careful and verify, personally, through existing contact info they already had, that their beneficiaries actually sent an email, should the retirees receive one.”

It is likely that the decision to place this kind of data in a testing environment will come under the spotlight, as these “are much more prone to bugs and vulnerabilities than a production environment,” according to Borohovski.

Javvad Malik, security awareness advocate at KnowBe4, added: “Test environments are usually not secured or monitored to the same level as production environments, and it is never advisable to use real data in test cases. Rather, dummy data, or heavily redacted data, should be used so that even if it is leaked or breached, it does not impact any real customers.”

The pension industry has been increasingly targeted by cyber-criminals in recent years. Last month it was reported that The Pensions Regulator faced a 148% increase in cyber-attacks in 2019.

Categories: Cyber Risk News

Google Adds YubiKey Support for Apple Devices

Info Security - Thu, 06/04/2020 - 13:45
Google Adds YubiKey Support for Apple Devices

Google has announced several mobile security enhancements, including adding support for the WebAuthn standard for use of the YubiKey.

As part of an adoption of hardware security tokens for Apple devices, users of Google services will now be able to use WebAuthn-approved tokens to securely access accounts. 

Users of Apple devices running iOS 13.3 and above will now be able to use YubiKeys on their iPhone and iPad when accessing Google's iOS apps and web services on the Safari browser. Also, hardware-based authentication can be used via the Lightning connector for YubiKey 5Ci, and for near-field communication (NFC) via YubiKey 5 NFC and Security Key NFC.

For individuals with YubiKey models that may not be NFC enabled, it is also possible to use the Apple Lightning to USB Camera Adapter. This enablement will also allow Google accounts to be protected, including for Meet and YouTube.

Ashton Tupper, director of Global communications at Yubico, said: “Many individuals and organizations around the world rely on Google products to power their day-to-day applications and communications, and provide fast and simple logins into many other web-based services. Now, this new functionality on iOS opens the door to every single Google user, to heighten their mobile security with increased YubiKey options.”

Christiaan Brand, product manager for Google Cloud, said this capability will simplify the security key experience on compatible iOS devices, and allows users to use more types of security keys for their Google Account and the Advanced Protection Program.

“We highly recommend users at a higher risk of targeted attacks to get security keys (such as Titan Security Key or your Android or iOS phone) and enroll into the Advanced Protection Program,” Brand said. “If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through the Defending Digital Campaigns to get help enrolling into Advanced Protection.”

Categories: Cyber Risk News

Fraudulent iOS VPN Apps Attempt to Scam Users

Info Security - Thu, 06/04/2020 - 11:45
Fraudulent iOS VPN Apps Attempt to Scam Users

Digital security and privacy company Avast has issued a warning after it discovered three VPN Apps, available on the Apple App Store, which it claimed are fraudulent and appear to be ‘fleeceware’ – apps that are not ‘malicious’ but do not provide the services they claim to and/or are sold at far higher prices than they should be.

The three apps in question, Beetle VPN, Buckler VPN and Hat VPN Pro, have apparently been downloaded over 420,000, 271,000 and 96,000 times, respectively, between April 2019 and May 2020, according to data from Sensor Tower.

According to Avast, the apps claim to be VPNs and charge $9.99 a week for a weekly subscription once their free three-day trial expires.

Investigating the legitimacy of the apps, Avast researchers installed and purchased subscriptions to each. However, when they tried to use the VPNs, the apps only provided subscription options once again. After attempting to purchase the subscriptions again, Avast researchers were notified they already have a subscription and thus were unable to establish a VPN connection using any of the apps.

“Fleeceware apps fall into a grey area, because they are not malicious per se, they simply charge users absurd amounts of money for weekly, monthly or yearly subscriptions for features that should be offered at much lower costs,” said Nikolaos Chrysaidos, head of mobile threats and security at Avast. “In this case, the VPNs are being sold for $9.99 (USD) a week, when trustworthy VPNs cost 10-times less.”

With many people turning to VPN apps to protect their data while working remotely, this illustrates how important it is for users to research VPN apps before installing them, Chrysaidos added, including looking into who is behind the product, their track record with other products and user reviews, and experience in offering security and privacy apps.

Categories: Cyber Risk News

Zoom: Free Users Won’t Get Encryption So We Can Help FBI

Info Security - Thu, 06/04/2020 - 10:45
Zoom: Free Users Won’t Get Encryption So We Can Help FBI

Zoom has risked alienating security and privacy advocates by announcing that only its premium service will feature end-to-end encryption, in order for it to comply more easily with FBI access requests.

CEO, Eric Yuan, reportedly said on an analyst call yesterday that the entry-level version of the hugely popular video conferencing app would effectively not be as secure as its paid equivalent.

“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” he said.

The stance sets the platform apart from many tech companies like Apple and Facebook who are doubling down on end-to-end encryption on devices and for messaging, even in the face of vehement opposition from governments.

US attorney general William Barr and FBI director Christopher Wray have taken up where their predecessors left off in demanding that tech firms engineer de facto backdoors into their products to allow law enforcement to access communications of suspects.

Encryption experts, meanwhile, agree with Apple and others in saying it’s impossible to do so without degrading security for all users.

Yuan’s comments would also seem to be at odds with the firm’s commitments made back in April to improve trust, security and privacy for all users.

It effectively means that only those who can pay for it are provided with the most secure form of encryption.  

The irony is that Zoom has brought on board numerous big-name cryptography and security experts to bolster its image and improve the security of the platform.

These include John Hopkins cryptography expert Matthew Green, former Google privacy technology lead, Lea Kissner, cybersecurity consultancy NCC Group, former Yahoo and Facebook CSO, Alex Stamos and Luta Security.

Categories: Cyber Risk News

Malicious Android Apps Double in Q1 as Lockdown Users Are Targeted

Info Security - Thu, 06/04/2020 - 09:30
Malicious Android Apps Double in Q1 as Lockdown Users Are Targeted

The number of malicious Android apps detected in the first three months of the year is double that of the same period last year, according to new data from Upstream.

The mobile technology company’s Secure-D platform discovered over 29,000 malicious apps on the Google platform in Q1 2020 versus around 14,500 in Q1 2019.

What’s more, nine of the top 10 most popular malicious apps of the first three months of 2020 were available at some point on Google Play. Around 30% of the top 100 for 2019 were also available on the official marketplace.

Cyber-criminals are increasingly hiding their malware in leisure apps such as games, social, news and video players, to appeal to the large numbers of users now stuck at home.

Upstream said its security platform blocked 89% of the 326 million mobile transactions it processed because they were fraudulent. Many (32 million) were related to use of Snaptube, a video downloader app which was found to be engaging in mass advert and premium service subscription fraud which could have cost unwitting users tens of millions of dollars.

In fact, Upstream said the number of global transactions it blocked as fraudulent increased 55% from Q1 2019 to 2020.

It also revealed that the number of infected mobile devices it detected increased 7% to 11.2 million.

“With the majority of the world having shifted indoors, there were some darker forces acting to make a profit from the lockdown situation. At Secure-D, we've seen a sharp increase in bad actors publishing ‘leisure’ apps on the Google Play Store, which trick users into subscribing for premium services,” explained Geoffrey Cleaves, head of Secure-D at Upstream.

“Being in lockdown also means prepaid customers will find it difficult to get out the front door to top up their data bundles. In the meantime, malware could be eating into those data bundles. I suspect we may see a drop in mobile internet traffic, and successful billing attempts, in predominantly prepaid developing markets while lockdowns are in force.”

Categories: Cyber Risk News

New Report Claims Huawei Hushed Up Iran Business Links

Info Security - Thu, 06/04/2020 - 08:25
New Report Claims Huawei Hushed Up Iran Business Links

Chinese telecoms equipment giant Huawei is under pressure again after a report revealed new documents which apparently show a concerted attempt to cover-up its links with a ‘partner’ business in Iran which tried to break US sanctions.

The firm in question, Skycom, is at the center of a US case against Huawei in which it accuses it and CFO Meng Wanzhou, daughter of the owner, of fraudulently obtaining US goods for its Iran business via Skycom.

Meng is the subject of an indictment on charges including bank fraud and wire fraud and is currently awaiting extradition from Canada to the US. She and Huawei deny the charges and claim that Skycom, which was dissolved inn 2017, was a separate business partner operating in Iran.

However, new documents obtained by Reuters reportedly show that Huawei did indeed control Skycom and desperately tried to split the two operations whilst covering up the relationship once it was made public back in 2013.

“In consideration of trade compliances, A2 representative office is trying to separate Skycom and Huawei,” one document reportedly said. A2 is said to be Huawei’s code for Iran.

According to Reuters, Huawei also installed one of its own execs to be Skycom’s general manager in Iran from March 2013.

The documents, written in English, Chinese and Farsi, are also said to reveal Huawei actively working to shut down Skycom’s Tehran office and creating a new business in Iran to take over contracts from the firm worth tens of millions of dollars.

The US indictment also alleges that Meng personally gave a PowerPoint presentation to HSBC, which opened both Huawei and Skycom accounts, in which she claimed it was merely a “business partner” of Huawei. The US alleges she deceived the bank in order to move money out of the country.

She was arrested in Vancouver in 2018, with a judge last week allowing the extradition case to continue, rejecting her lawyer’s argument that the charges against her aren’t crimes in Canada.

Infosecurity has reached out to Huawei for comment on the story.

Categories: Cyber Risk News

Chicago Police Scanner Jammed by Hackers Amid Riots

Info Security - Wed, 06/03/2020 - 17:30
Chicago Police Scanner Jammed by Hackers Amid Riots

An investigation has been launched after hackers gained access to the emergency radio system used by the Chicago Police Department over the weekend. 

As officers worked hard to keep the peace amid riots and looting triggered by the death of George Floyd, hackers jammed their radio comms with slogans and music, endangering the safety of the public and those out protesting peacefully and lawfully. 

While reports of gun violence were called in, police scanners were blocked with N.W.A.'s '80s hip-hop track "F*** the Police" and Tay Zonday's "Chocolate Rain," which alludes heavily to institutional racism in the United States. 

Dispatchers struggled to communicate with police to determine where fires had broken out and find out where ambulances needed to be sent. 

“They’re not letting me copy you at all,” a frustrated dispatcher told one officer seeking assistance on Sunday night.

“It’s a very dangerous thing that they’re doing,” said Dan Casey, deputy director of public safety information technology in the Office of Emergency Management and Communications.

Casey told the Chicago Sun Times that recordings of the rogue transmissions have been passed on to local and federal authorities, who will investigate.

On Sunday a video was posted on YouTube in which two men laugh as music is played over a scanner on a Chicago police frequency while an officer attempts to radio for support. The video has attracted over 189,000 views. 

The Chicago police department has some encrypted radio frequencies, but most patrol officers use radios that aren’t capable of withstanding hacking.

“We are looking at a multiyear plan to secure the radio channels,” said Casey.

However, Casey said that some frequencies will remain unencrypted to allow other law enforcement agencies to communicate with the Chicago Police Department.

Disrupting police radio, an act known as “jamming,” is illegal and can incur a hefty custodial sentence. In 2018, the US Supreme Court upheld an eight-year prison sentence for Rajib Mitra, who jammed police radio frequencies in Madison, Wisconsin, around Halloween in 2003.

In 2011, Mitra was sentenced to a further 6.5 years behind bars for possession of child sexual abuse material. Files depicting the abuse were seized from Mitra's home computer during the initial 2003 radio jamming investigation but were so heavily encrypted that it took police years to decipher them.

Categories: Cyber Risk News