Cyber Risk News

Phishing Attack Impersonates Law Firm

Info Security - Wed, 10/03/2018 - 16:44
Phishing Attack Impersonates Law Firm

Netskope's Threat Research Labs today revealed details about a newly discovered phishing cyber-attack targeting the client bases of a law firm in Denver, Colorado, and across the US.

Using a PDF file decoy hosted in Azure’s Blob Storage service, the attacker sends the file as attachment to its targets. The decoy is linked to an Office 365 phishing page and has a Microsoft-issued domain and SSL certificate.

Because these attachments are often synced automatically to cloud storage services through collaboration settings in a variety of popular software and third-party apps in a number of enterprises, the campaign is very difficult to detect.

Traditionally, the PDF is delivered as an email attachment that appears to come from a legitimate source. It’s not uncommon for these attachments to be saved to a cloud storage service, such as Google Drive. Nor is it uncommon that a user would share the document. The PDF discovered is named “Scanned Document…Please Review.pdf” and appears as though it is actually coming from the Denver-based law firm. When users click the hyperlink to download the PDF, a pop-up message alerts the user that the document is attempting to connect to an Azure blob storage URL, which leads to the phishing web page.

“At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials. Upon clicking continue, the victim's credentials are uploaded to https://searchurl[.]bid/livelogins2017/finish40.php,” Netskope wrote in today’s blog post.

Classified as a more complex variant of Netskope's "CloudPhishing Fan-out Effect" discovery last year, the PDF decoy instantly uploads the victim’s user credentials once accidentally downloaded, and the process repeats itself as the file continues to be inadvertently shared throughout the organization.

Researchers reported the sites they discovered on September 17, 2018. Netskope recommends that users always check the domain of the link and be aware of the domains typically used at login, particularly with sensitive services. Organizations should also keep systems and antivirus updated with the latest releases and patches.

Categories: Cyber Risk News

Palo Alto Networks to Acquire RedLock

Info Security - Wed, 10/03/2018 - 16:39
Palo Alto Networks to Acquire RedLock

In a move that will bolster its existing security offerings for multi-cloud environments, Palo Alto Networks today announced its intent to acquire RedLock. In March 2018, Palo Alto Networks acquired, a deal that augmented its inline, host-based and API-based security offerings.

As many organizations continue to migrate to the cloud, they report a lack of visibility and centralization across the multi-cloud environment, according to RedLock. Because the company captures event details and correlates resource configuration, network traffic and third-party feed, its acquisition addresses the pain points companies have in managing compliance and detecting and responding to threats quickly.

According to today’s Palo Alto Networks post, RedLock brings risk prioritization with risk scores determined for every cloud resource, rapid response whereby companies can perform auto-remediation, threat investigation that searches for all databases that were receiving traffic from suspicious IP addresses and an audit trail that provides customers with a DVR-like capability to view time-serialized activity.

“We are thrilled to add RedLock's technology to our cloud security offerings,” said Nikesh Arora, chairman and CEO of Palo Alto Networks, in today’s press release. “The addition of their technologies allows us to offer the most comprehensive security for multi-cloud environments, including Amazon Web Services, Google Cloud Platform and Microsoft Azure, and significantly strengthens our cloud strategy going forward.”

In a blog post, RedLock co-founder and CEO Varun Badhwar wrote that combining its capabilities with Palo Alto Networks and Evident will enable the company to deliver more robust security offerings that include continuous discovery and inventory of public cloud resources, compliance reporting and the ability to prioritize vulnerabilities.

“We are excited to join Palo Alto Networks to bring together the strength of our cloud analytics and their industry-leading compliance technologies to help security teams protect their organizations,” wrote Badhwar.

Categories: Cyber Risk News

#IPEXPO: What Threat Intel Teaches Us About App Security

Info Security - Wed, 10/03/2018 - 14:00
#IPEXPO: What Threat Intel Teaches Us About App Security

Speaking at IP EXPO Europe, Ray Pompon, principal threat researcher at F5, said that applications are now at the center of business, the reason people use the internet and the gateway to data. Pompon said F5 research showed that 34% of web apps are considered mission critical, with 765 web apps used in the average organization.

However, “most of our security problems are happening at the app layer,” he added, and by applying threat intelligence to application security we can “know what is going to happen before the bad guys.”

Pompon argued that security problems arise around applications because they are all too often thought of as single devices, when they are actually ‘colony creatures’ made up of five tiers: services, access, TLS/SSL, DNS and network.

“All of these layers are integral to making an app work,” he said, “but attacks can target each of these tiers,” (see image 1) so it is vital to consider each of these tiers when approaching application security.

Image 1
Categories: Cyber Risk News

#IPEXPO: Cyber-Attacks: Why You Can’t Always Trust Companies, or Security Staff

Info Security - Wed, 10/03/2018 - 13:20
#IPEXPO: Cyber-Attacks: Why You Can’t Always Trust Companies, or Security Staff

Speaking at IP EXPO Europe, security analyst Graham Cluley presented a session exploring some ‘unbelievable tales’ of ‘cyber horrors’, arguing that you cannot always trust companies or IT security staff when it comes to cyber-attacks.

The first example he pointed to involved a dating site called BeautifulPeople which only allowed users to join based on their attractive appearance, which it actively vetted.

Cluley explained that, in June 2011, the website claimed they had ejected 30,000 members after a virus attack affected its vetting system. “We got suspicious when tens of thousands of new members were accepted over a six-week period, many of whom were no oil painting,” were apparently the words the firm used to explain the situation.

However, after reaching out to the site to inspect the malware and receiving confusing/unlikely responses about the nature of the virus, he came to the conclusion that the company’s claim of suffering a cyber-attack was nothing more than a ploy to increase its public exposure.

“Here we have a company which is lying about being hacked,” he said. “Normally companies like to say they haven’t been hacked, or they’ve only been hacked a little bit. In the case of BeautifulPeople, they lied and said they had been hacked in order to get more media attention, and more people joining their website.”

Ironically, the site did suffer a real data breach affecting over one million users in April 2016, Cluley said. “Surprisingly, BeautifulPeople did not decide to do a press release about this security breach. Not all companies tell the truth when it comes to computer security,” he added.

There are also instances when you cannot always trust IT security staff, Cluley continued, citing the example of a man who was the head of IT security of the Iowa lottery, who tried to defraud his own company out of millions of dollars in winnings by targeting the computer that was used to randomly generate the winning numbers.

With the use of a code that affected and compromised the method the number generator used, the man was able to reduce the possible number of outcomes from around 10.9 million to just a few hundred. After buying a few hundred lottery tickets that week, he was able to get the winning numbers, though he was arrested, investigated and jailed and did not receive the winnings.

“The threat can come from all kinds of different directions,” Cluley concluded, “there is so much focus on the external threat, but there is a significant threat posed by your internal staff as well.”

Categories: Cyber Risk News

#IPEXPO: Tech Industry Must ‘Deliberately Affect Change’

Info Security - Wed, 10/03/2018 - 12:30
#IPEXPO: Tech Industry Must ‘Deliberately Affect Change’

Speaking in the opening keynote session at IP EXPO Europe, Canadian astronaut Chris Hadfield said that if you ever want to be able to push the very edge of technology and what is considered normal, you need to “deliberately affect change.”

However, “change involves risk,” he added, and it requires an extremely high level of risk to “do something new.”

Reflecting on his illustrious career, Hadfield said that “impossible things happen when someone sets an idea, technology advances forward and people apply themselves to try and map that transformation – it’s incredible where it can take you!”

However, whenever you look to make changes and try something new, “things go wrong,” he continued. It happens in business on a daily basis, and it happens inside a space station– “things fail all the time,” he said.

“When you’re attempting to transform and change, it’s really important to have an idea of what perfection looks like and what your goal is – that’s how you unify your team – but you have to absolutely expect that things will go wrong, and you will not be judged on what your goals were, you’ll be judged on what you did next.”

To conclude, Hadfield said that driving technological change requires us to never be satisfied with our own level of competence at anything. “No matter how component you are, even if you get 100% on a test, six months from now you won’t – either you will have forgotten or the technology would have changed.

“You folks [tech professionals] are in the cutting-edge technology business, you need to be relentlessly dissatisfied with your own expertise, always. Things will never be this slow again and the necessity for you to step up to that is the first fundamental step in transformation and change.”

Categories: Cyber Risk News

Twitter Updates Aim to Enhance "Election Integrity"

Info Security - Wed, 10/03/2018 - 10:42
Twitter Updates Aim to Enhance "Election Integrity"

Twitter has updated its rules and detection and enforcement capabilities in a bid to boost confidence in the platform ahead of the US midterm elections.

In a post from VP of truth and safety, Del Harvey, and head of site integrity, Yoel Roth, the firm explained that the enhancements were part of an “election integrity” push.

They include updated and expanded rules to discern whether an account is fake or not. Some of the factors now included are use of stock or stolen avatar photos; stolen or copied profile bios; and intentionally misleading profile information, including location.

Twitter claimed it is also getting tough on accounts that “deliberately mimic or are intended to replace accounts we have previously suspended for violating our rules.”

It is lowering the bar for taking action on accounts claiming responsibility for hacking, “which includes threats and public incentives to hack specific people and accounts.”

These efforts will combine with unnamed improvements to ban policy violators, and the development of proprietary systems to “identify and remove ban evaders at speed and scale.”

The micro-blogging platform claimed that its automated detection tools challenged on average 9.4 million accounts each week in the first half of September, while user-generated spam reports declined from 17,000 per day in May, to around 16,000 per day in September.

The firm was at pains to point out its partnership with Republicans, Democrats and state election officials to take action on tweets about elections and political issues “with misleading or incorrect party affiliation information.”

It remains to be seen whether these efforts will be enough to disrupt a concerted effort by the Russian state to disrupt, misinform and sow discord within the US electorate.

It’s a tactic which came to light during the 2016 race for the White House, and has been seen at work in the UK ahead of the Brexit vote.

Categories: Cyber Risk News

Facebook: No Evidence Hackers Accessed Third-Party Apps

Info Security - Wed, 10/03/2018 - 09:51
Facebook: No Evidence Hackers Accessed Third-Party Apps

Facebook has claimed to have found no evidence that third-party apps were affected by a recently disclosed breach where attackers stole access keys for 50 million user accounts.

VP of product management, Guy Rosen, explained in an update on Tuesday that no signs have been uncovered during the investigation to indicate that “the attackers accessed any apps using Facebook Login.”

“Any developer using our official Facebook SDKs — and all those that have regularly checked the validity of their users’ access tokens — were automatically protected when we reset people’s access tokens,” he continued.

“However, out of an abundance of caution, as some developers may not use our SDKs — or regularly check whether Facebook access tokens are valid — we’re building a tool to enable developers to manually identify the users of their apps who may have been affected, so that they can log them out.”

Rosen took the opportunity to repeat Facebook Login security best practices for developers: namely that they use Facebook’s official SDKs, as these automatically check the validity of access tokens every day and force a fresh login if the social network resets them.

They were also urged to use the Graph API to keep information updated regularly and “always log users out of apps where error codes show that any Facebook session is invalid.”

Although the news will be welcomed by any companies running third-party apps that can be logged-in to via Facebook, the aftershocks of the breach itself are still coming.

Some reports have suggested Facebook log-ins are up for sale on the dark web for between $3 and $12, by trusted vendors — although there’s no confirmation that their appearance is linked to the cyber-attack reported late last week.

While most reports currently circulating — particularly those purporting that the firm is facing a GDPR fine of over $1bn — are speculative at best, there is a potential risk for users of follow-on phishing and ransom attacks.

These could include small snippets of info gleaned from any compromised accounts to make the scam appear more legitimate. Such tactics have already been used in the past to try to extort money from victims. Even those not affected by the breach could be targeted by phishers looking to capitalize on the notoriety of the incident.

Categories: Cyber Risk News

Fortnite Cheaters Tempted with Data-Stealing Malware

Info Security - Wed, 10/03/2018 - 09:00
Fortnite Cheaters Tempted with Data-Stealing Malware

Cheaters looking to gain an advantage on popular video game Fortnite have been warned about a new scam delivering information-stealing malware.

Malwarebytes researcher, Chris Boyd, explained that the threat has been designed to coincide with the new seasons of the Epic Games title.

The malware was hidden amidst a “sizable mish-mash” of free season six passes, ‘free’ Android versions of the game, ‘free V-Bucks’ used to buy additional content for the game, and “a lot of bogus cheats, wallhacks, and aimbots,” he said.

It’s hidden in YouTube clips masquerading as cheats. One managed to garner 120,000 views before it was pulled.

“Offering up a malicious file under the pretense of a cheat is as old school as it gets, but that’s never stopped cyber-criminals before,” Boyd added. “In this scenario, would-be cheaters suffer a taste of their own medicine via a daisy chain of click-throughs and (eventually) some malware as a parting gift.”

In one instance, clicking the link to the clip sends the user to a third-party site called Sub2Unlock where they’re asked to “subscribe to unlock.”

This differs from typical scams of this type, where users often have to fill in surveys. After completing this stage, they are taken to a spoof cheat site at bt-fortnite-cheats(dot)tk.

“This site is a fairly good-looking portal claiming to offer up the desired cheat tools, and it stands a fair chance of convincing youngsters of its legitimacy. A little bit more button clicking, and potential victims are taken to a more general download site containing what appears to be an awful lot of files alongside a wide range of adverts,” Boyd continued.

“As far as the malicious file in question goes, at time of writing, 1,207 downloads had taken place. That’s 1,207 downloads too many.”

The malware in question is detected as Trojan.Malpack, with a data-stealing payload designed to send the stolen info to a location in Russia.

“Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets, and also Steam sessions,” explained Boyd.

Reports have also emerged of stolen Fortnite and other account being sold on Instagram

Categories: Cyber Risk News

Malware Less Common in Q2, Still Top Attack Method

Info Security - Tue, 10/02/2018 - 16:30
Malware Less Common in Q2, Still Top Attack Method

Despite malware attacks becoming less common since Q1 2018, they are still the top attack method, according to new research from Positive Technologies.

In its Q2 2018 Cybersecurity Threatscape, Positive Technologies found that the number of unique cyber incidents grew by 47% from the same period last year, while malware attacks dropped from 63% in Q1 to 49% in Q2. Credential compromises more than doubled between Q1 (7% of all attack methods) and Q2 (19%).

The report also found that most unique cyber incidents were targeted attacks on companies, their clients and cryptocurrency exchanges. Attackers used malware and made efforts to exploit zero-day vulnerabilities. Additionally, they leveraged social engineering tactics to steal administrator passwords and accessed partner companies in pursuit of their targets.

Both May and June saw twice as many attacks as were reported in Q1 2017. During Q2, hackers stole more than $100 million from cryptocurrency platforms. In addition to cryptocurrency, attackers were also out to obtain data in the second quarter of 2018. In fact, in 40% of the attacks, obtaining information was the apparent motivation, while 39% of attackers were conducted for financial gain. Most often, attackers compromised online platforms and e-commerce sites to steal personal data, credentials and credit cards.

Information is in high demand on the dark web, with a reported 59% of the supply offered consisting of users credentials. With the stolen credentials, attackers can access a variety of sites and services, including banks.

“We took a look at which information attracted hackers the most in Q2 2018. At the top of the list are personal data (30%) and account credentials (22%), such as for online banking. Credit and debit card information (15%) was obtained most often by using spyware or via compromised websites,” Positive Technologies wrote.

Targeted attacks against companies and organizations represented 54% of the total Q2 2018 attacks, though only 15% of attacks were against government. Infrastructure was the target of 44% of attacks this second quarter, while attacks on web resources grew nearly 10 points from 23% in Q2 2017 to 32% in 2018.

Categories: Cyber Risk News

ReliaQuest Gifts $1m to Build Cyber Lab at USF

Info Security - Tue, 10/02/2018 - 14:43
ReliaQuest Gifts $1m to Build Cyber Lab at USF

The University of South Florida (USF) has received a $1m gift to fund a cybersecurity lab at the USF Muma College of Business. With the goal of making Florida the “Cyber State,” ReliaQuest extended the gift to USF, payable over the course of five years.

The partnership is being touted as a first-of-its-kind initiative that will prepare students with the skills they need to pursue careers in cybersecurity. "Cybersecurity is one of the hottest job fields that exists today, with a huge demand for skilled professionals. Rather than see this as a challenge, we see it as an opportunity to find innovative solutions together with industry partners like ReliaQuest," said USF Muma College of Business dean Moez Limayem in a press release.

"Ultimately, it's our students who will benefit the most, gaining valuable skills and hands-on experiences that will help them land lucrative jobs after graduation and help build Florida's economy."

The ReliaQuest Cybersecurity Lab will provide hands-on, real-world training in a security operations center (SOC) environment. The gift highlights the company’s effort to address the workforce shortage looming over the cybersecurity industry.

The lab is an extension of ReliaQuest University, the internal training program that already exists at ReliaQuest. Partnering with USF will expand the reach of the training by offering a four-week immersive program in the fundamentals of cybersecurity. As part of the partnership, all students at USF, regardless of their majors, will have access to the Cyber Simulator, the component of ReliaQuest University where users receive the hands-on training with the latest security technologies.

"In the face of what the industry refers to as a talent shortage, we believe that cybersecurity is actually suffering from a skills shortage," said ReliaQuest CEO Brian Murphy. "There are plenty of people eager to enter the cybersecurity field, but they need the skills to perform effectively in those positions. To overcome this challenge, ReliaQuest has chosen to invest both our expertise and financial resources to help solve one of the biggest problems in the industry."

Categories: Cyber Risk News

Apollo Faces Criticism for Breach of 200 Million Contacts

Info Security - Tue, 10/02/2018 - 14:20
Apollo Faces Criticism for Breach of 200 Million Contacts

Sales engagement startup Apollo, whose database of 200 million contacts across 10 million companies was reportedly hacked, is facing criticism for failing to protect the data it collects. According to TechCrunch, Apollo said its contacts database was stolen in a data breach.

While the company’s website offers no information on the breach, Apollo does admit that despite any security practices, it cannot guarantee the protection of the data it collects. “We understand the importance of the security of the information we collect, but we cannot promise that our security measures will eliminate all security risks or avoid any security breaches.”

Infosecurity Magazine contacted Apollo for more details but has not received a response. Bjoern Zinssmeister of Templarbit reportedly gained access to an email sent to affected Apollo customers. The communication acknowledged that the majority of exposed information came from its publicly gathered prospect database. According to TechCrunch, in Apollo's mandatory customer communication email, CEO Tim Zheng wrote that no additional information is available at this time given that the investigation is still ongoing.

Yet content from the email has been made public, and critics say Apollo's security efforts were insufficient. “In an email to affected customers, Apollo said the data breach was discovered weeks after system upgrades in July,” said Zohar Alon, CEO, Dome9. “Apollo is not the first company to have a breach go unresolved for a long period of time, proving organizations do not emphasize security to a high-enough degree.”

Acknowledging that there are security risks that could result in a breach does not go far enough in protecting customer data for a company that boasts a database of 200 million contacts from 10 million companies. “If other organizations want to prevent breaches like the one experienced by Apollo, they must leverage advanced security capabilities built for the cloud,” said Jacob Serpa, product marketing manager, Bitglass.

“They should employ multifactor authentication to verify users' identities more accurately, as well as contextual access control that can flexibly extend data access based on a user's location, device type, and more.”

“The breach of Apollo’s enormous database of 200 million prospective customers and 10 million companies adds to a growing list of companies that compile large amounts of data yet fail to keep it safe,” said Ruchika Mishra, director of products and solutions, Balbix.

“When you are expected to keep prospect, customer, supply chain and other business-critical contact information safe, you must be proactive about your security efforts and try to detect and mitigate cyber risks in your network before they are exploited.”

Categories: Cyber Risk News

Financial Sector Breaches Have Tripled Since 2016

Info Security - Tue, 10/02/2018 - 12:01
Financial Sector Breaches Have Tripled Since 2016

US financial services firms suffered three-times more data breaches in the first six months of 2018 than during the same period in 2016, according to new data from Bitglass.

The security vendor aggregated data from the Identity Theft Resource Center (ITRC) and the Privacy Rights Clearinghouse (PRC) to gain insight for its Financial Breach Report 2018.

In total, there were 103 breaches recorded from January to August 2018, versus the 37 recorded over the same period in 2016. That’s understandable considering the wealth of lucrative sensitive information these companies typically store, including home addresses, bank statements and Social Security numbers.

Hacking and malware were responsible for the vast majority (74%), with 15% down to accidental disclosures, 9% the result of a physical breach and 3% the result of insider threats.

Bitglass also claimed that 44% of financial services organizations have malware in at least one of their cloud apps, with ransomware-as-a-service, modular banking trojans, cloud crypto-jacking attacks and more all posing a threat.

It noted that 93% of AV engines, along with Google Drive and Microsoft SharePoint, were unable to detect the zero-day ShurL0ckr ransomware that appeared earlier this year.

The top three breaches so far in 2018 accounted for more records than all of those in the vendor’s 2016 report: 64,512. These included an insider theft of 1.5 million customer details at SunTrust Bank.

The data broadly aligns with Verizon’s most recent Data Breach Investigations Report (DBIR), which revealed earlier this year that 92% of threat actors in attacks on financial services firms are external and 7% internal.

However, that report also pointed to the growing need not just to protect against data theft, but also guard against ATM skimming and jackpotting.

The report also comes just a day after UK regulator the Financial Conduct Authority (FCA) fined Tesco Bank over £16m for failings that led to a theft of over £2m from customers’ accounts back in 2016.

Categories: Cyber Risk News

MoD Launches Cyber Cadet Training Program

Info Security - Tue, 10/02/2018 - 09:19
MoD Launches Cyber Cadet Training Program

The Ministry of Defence has launched a new program designed to equip more young people with cyber-skills.

The Cadets CyberFirst program will train up 2000 Armed Forces cadets each year with cybersecurity know-how.

Over £1m will be invested in the initiative each year, with cadets able to choose from introductory courses on how to protect small networks as well as more advanced curricula. The money will also be used to train more than 50 Cadet Force adult volunteers to deliver the program going forward.

“We live in a modern world where our phones are rarely out of our hands and we rely on computers to make daily tasks easier. Cyber threats to the UK are constantly evolving and this exciting initiative to train and develop ‘cyber cadets’ — the first of its kind in a NATO state — reaffirms our leading role in tackling security threats head on,” said defense secretary, Gavin Williamson.

“It is important to recognize the vital role cadets play in our communities, and I am determined to grow the number of young people signing up and make sure their successes are properly recognized each year.”

The Cadet Expansion Programme aims to increase the number of cadets in schools from 43,000 to 60,000.

The initiative was welcomed by industry experts.

“It is evident that there is currently a shortage of talent in the cybersecurity industry, which we as a nation are struggling to circumvent. All organizations — private and public — are pivotal in closing the cybersecurity skills gap, ensuring our children are fully equipped for facing future inevitabilities,” said Rob Norris, VP head of enterprise & cybersecurity at Fujitsu EMEIA.

“And with our latest report revealing that a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, this new scheme provides an invaluable resource as the country looks to identify and nurture the cyber experts of the future.”

McAfee chief scientist, Raj Samani, added that the need to close skills gaps is especially urgent given the rise in nation state attacks.

“Initiatives like this will help to encourage more people into the cybersecurity sector — making students aware of the career prospects in this space and creating a new generation of defense against cyber-criminals,” he argued.

Categories: Cyber Risk News

Tory App Snafu Exposes Ministers’ Personal Info

Info Security - Tue, 10/02/2018 - 08:51
Tory App Snafu Exposes Ministers’ Personal Info

A malfunctioning mobile app has left the Conservative Party red-faced after users were able to access phone numbers and other personal details of Cabinet ministers, as the party's conference kicked off in Birmingham this week.

Events industry app developer, CrowdComms, apologized “unreservedly” for the incident, explaining in a statement that it became aware of unusual activity on the platform over the weekend.

“An error meant that a third party in possession of a conference attendee's email address was able, without further authentication, to potentially see data which the attendee had not wished to share — name, email address, phone number, job title and photo,” it noted.

“The error was rectified within 30 minutes. It is likely that it affected a very small proportion of attendees and we are working with the Conservative Party to ensure any potentially affected attendees are notified.”

Before the issue was fixed, various Cabinet ministers reportedly received prank calls and some had their headshots on the app changed: former foreign secretary Boris Johnson’s pic was apparently changed to a pornographic image.

Mark Noctor, VP EMEA at Arxan Technologies, argued that organizations must start treating their applications as the new endpoint.

“Apps needs to be protected from compromise or attackers can effectively bypass security controls and have access to cryptographic keys, payload formats, credentials, API endpoint references and so much more,” he warned.

“As the party of government, the Tories are meant to be passing and enforcing laws. This would appear to be a breach of GDPR law, raising to the fore whether enough has really been done to ensure data privacy. There need to be regulations that require app security to be in place and not just seen as a ‘tick box activity’ as it may have been in the past.”

Categories: Cyber Risk News

Failure to Protect Data Costs Bupa £175,000

Info Security - Mon, 10/01/2018 - 15:00
Failure to Protect Data Costs Bupa £175,000

The Information Commissioner’s Office (ICO) has fined Bupa Insurance Services Limited (Bupa) £175,000 for its failure to protect the personal information of its customers. Had the timing of the breach been different, Bupa would have faced fines under the General Data Protection Regulations (GDPR), but the security incident occurred prior to those regulations going into effect.

According to the ICO, a Bupa employee stole the personal data of 547,000 employees between January 6 and March 11, 2017. By email himself bulk data reports, the employee was able to pilfer personal information that reportedly included names, dates of birth, nationalities and administrative information for the policy and its beneficiaries, including membership number, email address, phone and fax number, but not any medical information.

In the Monetary Penalty Notice, ICO wrote, “The monetary penalty concerns Bupa Global's customer relationship management system ('SWAN') which holds customer records relating to 1.5 million data subjects. SWAN is used to manage claims made by Bupa Global customers under their international health insurance policies.”

Because Bupa failed to have effective security measures in place and did not routinely monitor SWAN activity logs, the employee successfully emailed the reports to his personal email and then put the information up for sale on the dark web.

After an external partner alerted Bupa to the breach on June 16, 2017, the employee was terminated. Until that point, “Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data,” ICO wrote.

For breaching the mandate that companies keep personal data secure, Bupa received the maximum penalties under the Data Protection Act of 1998, which preceded the GDPR. ICO director of investigations Steve Eckersley said in the September 28 post, “Bupa failed to recognize that people’s personal data was at risk and failed to take reasonable steps to secure it."

“Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”

Categories: Cyber Risk News

Ransomware Casts Anchor at the Port of San Diego

Info Security - Mon, 10/01/2018 - 14:14
Ransomware Casts Anchor at the Port of San Diego

A cybersecurity incident at the Port of San Diego was first announced on Tuesday, September 25, 2018, but CEO Randa Coniglio announced on September 27, 2018, that the event was actually a ransomware attack on the port, which oversees more than 34 miles of coastline along San Diego Bay.

The port remains open, but the attack has disrupted the agency's information technology systems. According to the press release, the port is working with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) on the investigation and remains in close communication and coordination with the U.S. Coast Guard. 

Normal port operations continued despite the attack on the network systems. “Public safety operations are ongoing, and ships and boats continue to access the bay without impacts from the cybersecurity incident. While some of the port's information technology systems were compromised by the attack, port staff also proactively shut down other systems out of an abundance of caution,” Coniglio continued.

The attack has caused temporary impacts on some services to the public, including park permits, public records requests, and business services. A ransom note demanded payment in Bitcoin, though the port has not disclosed the amount requested by the cybercriminals. No additional information on whether the port has paid the ransom or has retrieved access to any encrypted files is available at this time.

"The Port of San Diego malware infiltration and subsequent ransomware demand is just the latest example of a local government entity (and critical infrastructure) being disrupted by ransomware, rendering employees unable to access enterprise applications and do their jobs,” said Sherban Naum, senior vice president for corporate strategy and technology at Bromium.

“Unfortunately, it’s no longer a case of if a breach will occur, but when, and how quickly federal agencies can get systems back up and running. Government – whether local, state or federal – needs to stop playing catch up and supplement layered defenses with virtualization, protecting by design by isolating threats in a virtual environment. Only by isolating undetectable threats as a part of life and limiting the damage and profits that can made by them will we start to see the tide turn. This will keep employees productive and prevent ransomware from putting organizations at risk on the stormy seas of the threat environment.”

Categories: Cyber Risk News

Password Security Better, Still Poses Business Risk

Info Security - Mon, 10/01/2018 - 13:38
Password Security Better, Still Poses Business Risk

Today marks the start of National Cybersecurity Awareness Month (NCSAM), and LastPass by LogMeIn has released the 2018 Global Password Security Report to align with the efforts of NCSAM. While businesses have reportedly made progress with passwords, they still have a long way to go toward strengthening password security. Today’s report is an effort to continue to raise awareness about the risks of dangerous password behavior.

Analying anonymized data from more than 43,000 companies of all sizes that are using LastPass as their business password manager, the report graded businesses, awarding a password security score on a scale of 0–100. The average password security score of organizations was 52. Organizations with fewer than 25 employees averaged 50, while technology companies scored averaged 53 points, in part because 31% of businesses in the technology sector have adopted multifactor authentication.

“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, CISO at LogMeIn in a press release.

Given that an increased number of end users poses a higher risk, it makes sense that the bigger the company, the lower the score. However, when looking at the organizations included in the survey, those who were within the first year of using a password management tool saw an increase of nearly 15 points in their password security score. Yet the data revealed that the practice of password sharing still prevails, with a single employee sharing, on average, six passwords with co-workers.

“Security professionals often fail to consider the value of the first factor of enterprise authentication: the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up,” said Frank Dickson, research vice president, security products at IDC.

The report highlights two benchmarks for evaluating password security: the LastPass Security Score and the LastPass Password Strength Score. The LastPass Security Score incorporates the Password Strength Score and assessed whether passwords were vulnerable based on a variety of indicators, including whether they were duplicated. Additional security settings, such a multifactor authentication, were also considered in the overall score.

Categories: Cyber Risk News

Review to consider role of data in UK regulated markets - Mon, 10/01/2018 - 11:34
The role that data can play in improving competition, innovation and consumers' experiences in the UK's financial services, energy and telecoms markets is to be considered in a new cross-government review.
Categories: Cyber Risk News

Tesco Bank Fined £16m After 2016 Cyber Heist

Info Security - Mon, 10/01/2018 - 11:01
Tesco Bank Fined £16m After 2016 Cyber Heist

Tesco Bank has been fined £16.4m by the UK’s financial regulator for deficiencies which allowed hackers to steal millions from its customers in 2016.

Online attackers bagged £2.24m in the November raid two years ago, in what the lender described as “sophisticated criminal fraud.”

Although the actual MO of the attackers is still unknown, the Financial Conduct Authority (FCA) has seen the details and decided to slap a major fine on Tesco Bank for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.”

Specifically, the bank failed the regulator’s Principle 2, due to deficiencies in the “design of its debit card,” and its configuration of fraud detection and authentication rules.

The bank was also criticized for failing to respond to the incident with “sufficient rigor, skill and urgency.”

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” explained FCA executive director of enforcement and market oversight, Mark Steward.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

The fine would have been an even bigger £33.5m had Tesco Bank not provided high-level co-operation which helped to protect more customers and quickly compensate those affected. It also received a 30% discount for early settlement, the FCA said.

Categories: Cyber Risk News

Torii IoT Botnet Takes Mirai to the Next Level

Info Security - Mon, 10/01/2018 - 09:39
Torii IoT Botnet Takes Mirai to the Next Level

Security experts are warning of a new IoT botnet far more stealthy, persistent and advanced than Mirai and designed to compromise a wide range of device architectures.

Researcher @VessOnSecurity first tweeted about his discovery last week after detecting the threat via a honeypot. Although it spreads via Telnet and targets weak credentials on devices, “it’s not your run-of-the-mill Mirai variant or Monero miner,” he warned.

“It does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,” explained Avast in a follow-up analysis.

“Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.”

Dubbed “Torii” by the firm, the threat first finds out the architecture of the targeted device, and downloads an appropriate payload — with MIPS, ARM, x86, x64, PowerPC, SuperH and more supported.

This payload is a dropped for the second stage. Meanwhile, Torii uses at least six methods to make sure the file remains on the device and always runs.

“The second stage payload is a full-fledged bot capable of executing commands from its master (CnC),” said Avast. “It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.”

Sean Newman, director at Corero Network Security, said Torii is “cashing in on the rapidly expanding global pool of IoT devices.”

“Its secret could be the large number of different platforms the code can support, which gives it the diversity needed to find enough devices that still use simple default username/password pairs,” he added. “Until IoT manufacturers solve the issue of shipping devices with the same default administrator credentials, it’s going to remain child’s play for cyber-criminals to leverage them for nefarious purposes.”

Categories: Cyber Risk News