Cyber Risk News
Cyber-attacks remained the biggest perceived risk of doing business for executives in North America and Europe, and second globally, according to an annual World Economic Forum (WEF) report published yesterday.
Compiled from the responses of over 12,900 executives in 133 countries, the Regional Risks for Doing Business 2019 report outlines “the five global risks that you believe to be of most concern for doing business in your country within the next 10 years.”
Cyber-attacks were pegged as the biggest risk by CEOs in six of the world’s 10 largest economies: the US, Germany, the UK, France, Italy and Canada, as well as six other European countries.
Data fraud or theft was put in seventh place in terms of most concerning business risks for global respondents.
“The fact that cyber-threats worry the business community as much as they do academia, civil society, governments and other thought leaders shows just how disruptive this risk is to all aspects of life,” the report noted.
“As economies and societies continue to digitize, cyber-attacks are both more lucrative for attackers and more dangerous for victims.”
The WEF report highlighted the emergence of “formjacking” or Magecart attacks, alongside cryptojacking and the persistent threat of ransomware including the major losses suffered by Norsk Hydro as contributing to CEO unease over cyber-threats.
Some 61% of European businesses reported cyber-incidents in 2019 compared to 45% the previous year, according to insurer Hiscox.
In the US, the report pointed to a spate of ransomware attacks on local government authorities across the country and concerns over the security of election systems.
“Cybersecurity remains the most concerning risk to business leaders in advanced economies, and growing technology dependence for many businesses will only amplify this,” argued John Drzik, president of global risk and digital at Marsh.
“Combined with fractious geopolitical developments, and growing economic concerns, executives face a very challenging portfolio of potential threats. Business leaders should re-evaluate their underlying view of the global risk environment and make greater efforts to strengthen their corporate agility and resilience.”
A former Yahoo employee has pleaded guilty to hacking thousands of customer accounts in search of sexual images and videos.
Reyes Daniel Ruiz, 34, of Tracy, California, admitted in a San Jose federal court on Monday to hacking around 6000 accounts — targeting those belonging to young women, including friends and colleagues.
He is said to have copied the content to a hard drive at home, although Ruiz destroyed it after his employer raised the alarm about suspicious activity.
It’s unclear exactly how he actually compromised the accounts, but the Department of Justice claimed he was first able to “crack” user passwords to access internal Yahoo systems.
Once inside, he was then able to compromise other accounts, including iCloud, Facebook, Gmail and Dropbox — presumably because password reset emails were sent to the hacked Yahoo accounts.
Ruiz was charged with one count of computer intrusion and one count of interception of a wire communication. Under a plea agreement he admitted to the first charge, which carries a maximum sentence of five years behind bars plus a fine of $250,000.
Carl Wearn, head of e-crime at Mimecast, argued that all organizations should have measures in place to mitigate the insider threat, and claimed the incident shows that password resets represent a serious business risk.
“We need to make it harder for hackers to trickle into a number of systems from one weak point. A starting point is to monitor systems for unusual behavior. A pattern of multiple employees resetting passwords, for example, should trigger a warning,” he added.
“Additionally, there should always be multiple administrators so that access privileges are not abused. Businesses may not be able to prevent every employee from using their skills or access for malicious means, but they can put a plan in place for spotting and tackling such behavior.”
Web-conferencing users who don't assign passwords could be having online meetings with more people than they think, according to new research.
The Cequence CQ Prime Threat Research team today announced its discovery in July 2019 of a vulnerability in the Cisco Webex and Zoom video-conferencing platforms that potentially exposes millions of online meetings to snooping.
By launching an enumeration attack that targets web-conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs, threat actors could exploit the vulnerability to view and listen to active meetings that haven't been protected by a password.
"In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community," said Shreyans Mehta, Cequence Security CTO and co-founder.
"In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web-conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities."
Following best practices on vulnerability disclosures, the CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings.
Richard Farley, CISO of Zoom Video Communications, Inc., said: "Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature."
The Cisco Product Security Incident Response Team (PSIRT) issued an informational security advisory to its Webex customers, but said it "is not aware of any malicious exploitation of this potential attack scenario."
PSIRT said: "Cisco Webex provides the host with controls that protect the meeting—such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication."
Passwords are enabled as a default setting for meetings on both the Zoom and Cisco Webex platforms. However, users who are in the mood to live dangerously have the option to make meetings on both platforms password-free.
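The enumeration described above leaves a recognisable trace on the server side: one client probing many distinct numeric meeting IDs in a short window, almost all of them failing. The detector below is an added example (not Cequence's, Zoom's or Cisco's code) that runs that check over constructed join-API log lines; the log format and the `/api/meeting/<id>/info` path are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp, client IP, request, status).
# One client looks up two meetings it was invited to; another cycles through
# consecutive meeting IDs and gets one hit among eleven misses.
SAMPLE_LOG = "\n".join(
    ["2019-07-01T10:00:00 203.0.113.5 GET /api/meeting/555123987/info 200",
     "2019-07-01T10:02:30 203.0.113.5 GET /api/meeting/555123988/info 200"]
    + [f"2019-07-01T10:05:{i:02d} 198.51.100.7 GET /api/meeting/{100000000 + i}/info "
       + ("200" if i == 7 else "404") for i in range(12)]
)

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/meeting/(\d+)/info (\d{3})$")


def parse_events(text):
    """Turn raw log text into (timestamp, client, meeting_id, succeeded) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, meeting_id, status = m.groups()
        events.append((datetime.fromisoformat(ts), client, meeting_id, status == "200"))
    events.sort(key=lambda e: e[0])
    return events


def find_enumerators(events, window=timedelta(minutes=5),
                     min_distinct_ids=10, max_success_ratio=0.2):
    """Flag clients that, within any sliding window, probe many distinct meeting IDs
    with a low success ratio. Legitimate attendees know their IDs, so their lookups
    mostly succeed and touch only a handful of meetings."""
    per_client = defaultdict(deque)
    flagged = {}
    for ts, client, meeting_id, ok in events:
        q = per_client[client]
        q.append((ts, meeting_id, ok))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {mid for _, mid, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(distinct) >= min_distinct_ids and successes / len(q) <= max_success_ratio:
            flagged[client] = {"distinct_ids": len(distinct),
                               "attempts": len(q), "successes": successes}
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(parse_events(SAMPLE_LOG)).items():
        print(f"possible meeting-ID enumeration from {client}: {stats}")
```

The thresholds are starting points to tune against real traffic; the same window logic also serves the rate limiting that the vendors describe applying on the server side.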
A malicious campaign that waged 13 attacks against hundreds of well-known publishers has been identified and put down by The Media Trust.
Rather appropriately for the Halloween season, the malware was given the name GhostCat-3PC by researchers in the Trust's Digital Security & Operations (DSO) team.
GhostCat-3PC ran behind an ad that used advanced, obfuscated code and delivery patterns to evade detection by the traditional signature-based ad blockers used by many of the publishers.
After a quick prowl to check if the user was on a list of targeted domains, GhostCat would initiate a fraudulent pop-up that, if clicked, led to malicious content.
The team discovered the malware in late August and observed it escalate its attack until well into September.
"What makes GhostCat-3PC unique is the scale of this highly orchestrated campaign, the sophistication of obfuscation techniques to outsmart security tools, and what appears to be an attempt to test and track the response of signature-based security defenses," Mike Bittner, The Media Trust's associate director of digital security and operations, told Infosecurity Magazine.
"Bad actors behind GhostCat-3PC know what blockers are present in these publications and are likely using these attacks as a kind of stress test to determine the risk of being discovered and impeded."
In a report published today, the DSO researchers explained how the creators of GhostCat hid malicious code inside seemingly innocuous code to get the malware past ad blockers.
The researchers wrote: "Most blockers work by detecting known malicious signatures found in an ad tag or on a publisher site. These signatures are typically static in nature and therefore must result in an exact match to the malicious code in order to be successful. Any change to the targeted code, no matter how minor, will prevent the blocker from producing a match to the specified signature."
The Media Trust sees an average of 1,000 active, unrelated incidents in any 24-hour period, and more than 170 newly minted malicious domains each day.
Asked how new ad blockers need to be to have any kind of effect against this continually evolving threat, Bittner told Infosecurity Magazine: "Pre-2019 blockers would be useless.
"Signature-based defenses like conventional blockers will have to update their keyword blocklists many times each day just to keep up with bad actors’ relentless assault. Just this past month, five premium publishers using conventional blocking solutions have had at least one major incident unrelated to GhostCat-3PC."
Engaging threat actors to launch a disinformation campaign in the Western media is "alarmingly simple and inexpensive" according to a new report.
Using the Recorded Future platform, Insikt Group researchers set up a fake company located in a Western country to gain insight into the chilling world of disinformation. Researchers then hired two sophisticated disinformation vendors, which they found on a Russian-speaking underground forum, to influence public perception of the fictitious company.
The first vendor, given the code name Raskolnikov in the report (presumably as a nod to Dostoevsky's protagonist in Crime and Punishment), was engaged to paint a positive picture of the company. The second vendor, code-named Doctor Zhivago, was hired to destroy the reputation of the company, which was code-named Tyrell Corporation in the report.
Researchers were able to launch a customizable month-long media campaign with each vendor for only a few thousand dollars. Services ranged from $8 for a social media post to $1,500 for SEO services and traditional media articles.
Raskolnikov created accounts for Tyrell Corporation on major Western social media platforms and gathered over 100 followers on each account. They offered a price list for sharing content on 45 websites, including ft.com, thelondoneconomic.com, eveningexpress.co.uk, and thefintechtimes.com.
Insikt Group researchers said: "In two weeks, the Tyrell Corporation was in the 'news'—one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century."
Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. The threat actor used social media to spread claims that Tyrell Corporation had manipulated employees, and even offered to file a complaint against the company for its supposed involvement in human trafficking.
Researchers said: "First, a group of older accounts—referred to as 'aged accounts'— that posted links to the articles they had published in media sources was employed. Then, a new batch of accounts that reposted content from the aforementioned aged accounts to amplify the messages was used.
"These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience."
Commenting on the research, Roman Sannikov, head of analyst services at Recorded Future, told Infosecurity Magazine: "We were surprised by how professional the vendors seemed to be. They provided much better customer service than your typical underground threat actor. They were there to provide us with advice on how we should carry out the campaigns and were very responsive to our questions and requests."
Asked how the research has shaped his view of the world, Sannikov said: "I think we already suspected that this was going on, though the fact that these threat actors were able to carry out the campaigns so quickly, inexpensively, and effectively in the West was certainly jarring.
"It underscores how important this issue is, not only when it comes to the public sector, but for private companies and individuals as well. We hope that our research will open people's eyes to this problem before it becomes pervasive outside of the vendors' traditional markets of Russian-speaking countries and Eastern Europe."
While businesses are seeing an increase in attack sophistication, and the overall attack volume in the past 12 months has increased, defense is getting better.
Speaking to Infosecurity, Rick McElroy, head of security strategy at Carbon Black, said that these statistics were due to what he called the “trickle down cyber-economy for adversaries” where nation state actors, cyber-militias and contractors working for them develop multi-million dollar tools which get into the wild – such as the exploits which enabled WannaCry and NotPetya to spread.
“As new capabilities and ammunition are developed, you’ll see that move into things like ransomware,” he explained. “Secondary, [offense] is not a highly specialized skill anymore, a lot of people are trained in it, and you can buy a lot of capabilities on the dark web. So the rise is down to more people being involved, and the sophistication is down to the cyber-economy, but defenders do have better tools.”
On that point, McElroy said that because there is better tooling in prevention and detection, the adversary has to improve and become more “stealthy.”
Asked if the state of cybersecurity was improving for defenders, McElroy said he believed it was getting better as “people are starting to sleep a bit more” and getting some of the things that they need thanks to budget approval. “It comes back to how to make the army bigger, and recruit successfully as people look at ‘non-traditional areas’” he said.
The research found that 76% of UK organizations were more confident in their ability to repel cyber-attacks than they were 12 months ago.
McElroy said: “As the cyber-defense sector continues to mature, businesses are becoming more aware of the tools at their disposal and the tactics they can use to combat cyber-attacks. We believe this growing confidence is indicative of a power shift in favor of defenders, who are taking a more proactive approach to hunting out and neutralizing threats than previously.”
He praised the MITRE ATT&CK framework as enabling defenders as it made vendors improve their technology, and pointed out that there is a feeling that defenders have better tools than ever before “which is definitely increasing the confidence that they have” as things can be found in environments that otherwise would not have been known about.
The research also found that 90% of UK businesses said threat hunting has improved their defenses, and McElroy noted that there is less reliance on alerting, and this has had a positive impact, “but where do you find the threat hunters as this is a skill that has not been around for long and globally there is a massive shortage of threat hunters and incident responders.”
A Danish firm has revealed that a suspected ransomware attack on its IT systems last month may end up costing as much as $95m.
Demant, which is one of the world’s leading makers of hearing aids, said it experienced a “critical incident” on September 3. Although it refuses to clarify the nature of the incident, local reports were less circumspect.
Although the firm had backed up data, the sheer scale of the attack appears to have had a major impact on its recovery.
“The Group’s IT infrastructure was hit by cybercrime. Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution,” Demant admitted in an update late last week.
“We continue ramping up to accommodate the back-log built up since the incident, to rebuild necessary inventories across the supply chain and to reduce turnaround times of repair and custom-made hearing aids. We are still in the recovery and ramp-up phase at our amplifier production site in Denmark and at our cochlear implants production site in France.”
The cumulative effect of these outages will have a negative financial impact on the firm in the region of DKK 550-650m ($80-95m). This includes a DKK 100m ($15m) deduction thanks to the firm’s cyber insurance policy.
Demant expects DKK 50m ($7m) to be incurred due to direct losses.
The firm’s hearing wholesale business was particularly badly affected, accounting for around half of estimated lost sales.
“The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” it continued.
“Despite our efforts to operate the business in the best possible way, our immediate focus on supporting existing customers to prevent them from being impacted by the incident has impacted sales and will likely impact our organic growth rate throughout the rest of the year.”
The news is another cautionary tale for firms currently unprepared to deal with the ransomware epidemic that continues to spread across the globe. Norwegian aluminium giant Norsk Hydro was hit earlier this year, leading to losses in the tens of millions of dollars.
Around 60% of global organizations have suffered a breach in the past three years, with the rest increasingly feeling like their turn is coming soon, according to new research from Bitdefender.
The security firm polled over 6000 cybersecurity professionals from organizations of all sizes in the UK, US, Australia, New Zealand, Germany, France, Italy and Spain to compile its Hacked Off! study.
While six in 10 respondents said they’d been hit by a data breach, 36% claimed they could be facing one without knowing. It’s no surprise that over half (58%) are concerned about the readiness of their organization to deal with such an attack.
Board-level buy-in is a major sticking point: 57% of respondents claimed that the C-suite is the least likely to comply with corporate cybersecurity policy, putting their firm at risk and making it hard to drive the kind of company-wide security-by-design culture demanded by GDPR and other regulators.
Nearly three-quarters (73%) believe they’re more at risk as they are under-resourced, while alert fatigue is a major problem, with over half (53%) of endpoint detection and response (EDR) alerts described as false alarms.
The research found that, partly because of this EDR failure, firms are reacting too slowly to incidents.
Over a fifth (29%) claimed it would take a week or longer to detect an advanced cyber-attack, while just three in every 100 cybersecurity professionals claimed 100% of attacks can be efficiently detected and isolated.
Yet despite all of these shortcomings, more than half (57%) of respondents rated their organization’s cybersecurity “very good” or “excellent.”
Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that further investments in anti-malware, network traffic analysis and EDR were all highlighted by respondents as necessary.
“Poor cybersecurity is an undeniable threat to businesses today. From the loss of customer trust to the impact on the bottom line it is critical for infosec professionals to get it right,” he added.
“According to respondents, 53% of infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff. Resources are in fact such a bugbear that infosec pros say the main obstacles to their organizations’ strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel.”
Nearly 100 HMRC employees have faced disciplinary action after misusing computer systems over the past two years, according to Parliament Street.
The think tank sent Freedom of Information (FOI) requests to the UK tax office to better understand the insider threat there.
It revealed that 92 staff members had misused IT systems over the previous two financial years, with eight sacked for their indiscretions.
Most common was misuse of email, with 15 written warnings issued in 2017-18 and a further 11 in 2018-19. According to the think tank, the culprit in many of these was a repeat offender, who had also been issued with a final written warning for computer misuse.
In 2018-19, nine written warnings were issued for misuse of social media channels, compared to zero the previous year.
In addition, 13 HMRC employees were reprimanded for misuse of telecommunications, and 19 were disciplined for misuse of computer equipment or systems.
In fact, all eight dismissals were for “misuse of computer equipment.”
Absolute Software CEO, Christy Wyatt, said tackling insider abuses should be a top priority for the public sector, especially organizations handling highly sensitive financial data on millions of citizens.
“This kind of activity often involves individuals abusing access to personal information and in some cases sharing it, leading to a potential data breach,” she added.
“Organizations like HMRC need to adopt an enterprise resilience mindset not only around potential bad employee behavior, but fortifying their overall security posture and risk management profile.”
The HMRC has been called out before for poor data protection practices. In May, privacy regulator the ICO handed it an enforcement notice after it broke the law over collection of biometric data from taxpayers.
Some 20% of cybersecurity incidents and 15% of the data breaches investigated by Verizon this year were linked to insiders, according to its Data Breach Investigations Report (DBIR).
Hundreds of servers used to support child pornography, cybercrime, and the sale of illegal drugs have been seized in a police raid on a former NATO bunker in Germany.
German authorities arrested thirteen people between the ages of 20 and 59 on Friday after busting up a dark web hosting operation being run from a heavily fortified five-floor military bunker in the peaceful riverside town of Traben-Trarbach.
After breaking through an iron door to gain access to the temperature-controlled bunker, 600 police searched the 1.3-acre premises and found around 200 servers stored in stacks together with disks, mobile phones, documents, and a large sum of cash.
A 59-year-old Dutchman, who purchased the bunker in 2013, is thought to be the owner and operator of the business, which offered secured "bulletproof" website hosting to illegal businesses and concealed their activities from authorities. Sites linked to the bunker include illegal online drug stores Cannabis Road, Orange Chemicals, and Wall Street Market, formerly the second-largest global marketplace for drugs, where users could also buy hacking tools and financial-theft ware.
Suspects arrested in connection with the raid are thought to have links to organized crime and are likely to be named as accessories to over 250,000 offenses involving money counterfeiting, drugs, data mining, forged documents, and the distribution of child pornography.
Seven of the people arrested are being held in custody, with two thought to hold previous convictions for running a similar business out of a former military bunker in the Netherlands, which was sold as CyberBunker.
Regional criminal police chief Johannes Kunz said, "I think it’s a huge success . . . that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."
Since the operation of the bunker hosting service isn't illegal per se, German authorities must prove the suspects arrested were aware of the illegal behavior of the hosted businesses to secure a conviction. Evaluating the stored data to determine this could take anywhere from months to years.
Commenting on the raid, Vectra's head of security, Chris Morales, said: "We need to see more collaboration like this which involves the coordination between digital forensics and investigation and physical police enforcement. I applaud all of the German law enforcement agencies involved on a job well done."
Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².
Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history is in deciding its value ahead of a potential purchase.
Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light.
Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.
"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.
Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.
The report is a reality check for companies who think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.
"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.
"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."
Pennsylvania could follow Texas to become the second US state to make cyber-flashing illegal.
Philadelphia County state representative Mary Isaacson told Infosecurity Magazine that she plans to introduce a bill to ban the unsolicited electronic transmission of sexually explicit and obscene images in the Keystone State at the end of October.
Isaacson sent a memorandum to all 203 members of the Pennsylvania House of Representatives on September 20, calling for them to co-sponsor her proposed legislation.
"Despite the success of the #MeToo movement, sexual harassment remains a serious problem in our society, particularly due to online forms of sexual harassment. 20% of women and 10% of men ages 18 to 29 report having been sexually harassed online," wrote Isaacson in the memorandum, before calling on members to "please join me in combatting online sexual harassment and ensuring the dignity of all Pennsylvanians."
Speaking to Infosecurity Magazine, Isaacson said that although she hadn't personally received any unsolicited sexually explicit images, she had heard stories from her children about cyber-flashing experienced by their peers.
"I represent a lot of millennials, and I am a parent of two teens. I worry for my son and my daughter," said Isaacson. "With Air Dropping technology, if a group of teens are at a concert, someone there can send them obscene images that the teens will see whether they have given permission or not. Their privacy is being invaded when they are just trying to have a good time."
Asked what she thought drove people to become cyber-flashers, Isaacson said: "I think that it's their psychology, that they do it to bully and intimidate people and invade their privacy. It's a very serious societal problem that affects everyone, men as well as women."
Isaacson's proposed legislation follows the passage of House Bill 2789 into law in Texas on August 31 this year. Under the new law, the electronic transmission of sexually explicit material without the recipient's consent became a Class C misdemeanor, punishable by a fine of up to $500.
Describing how her bill will differ from what was passed in the Lone Star State, Isaacson said: "Right now, it's modeled after what was done in Texas, but it could possibly change."
Isaacson, who was on the road when speaking to Infosecurity Magazine, was unable to state exactly how many members had answered her co-sponsorship call. However, the state representative was able to confirm that her proposed legislation has secured bipartisan support.
Security software and services company BlackBerry Limited has announced the launch of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space.
The Labs will be led by CTO Charles Eagan and will include a team of over 120 software developers, architects, researchers, product leads and security experts working to identify, explore and create new technologies to ensure BlackBerry is on the cutting edge of security innovation.
The company stated that initial projects from BlackBerry Labs will focus on machine learning approaches to security in partnership with BlackBerry’s existing Cylance, Enterprise and QNX business units.
“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Charles Eagan, BlackBerry CTO. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; artificial intelligence to zero trust environments.”
A new law has passed the US Senate which will demand the federal government ramp up its support for organizations hit by ransomware.
The DHS Cyber Hunt and Incident Response Teams Act would require the Department of Homeland Security (DHS) to build dedicated teams tasked with providing advice to organizations on how best to protect their systems from attack, as well as other technical support, including incident response assistance.
Although the new capabilities would be available to all public and private organizations on request — including businesses, police departments, hospitals, and banks — Senate minority leader Chuck Schumer focused on protection for New York state schools in his comments on the legislation.
“The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments,” he said in a statement.
“It’s critical that we use all available resources to protect New York students from cyber crooks, and enhance and increase our resiliency to these attacks. I’m proud of the role I played in pushing this sorely-needed legislation through the senate and won’t stop working until it’s signed into law.”
One security vendor calculated last week that ransomware attacks have disrupted operations at 49 US school districts and educational institutions in the first nine months of the year, potentially affecting up to 500 K-12 schools, compared with just 11 last year.
This makes the sector the second most popular for ransomware attackers after local municipalities.
These have been battered by attacks over the past few months, with one campaign in Texas hitting 23 local government entities simultaneously.
A similar piece of legislation to the DHS Cyber Hunt and Incident Response Teams Act has already passed in the House of Representatives, so the two will now begin the reconciliation process.
Airbus has been forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year, according to reports.
The commercial and military aircraft-maker revealed in January that it suffered a cyber-attack resulting in unauthorized access to data, but this campaign is thought to be much bigger in scope.
Hackers have targeted UK engine-maker Rolls-Royce and French tech supplier Expleo, as well as two other French Airbus suppliers, although none of the organizations confirmed the news to AFP.
Unnamed “security sources” told the newswire that the “sophisticated” attack on the companies focused on compromising the VPNs connecting them with Airbus networks.
The sources claimed that the hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems.
These are areas Chinese aircraft manufacturers are thought to be relatively weak in, while state-backed Comac is said to be struggling to gain certification for its C919 commercial airliner.
The notorious APT10 and the Jiangsu outpost of the Ministry of State Security, known as JSSD, have both been pegged as possible perpetrators.
“Our national security is at risk and it's well past time to address this challenge with leadership and resources,” argued Jake Olcott, VP of government affairs at BitSight. “The entire defense supply chain has been under attack for years, and it's not just the small companies that are vulnerable. Defense agencies must gain visibility immediately. We can't afford to wait.”
Ilia Kolochenko, CEO of web security firm ImmuniWeb, added that third party risk management is still at an early stage in many organizations.
“The situation is largely exacerbated by different national and regional standards and best practices, often incompatible or contrariwise overlapping,” he argued.
“Globally recognized standards, such as ISO 27001, 27701 and 9001, can definitely ensure a baseline of security, privacy and quality assurance amid suppliers. One should, however, bear in mind that they are no silver bullet and some additional monitoring of suppliers handling critical business data is a requisite.”
Microsoft and others have launched a new non-profit which aims to reduce the “frequency, impact and scale” of cyber-attacks on citizens and critical infrastructure (CNI).
The Hewlett Foundation and Mastercard, alongside other unnamed “leading organizations,” have joined Microsoft as initial funders of the CyberPeace Institute.
Its three core functions are to help and defend civilian victims of cyber-attacks, including by mobilizing a new CyberVolunteer Network; to analyze and investigate attacks in order to raise understanding and drive global accountability; and to promote cybersecurity norms of responsible behavior by nation states.
“The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like health care, banking and electricity,” argued Microsoft corporate vice president, Tom Burt.
“For years, non-governmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.”
The Geneva-based organization will be headed up by president Marietje Schaake, a former member of the European Parliament and international policy director at Stanford University’s Cyber Policy Center, and CEO Stéphane Duguin, head of the European Internet Referral Unit at Europol.
The institute joins other recent initiatives designed to tackle the global challenge of cybercrime and incidents impacting CNI, including the Cybersecurity Tech Accord, which has signed up more than 100 companies, and the Paris Peace Call for Trust & Security in Cyberspace, which now has signatories from 67 countries, 139 international and civil society organizations, and 358 private organizations.
Lawyer, law professor, and civil rights advocate Danielle Keats Citron has been awarded a MacArthur grant for her efforts to address the scourge of cyber-harassment.
Citron, a professor at Boston University Law School, is one of 26 individuals this year to receive a so-called genius grant from the John D. and Catherine T. MacArthur Foundation. Citron was awarded $625,000 to support her ongoing mission to study and write about online abuse and invasions of sexual privacy, the harm that they inflict, and how law and society should respond to them.
Through her work, Citron has found that cyber-harassment can have a devastating and long-lasting effect on victims, making it difficult for them to go about their daily lives.
"Cyber-harassment is the targeting of specific individuals with a course of conduct that causes severe emotional distress and often the fear of physical harm, and it impacts them in a way that takes away what we consider crucial ability to make the most out of their lives in the 21st century; to get employment, keep a job, engage with other people, and go to school free from the fear of online abuse," said Citron.
She continued: "We wouldn’t accept people walking down the street and being screeched at and threatened and humiliated and hurt, and we shouldn’t find it an acceptable part of online life."
Citron has been studying and writing about online abuse for 15 years. During that period, she has worked with tech companies to update safety and privacy policies. She has also advised US legislators and state attorneys general on how to combat the most extreme forms of cyber-abuse, including cyber-stalking and revenge porn—the posting of intimate photos or videos without consent.
The situation is improving, with the number of states to pass cyber-stalking laws rising from 4 in 2009 to 46 today.
Currently, Citron is focused on studying and writing about deep fake technology, which is machine learning technology that lets you manipulate or fabricate audio and video to show people doing and saying things that they’ve never done or said.
She said: "The technology is advancing so rapidly that soon—within months—technologists expect that the state of the art will become so sophisticated that it will become impossible to distinguish fakery from what’s real. The impact that it has is not just on individuals; it has an impact on the truth and more broadly on our trust in democratic institutions."
A new piece of spyware, designed to steal sensitive information from users of the messaging app Telegram, is for sale on the black market.
Trojan-delivered Masad Stealer and Clipper was clocked by researchers at Juniper Threat Labs. The spyware uses Telegram as a command and control (CnC) channel to cloak itself in a veil of anonymity.
After installing itself on the computer of a Telegram user, Masad Stealer busies itself collecting information stored on the system, such as browser passwords, browser autofill field data, and desktop files. The spyware also automatically replaces cryptocurrency wallet addresses it finds in the clipboard with the attacker’s own, diverting any payment the victim then pastes.
Other information exposed by an attack carried out with Masad Stealer includes browser-stored credit card data, FileZilla files, Steam files, browser cookies, PC and system information, and lists of installed software and running processes.
Masad Stealer is being advertised for sale in several hack forums, making it an active and ongoing threat. Buyers can pick up a variety of versions, ranging from a free one to a premium package costing $85, with each tier of the malware offering different features.
Researchers at Juniper said: "Masad Stealer sends all of the information it collects—and receives commands from—a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers."
Masad Stealer is written in AutoIt script and then compiled into a Windows executable. Most of the samples discovered by Juniper were 1.5 MiB in size; however, the spyware has also been seen in larger executables and has been spotted bundled into other software.
Telegram, which celebrated its sixth birthday in August, has over 200 million monthly active users. While its bot API is being abused as a command and control channel, the company remains fully confident in its ability to protect the privacy of messages sent by its users.
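A defender-side illustration of the clipper behaviour described above, added here and not part of Juniper's research or the original article: it classifies clipboard contents by wallet-address family and flags a copied address being replaced by a different address of the same family within a short window, which is the trace a clipper leaves and a user almost never produces. The clipboard snapshots, the address strings (valid in shape only) and the polling window are constructed for the example; wiring it to a live clipboard poller is left to the reader.

```python
import re
from typing import Dict, List, Optional, Tuple

# Address families a clipper typically targets. The regexes are shape checks
# only (no checksum validation): Bitcoin Base58, Bitcoin Bech32 and Ethereum.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], window_s: float = 2.0) -> List[dict]:
    """Given (timestamp, clipboard text) samples in time order, report every
    change where one wallet address is replaced by a different address of the
    same family within window_s seconds: the mark of a clipper overwriting a
    victim's copy, since a person rarely copies two addresses that quickly."""
    events: List[dict] = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            old_fam, new_fam = classify_address(prev_text), classify_address(text)
            if old_fam is not None and old_fam == new_fam and t - prev_t <= window_s:
                events.append({"time": t, "family": old_fam,
                               "original": prev_text.strip(), "replacement": text.strip()})
        prev_t, prev_text = t, text
    return events


# Constructed clipboard timeline (hypothetical addresses, valid in shape only).
VICTIM_BTC = "1CoNSTRUCTeDTeSTADDRAAAAAAAAAAAA"
SWAPPED_BTC = "1ATTACKeRSWAPTeSTADDRBBBBBBBBBBBB"
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (10.0, VICTIM_BTC),          # victim copies the payee's address
    (10.3, SWAPPED_BTC),         # 300 ms later the clipboard holds a different address
    (40.0, "0x" + "ab" * 20),    # user copies an Ethereum address
    (95.0, "0x" + "cd" * 20),    # a different one 55 s later: benign, not flagged
]
```

Running `detect_swaps(SAMPLE_SNAPSHOTS)` reports only the Bitcoin swap at t=10.3; the two Ethereum copies are 55 s apart and stay silent.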
The app claims on its website to be "more secure than mass market messengers like WhatsApp and Line" and offers anyone who can decipher a Telegram message up to $300,000 in prize money.
New York is suing Dunkin' for allegedly failing to inform its customers of multiple cyber-attacks that compromised customer accounts.
According to the lawsuit, filed in state Supreme Court in Manhattan, money was stolen by cyber-criminals, who hacked into the online accounts of 20,000 Dunkin' customers in 2015. New York further alleges that Dunkin' didn't disclose to its customers full details of a cyber-attack that affected 300,000 customer accounts in 2018.
The lawsuit states: "In 2015, Dunkin’s customer accounts were targeted in a series of online attacks. During this period, attackers made millions of automated attempts to access customer accounts. Tens of thousands of customer accounts were compromised. Tens of thousands of dollars on customers’ stored value cards were stolen."
During the summer of 2015, Dunkin's app developer repeatedly alerted Dunkin' to ongoing attempts by hackers to log in to customer accounts and provided the company with a list of 19,715 accounts that had been compromised over just a sample five-day period, but the donut-seller failed to tell customers, according to the lawsuit.
Dunkin’ chief communications officer Karen Raskopf told Infosecurity Magazine that there was no credence to the claims being made in the lawsuit.
In an emailed statement to Infosecurity Magazine, Raskopf said: "There is absolutely no basis for these claims by the New York Attorney General’s Office. For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.
"The investigation centered on a credential stuffing incident that occurred in 2015, in which third parties unsuccessfully tried to access approximately 20,000 Dunkin’ app accounts. The database in question did not contain any customer payment card information.
"The incident was brought to our attention by our then-firewall vendor, and we immediately conducted a thorough investigation. This investigation showed that no customer’s account was wrongfully accessed, and, therefore, there was no reason to notify our customers."
Dunkin' Brands, Inc. has 8,000 Dunkin' restaurants across America, a thousand of which are in New York.
"We take the security of our customers’ data seriously and have robust data protection safeguards in place. We look forward to proving our case in court," said Raskopf.
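As an added example (not Dunkin's, its app developer's or the Attorney General's code), the kind of detection that would surface the 2015 activity the lawsuit describes: a source that cycles through many distinct usernames with a low success rate inside a short window is credential stuffing, and the accounts that still logged in from such a source are the ones to force-reset and notify. The log format, the IPs (documentation ranges), the usernames and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed line format (hypothetical, not a real vendor's log):
# "<epoch_seconds> <source_ip> <username> <ok|fail>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (ok|fail)$")


def parse(lines: Iterable[str]) -> List[Tuple[int, str, str, bool]]:
    """Parse well-formed lines into (ts, ip, user, success), oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4) == "ok"))
    return sorted(events)


def find_stuffing(lines: Iterable[str], window_s: int = 60, min_users: int = 10,
                  max_success_ratio: float = 0.2) -> Tuple[Set[str], Set[str]]:
    """Flag a source IP once it has tried at least min_users distinct usernames
    within a sliding window of window_s seconds with a success ratio at or
    below max_success_ratio. Return (flagged_ips, suspected_accounts), where
    suspected_accounts are the logins that succeeded from a flagged source."""
    recent: Dict[str, Deque[Tuple[int, str, bool]]] = defaultdict(deque)
    flagged: Set[str] = set()
    suspected: Set[str] = set()
    for ts, ip, user, ok in parse(lines):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window_s:      # drop attempts that fell out of the window
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(distinct_users) >= min_users and successes / len(q) <= max_success_ratio:
            flagged.add(ip)
        if ip in flagged:                     # every success in a flagged source's window
            suspected.update(u for _, u, s in q if s)
    return flagged, suspected


# Constructed sample: one source sprays 12 different usernames in 12 seconds and
# gets one hit; a legitimate user mistypes a password twice, then logs in.
SAMPLE_LOG = [f"{1000 + i} 203.0.113.5 user{i:02d} fail" for i in range(12)]
SAMPLE_LOG[7] = "1007 203.0.113.5 alice ok"
SAMPLE_LOG += ["1003 198.51.100.7 bob fail", "1010 198.51.100.7 bob fail",
               "1020 198.51.100.7 bob ok"]
```

`find_stuffing(SAMPLE_LOG)` returns the spraying source and `alice` as the account to reset; `bob`'s two typos from a single-user source never trip the threshold.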
Global consumers overwhelmingly reject government arguments that encryption backdoors will make them safer from terrorists, according to new research from Venafi.
The security vendor polled over 4,100 consumers in the US, UK, France and Germany to better understand their attitudes to government and social media when it comes to data protection.
Law enforcers and governments on both sides of the Atlantic have consistently argued that encrypted services and devices provide a safe space for terrorists and criminals to operate.
In July, US Attorney General William Barr added his voice to the calls for government-mandated backdoor access to such data in specific circumstances, saying it “can and must be done.”
However, 64% of respondents told Venafi that they don’t believe government access to private data would make society any safer from terrorists. In fact, just 30% said they thought governments can be trusted to protect their personal data, falling to 24% in the US and climbing slightly (to 40%) in the UK.
“Many politicians and law enforcement officials wish to use surveillance tools and backdoors that most consumers associate with authoritarian regimes, not democracies,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.
“If we can’t trust governments to protect sensitive personal data, it’s difficult to imagine how they will be able to regulate the private sector effectively.”
The poll’s respondents are joined by IT security professionals and cryptography experts in their views on mandated backdoors.
Nearly three-quarters (73%) of IT security pros told Venafi in March that laws effectively forcing tech companies to insert backdoors in their products would make their nation less secure.
As if that weren’t enough, a group of world-leading cryptography experts last year backed senator Ron Wyden’s demands that the FBI explain the technical basis for its claim that backdoors can be engineered without impacting user security. The Bureau has so far chosen not to respond.
The Venafi poll also revealed that, perhaps unsurprisingly, just 22% of consumers believe social media companies can be trusted to protect their personal and private data.