Cyber Risk News

Icann Files Suit in Germany in Bid to Clarify GDPR

Info Security - Thu, 05/31/2018 - 09:54

Internet oversight body Icann has filed a one-sided lawsuit in Germany in a bid to clarify its GDPR obligations, after clashes with European regulators.

Icann is taking action after EPAG, part of the Tucows group, decided to no longer collect “administrative and technical contact information” for the Whois database as it believes it would conflict with the new privacy legislation.

However, failing to do so breaks the terms of Icann’s recently created Temporary Specification.

Although the oversight body believes the new rules comply with the GDPR, Tucows disagrees, claiming it breaks the principle of data minimization if it means the registry is required “to store and process personal data belonging to people with whom we have no legal or contractual relationship.”

There are also issues with Icann’s requirement that registrars send all data collected to the relevant registry as it contravenes the principle of data use only when a legitimate legal basis applies, Tucows said.

“Icann has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field,” Tucows added. “We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.”

For Icann and the US government, this is a serious matter as they believe Whois data is a critical resource for law enforcers and IP rights holders and one which should be kept intact.

That sets Washington yet again on a collision course with Brussels.

Icann’s one-sided filing should also help to stay any further GDPR-related legal action against the body until a decision is made.

Andy Kays, CTO of Redscan, argued that Whois can be an invaluable resource in helping to track down phishers and spammers.

“An accreditation scheme, that would vet access to personal data in Whois records for special interest groups such as the police, security researchers and journalists, would certainly be very welcome and help to address concerns,” he added. “Planning to implement such a vetting system should have started years ago but by only recently attempting to outline its proposals, Icann shows that it has been too slow to react to the global impact of the GDPR.”


US Court Upholds Kaspersky Lab Government Ban

Info Security - Thu, 05/31/2018 - 08:44

Kaspersky Lab has failed in its bid to have a ban on the sale of its products to government agencies overturned.

A US district court upheld the ban, despite the Moscow-based AV firm filing two lawsuits against the relevant documentation: the September 2017 Binding Operational Directive (BOD 17-01) and the Congressional National Defense Authorization Act (NDAA).

Kaspersky Lab’s founder Eugene Kaspersky had argued that the rulings violate the Fifth Amendment by interfering with due process.

However, Judge Kollar-Kotelly dismissed both arguments, ruling that the NDAA “eliminates a perceived risk to the nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.”

As the NDAA is taking effect later this year, the BOD wouldn’t cause any further impact to Kaspersky Lab because government agencies would already be warned off buying its products, she added.

In a statement, the AV firm said it was “disappointed” with the ruling and will be appealing the verdict.

“Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding,” it added.

“Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the US government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats.”

Kaspersky Lab launched a Global Transparency Initiative last year in a bid to reassure Western governments of its integrity in the face of claims it allowed Russian intelligence to use its products to spy on targets.

The firm is opening a Swiss datacenter as part of this effort to handle all data for customers in key markets like Europe, North America and Australia.


European Data Protection Board backs ban on 'cookie walls' - Thu, 05/31/2018 - 08:06
Website and mobile app operators should be barred from requiring consumers to agree to the collection and use of their personal data in return for gaining access to their services, a new data protection watchdog has said.

UK drone laws set with safety in mind - Wed, 05/30/2018 - 16:01
Drone operators will face height and geographical restrictions on where they can fly their machines from later this summer under new UK laws.

EU Agencies Join to Tackle Dark Web Crime

Info Security - Wed, 05/30/2018 - 15:56

In an effort to strengthen their ability to fight cybercrime on the dark web, multiple law enforcement agencies have come together to establish a Dark Web Team. Europol announced yesterday that it will work with EU partners and global law enforcement agencies to reduce the size of the underground crime economy.

In a 29 May event that marked the official launch of the new Europol Dark Web Team, stakeholders from the European Commission, Interpol, and Eurojust joined with law enforcement agents from 28 countries in The Hague, the Netherlands, and expressed their enthusiasm over the expanded efforts to take down cybercriminals on the dark web.

Through its European Cybercrime Centre (EC3), Europol has been actively monitoring the dark web for several years. Investigations in the underground marketplaces have yielded an array of tools, tactics and techniques used by cybercriminals.

As a result, Europol, in partnership with other law enforcement agencies, has successfully shut down AlphaBay and Hansa, "two of the largest marketplaces responsible for the trading of over 350 000 illicit goods like drugs, firearms and cybercrime tools, such as malware," according to a Europol press release.

The reported success of the crime-fighting partnerships has led to a reduced number of illicit transactions, with Europol reporting that some dark web traders have closed down their platforms for fear of getting caught. 

The dedicated Dark Web Team will share information through a coordinated approach, allowing the different agencies to provide operational support and varying degrees of expertise in the wide range of cybercrimes that they are fighting.  

Chief commissioner Ivaylo Spiridonov, director of the Bulgarian general directorate combatting organised crime, delivered the opening remarks on behalf of the current Presidency of the Council of the EU and highlighted that “today’s expert assembly will further enhance the law enforcement’s ability to find sustainable solutions and a common coordinated approach to respond to criminality on the dark web.”


Tesla Car Crashes into Police SUV

Info Security - Wed, 05/30/2018 - 15:34

Police are investigating a 29 May crash in which the driver of a Tesla Model S car struck a parked police vehicle in Laguna Beach, California, at 11:07 a.m. local time. The police cruiser, though unoccupied, was damaged when the Tesla’s front end rammed into the rear driver’s side of the patrol car.

The driver of the 2015 Model S car, who suffered minor injuries, told investigators that the car was in autopilot. According to a Tesla spokesperson, “When using Autopilot, drivers are continuously reminded of their responsibility to keep their hands on the wheel and maintain control of the vehicle at all times.”

Tesla told Infosecurity Magazine the company has always been clear that Autopilot doesn’t make the car impervious to all accidents. “Before a driver can use Autopilot, they must accept a dialogue box which states that ‘Autopilot is designed for use on highways that have a center divider and clear lane markings,’” the spokesperson wrote in an email.

Many Twitter users have weighed in on the crash, expressing both defense of Tesla and concern over the expectations of what autopilot is actually capable of. In response to news of the crash, one person tweeted, “IMO, Tesla tech gives a driver an invaluable 2nd set of eyes that make the car way safer than most ... BUT it seems the pattern emerging is drivers believing they purchased a chauffeur ! - driver aid NOT driver replacement.”

In related news, another Tesla owner endured a crash in Seattle, Washington, yesterday. While the company continues crash tests for the Tesla Model 3, electrek reported that the owner of a Model 3 was rear-ended yesterday but said that the car “performed miraculously.”

In his story of the crash published on Tesla Motor Club, the car owner, known as Anatari, wrote that he was traveling along the I-90 tunnel at 65 mph when he was hit from behind by another vehicle. Anatari said he lost control of the car.

The car then spun out of control and hit the freeway divider wall, “all the way on the other side of the freeway 4 lanes across, and then bouncing back all the way back to the other side of the freeway and hitting that wall before coming to a stop.

“Thankfully the model 3 performed miraculously, crumple zones compressed, airbags deployed, no fire after the accident, and no one in my family seems to be seriously injured.”


US-Iran sanctions: what should non-US businesses do now? - Wed, 05/30/2018 - 15:04
ANALYSIS: As we approach 4 August, when US secondary sanctions begin to be reactivated, businesses with connections to Iran should be carefully considering their next steps.

Ruling offers guidance on interpreting the Managed ICT Services Model Agreement - Wed, 05/30/2018 - 14:28
ANALYSIS: A recent ruling by the Court of Session in Edinburgh has provided guidance on how the UK government model IT services contract should be operated and interpreted, as well as for independent experts in preparing their reports.

To Keep Them Safe Online, Teach Them to Phish

Info Security - Wed, 05/30/2018 - 14:00

Security experts in Hamilton, Bermuda, yesterday hosted a live hacking demonstration showing event attendees the ease with which attackers are able to gain access to a corporate network through a phishing email campaign. 

The event, hosted by the (ISC)2 Bermuda Chartering Chapter, revealed the tricks that hackers use to get email recipients to click on malicious links and share their personal information. Dionach senior technical consultant Mark Phillips and business development manager Mathew Sofiyani simulated the phishing attacks.

According to the Royal Gazette, the demonstration warned that "having gained control of a compromised computer, an attacker is in a position to monitor everything that goes on, operate inbuilt microphones, webcams, and record key strokes to capture username and password details. If it is a company workstation that is compromised that could lead to serious and costly damage to an internal network, and the loss of valuable corporate data."

These events are an effort to raise awareness and share technical expertise, with good reason. Symantec's 2018 Internet Security Threat Report found that "spearphishing is the number one infection vector, employed by 71 percent of organized groups in 2017."

A classic example is the tech support scam, and since the GDPR has prompted many organizations to make customers aware of changes to their privacy policies, attackers have leveraged that communication as another avenue for scams.

Penetration testers and ethical hackers are increasing their efforts to help organizations educate their employees on not only the inherent dangers of phishing campaigns but also how to spot a malicious email.

On 29 May, The Wall Street Journal broke down the anatomy of a phishing attack as explained by Shawn Moyer, a founding partner at Atredis Partners.

Attackers look for a way into the company and use social engineering tactics to hack the trust of unsuspecting users. Then comes the attack. Yet there are several ways to avoid falling victim to an attack.

Phillips showed yesterday's event attendees that hovering over links reveals the actual URL destination and pointed out the distinctions between "http" and "https". 

End users were also advised to read carefully in order to spot spelling errors. While phishing is far more problematic, brazen attackers also use "vishing" and engage with their targets over the phone. The goal is always to get the victim to reveal personal information, which Phillips said is very easy for attackers to do.
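The two checks Phillips demonstrated by hand, reading the real destination behind a link and noting whether it uses "https", can be automated for a whole message. The following is an added example written for this page, not code from Dionach or the event: it parses an HTML email body with the standard library, compares the domain a link displays with the domain it actually points to, and flags plain-http links and raw IP addresses. The sample message, its domains and the `inspect_link` / `inspect_email` names are constructed for illustration.

```python
"""Inspect the links in an HTML email body: compare the text a link shows
with the URL it really points to, and note the scheme and host type.

Constructed example for this page, not code from the event or from Dionach.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link and two that a reader should question.
SAMPLE_EMAIL = """
<p>Your order is ready. <a href="https://www.example.com/orders">View order</a></p>
<p>Claim your voucher at <a href="http://login.example.net/claim">https://www.example.com/voucher</a></p>
<p>Update details: <a href="https://203.0.113.5/account">example.com</a></p>
"""

# Displayed text that looks like a URL or bare domain; group 1 is the host shown to the reader.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; crude, but enough to spot a swapped domain."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def inspect_link(href, text):
    """Return the reasons to distrust one link; an empty list means none were found."""
    findings = []
    target = urlparse(href)
    if target.scheme != "https":
        findings.append("not https")
    if IPV4.fullmatch(target.hostname or ""):
        findings.append("raw IP address")
    shown = URL_LIKE.match(text)
    # The reader sees one domain in the link text while the href goes somewhere else.
    if shown and registrable_domain(shown.group(1)) != registrable_domain(target.hostname or ""):
        findings.append(f"shows {shown.group(1)} but points to {target.hostname}")
    return findings


def inspect_email(html):
    """Map every href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: inspect_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "nothing suspicious")
```

The domain comparison deliberately uses only the last two labels, so `www.example.com` and `example.com` are treated as the same site while `example.net` is not; a production filter would use a public-suffix list instead.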


New broadband speed advert standards in force in the UK - Wed, 05/30/2018 - 13:58
Broadband providers in the UK are now subject to stricter rules over the claims they can make about the speed of their services.

Spear-Phisher Gets Five Years for Helping FSB Yahoo Hackers

Info Security - Wed, 05/30/2018 - 10:23

A Canadian man has been handed a five-year prison sentence for his part in a Russian government conspiracy which resulted in the compromise of 500 million Yahoo accounts.

Kazakhstan-born Karim Baratov, 23, pleaded guilty in November 2017 to spear-phishing at least 80 webmail accounts belonging to “individuals of interest” for the Russian intelligence service the FSB. He’s then said to have sent the account passwords to a co-conspirator in exchange for money.

Baratov is also said to have hacked more than 11,000 webmail accounts in total from around 2010 until his March 2017 arrest in Canada.

Although he wasn’t directly responsible for the Yahoo breach, his co-conspirators in the FSB and fellow “hacker-for-hire” Alexsey Belan were, according to the Department of Justice. Baratov’s job was in fact to hack user accounts for non-Yahoo providers such as Gmail.

The persons of interest Baratov helped the FSB to monitor included Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies, the DoJ said in a detailed description of the case back in March 2017.

“It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts,” said FBI special agent in charge John Bennett.

“Today's sentencing demonstrates the FBI's unwavering commitment to disrupt and prosecute malicious cyber actors despite their attempts to conceal their identities and hide from justice.”

The judge also ordered Baratov to pay a fine of $250,000, apparently claiming the large sum would make up for the relatively lenient sentence, which prosecutors wanted doubled.

The compromise of 500 million user accounts at Yahoo is not thought to be linked to the other breaches affecting billions of customers.


US Government Warns of North Korean APT Malware

Info Security - Wed, 05/30/2018 - 09:24

The US-CERT has released a new technical alert warning of two pieces of malware it says are being used by the North Korean government.

The joint alert comes from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and refers to the prolific APT group known as Hidden Cobra.

The two pieces of malware it’s using are: remote access trojan (RAT) Joanap and SMB worm Brambul.

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States — including the media, aerospace, financial, and critical infrastructure sectors,” US-CERT claimed.

The US government has found Joanap on 87 compromised network nodes in 17 countries including China, Spain, Sweden, India, Brazil and Iran.

“Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by Hidden Cobra actors remotely from a command and control server,” the alert continued. “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.”

Joanap operates covertly, moving laterally inside an infected network to any connected nodes, said US-CERT.

“Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network,” it added. “Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”

The US-CERT urged organizations to mitigate the risk posed by these attacks by: keeping systems up-to-date with patches and the latest AV, applying least privilege policy to permissions, scanning and blocking suspicious email attachments, disabling Microsoft’s File and Printer Sharing service and configuring personal workstation firewalls to deny unsolicited connection requests.
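A worm that works through a list of hard-coded credentials over SMB leaves a recognisable trail in Windows Security logs: bursts of failed network logons (Event ID 4625, logon type 3) from a single source against many different account names. The script below is an added example for this page, not part of the US-CERT alert: it runs a sliding-window count over a small set of constructed, space-separated event records and reports sources that exceed both a failure threshold and a distinct-account threshold. The record layout, the thresholds and the function names are assumptions made for the example; the event IDs and logon type are the standard Windows values.

```python
"""Flag the SMB credential-list pattern in exported Windows Security events:
many failed network logons (4625, logon type 3) from one source against
many accounts in a short window.

Constructed example for this page; the records and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: ISO time, event id, logon type, target account, source address.
SAMPLE_EVENTS = """\
2018-05-30T09:00:01 4625 3 administrator 10.0.0.25
2018-05-30T09:00:03 4625 3 admin 10.0.0.25
2018-05-30T09:00:05 4625 3 guest 10.0.0.25
2018-05-30T09:00:07 4625 3 backup 10.0.0.25
2018-05-30T09:00:09 4625 3 test 10.0.0.25
2018-05-30T09:00:11 4625 3 administrator 10.0.0.25
2018-05-30T09:00:13 4625 3 admin 10.0.0.25
2018-05-30T09:02:40 4625 3 jsmith 10.0.0.8
2018-05-30T09:02:55 4625 3 jsmith 10.0.0.8
2018-05-30T09:03:10 4624 3 jsmith 10.0.0.8
"""

FAILED_LOGON = "4625"        # Windows Security: an account failed to log on
NETWORK_LOGON_TYPE = "3"     # logon type 3 = network, which is what SMB access uses


def parse_events(text):
    """Turn the export into (timestamp, event id, logon type, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, source))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {source: (failures_in_window, sorted distinct accounts)} for every source
    whose failed network logons within one `window` reach both thresholds.
    The thresholds are assumptions; tune them to the environment."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, account, source in events:
        if event_id == FAILED_LOGON and logon_type == NETWORK_LOGON_TYPE:
            failures[source].append((ts, account))

    alerts = {}
    for source, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window` of this attempt.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {account for _, account in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                # Keep the densest window seen for this source.
                if source not in alerts or len(span) > alerts[source][0]:
                    alerts[source] = (len(span), sorted(accounts))
    return alerts


if __name__ == "__main__":
    for source, (count, accounts) in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{source}: {count} failed network logons against {accounts}")
```

The two-threshold rule is what separates a worm from a user mistyping a password: the single user at 10.0.0.8 fails twice against one account and is not reported, while the source cycling through built-in account names is. Detection like this complements, rather than replaces, the mitigations in the alert, in particular disabling File and Printer Sharing where it is not needed and denying unsolicited inbound connections at the workstation firewall.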


Two Canadian Banks Warn Customers of Possible Breach

Info Security - Wed, 05/30/2018 - 08:56

Two Canadian banks confirmed on Monday that they have been contacted by ‘fraudsters’ claiming to have in their possession personal and financial information on tens of thousands of customers.

The Bank of Montreal (BMO) said in a brief statement that the data related to a “limited” number of customers, which some reports put as high as 50,000.

“We believe they originated the attack from outside the country. We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” it added.

The lender is working with the authorities and contacting those who may have been affected, advising customers to keep a close eye on their accounts for any potentially suspicious activity.

Simplii Financial, a subsidiary of the Canadian Imperial Bank of Commerce, was more transparent, revealing that around 40,000 customers may have been affected after it was contacted by fraudsters on Sunday, the same day as BMO.

It’s also investigating the claims and has also reached out to customers, urging them to monitor their accounts and to always use a complex password and PIN on their accounts, although this in itself is indicative that 2FA is not used by the bank as standard for customer authentication.

“We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice president at Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

It’s not clear whether the parties that contacted each bank were fraudsters or the hackers who initially breached the data.

James Lerud, head of the Verodin Behavioral Research Team, argued that if the data breach is genuine then the banks’ detection and prevention measures appear to have failed.

“Hats off to both banks for alerting the public, this was the right thing to do and takes a lot of power away from the hackers, but we shouldn't completely let them off the hook,” he added.

“Banks and other organizations we trust with sensitive information need to let the public know exactly how they are validating and improving defenses over time. Without a program to scientifically validate and improve controls, customers should find it hard to trust these entities with their valuable information.”


No Smiles for Coca-Cola After Data Breach

Info Security - Tue, 05/29/2018 - 14:38

The threat of malicious insiders is one that Coca-Cola knows all too well now that it has had to disclose a breach after a former employee was discovered to have stolen a hard drive. 

According to Cyware, Coca-Cola suffered a data breach in September 2017 in which the personal data of 8,000 employees was compromised after a former employee at one of its subsidiaries stole an external hard drive. Law enforcement officials notified the company and initially requested that Coca-Cola not disclose the incident, as they were still investigating the breach.

The company has now notified affected employees with a letter that explains what happened, what information was involved and what the company is doing in response to the breach.

"Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee. We do not have any information to suggest that the misappropriated information was used to commit identity theft," the notification letter said.  

In an effort to restore confidence, Coca-Cola wrote that it has secured the services of Kroll to provide identity monitoring for one year at no cost, warning those affected by the breach that "it is important that you remain vigilant against possible identity theft by regularly reviewing your account statement and credit report." 

Insider threats remain the top source of security incidents, according to PwC's Global State of Information Security Survey 2018. While outsider threats have decreased, "those attributed to insiders, such as third parties–including suppliers, consultants and contractors–and employees, have stayed about the same or increased."

While Albawaba Business reported that a Kaspersky Lab study found data breaches are costing enterprises more money, Coca-Cola stock prices don't yet reflect financial losses. On 25 May, only days before the breach was announced, FinTelegraph reported, "The Coca-Cola Company has lost -3.91% in value over the last three months, and -7.56% over the last six-month period."

At the end of the 25 May trading session, the stock was worth $42.32. Today, it is trading up from that at $42.66.  


Destroyed Keys Cost WIRED $100,000 in Bitcoin

Info Security - Tue, 05/29/2018 - 13:31

Back in 2013, WIRED began mining for Bitcoin using a mining device sent to it by the now-defunct Butterfly Labs. It successfully mined 13 Bitcoins reportedly worth around $100,000 and apparently threw away the keys in its quest to remain ethical in its reporting on cryptocurrency. Years later, Louise Matsakis, staff writer at WIRED, said the magazine could have locked the coins down to be used at a future date.

Butterfly Labs had shared a 5-gigahash-per-second Bitcoin miner with WIRED so that it could review the miner. Paying customers would have had to invest $274 for the system that WIRED received. At the time, mining did not require the powerful, specialized hardware that it does today.

By essentially winning the Bitcoin lottery a couple of times, WIRED earned itself over 13 coins, which left it confronting a moral dilemma. When former WIRED senior writer Robert McMillan reported on the earnings, he set forth the poignant question of what they should do with the proceeds. After a lengthy conversation, staff members couldn't agree on what to do with the earnings, but, Matsakis said, "what was agreed upon was that the money shouldn't just sit there, because it could influence how the magazine reported on cryptocurrencies."

To settle the matter, WIRED decided to destroy the private keys that unlock the Bitcoin wallet so that the funds could never be spent. "Originally I was going to say that the closest metaphor I have is that we dropped a car key somewhere in the Atlantic, but I think it's closer for me to say we dropped the key somewhere between here and the Alpha Centauri," said Stefan Antonowicz, the then-head of engineering at WIRED who set up the miner.

Recovering lost or stolen Bitcoin is impossible, according to Cryptalker. That's bad news for anyone at WIRED who hoped to maybe someday recover the keys. Shredding the private keys to its 13 Bitcoin is a loss, but one that pales in comparison to the estimated 2.78 million to 3.79 million coins lost in the worldwide abyss.


More Data Leaked from AWS Bucket Misconfigurations

Info Security - Tue, 05/29/2018 - 11:27

Another Amazon S3 bucket misconfiguration breach, this time with AgentRun, has resulted in an insurance start-up exposing data for clients, including Cigna, Transamerica, SafeCo Insurance, Schneider Insurance, Manhattan Life, and Everest Re. Sensitive personal and medical information of thousands of insurance policyholders was exposed, leaving the data without password protection and publicly accessible to anyone while AgentRun was migrating to the bucket during an application upgrade, according to Cyware.

Mike McKee, CEO, ObserveIT, said that companies are moving faster than ever, so it is no surprise that many security breaches occur due to human error. "This is another example of how damaging an insider with good intentions but poor execution or adherence to policy can be to an organization," McKee said.

Many organizations don't understand how to evaluate the security practices of all their downline parties. Fred Kneip, CEO, CyberGRX, said it is critical to know not only who has your data but also where it is and how well they are securing it. "Are they encrypting the data in an S3 bucket? These are critical factors that organizations need to understand about all third parties in their digital ecosystem in order to know which pose the most risk to their data. We’re going to continue to see these types of attacks until the industry takes this issue more seriously and adopts a more collaborative approach to reducing third-party risk.”

Some argue that cloud providers probably need to do more, and Mukul Kumar, CISO and VP of cyber practice at Cavirin, said that they are moving in this direction to protect the cloud assets of organizations that have little or no expertise. Still, Kumar said, "when spinning up an EC2 instance and an S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Sanjay Kalra, co-founder and chief product officer at Lacework, said, "AWS provides amazing services that help any innovative business accelerate the deployment of new applications. That said, properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources. It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

With AWS incidents happening on an almost weekly basis, McKee said that companies can better mitigate risks of human error by identifying high-risk users and third-party vendors with data and system access, ensuring that strict change control sets are in place, continuously monitoring user activity, implementing technology to help detect and respond to risky, out-of-policy actions quickly and implementing ongoing employee education programs.
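The "open bucket" in these incidents is almost always one of two settings: a bucket policy whose `Principal` is `"*"` on an `Allow` statement, or an ACL grant to the `AllUsers` or `AuthenticatedUsers` group. Both can be checked as part of the change control McKee describes, before data is migrated. The script below is an added example for this page, not AgentRun's or AWS's code: it audits a constructed open bucket policy and ACL offline and shows the same read access rewritten so that only a named application role holds it. The bucket name, account id, role name and the audit function names are placeholders; a real audit would obtain the documents through the S3 `GetBucketPolicy` and `GetBucketAcl` calls, and S3 Block Public Access should be enabled regardless.

```python
"""Audit an S3 bucket policy and ACL for public access, offline.

Constructed example for this page; bucket, account and role names are placeholders.
"""
import json

# Constructed: the kind of policy that leaves a whole bucket readable by anyone.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-migration-bucket",
                     "arn:aws:s3:::example-migration-bucket/*"],
    }],
})

# Constructed: the same read access limited to one application role (placeholder account id).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-migration-bucket/*",
    }],
})

# Constructed ACL grants in the shape GetBucketAcl returns: owner plus a public READ grant.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The two predefined groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def principal_is_public(principal):
    """A principal of "*" or {"AWS": "*"} matches every caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements open to everyone and not narrowed by a Condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        stmt.get("Sid", "<no Sid>") for stmt in statements
        if stmt.get("Effect") == "Allow"
        and principal_is_public(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def public_acl_grants(grants):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [
        (grant["Grantee"]["URI"].rsplit("/", 1)[-1], grant["Permission"])
        for grant in grants
        if grant["Grantee"].get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def audit_bucket(policy_json, grants):
    """Combine both checks into one list of human-readable findings."""
    findings = [f"policy statement '{sid}' allows public access"
                for sid in public_policy_statements(policy_json)]
    findings += [f"ACL grants {perm} to {group}"
                 for group, perm in public_acl_grants(grants)]
    return findings


if __name__ == "__main__":
    print("open bucket:  ", audit_bucket(OPEN_POLICY, PUBLIC_ACL_GRANTS))
    print("scoped bucket:", audit_bucket(SCOPED_POLICY, PUBLIC_ACL_GRANTS[:1]))
```

Statements that carry a `Condition` are skipped here because some conditions (a source VPC or IP range) genuinely limit access; a thorough review still reads them, since a condition such as `aws:SecureTransport` restricts the transport, not who can call.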


Apple Device Access Requests Decline

Info Security - Tue, 05/29/2018 - 10:26

Apple received over 29,700 requests from law enforcers to access customer devices in the second half of 2017 and provided data in 79% of cases.

The findings are revealed in the tech giant’s latest Report on Government and Private Party Requests for Customer Information covering July 1 to December 31 last year.

The requests cover just over 309,000 devices, more than double the 151,000 it received over the same time period in 2016, and back then the number of requests was slightly higher (30,184).

Apple claimed that in the US, the high number of devices specified in requests was “predominantly due to device repair fraud investigations, fraudulent purchase investigations, and stolen device investigations.”

In China, it was due to “tax/device export investigations, device repair/warranty fraud investigations, and stolen device investigations.”

Apple added that device-based requests usually seek “details of customers associated with devices or device connections to Apple services.”

The firm famously prides itself on providing access only up to a point where it is technically possible, and will not – for example – accede to requests by law enforcers to unlock encrypted devices by re-engineering products. That has led to a well-publicized stand-off with the FBI in recent years.

The firm isn’t allowed to be as transparent with national security-related requests, although it claimed not to have any orders for bulk data “to date.” It said that during the second half of 2017 it received 16,000-16,249 national security orders affecting 8,000-8,249 accounts.

From the next report, Apple claimed it will reveal the number of apps removed from its app store.

The report comes as a new bill calling for even greater transparency on the part of Silicon Valley firms was approved by a Senate committee last week.

The new National Defense Authorization Act includes provisions which would force US tech firms that do business with the US military to disclose if their products have had source code examined by foreign governments.

A Reuters report last year revealed that HP allowed Russian operatives to scrutinize software used by the Pentagon.


PGP Founder: Don’t Disable Encryption Service

Info Security - Tue, 05/29/2018 - 09:21

The man credited with inventing PGP has teamed up with other key developers to assure users that the popular encryption program is not insecure, despite some reports to the contrary earlier this month.

Some outlets and the Electronic Frontier Foundation (EFF) mis-reported the findings of new research detailing several new ‘vulnerabilities’ in PGP and recommended users disable the service, they said.

The post late last week added the following:

“These statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by eFail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail, Mozilla Thunderbird, and Microsoft Outlook. Many other commonly used software based upon PGP are not affected by the eFail vulnerability in any way, as the researchers themselves point out in their paper.”

The authors of the post – including Phil Zimmermann and the developers of Enigmail, Mailvelope and ProtonMail – recommended users switch to PGP implementations that are not impacted by eFail, or update their PGP software to the latest version.

“Ensure that everyone you communicate with is also using unaffected implementations or has updated their PGP software,” they added. “Be sure to get a verified confirmation from your contacts before sending sensitive information to them.”

The quartet are particularly scathing of the EFF, claiming its advice for users to disable PGP plugins or stop using PGP altogether “is akin to saying, ‘some locks can be broken; therefore we must remove all doors’,” and therefore could put individuals at risk if they rely on PGP for security.

Infosecurity reported at the time that security experts had criticized the EFF’s warnings as “pretty overblown” and that OpenPGP tools would continue to function without any issues.

The other signatories are ProtonMail founder, Andy Yen, Enigmail founder Patrick Brunschwig and Mailvelope founder Thomas Oberndörfer.

Categories: Cyber Risk News

Prolific Phisher ‘Courvoisier’ Gets 10 Years Behind Bars

Info Security - Tue, 05/29/2018 - 08:53
Prolific Phisher ‘Courvoisier’ Gets 10 Years Behind Bars

A British man has been sentenced to a decade behind bars for a range of computer crime and drugs offenses.

Grant West, 26, was behind a string of phishing attacks against customers of big-name brands including Just Eat, Sainsbury’s, Ladbrokes and Argos.

Between July and December 2015 he’s said to have conspired with unknown parties to obtain data on Just Eat customers and use it “to facilitate fraudulent transactions whether directly or indirectly following transmission of the data to others.”

It’s believed he carried out these phishing attacks by spamming users with offers of a £10 gift voucher for answering questions about the service and filling in their personal details.

He was also convicted of conspiracy to defraud by “obtaining, using and supplying …  fullz” – i.e. lucrative packages of complete identity information.

West was also convicted of carrying out “brute force” attacks, presumably to obtain these credentials, using the popular off-the-shelf credential-stuffing tool Sentry MBA to compromise the websites of Sainsbury’s, Nectar, Groupon, Ladbrokes, Coral, Uber, Asda and many more.

He was also convicted of possessing and supplying cannabis and selling “how to” guides to other hackers and fraudsters.

West was caught in dramatic fashion after police finally tracked the IP address of his girlfriend’s laptop and seized the unlocked device as he was travelling from Rhyl to London by train.

“This prosecution was able to prove that Grant West was the prolific cyber hacker known as Courvoisier. West was caught by police conducting attacks on company websites,” said Sarah Jennings, of the Crown Prosecution Service.

“He sold the lists of financial information to make money and even used stolen credit card details to pay for holidays, food and shopping. In the end, West had no alternative but to plead guilty due to the overwhelming evidence.”

West is said to have made over £180,000 by selling his wares on the now-defunct dark web marketplace Alpha Bay.

Categories: Cyber Risk News

Security of HTML5 May Not Live Up to Promise

Info Security - Fri, 05/25/2018 - 16:09
Security of HTML5 May Not Live Up to Promise

HTML5 was once believed to be free of the security risks inherent in plugins like Adobe Flash, but its features can also be abused to deliver malware: The Media Trust reports that it has discovered numerous malware incidents hidden in HTML5 ad creatives.

In a blog posted today, The Media Trust wrote, “The malware, which has produced at least 21 separate incidents affecting dozens of globally recognized digital media publishers and at least 15 ad networks, uses JavaScript commands in order to hide within HTML5 creative and avoid detection. The scale of the infection marks a turning point for HTML5’s presumed security and demonstrates the advances malware developers have made in exploiting the open standards’ basic functionality to launch their attack.”

Introduced as a way to play multimedia content on computers and mobile devices without a plugin, HTML5 has served as a viable and more secure alternative to Flash. In 2015, when Flash was identified as the single greatest source of security risk facing companies and individuals, security was cited as the chief reason for HTML5 adoption.

“In fact, over the past five years, developers, along with publishers and browser providers, have staged a mass exodus from Flash technology into HTML5, which seemed to promise greater security and more advanced web app features,” The Media Trust wrote.

However, the malware team at The Media Trust has discovered that the same features that let HTML5 deliver rich content without external plugins are also being used to cloak malware. The malicious code is split into smaller fragments, which makes it harder for scanners to recognize; only when certain conditions are met at runtime are those fragments pieced back together.

While researchers have discovered HTML5 malware before, these instances are different because they require no victim interaction to execute and target devices that are poorly equipped to detect malware.

“The HTML5 malware was designed to entice victims to enter their information in response to a pop-up ad. This campaign is quickly spreading through the online world, waiting for individuals with the right devices to trigger the collection of personally identifiable information,” The Media Trust wrote. It added that no antivirus solution had been able to stop any of the previous versions of HTML5 malware.
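The traits The Media Trust describes above (a payload split into fragments, reassembled at runtime, and triggered only on the right devices) are the kind of pattern a creative-scanning pipeline can look for before an ad is served. The following is an added example and is not code from The Media Trust, from the campaign it describes, or from any ad network: a small heuristic scanner over the inline scripts of an HTML5 creative. The rules, the verdict thresholds and the two sample creatives are constructed for this illustration and are assumptions about what such a check might look like, not a description of the real malware.

```javascript
// Added example (not The Media Trust's code): a static heuristic scan of the
// inline scripts in an HTML5 ad creative for the traits described above:
// a payload split into fragments, reassembled at runtime, and gated on the
// device. Rules, thresholds and sample creatives are constructed assumptions.

const FRAG = `(?:"[^"]{1,8}"|'[^']{1,8}')`; // one short quoted fragment

const RULES = [
  {
    id: "fragment-reassembly",
    desc: "array of five or more short string fragments",
    re: new RegExp(`\\[\\s*(?:${FRAG}\\s*,\\s*){4,}${FRAG}\\s*\\]`),
  },
  {
    id: "dynamic-eval",
    desc: "string built at runtime passed to a code-executing sink",
    // first argument is concatenated or joined, and is not a function literal
    re: /\b(?:eval|Function|setTimeout|setInterval|execScript)\s*\(\s*(?!function\b)[^)]*?(?:\+|\.join\s*\()/,
  },
  {
    id: "device-gating",
    desc: "execution conditioned on device or user-agent checks",
    re: /navigator\.(?:userAgent|platform|vendor|maxTouchPoints)|\bscreen\.(?:width|height)\b/,
  },
  {
    id: "charcode-decoding",
    desc: "payload decoded from character codes",
    re: /String\.fromCharCode\s*\(/,
  },
];

// Pull inline <script> bodies out of the creative. Scripts loaded via src=
// cannot be inspected here, so their URLs are returned for a separate fetch.
function extractScripts(html) {
  const scripts = [];
  const external = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]);
    if (m[2].trim()) scripts.push(m[2]);
  }
  return { scripts, external };
}

// Returns { verdict, findings, external }. A single trait on its own is common
// in legitimate creatives (minifiers split strings; ads do branch on device),
// so "block" needs a code-executing sink combined with reassembly or gating.
function scanCreative(html) {
  const { scripts, external } = extractScripts(html);
  const findings = [];
  for (const code of scripts) {
    for (const rule of RULES) {
      if (rule.re.test(code) && !findings.some((f) => f.id === rule.id)) {
        findings.push({ id: rule.id, desc: rule.desc });
      }
    }
  }
  const ids = new Set(findings.map((f) => f.id));
  const assembled = ids.has("fragment-reassembly") || ids.has("charcode-decoding");
  let verdict = "allow";
  if (ids.has("dynamic-eval") && (assembled || ids.has("device-gating"))) verdict = "block";
  else if (findings.length > 0) verdict = "review";
  return { verdict, findings, external };
}

// Constructed sample creatives (not real ad-network payloads).
const BENIGN_CREATIVE = `
<div id="ad"><canvas id="c" width="300" height="250"></canvas></div>
<script>
  var c = document.getElementById('c');
  var ctx = c.getContext('2d');
  ctx.fillStyle = '#09f';
  ctx.fillRect(0, 0, 300, 250);
  c.addEventListener('click', function () { window.open('https://example.com/landing'); });
</script>`;

const SUSPICIOUS_CREATIVE = `
<div id="ad"></div>
<script>
  // harmless stand-in for a split payload: reassembles to document.write('<form>')
  var p = ["doc", "ume", "nt.", "wri", "te(", "'<f", "orm", ">')"];
  if (/iPhone|Android/i.test(navigator.userAgent)) {
    setTimeout(p.join(""), 100);
  }
</script>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, html] of [["benign", BENIGN_CREATIVE], ["suspicious", SUSPICIOUS_CREATIVE]]) {
    const r = scanCreative(html);
    console.log(name, r.verdict, r.findings.map((f) => f.id).join(", ") || "-");
  }
}
```

Run with `node` to see the benign creative come back as "allow" and the constructed suspicious one as "block" with the reassembly, eval-sink and device-gating findings. Two caveats apply to any such check: regex heuristics are cheap to evade (the fragments can live in separate scripts or be fetched at runtime, which is why external script URLs are returned rather than ignored), so a static scan is a first filter ahead of executing the creative in an instrumented sandbox on the device profiles the campaign targets; and a single trait should route to human review rather than a block, since minifiers and legitimate responsive creatives produce the same individual signals.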

Categories: Cyber Risk News