Cyber Risk News

Credential Stuffing Costs Firms $4m Each Year

Info Security - Tue, 04/30/2019 - 10:30

Credential stuffing attacks are costing EMEA businesses on average $4m each year, according to new research from Akamai.

The content delivery firm commissioned the Ponemon Institute to interview 544 IT security professionals in the region who are familiar with these attacks on their organization.

It found that companies are experiencing an average of 11 credential stuffing attempts each month, with each attack targeting 1041 user accounts.

Akamai calculated the $4m cost based on the financial impact of these attacks on application downtime ($1.2m), loss of customers ($1.6m), and the extra involvement of IT security ($1.2m) as well as the cost of follow-on fraud.

Complexity appears to be hampering efforts to contain credential stuffing. Surveyed companies had an average of 26.5 operational customer-facing websites for cyber-criminals to target via automated bot attacks.

Even more account takeover opportunities are presented by multiple log-in types across desktops, mobile web browsers, third parties and mobile app users, it claimed.

Only a third (35%) said that they have good visibility into such attacks, while around the same number (36%) claimed they are able to quickly detect and remediate.

An overwhelming number of respondents (88%) agreed it’s difficult to differentiate real employees from imposters.

“Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks — and keeping costs under control,” argued Akamai senior director, Jay Coley.

“Companies need bot management tools to monitor their behaviors and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device.”

Categories: Cyber Risk News

Police Warn Schools About Money Mule Recruiters

Info Security - Tue, 04/30/2019 - 09:26

Scottish police have written to every secondary school in the country warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.

Young people are typically approached online via social media ads or even WhatsApp messages, according to reports.

“People are enticed in with the belief it’s quick, easy money and assured nothing will happen to them. If you do enter into this agreement, you are breaking the law. It is a criminal offence and the effect on your life can be huge,” warned detective inspector Graeme Everest of the Organised Crime and Counter Terrorism Unit (OCCTU).

“The fraudsters involved in orchestrating mule accounts are often from serious organized crime groups and any involvement with them can be dangerous. There are victims affected by fraud across Scotland and this can have a devastating effect on people financially and emotionally. It isn’t a victimless crime and by laundering money gained from these victims, you are playing a part in this.”

Money mules could be handed a sentence of up to 14 years behind bars for laundering funds on behalf of criminal gangs.

Yet the number of young people being recruited into this burgeoning part of the cybercrime underground is increasing.

Anti-fraud non-profit Cifas reported a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018. In the first 10 months of last year alone, 9,636 money mule perpetrators under the age of 21 were identified in the UK by Cifas members.

“Money laundering is an insidious crime which helps criminals prosper from their illegal conduct,” argued Andrew Laing, deputy procurator fiscal for specialist casework.

“Parliament has viewed money laundering as a serious offence and offences of money laundering can attract long custodial sentences. [We have] been working closely with the police, other law enforcement agencies and the banks and we will take robust action against any person involved in money laundering where there is sufficient evidence to do so.”


UK Government Announces Cyber Security Ambassador

Info Security - Tue, 04/30/2019 - 09:00

The UK government has announced the appointment of a new cybersecurity ambassador to promote the nation’s expertise in the sector to potential export markets.

Henry Pearson joins the Department for International Trade (DIT) from previous stints as adviser for GCHQ’s National Cyber Security Centre (NCSC), the Ministry of Defence, and BAE Applied Intelligence’s Detica.

He’ll be tasked with working closely with UK cybersecurity businesses looking to sign overseas deals with governments and central banks. According to the DIT, his work will mainly be focused on the Gulf and south-east Asia.

“The UK’s reputation for cyber expertise is recognized worldwide and my department is committed to ensuring the UK fulfils its global potential, with cyber exports projected to be worth £2.6bn by 2021,” said international trade secretary Liam Fox, in a statement.

“Henry’s appointment will be instrumental in ensuring our world-leading firms are able to compete on the global stage and our cutting-edge technology is the first port of call for overseas governments looking to secure their critical national infrastructure.”

Pearson joins DIT as it faces an uphill task trying to engage meaningfully with foreign markets to soften the imminent blow of leaving the world’s largest trading bloc.

His boss, Liam Fox, has been widely pilloried in the press after promising to have 40 free trade deals ready to sign “immediately” after Britain leaves the EU, scheduled for later this year.

In fact, as of February he had secured just seven of the 69 countries the UK currently has preferential access to as part of the EU, covering only £16bn of a total £117bn in trade.

According to the latest government figures, over 840 firms provide cybersecurity services in the UK, generating £5.7bn in total revenue in 2015/16. Over the previous five years (2012-17) the number of new firms operating in the sector grew over 50%.


Google Bans Chinese Developer from Play Store

Info Security - Mon, 04/29/2019 - 15:04

App developer DO Global, a Chinese developer partly owned by Baidu that generates over a half billion installs, has been banned from Google Play after the store received reports the apps were part of an ad fraud scheme, according to BuzzFeed News.

As of April 26, 46 apps from DO Global had reportedly been removed from the Play store. In addition, the news outlet reported that ad inventory for purchase through Google’s AdMob networks is no longer available in DO Global apps, “suggesting the ban has also been extended to the internet giant's ad products.”

After earlier reports that a cache of apps was part of an ad fraud scheme, Google investigated malicious behavior. “When we find violations, we take action, including the removal of a developer’s ability to monetize their app with AdMob or publish on Play,” a Google spokesperson told BuzzFeed News.

On April 27, DO Global issued the following statement:

In the past week, we have noticed a series of reports about our apps by the media. We fully understand the seriousness of the allegations. As such, we immediately conducted an internal investigation on this matter. We regret to find irregularities in some of our products’ use of AdMob advertisements. Given this, we fully understand and accept Google's decision. Moreover, we have actively cooperated with them by doing a thorough examination of every app involved.

We would like to thank the media, our partners, and the public for their support. Moving forward, we will strictly follow relevant regulations and continue conducting a comprehensive review of our products. Lastly, during this process, we have caused misunderstandings and great concern due to our being unable to communicate in a timely manner and provide complete information. We offer our sincere apologies.

The news comes only weeks after Check Point researchers reported a clicker campaign that was using malware to conduct fraudulent activities against ad agencies in a series of infected applications from Google Play. Infosecurity has reached out to Google for comment, and this story will be updated if we receive a response.


Security Flaws in P2P Leave IoT Devices Vulnerable

Info Security - Mon, 04/29/2019 - 14:15

Malicious actors could exploit critical security vulnerabilities in a peer-to-peer (P2P) communications technology used across millions of internet of things (IoT) devices, according to research first reported by KrebsonSecurity.

Security researcher Paul Marrapese initially reported the vulnerabilities to the device vendor on January 15, 2019, but received no response. Nor did the vendor respond to the second or third advisory notices with intent to disclose. After three months, the critical flaws were publicly disclosed on April 24.

Developed by Shenzhen Yunni Technology Company Inc., Ltd., iLnkP2P is one of several communications technology solutions often used by device manufacturers, according to Marrapese, adding that the vulnerabilities are specific to devices using the iLnkP2P solution.

On April 26, Marrapese published a blog in which he listed the prefixes of devices that are known to be vulnerable. Warning users that hackers could exploit the P2P connection and access IoT devices, including security cameras, without the owner’s knowledge, Marrapese wrote:

Over 2 million vulnerable devices have been identified on the Internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.

Marrapese also tweeted: “Millions of security cameras, baby monitors, and 'smart' doorbells have serious vulnerabilities that allow hackers to spy on their owners.”

Even if devices encrypt traffic, Marrapese said they are likely not free from the risk of being exploited. “Analysis of a wide range of devices has suggested that most devices do not employ encryption at all, or do so in an insecure fashion. Some vendors (notably VStarcam) have gone as far as outright lying about their use of encryption.”


FinServ Sees 60% Spike in Business Email Compromise

Info Security - Mon, 04/29/2019 - 13:38

Financial services organizations are increasingly targeted by attackers using impostor emails attempting to commit fraud, according to the 2019 Email Fraud in Financial Services report published by Proofpoint.

The study analyzed more than 160 billion emails sent from 2017 to 2018. It found that these business email compromise (BEC) attacks grew by an alarming 60% compared with the same period in 2017. All of the attacks reportedly relied heavily on social engineering.

The malicious actors employed domain spoofing to send the nefarious messages. The messages, which appeared to come from trusted domains, most often requested payments under fake identities. In addition, most attackers sent the emails on Mondays between 7 a.m. and 2 p.m. so that they appeared more legitimate to unsuspecting employees.

Of the financial services firms that were targeted, 56% reported that more than five employees were targeted by BEC attacks in the final quarter of 2018. “In other words, the identities of at least five of the companies’ employees were weaponized to target other employees within that organization. About 37% of companies were targeted using two to five spoofed employee identities,” the report said.

BEC attacks on financial services organizations most frequently use payment-related subject lines, but attackers also use shipment-related subject categories in these impostor attacks, the report said.

“While email fraud is not unique to financial services organizations, this industry’s employees hold the keys to one of the most potentially lucrative paydays for cyber-criminals. One wrong click can expose an entire brand and its customers to substantial risk and even bigger losses,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in an email.

“It is critical that organizations prioritize the implementation of solutions that defend against these attack methods, specifically against domain spoofing, display-name spoofing and lookalike domains and [that they] train employees to identify and report socially engineered attacks across email, social media and the web.”


Docker Hub Breach Exposes 190K Users

Info Security - Mon, 04/29/2019 - 10:30

Docker Hub has suffered a major security breach exposing around 190,000 accounts, the firm revealed to its users over the weekend.

According to an email to customers shared online, the world's largest container image library discovered unauthorized access to its platform last Thursday. The database in question is said to have stored a “subset of non-financial user data.”

“During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users),” the notice from director of Docker Support, Kent Lamb, continued.

“Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.”

The firm is now requiring affected users to change their Docker Hub password, along with the password of any other account where the same password was used.

It said users can view security actions on their GitHub or Bitbucket accounts to check for any suspicious activity.

“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place,” Lamb added.

With access to users’ autobuilds, hackers could theoretically add malware to containers, which could then be deployed in live environments.

Microsoft was quick to point out that its images weren’t affected by the incident.

This isn’t the first time Docker Hub has come under scrutiny for its security practices.

Last June, security vendor Kromtech claimed to have found 17 malicious Docker images stored on Docker Hub for an entire year, resulting in over five million downloads which enabled the malware authors to make $90,000 from illegal cryptomining.


Magecart Skimming Code Found on GitHub

Info Security - Mon, 04/29/2019 - 09:30

Security experts are warning e-commerce site webmasters to be prepared for more Magecart attacks after spotting skimming code uploaded to a GitHub page.

The hex-encoded piece of JavaScript code was uploaded on April 20 by user “momo33333,” who had joined the software development platform the same day.

“Most often the skimming code — written in JavaScript and obfuscated — is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted,” explained Malwarebytes head of threat intelligence, Jérôme Segura.

“However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.”

He warned that over 200 e-commerce sites have already been injected with this particular skimming code.

According to Segura, the compromised sites load the script within their source code right after the CDATA script and/or immediately before the tag.

Although the skimmer was quickly taken down after Malwarebytes informed GitHub, compromised Magento sites are still at risk of malicious injection in the future, he warned.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods,” Segura concluded. “Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.”

Back in October, a researcher warned that hackers were exploiting multiple zero-day vulnerabilities in Magento extensions which had not been patched by the vendor.

Multiple groups are using the Magecart code to covertly harvest payment card details from e-commerce sites as they are entered by unwitting consumers.

The latest, number 12, was discovered in January targeting French advertising agency Adverline with a plan to compromise its content delivery network via a digital supply chain attack.


Apple: We Banned Parental Control Apps for Security Reasons

Info Security - Mon, 04/29/2019 - 08:44

Apple has claimed that its controversial decision to pull rival parental control apps from its App Store was taken due to privacy and security concerns.

The tech giant had been accused of abusing its role as the gatekeeper of the iOS app marketplace by excluding third-party titles which help parents monitor and set limits on what their children can access online on their devices.

Last month, Russian AV vendor Kaspersky Lab announced it had filed an antitrust claim against the Cupertino giant in its home country, claiming that Apple’s decision to remove its app coincided with the US firm’s release of its own Screen Time app.

“By setting its own rules for that [App Store] channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” Kaspersky Lab argued.

However, Apple finally released a statement on Sunday explaining its decision, claiming that the offending apps contained mobile device management (MDM) capabilities which could introduce extra security risk.

“MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky — and a clear violation of App Store policies — for a private, consumer-focused app business to install MDM control over a customer’s device,” it argued.

“Beyond the control that the app itself can exert over the user's device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.”

It claimed that several developers updated their software to remove the MDM elements, while those that didn’t had their titles removed from the App Store.

“Parents shouldn’t have to trade their fears of their children’s device usage for risks to privacy and security, and the App Store should not be a platform to force this choice,” Apple continued. “No one, except you, should have unrestricted access to manage your child’s device.”


Pros Feel Aligned with Board, Still Fear a Phish

Info Security - Fri, 04/26/2019 - 18:29

After years of requesting a seat at the table, cybersecurity professionals are starting to feel that they see eye to eye with their stakeholders, according to a new report.

The AT&T cybersecurity report surveyed 733 security experts at the RSA 2019 conference and found that the vast majority of respondents feel mostly or somewhat in sync with their executive boards when it comes to cybersecurity.

However, the report noted, “When splitting the results out by company size, a slightly different picture emerges. While the bell curve remains consistent, we see that larger enterprises appear to have a far better alignment with their stakeholders than small or medium businesses (SMBs).”

In fact, while 26% of large enterprises said they were completely aligned with their stakeholders, only 18% of SMBs stated that they were completely on the same page.

“On the other side of the spectrum 10% of SMBs felt they were not at all in alignment with their stakeholders compared to just under 7% of large enterprises,” the report said.

The results were not entirely unexpected, given that large enterprises typically have a greater pool of resources to establish more robust security governance policies. In addition, SMBs usually have fewer stakeholders, who are unable to devote time to governance because they are more focused on hitting targets, the report said.

When asked about the top threats that concerned them, nearly a third (29%) of respondents cited phishing as their greatest worry. “Phishing comes in different guises for different purposes. Sometimes phishing emails are used to deliver a malicious payload. Other times it’s to social engineer the recipient by gaining their trust or scaring them by posing as an authority to get them to make payments – as we often see in business email compromise (BEC) attacks,” the report said.

“Ultimately, this likely boils down to the fact that for most cyber threats, a technology solution is usually available to ward off attacks, but with phishing, most systems rely heavily on the email recipient being able to detect and respond appropriately.”


Amnesty International Hong Kong Attacked

Info Security - Fri, 04/26/2019 - 17:30

The Hong Kong branch of Amnesty International has reportedly been the target of a sophisticated state-sponsored attack believed to have been carried out by a group of hostile threat actors within the Chinese government.

An April 25 press release from Amnesty International said the cyber-attack was detected on March 15, 2019, after monitoring tools identified suspicious behavior in the IT systems of Amnesty International Hong Kong.

Though the organization is not able to give specific details about the suspected cyber-criminals, the indicators of compromise identified at this stage are consistent with a well-developed adversary, according to the press release. Initial findings of cyber-forensic investigators suggest that the attackers used similar tools and techniques known to be associated with advanced persistent threat (APT) groups within the Chinese government.

“This sophisticated cyber-attack underscores the dangers posed by state-sponsored hacking and the need to be ever-vigilant to the risk of such attacks. We refuse to be intimidated by this outrageous attempt to harvest information and obstruct our human rights work,” said Man-kei Tam, director of Amnesty International Hong Kong, in the press release.

“The privacy and safety of all those we work with remains our priority. We took swift action to secure our systems and have provided guidance to help individuals ensure their personal data is protected. We take the privacy of our supporters’ information extremely seriously. We have contacted all individuals whose details may have been put at risk and urge anyone concerned to get in touch,” Tam said.

Human rights defenders have been the target of multiple attacks across the globe, and Amnesty International revealed that its staff members have been targeted with surveillance attempts in the aftermath of a 2016 law that granted Chinese authorities powers to restrict the work of human rights activists, the press release said.


Data Protection Commission Investigates Facebook

Info Security - Fri, 04/26/2019 - 17:09

After Facebook alerted the Data Protection Commission (DPC) that it had found hundreds of millions of user passwords stored in its internal servers in plain text format, DPC launched an investigation to determine whether the company had acted in compliance with the General Data Protection Regulation (GDPR), according to an April 25 press release.

According to its website, the DPC is the Irish supervising authority for GDPR and is the national independent authority charged with data protection rights of individuals in the EU.

“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers. We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR,” a statement from the DPC said.

Though a Facebook spokesperson told Business Insider, “We are working with the IDPC on their inquiry. There is no evidence that these internally stored passwords were abused or improperly accessed,” the accidental mishandling of these passwords could result in a multi-billion-dollar fine for the social media company, according to the news outlet.

The news comes only days after Facebook said it had unintentionally uploaded – without consent – the emails of 1.5 million users. Earlier this month, Infosecurity also reported that over half a billion Facebook records were leaked by third-party app developers.

Facebook announced on March 21, 2019, that it had found some passwords being stored in readable format on its internal data storage systems, and the company updated that post on April 18 to add: “Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.”


CISOs Consider Quitting Industry Over Surging Stress

Info Security - Fri, 04/26/2019 - 09:57

IT security leaders across Europe are considering quitting their job over the stress they’re suffering due to mounting threats, compliance pressures and growing complexity, according to Symantec.

The security giant teamed up with research consultancy Thread and Chris Brauer of Goldsmiths, University of London, to compile its High Alert study, based on interviews with 3,000 security decision makers in the UK, Germany and France.

Some 82% claimed they felt burned out, with nearly two-thirds saying they’re thinking about leaving their job (64%) or quitting the industry altogether (63%).

Regulations like the GDPR and NIS Directive are the number one source of stress (86%), with two-fifths (40%) concerned that they would be held responsible in the event of a breach. Skills shortages (80%), the size and complexity of the IT environment (82%) and the growing volume of threats (82%) also ranked high.

Brauer, who is director of innovation at the London university, argued that stress can have a serious impact on decision making.

“It impairs your memory, disrupts rational thinking and negatively impacts every cognitive function you have. In an industry like cybersecurity, which requires focus, creative thinking, attention to detail and rational decisions in high pressure scenarios, stress can be crippling,” he added.

“Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already suffering a skills shortage, this kind of stress can present a significant risk.”

Tool bloat appears to be another major cause of this stress. Over three-quarters (79%) of respondents claimed that “too many products/vendors” is the cause of growing pressure at work, while 68% said they felt “paralyzed” by the huge volume of threat alerts deluging the department.

“The current patchwork approach to security tooling and strategy is creating more problems than it solves,” argued Symantec EMEA CTO, Darren Thomson. “There’s so much daily noise that it’s near impossible to work out what might be a false positive and what might be a sign of a stealthy targeted attack. Meanwhile the overlaps and gaps between defensive systems present hackers with new opportunities for exploitation.”

The findings of the report chime with a similar study from Nominet back in February, which revealed that nearly all (91%) of US and UK CISOs suffer from moderate or high stress.

Categories: Cyber Risk News

#CYBERUK19: NCSC and ICO Clarify Roles to Assist Incident Response

Info Security - Fri, 04/26/2019 - 09:30
#CYBERUK19: NCSC and ICO Clarify Roles to Assist Incident Response

The UK’s National Cyber Security Centre (NCSC) and regulator the Information Commissioner’s Office (ICO) have agreed to clarify their roles and improve coordination, in a move designed to make it easier for breached organizations to reach out to the right body.

At the CYBERUK conference in Glasgow yesterday, the two set out their distinct roles and responsibilities.

GCHQ body the NCSC is tasked with dealing with incidents of “national importance” and is on hand to help victim organizations in the immediate aftermath of an attack to better understand the incident.

Although it will encourage organizations to meet their requirements under the GDPR and NIS Directive, its free advice will be given confidentially, with no information shared with GDPR regulator the ICO without seeking consent first.

The ICO will then be on hand to help organizations take the right steps to mitigate any risks to individuals’ data, and ensure a proper investigation is set up and that legal responsibilities are met.

Both have agreed to share anonymized and aggregated info to better understand risk, and to amplify each other’s messages to provide consistent advice.

ICO deputy commissioner of operations, James Dipple-Johnstone, argued that organizations need to better understand what to expect if they suffer a breach.

“The NCSC has an important role to play in keeping UK organizations safe online, while our role reflects the impact cyber-incidents have on the people whose personal data is lost, stolen or compromised,” he clarified.

“Organizations need to be clear on the legal requirements when to report these breaches to the ICO, and the potential implications, including sizeable fines, if these requirements aren’t followed.”

Joseph Carson, chief security scientist at Thycotic, welcomed the NCSC’s commitment to confidentiality.

“Ensuring that businesses have trust with the government agencies so they can work with the NCSC during an ongoing cyber-incident when time is critical knowing it is the business’s responsibility to report the incident to the ICO,” he said.

“During a cyber-breach working with the NCSC can help the business potentially recover quickly and ensure it can be investigated, giving the business time to identify whether or not they are required to report the incident to the ICO.”

Categories: Cyber Risk News

Attacks on Businesses Soar 235% in Q1

Info Security - Fri, 04/26/2019 - 09:04
Attacks on Businesses Soar 235% in Q1

A surge in ransomware and trojans in the first three months of the year led to a massive 235% year-on-year increase in detected cyber-threats to businesses in Q1 2019, according to Malwarebytes.

The security vendor’s Cybercrime tactics and techniques report for the first quarter revealed a definite shift from consumers to businesses, which is apparently hitting SMBs with fewer IT resources particularly hard.

The more business-focused aims of hackers in 2019 were particularly noticeable in the ransomware category. Here, consumer detections decreased 10% from the previous quarter and 33% year-on-year, whereas attacks against corporate targets surged 195% from the previous quarter and over 500% from the same time last year.

In a similar way, consumer detections of cryptomining malware have now dropped to almost nothing, thanks in part to the decision by Coinhive to shut down its operations. However, attacks against businesses continue to rise, especially in APAC, the report revealed.

Malwarebytes claimed these increases could be due to the Troldesh strain, which was prolific in attacks against US organizations early on in the quarter.

Elsewhere, detections of trojans like Emotet on business endpoints increased by over 200% from the previous quarter and nearly 650% year-on-year.

Malware against Macs also spiked at the start of the year. Malwarebytes noted a 60% increase from Q4 2018 to Q1 2019, while adware increased by over 200% from the previous quarter.

On the plus side, there was a significant decline from the previous quarter in detections of backdoor (-80%) and hijacker (-73%) malware. The former can be accounted for by a decline in activity from the Backdoor.Bot campaign in APAC, the report claimed.

“Consumers might breathe a sigh of relief seeing that malware targeting them has dropped by nearly 40%, but that would be short-sighted,” said Adam Kujawa, director of Malwarebytes Labs.

“Consumer data is more easily available in bulk from business targets … Cyber-criminals are using increasingly clever means of attack to get even more value from targets through the use of sophisticated trojans, adware and ransomware.”

Categories: Cyber Risk News

State of Washington Expands Breach Notice Laws

Info Security - Thu, 04/25/2019 - 19:44
State of Washington Expands Breach Notice Laws

A new law in Washington expanded regulations that mandate when consumers must be notified if a malicious actor gains access to their private data, according to a press release from the state’s office of the attorney general (AG).

In response to AG Bob Ferguson’s request for legislators to strengthen the state’s data breach notification laws, lawmakers voted unanimously in favor of HB 1071-2019-20, which the speaker signed on April 24.

“Not only is the amount of data being collected and stored about consumers increasing, the number of breaches of secure storage of the data is increasing at an alarming rate as well," Rep. Shelley Kloba, who sponsored the bill, said in the press release.

“This bill updates our consumer protection laws to shorten the notification time from 45 days to 30 days, so that consumers are made aware of a breach more quickly and can take protective action. Additionally, companies who collect and store data will need to pay more attention to safeguarding it against internal and external threats.”

In addition to shortening the notification window, the consumer data breach notification bill expands the definition of covered consumer information to include items such as usernames, passwords and passport numbers. The earlier law had only required notification when a breach exposed a consumer’s name together with other personal information, such as a social security or driver’s license number.

“My office has seen the number of Washingtonians impacted by data breaches increase year after year,” Ferguson said in the press release. “Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”

Two senators sponsored a companion bill, SB 5046-2019-20, which remains in the Senate committee. A separate bill that would give citizens the right to know what types of data companies are collecting, storing and selling has yet to pass the state’s legislature, according to a Tripwire blog post.

“This bill overwhelmingly cleared Washington’s Senate floor earlier in 2019 after a vote of 46 to 1,” the blog said, but it has not yet arrived on the floor of the House.

Categories: Cyber Risk News

Fake Social Accounts Multiply; Can Users ID Them?

Info Security - Thu, 04/25/2019 - 18:56
Fake Social Accounts Multiply; Can Users ID Them?

Despite Facebook and Twitter repeatedly removing illegitimate accounts from their social media platforms, the number of impersonating accounts increased 56% from 2017 to 2018 and is projected to continue to grow by 30% in 2019, according to research from ZeroFOX.

Because of this rapid proliferation of fake accounts, it is becoming increasingly more difficult for users to distinguish between accounts that are real or fake, the research found. In an April 23 blog post, ZeroFOX’s Diana Parks wrote, “There is no denying that fake profiles run rampant on social media and digital platforms. Between October 2017 and September 2018, Facebook alone removed almost 2.8 billion illegitimate accounts worldwide. By some estimates, this accounts for between 25–35% of all Facebook accounts.”

While fake accounts online are inevitable, they are also highly problematic and pose security risks to individuals and organizations. Bad actors use fraudulent accounts to target individuals using social engineering. Others use fake accounts for scams or to distribute malicious content, phishing and malware, or even inappropriate content.

Still, not everyone can easily distinguish which social media accounts are fake. Despite a 2018 post offering users tips on how to spot a fake account, the number of impersonating profiles has increased across social networking sites. This continued growth prompted ZeroFOX to develop a quiz in which users are challenged to correctly identify the fake social media account.

In addition, research from the ZeroFOX Alpha team found that since 2017 there has been a steady growth in the number of both brand and executive impersonations. “Between 2017 and 2018, brand impersonations for ZeroFOX customers increased by 5%. Based on current projections, the ZeroFOX Alpha Team anticipates an estimated 17% increase in brand impersonations over the next year. The numbers are even more staggering for executive impersonations,” Parks said.

Fake accounts impersonating top executives and VIPs reportedly grew by over 300% between 2017 and 2018 and are expected to rise another 47% in 2019.

Categories: Cyber Risk News

ASUS Not Alone in ShadowHammer Supply Chain Attack

Info Security - Thu, 04/25/2019 - 18:48
ASUS Not Alone in ShadowHammer Supply Chain Attack

Researchers believe that Taiwanese technology giant ASUS, whose network was compromised in last month’s malware attack, dubbed Operation ShadowHammer, was not the only company targeted by the supply chain campaign. According to Kaspersky Lab, the attackers infiltrated at least six other organizations during the ShadowHammer hacking operation.

“In our search for similar malware, we came across other digitally signed binaries from three other vendors in Asia,” Kaspersky researchers wrote in a blog post. Electronics Extreme Co. Ltd., a game developer from Thailand, was among the vendors listed as having released digitally signed binaries of a video game called Infestation: Survivor Stories, which was reportedly taken offline in 2016.

“This weaponization of code signing is direct evidence that machine identities are a beachhead for cyber-criminals. The only way to protect against these kinds of attacks is for every software development organization to make sure they are properly protected,” said Michael Thelander, director of product marketing, at Venafi.

“No one should be surprised at how extensive this attack is. Due to their wide reach, bad actors target code-signing certificates in broad, deliberate campaigns and leverage them in large, multi-stage attacks.”

Supply chain attacks have become increasingly concerning, according to the 2019 Internet Security Threat Report, which found that supply chain attacks rose by 78% between 2017 and 2018, prompting US intelligence agencies to partner in designating April as Supply Chain Integrity Month.

“Software subversion attacks – such as the ASUS Live Update intrusions – are particularly difficult to thwart because they are incredibly sophisticated and highly targeted,” said Chris Duvall, senior director at The Chertoff Group.

“Unfortunately, due to the apparent success rate, we can expect to see a continued surge in the use of third-party applications as the back channel into networks. While not a panacea, we advise clients to help prevent these attacks by assessing file integrity whenever possible and maintaining good cyber hygiene through configuration hardening, vulnerability management, segmentation.”

Categories: Cyber Risk News
