Cyber Risk News

France to introduce unilateral digital tax on 1 January 2019 - Wed, 12/19/2018 - 12:40
France will introduce its own tax on large multinational technology companies from 1 January 2019, its finance minister has announced.
Categories: Cyber Risk News

EU rules impacting non-personal data in force - Wed, 12/19/2018 - 12:27
New rules that seek to end unjustified 'data localisation' and that promote greater access to and use of non-personal data have come into force in the EU.
Categories: Cyber Risk News

Hackers Depart from Large Dark Web Markets

Info Security - Wed, 12/19/2018 - 12:09

Cyber-criminals are increasingly downsizing from selling their wares on large dark web marketplaces in a bid to build trust with buyers, according to McAfee.

The security giant claimed in its latest threat report for Q3 that the trend can also be seen as a response to law enforcement activity. Police effected the major takedowns of Hansa and Alpha Bay in 2017 while marketplace Olympus fell silent in September after a suspected exit scam.

“Cyber-criminals are very opportunistic in nature,” said John Fokker, head of cyber-criminal investigations at McAfee. “The cyber-threats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cyber-criminals: higher infection rates, and both operational and financial security.”

The move on the part of these business-minded hackers with strong underground ‘brands’ to set up shop on their own has brought with it a cottage industry in website designers offering to build their digital stores, McAfee claimed.

Elsewhere, the security firm blocked an average of 480 new threats per minute during the three-month period, with IoT malware (73%), cryptomining malware (71%) and new ransomware (10%) all increasing from the previous quarter.

Overall, new malware samples increased 53%, with new macro malware up 32%. It’s no surprise that malware was the most popular attack vector, followed by account hijacking, leaks, unauthorized access and vulnerabilities.

However, instances of new mobile malware declined by 24% in Q3, and McAfee customers reported 36% fewer infections in the quarter.

Data breaches in the financial sector jumped 20% and sextortion scams continued to grow in popularity, driven by Gamut, the top spam-producing botnet.

Categories: Cyber Risk News

PSD2: EBA to set up API working group - Wed, 12/19/2018 - 11:58
The European Banking Authority (EBA) wants banks, credit card providers, fintechs and other businesses to work with it and national regulators to address technical issues that arise in the lead up to an important compliance deadline in the EU's payment services market.
Categories: Cyber Risk News

Clothing brand fined €40m over online sales restrictions - Wed, 12/19/2018 - 11:52
A company has been fined for the first time by the European Commission for prohibiting retailers authorised to sell its goods over the internet from using its brand names and trade marks for the purposes of online search advertising.
Categories: Cyber Risk News

Huawei Hits Back at Claims it Poses Security Threat

Info Security - Wed, 12/19/2018 - 10:43

Huawei has hit back at reports claiming it is a national security risk, as the Czech Republic joined a growing list of governments warning against using the firm’s equipment.

The Shenzhen giant’s chairman, Ken Hu, told reporters that such moves were driven by “ideology and geopolitics” and challenged the likes of the US government to provide proof to back up their claims.

“If you have proof or evidence, it should be made known,” he reportedly added. “Maybe not to Huawei and maybe not to the public, but to telecom operators, because they are the ones that buy Huawei.”

The US, Australia, New Zealand, Taiwan and Japan have all banned Huawei products on security grounds to a lesser or greater extent. With the kit-maker set to play a key role in coming critical infrastructure deployments of 5G, the stakes couldn’t be higher.

In the UK, BT recently confirmed that the Chinese firm is not included in its plans for 5G core.

However, Australian spy chief Mike Burgess has previously warned: “the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

The UK government has long had a more open approach to dealing with the telco giant, allowing access to its markets as long as equipment passes muster at an evaluation center paid for by Huawei and staffed by experts from GCHQ, among others.

But even here there have been bumps in the road: in July the center claimed it could provide “only limited assurance” that Huawei equipment poses no threat to national security.

Although Huawei claims it has never acceded to any government demands which would “damage the networks or business of any of our customers,” it’s the risk of this happening in future which seems to be driving skepticism outside of China.

“High-risk vendors have been banned from Australia’s 5G network because of the threat they pose when they could be subject to unbounded extrajudicial directions from a foreign government,” wrote Burgess recently.

Although the lack of competition may indeed push up prices and slow innovation, it may be a price governments are prepared to pay. The Czech Republic’s cybersecurity watchdog this week became the latest to warn against the firm.

“China’s laws...require private companies residing in China to cooperate with intelligence services, therefore introducing them into the key state systems might present a threat,” said Dusan Navratil, director of the Czech National Cyber and Information Security Agency (NCISA).

Categories: Cyber Risk News

NASA Staff at Risk After Server Breach

Info Security - Wed, 12/19/2018 - 10:07

NASA has been sitting on a potentially serious breach of employees’ personally identifiable information (PII) after revealing a server may have been compromised months ago.

In an HR message from the Office of the Chief Human Capital Officer, the US space agency claimed its cybersecurity staff began investigating an incident on 23 October, nearly two months ago.

“After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised,” the email continued.

“NASA and its federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any agency missions were jeopardized by the cyber incidents.”

It’s still unclear exactly how many staff may have been affected by the incident, although NASA has sent the email to all employees so they can take precautions.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” it continued.

“Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

NASA is a major target for nation state and financially motivated attackers, as well as bedroom enthusiasts.

UK hacker Gary McKinnon famously confessed in 2009 to compromising the networks of the US space agency as part of a misguided attempt to look for evidence of a UFO conspiracy.

Sometimes NASA can be its own worst enemy: between April 2009 and April 2011, 48 mobile computing devices loaded with sensitive information were either lost or stolen.

Categories: Cyber Risk News

Today's Guest Editor: Dr Jessica Barker

Info Security - Wed, 12/19/2018 - 09:30

This Christmas, Infosecurity has invited some top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Dr Jessica Barker, who will be taking the reins today.

Dr Barker is a leader on the human side of cybersecurity, has been named one of the top 20 most influential women in cybersecurity in the UK and was named one of the UK’s Tech Women 50 in 2017.

Equipped with years of experience from running her own consultancy, she co-founded Cygenta in 2018, working with a variety of organizations from small creative agencies through to multi-national banks. Her consultancy experience, technical knowledge and sociology background give her unique insight. She is known for her clear communication style and for making cybersecurity accessible to all.

Jessica delivers thought-provoking and engaging presentations across the world, at corporate events as well as practitioner and academic conferences. Known for her ability to engage everyone from senior executives to ethical hackers and creative workers, she brings energy, enthusiasm and fun to cybersecurity. Her speaking engagements are rooted in the work she does around the psychology and sociology of cybersecurity, particularly regarding cybersecurity threats, social engineering, how to effectively communicate cybersecurity messages, the psychology of fear and cybersecurity, and the language of cybersecurity. Her specialisms span cybersecurity awareness, behavior and culture.

Jessica’s many appearances discussing cybersecurity on national and international TV and Radio have cemented her place as the media’s go-to expert on subjects that require graceful, clear and engaging communication of technical subjects. Jessica and her husband FC were Guest Curators of the 2018 Cheltenham Science Festival and are keen supporters of the NCSC Cyber Schools Hub, TeenTech and the Cyber Security Challenge.

Categories: Cyber Risk News

AI Yields Security Benefits, Not Without Problems

Info Security - Wed, 12/19/2018 - 08:00

Artificial intelligence (AI) is expected to grow in the cybersecurity marketplace, likely to $18.2 billion by 2023, according to a report from P&S Market Research. AI is still only in its nascent stages, though, and the technologies present several obstacles that organizations must overcome, according to a new white paper by Osterman Research.

In a survey sponsored by ProtectWise, Osterman Research learned that AI has penetrated the security operations center (SOC), but there are many challenges that stand in the way of AI being able to deliver on its promises.

The survey found that AI has already established a strong foothold, with 73% of respondents reporting that they have implemented security solutions with at least some aspect of AI. Most organizations said their top reasons for incorporating AI were to improve the efficiency of security staff members and to make alert investigations faster.

In addition, survey results concluded that 55% of IT executives are the strongest advocates for AI, while only 38% of AI’s strongest supporters identified as non-IT executives. That difference was evidenced in the reported inconsistencies from respondents who reflected on the results of their initial deployment of AI-enabled security products.

Participants confessed that AI-enabled security solutions generate significantly more security alerts and false positives on a typical day, with 61% of respondents agreeing that creating and implementing rules is burdensome and 52% saying they have no plan to implement additional AI-enabled security solutions in the future.

More than half (61%) of all respondents said that AI doesn’t stop zero-days and advanced threats, 54% said it delivers inaccurate results and 42% said it’s difficult to use. Additionally, 71% said it’s expensive. While there is still progress that needs to be made, the survey found the future of AI has great potential.

“Our bottom line assessment is that AI is not yet 'there,' but offers the promise of improving the speed of processing alerts and false positives, particularly in organizations that receive massive numbers of both. Moreover, while the full potential of AI has yet to be realized, it holds the promise of seriously addressing the cybersecurity skills shortage – it may not be a 'silver bullet,' but it may be a silver-plated one,” the survey said.

Categories: Cyber Risk News

Email Security Systems Miss 17K Threats

Info Security - Tue, 12/18/2018 - 19:22

In its latest Email Security Risk Assessment (ESRA), Mimecast found that incumbent email security systems inaccurately deemed nearly 17,000 dangerous files “safe” this quarter. Email scams have been on the rise, which is partly what prompted Mimecast to dig into the efficacy of Office 365 and other widely used email security systems so that organizations can better understand their risk.

According to a recent survey also conducted by Mimecast, nearly 70% of employees are using company-issued devices for non-work activities, which presents an increased likelihood that users can fall victim to one of these malicious scams with dangerous files and malicious URLs while online shopping at work.

The ESRA also found that more than 21 million spam emails were missed by email security providers. Instead of being blocked they were delivered to users’ inboxes. Add to that massive oversight the fact that in excess of 205,000 malicious URLs were missed by incumbent providers, and it’s no surprise why the efficacy of email security systems needs to be measured.

In addition, providers missed more than 42,350 impersonation attempts, which were also delivered to users’ inboxes, along with more than 17,500 undetected malware attachments that landed in inboxes.

“Mimecast has seen an increase in security efficacy versus legacy vendors along with detailed information on the proliferation of threats of all types. The ESRA provides deep insights for our customers on the types of attacks threatening their business,” said Lindsay Jack, security service director at Mimecast, in a press release.

“Attacks we are seeing include key executives being targeted with cloud storage services exploits, impersonation attacks targeting legal, finance and administrative assistance, as well as social engineering attacks against the C-suite. Mimecast helps organizations understand how they compare with other organizations in their geography or industry vertical. Additionally, these reports provide insights on the rise of new types of malware and key trends in malicious email campaigns.”

The last quarter saw a surge in emails containing dangerous file types, according to Matthew Gardiner, cybersecurity strategist at Mimecast, who said that cyber-criminals continue to adapt their email-based attacks, seeking ways to evade detection and bypass security solutions that rely on reputation-based detection or file signature matches.

“Mimecast uses multiple layers and types of detection engines, combined with high-performance analytics, a diverse set of threat intelligence sources, and computer-aided human analysis to identify and stop unsafe emails from getting into our customers’ inboxes,” Gardiner said.

Categories: Cyber Risk News

Healthcare Employees Aware of Ransomware Threats

Info Security - Tue, 12/18/2018 - 18:12

In a new survey of North American healthcare employees, Kaspersky Lab found that ransomware has hit nearly a third of companies more than once.

Findings of the report, Cyber Pulse: The State of Cybersecurity in Healthcare, are based on the responses of the 1,758 employees surveyed. Participants ranged from doctors and surgeons to admins and IT staff within the United States and Canada. Of the total participants, 33% of healthcare employees who are aware of a ransomware attack on their organization said attacks have happened more than once.

More than one in six healthcare employees said that they know of a ransomware cybersecurity attack on their organization that has occurred in the past five years or more. Additionally, 78% of American and 85% of Canadian healthcare workers who said they were aware of a ransomware cybersecurity attack on their organization claimed to have experienced up to five attacks.

The last 12 months seem to have been slightly better, though, with only 27% of healthcare IT employees claiming that their employer experienced a ransomware cybersecurity attack within the past year.

Healthcare employees overwhelmingly value protecting their patients, and 71% cited that as their top reason for incorporating cybersecurity measures into their organizations. In addition, 60% of employees want their companies and colleagues protected.

Even though only 21% of healthcare employees believe that their organization will not likely suffer a data breach in the years to come, 23% said they trust in the cybersecurity strategy of their organizations.

“Through our study, we found that healthcare employees in North America were confident that their organization would not suffer a data breach in the forthcoming year. But whether they realize it or not, their industry is suffering hundreds of breaches a year,” said Rob Cataldo, vice president of enterprise sales at Kaspersky Lab, in a press release.

“Healthcare companies have become a major target for cyber-criminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach. Business leaders and IT personnel need to work together to create a balance of training, education and security solutions strong enough to manage the risk.”

Categories: Cyber Risk News

Attackers Connect with Malware via Malicious Memes

Info Security - Tue, 12/18/2018 - 17:58

A new type of malware has been found listening for commands from malicious memes posted on Twitter, according to new research from Trend Micro.

Cyber-criminals are using the social site as an unwilling conduit for the malware to communicate with its mothership, through the use of steganography, a tactic that hides a payload inside an image in order to evade detection. The payload also instructs the malware to take a screenshot and collect system information from the infected computer, Aliakbar Zahravi wrote in a recent blog post.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled. Twitter has already taken the account offline as of December 13, 2018,” the blog said.

In late October, the malware authors posted malicious memes in two separate tweets from a Twitter account run by the malware operator; the malware listens for commands embedded in those memes. Once a meme is downloaded from the Twitter account onto the victim’s machine, the malware parses it for the embedded command, so the account effectively acts as the command-and-control (C&C) service for the malware, according to Zahravi.

“This isn’t the first occurrence of malware using popular websites to obscure command-and-control features. Most organizations will allow popular websites through their firewalls, so malware communicating with these sites can blend in with a large pipe of network data,” said Travis Smith, principal security researcher at Tripwire. “A slight uptick in a few bytes of data to Twitter is less of an anomaly than a few bytes of data going to an unknown IP address for the first time.

“What’s unique here is the use of steganography to obscure the commands even further. This tells me the authors of this malware are concerned more about folks scanning websites like Twitter or PasteBin for typical command-and-control or other malware functions in the text of those services. By using images, a typical scanning engine ingesting text would be blind to this type of obfuscation.”

Categories: Cyber Risk News

PewDiePie Hackers Deface Wall Street Journal

Info Security - Tue, 12/18/2018 - 11:43

Supporters of YouTube sensation PewDiePie have been at it again, this time defacing a Wall Street Journal web page in another bid to boost his subscribers.

The page itself, originally sponsored by a technology giant, was apparently fixed promptly by the newspaper’s IT team, but can be viewed here.

It references the WSJ’s 2017 investigation into PewDiePie and his featuring of anti-semitic content and Nazi imagery which ultimately led to his being dropped by Disney and losing his YouTube Red series.

“WallStreet Journal would like to apologize to pewdiepie,” the defaced message read. “Due to misrepresentation by our journalists, those of whom have now been fired, we are sponsoring pewdiepie to reach maximum subscribers and beat Tseries to 80million.”

The 27-year-old Swede has been tussling with Indian content giant T-Series at the top of the YouTube subscriber table for some time, with fans using increasingly unconventional methods to boost his base. He's currently at just over 77m subscribers.

Along with the legitimate, including billboard advertising in Times Square and around the US, have come not-so-legit tactics, including the hijacking of tens of thousands of printers around the world to print out messages in support of the YouTuber.

This first happened last month, when an estimated 50,000 devices were compromised.

Then this week a second wave of attacks came to light, with more than double the number of printers thought to have been affected.

The individual behind it said he was using the PewDiePie banner to try to raise awareness about printer security. It was claimed that attackers could have caused devices to burn out, as well as capture and modify sensitive corporate documents.

Categories: Cyber Risk News

Twitter API Bug Exposes Users’ Country Codes

Info Security - Tue, 12/18/2018 - 10:42

Twitter has been forced to issue an alert that an unknown number of users may have had their location uncovered by possible state-sponsored attackers.

The social networking giant claimed it became aware of an issue with one of its support forums in mid-November and fixed it a day later on the 16th.

“This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter,” it explained. “We lock an account if it appears to be compromised or in violation of the Twitter Rules or our Terms of Service.”

The first issue could be serious because, although full phone numbers weren’t revealed in the privacy snafu, the location of affected users could be inferred.

This takes on a more sinister hue when one considers who may have been behind the attack.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia,” Twitter continued.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”

Intelligence agencies in repressive regimes could benefit from knowing where rights campaigners, journalists and others operating online are based.

Twitter has directly informed all those it believes to be affected, but is taking the extra step of publicizing the information in case there are other account holders it can’t identify who have been impacted.

Categories: Cyber Risk News

Met Slammed for Using Dodgy Facial Recognition Cameras

Info Security - Tue, 12/18/2018 - 10:09

The Metropolitan Police force has come in for more heavy criticism over its use of wildly inaccurate facial recognition cameras in central London this week.

The Met claimed in a news alert that it is deploying the cameras in Soho, Piccadilly Circus and Leicester Square on Monday and Tuesday in a bid to reduce crime in the area.

It said that all the faces on the database used in the trial are of wanted suspects and anyone who declines to be scanned won’t be viewed as suspicious. The force added that there will be a “clear uniformed presence” alongside posters and leaflets being disseminated to let the public know what’s happening.

However, campaigners claim the Met isn’t being completely honest. Tweets from rights group Liberty revealed that the cameras are attached to unmarked vans, there are only three small signs to inform the public and no leaflets were actively being handed out when they turned up.

“Met press release said ‘Anyone who declines to be scanned during the deployment will not be viewed as suspicious by police officers’ - but officer in charge says people will be if they cover their faces,” the group tweeted. “The public cannot opt out. WE HAVE BEEN MISLED.”

Big Brother Watch revealed in May that police FOI responses showed facial recognition technology trials had been 98% inaccurate. It said that this figure has now risen to 100% in the months since.

In June it teamed up with Baroness Jenny Jones to launch a crowdfunded legal challenge against use of the tech by the Met and Home Office. The ICO has also expressed “deep concern” at the lack of a regulatory framework, and the surveillance camera commissioner in October forced Greater Manchester Police to halt a six-month use of cameras in a shopping center.

“The police’s use of this authoritarian surveillance tool in total absence of a legal or democratic basis is alarming. Live facial recognition is a form of mass surveillance that, if allowed to continue, will turn members of the public into walking ID cards,” argued Big Brother Watch director, Silkie Carlo.

“As with all mass surveillance tools, it is the general public who suffer more than criminals. The fact that it has been utterly useless so far shows what a terrible waste of police time and public money it is. It is well overdue that police drop this dangerous and lawless technology.”

Categories: Cyber Risk News

Today's Guest Editor: Sophia McCall

Info Security - Tue, 12/18/2018 - 09:30

This Christmas, Infosecurity has invited some top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Sophia McCall, who will be taking the reins today.

Sophia is a third year (placement) student currently studying BSc Cyber Security Management at Bournemouth University. She is an avid player of Cyber Security Challenge UK where she has qualified twice to represent Team UK in the European Cyber Security Challenge and has succeeded in their ethical hacking competitions. She was awarded Best Newcomer to Cyber Security last year and is an active conference speaker and panel member.

She is an advocate for inspiring more females to join the security industry and also hopes to inspire younger generations to choose security as their future career. She travels around the country to deliver talks and workshops to schools and is a part of the ambassadorial program for Cyber Security Challenge UK. She currently is in a Junior Security Consultant role where she is completing a pen testing placement, which is something she hopes she can do as a full-time job in the future.

Sophia can be contacted via Twitter @spookphia.

Categories: Cyber Risk News

Cobalt Group Uses New Version of ThreadKit Malware

Info Security - Mon, 12/17/2018 - 18:15

Researchers have discovered a new version of ThreadKit, malware known to be used by Cobalt Group, first identified in 2016, according to Fidelis Cybersecurity.

In the recently released report, Fidelis threat research analysts found that despite reported arrests, Cobalt Group continues to remain active, using a new version of ThreadKit, a macro delivery framework sold and used by numerous actors and groups. In addition, researchers identified CobInt, a loader and backdoor framework utilized in profiling systems.

The threat group had largely been targeting banks in Eastern Europe using phishing emails with malicious PDF attachments that allowed the group to steal more than $32,000 from multiple ATMs in an overnight attack.

“The group has since built a reputation for their highly targeted, network intrusion methods. They expanded their geographical target area out of Eastern Europe, to include North America, South America and Western Europe as well as expanded their targets from banks, to also include supply chain companies, financial exchanges, investment funds, and lenders,” wrote Jason Reaves, Fidelis threat research principal engineer, in a blog post.

Prior to Interpol reportedly arresting the group’s leader in March 2018, it was estimated that the threat actors had pilfered as much as $1.2 billion from banks across 40 different countries.

Apparently the group has new leadership, as researchers identified what appeared to be renewed activity from the group in May 2018. In the group's recent activity analyzed in the report, attackers using the Cobalt Group malware frameworks continue to hone their skills crafting tailor-made emails that appear to come from a financial partner of the targeted institution.

“In October 2018, Fidelis identified a new version of ThreadKit. As per Cobalt Group’s typical methods, the malware was delivered via phishing email, containing an RTF Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,” Reaves wrote.

Categories: Cyber Risk News

Kanye, Pentagon, Crypto Owners Worst Password Offenders

Info Security - Mon, 12/17/2018 - 18:06

In its third annual list of the Worst Password Offenders, Dashlane ranked Kanye West, the Pentagon and cryptocurrency owners as the top three users who demonstrated significantly poor password habits in 2018. Also included in this year's top 10 were Google, the United Nations and Nutella.

“Passwords are the first line of defense against cyberattacks,” said Emmanuel Schalit, CEO of Dashlane, in a press release. “Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information at risk.”

According to the study, an average internet user has more than 200 password-protected accounts, which Dashlane says will double over the next five years. “The sheer number of accounts requiring passwords means everyone is prone to make the same mistakes as the Password Offenders,” said Schalit. “We hope our list serves as a wake-up call to everyone to follow the best password security practices.”

After it was publicly revealed during a White House meeting that Kanye’s iPhone passcode was 000000, it’s no surprise that he claimed the top spot for weakest password. But the Pentagon taking second place is a bit alarming, particularly since the agency was ranked fourth on the 2017 list.

“A devastating audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search,” the press release said.


Following cryptocurrency owners was the world-famous hazelnut-and-chocolate spread company, Nutella, whose reported password blunder was that the company tweeted to its followers that it might consider using “Nutella” as its password.

Spots five, six and seven were held by UK law firms, the state of Texas and White House staff, one of whom reportedly “made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C., bus stop.”

Quite surprisingly, Google, known for its strong cybersecurity, came in eighth on the top 10 because “an engineering student from Kerala, India, hacked one of their pages and got access to a TV broadcast satellite.” Using a blank username and password on his mobile device, the student was reportedly able to log in to the Google admin pages.

The list was rounded out by the United Nations and the University of Cambridge, after a plaintext password left on GitHub exposed the data of millions of subjects being studied by university researchers.

Categories: Cyber Risk News

US Ballistic Missiles Have Poor Security Controls

Info Security - Mon, 12/17/2018 - 18:01
US Ballistic Missiles Have Poor Security Controls

US officials did not consistently implement security controls and processes to protect ballistic missile defense system (BMDS) technical information, according to a newly declassified report, Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information, from the US Department of Defense (DoD) Inspector General.

The redacted report was published on December 10, 2018, and detailed the results of an audit conducted “in response to a congressional requirement to audit the controls in place to protect BMDS technical information.”

“We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information. This is the second of two audits to determine whether the DoD protected BMDS technical information from unauthorized access and disclosure,” the agency wrote.

The audit found that network administrators and data center managers failed to require multi-factor authentication in order to access the BMDS technical information and did not identify and mitigate known network vulnerabilities at three of the five components visited.

In addition, they did not lock server racks, protect and monitor classified data stored on removable media, encrypt BMDS technical information while being transmitted, implement intrusion detection capabilities on classified networks or require users to provide written justification to be granted elevated system access.

“While I agree at first glance this sounds horrible, the key word in the findings is ‘consistently,’” said Lamar Bailey, director of security research and development at Tripwire. “Table 1 shows results for the facilities visited broken down into weaknesses in the seven areas audited.

“Only one audit hit all five locations and this dealt with justification for access. Five of the weaknesses say they were not ‘consistently’ used, but this can apply to ‘administrative, facility, a lab or both,’ so they may not apply to the networks with the defense/offense controls. This audit was also only done at five facilities, which is less than 5% of the facilities in operation. We should not take a Chicken Little stance here but remember basic security hygiene and foundational security controls apply to everyone.”

Categories: Cyber Risk News

UAE fintech ‘booming’ as more startups complete accelerator - Mon, 12/17/2018 - 13:53
A further 20 innovative financial technology (fintech) projects have completed the largest accelerator programme in the Middle East, underlining how attractive the region is becoming to these businesses, an expert has said.
Categories: Cyber Risk News