Cyber Risk News

PewDiePie Hackers Hijack Printers Again

Info Security - Mon, 12/17/2018 - 10:40

Printers around the world appear to have been hijacked again with a message to subscribe to a popular YouTube vlogger, and improve their cybersecurity.

Those behind the attack are thought to be the same ones that managed to get a message in support of social media star PewDiePie printed out on 50,000 machines last month.

It’s claimed the latest attack has forced print-outs on double that number: with users around the world in the UK, US, Argentina, Spain, Australia and elsewhere taking to social media to post pictures.

This time there appears to be a bigger message to users: protect your printers.

The original hacker told the BBC that by exploiting printer flaws he could capture and modify sensitive documents as they are printed, and force data to be written to the machine’s processor.

“These chips have a limited lifetime of writes. If you keep the loop on enough, the chip will fry and the printer will no longer function,” he told the broadcaster.

"I've been trying to show that 'hacking' isn't a game or toy, it can have serious real-life consequences. We really want people to pay attention to this because causing physical damage is very much a possibility."

Bob Reny, EMEA CTO at ForeScout, warned organizations to gain control of the situation.

“The first step is to audit your environment. Does your printer need access to the internet? No, it usually only needs local connection to workstations that need to print,” he argued.

“Second, overlay control. Don’t allow your IoT to beacon to the internet and advertise their services. Be more intelligent as to what the IoT device is doing and only allow those specific tasks to be done.”

IT departments should also apply roles to network access, he said.

“Do I have a good audit for all my printers and what services they need to run? How do my clients interact with printers?” explained Reny. “The key is to ensure that no device is doing more on the network than they should be doing, and there are a range of technologies available to help firms address that at a very reasonable cost.”

Last Week’s Bomb Hoaxers Are Serial Online Extortionists

Info Security - Mon, 12/17/2018 - 10:11

A hoax bomb campaign that rattled organizations across the US and Canada at the end of last week was launched by attackers previously known for individually targeted sextortion scams.

Jaeson Schultz, technical leader of Cisco Talos Security Intelligence & Research Group, explained in a blog post that they had obviously made a decision to threaten a much larger number of people.

“So far, all of the samples Talos has found to be associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company, suggesting that the attackers in this case may have compromised credentials for domains that are hosted at this particular domain registrar,” he continued.

“Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign. In those cases, the attackers sent out emails claiming to have compromising videos of the victim and will release them to the public unless the attacker receives a Bitcoin payment.”

The good news is that no organization affected last week fell for the ruse: of the 17 Bitcoin addresses used in the attack, only two had a positive balance and even these were under $1 each, Schultz said.

However, the attackers have already moved on to another tactic, using likely compromised IP addresses in Russia to send a new batch of extortion emails.

These revert back to the original tactic of targeting individuals rather than organizations and threaten to throw acid onto the recipient unless money is paid in Bitcoin.

“The criminals conducting these extortion email attacks have demonstrated that they are willing to concoct any threat and story imaginable that they believe would fool the recipient,” concluded Schultz.

“At this point, we have seen several different variations of these emails, and we expect these sorts of attacks to continue as long as there are victims who will believe these threats to be credible, and be scared enough to send money to the attackers.”

It goes without saying that any recipient is urged to ignore any such unsolicited email threats.

Save the Children Hit by $1m BEC Scam

Info Security - Mon, 12/17/2018 - 09:50

A leading children’s charity was conned into sending $1m to a fraudster’s bank account this year, in another example of the dangers of Business Email Compromise (BEC).

Save the Children Federation, the US outpost of the world-famous British non-profit, revealed the incident in a recent filing with the IRS, according to the Boston Globe.

The attacker managed to access an employee’s email account and from there sent fake invoices and other documents designed to trick the organization into sending the money.

According to the report, the hacker pretended the money was needed to pay for health center solar panels in Pakistan. It was a well-researched ruse given the charity has had a base there for decades.

By the time it was realized the transfer was a scam, the money had already been deposited in a Japanese bank account, although the non-profit managed to recover all but $112,000 thanks to its insurance policy.

The charity said it has improved its security processes since. It was hit a second time by an email scam after a vendor’s email account was hacked and an impersonator requested the charity send money to a new bank account in Africa. Fortunately, the $9210 payment was reportedly recovered in time.

Javvad Malik, security advocate at AlienVault, said such attacks are increasingly commonplace.

“Because these are standard emails, there is little that [security] technologies can do to detect them. Therefore, raising user awareness is vital so they are less likely to fall victim to such attacks,” he said.

“Also, companies should have a two-person check process in place so that one person can't make a new payment without a colleague verifying the authenticity of the payment.”

According to the FBI, over $12.5bn was lost to BEC between October 2013 and May 2018.

UK government findings from earlier this year revealed that nearly three-quarters (73%) of charities with annual incomes over £5m had suffered a cyber-attack or breach over the previous 12 months.

Today's Guest Editor: Raj Samani

Info Security - Mon, 12/17/2018 - 09:30

This Christmas, Infosecurity has invited some top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Raj Samani, who will be taking the reins for our first day.

Raj is a computer security expert working as the chief scientist and McAfee fellow for cybersecurity firm McAfee. Raj has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3) in The Hague.  

Raj has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe Hall of Fame, Peter Szor award, Intel Achievement Award, among others. Raj is also the co-author of the book Applied Cyber Security and the Smart Grid, CSA Guide to Cloud computing, as well as technical editor for numerous other publications. 

Boomoji Databases Without Passwords Left Exposed

Info Security - Fri, 12/14/2018 - 16:32

An unprotected ElasticSearch server led to a potentially massive data leak for a popular avatar app maker, Boomoji. The app, which is based in China and has 5.3 million users across the globe, allows iOS and Android users to create 3D avatars.

The personal data of its entire user base was exposed after Boomoji reportedly left two ElasticSearch databases unprotected without a password, according to TechCrunch.

According to Anurag Kahol, CTO, Bitglass, “There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries.”

A database serving international users was based in the US, and another, which serves Chinese users, was based in Hong Kong in order to comply with China’s data security laws. The databases reportedly contained the usernames, gender, country, phone type, unique Boomoji ID, users’ schools, the geolocation for 375,000 users and the phone book entry of every user that allowed the app to access their contacts. 

Because the app also allows access to contact data, in addition to the data for 5.3 million users, contact information of an additional 125 million people who may not even know the app exists could have been compromised as well. Even if you did not use the app, if someone you know does and has your phone number stored on their device, the app more than likely uploaded your contact information onto Boomoji’s database.

“This exposure demonstrates how most enterprises – even hyper-scale providers – do not have adequate visibility into their entire infrastructure and assets to detect vulnerabilities and security gaps,” said Jonathan Bensen, acting CISO and director of product management, Balbix.

“Unsecured databases with no password protection is a simple enough problem to fix, if the companies are continuously monitoring all assets in order to quickly identify and remediate priority issues.”
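The condition behind this story (a database that listens on the network with no authentication) is something a defender can check for in configuration before it ever reaches a scanner. The following is an added example, not Boomoji's, TechCrunch's or Elastic's code: it reads the flat `key: value` lines of an Elasticsearch `elasticsearch.yml` (the real setting names `network.host`, `http.port` and `xpack.security.enabled`) and reports whether the REST API is reachable from the network without a password. The two sample configurations are constructed, and an absent `xpack.security.enabled` is treated as disabled, which was the default for the releases current in 2018 (an assumption; newer releases enable security by default).

```python
"""Audit an Elasticsearch node configuration for network-reachable, unauthenticated access.
Added example (not Boomoji's or Elastic's code). Setting names are the real ones;
the sample configs are constructed."""

# Values of network.host that keep the REST API on the local machine only.
LOOPBACK_ONLY = {"_local_", "localhost", "127.0.0.1", "::1"}
# Values that bind every interface, including any public address.
ALL_INTERFACES = {"_global_", "0.0.0.0", "::", "0"}


def parse_settings(text):
    """Flat YAML reader: one 'key: value' per line, '#' comments ignored.
    Constructed helper, not a full YAML parser; enough for elasticsearch.yml-style files."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return a list of (severity, message) findings for one node configuration."""
    findings = []
    host = settings.get("network.host", "_local_")          # Elasticsearch default: loopback
    port = settings.get("http.port", "9200")
    # Assumption: absent key means security is off (the 2018-era default).
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    exposed = host not in LOOPBACK_ONLY

    if exposed and not security_on:
        findings.append(("critical", f"REST API on {host}:{port} accepts requests without authentication"))
    elif exposed:
        findings.append(("info", f"REST API on {host}:{port} is network-reachable; authentication is enabled"))
    if host in ALL_INTERFACES:
        findings.append(("high", "network.host binds every interface, including any public address"))
    if not security_on:
        findings.append(("medium", "xpack.security.enabled is not true; no user accounts or TLS enforced"))
    return findings


def worst_severity(findings):
    """Collapse the findings to the single worst level, or 'ok' when there are none."""
    for level in ("critical", "high", "medium", "info"):
        if any(sev == level for sev, _ in findings):
            return level
    return "ok"


# Constructed sample: the pattern reported in the story, open to the world with no password.
EXPOSED_CONFIG = """
cluster.name: avatars-prod        # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: private address behind the application tier, authentication on.
HARDENED_CONFIG = """
cluster.name: avatars-prod        # constructed sample
network.host: 10.0.5.20
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_settings(cfg))
        print(f"{name}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The check is deliberately static: it says nothing about firewalls or cloud security groups in front of the node, so a "critical" here means "fix the node" and an "info" still deserves a look at what else can reach that private address. Pair it with the continuous asset inventory the quote above asks for, so that a node nobody remembers deploying is still audited.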

Extortion Email Causes Widespread Panic Across US

Info Security - Fri, 12/14/2018 - 15:46

Law enforcement agencies across the country spent the better part of yesterday evening investigating a slew of bomb threats delivered by email to businesses and universities across the US and Canada. The hoax email warning that an explosive device was in the recipient’s place of work evoked fear among many Americans yesterday, according to KrebsonSecurity.

Different variations of the email were distributed with subject lines that read “Think Twice” or “--SPAM--My device is inside your building,” as seen in the image below. The emails demand payment in Bitcoin to have the bomb removed.

"We are aware of the recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance," an FBI statement read. "As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety."

In addition, the New York Police Department Counterterrorism Bureau asserted that the threats are not considered credible. Law enforcement agencies from Raleigh to Chicago and dozens of other cities also responded to threats, none of which have been substantiated.

“All it takes is one successful payout to make this scheme worthwhile for the perpetrator. This is a high-risk extortion attempt because there's no doubt it would garner significant attention from law enforcement,” said Tim Erlin, VP, product management and strategy at Tripwire.

“At this point, it's unclear if there's an additional motive beyond extortion. It is clear, however, that disruption has been a consequence. There will be an in-depth investigation into who is behind this campaign, and it's likely they'll be identified.”

The ease with which an attacker can craft such a large-scale disruption has ignited concern. “While these Bitcoin demands seem over the top, the disruption can cost millions in police time alone, and the potential for this to escalate with copycats is always alarming,” said Atiq Raza, CEO of Virsec. “As new extortion ideas get out there, the potential for serious, targeted attacks on high-value cyber-targets will only increase."

Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, said that the incident should serve as a reminder to all organizations that they must conduct regular training of their employees as to the different types of threats.

"As with any trend, there is the genuine product, and there are copycats. What we have seen here would be the latter. However, given the availability of hacker tools for hire and personal data for low prices, it will become harder to separate the two. The bad guys continue to look for any vulnerabilities they can find in one’s security controls. This is just another example, with the hope that a small percentage of the targets will act on the email.”
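Mail teams that had to field this campaign mostly wanted one thing: a quick way to recognise the wave and route it to the people who decide whether to evacuate, instead of letting each recipient panic alone. Below is an added triage heuristic, not code from KrebsOnSecurity, the FBI or any vendor quoted above. The two subject lines come from the article; the keyword lists, the scoring weights, the verdict thresholds and the two sample messages (including the Bitcoin-shaped address) are constructed for the example.

```python
"""Triage heuristic for bomb-threat extortion email of the kind described above.
Added example; subject lines are from the report, everything else is constructed."""
import re
from email import message_from_string

# Subject lines reported for the campaign (lower-cased for matching).
KNOWN_SUBJECTS = ("think twice", "my device is inside your building")
# Constructed keyword lists; common words such as "device" or "building" are left out
# on purpose so that routine facilities mail does not score.
THREAT_TERMS = ("explosive", "bomb", "detonate", "evacuate")
DEMAND_TERMS = ("bitcoin", "btc", "pay", "transfer", "wallet")
# Legacy base58 Bitcoin addresses (starting with 1 or 3); bech32 "bc1..." is not covered.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def extract(raw):
    """Return (subject, plain-text body) from a raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = b"\n".join(parts)
    else:
        body = msg.get_payload(decode=True) or b""
    return subject, body.decode("utf-8", errors="replace")


def triage(raw):
    """Score one message and return a verdict with the reasons behind it."""
    subject, body = extract(raw)
    s, b = subject.lower(), body.lower()
    score, reasons = 0, []

    if any(k in s for k in KNOWN_SUBJECTS):
        score += 3
        reasons.append("known extortion subject line")
    addresses = BTC_ADDRESS.findall(body)
    if addresses:
        score += 2
        reasons.append(f"bitcoin address present ({len(addresses)})")
    threat_hits = sorted({t for t in THREAT_TERMS if t in b})
    if threat_hits:
        score += min(len(threat_hits), 3)
        reasons.append("threat terms: " + ", ".join(threat_hits))
    if addresses and any(d in b for d in DEMAND_TERMS):
        score += 1
        reasons.append("payment demand paired with an address")

    if score >= 5:
        verdict = "bomb-extortion"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons, "addresses": addresses}


# Constructed sample shaped like the campaign (address is a made-up base58 string).
HOAX = """From: sender@example.invalid
To: office@example.invalid
Subject: --SPAM--My device is inside your building

There is an explosive device in the building where your employee works.
Transfer 20000 USD in bitcoin to 1CNSTRUCTEDaddrFRTESTxyzABCDEFGHJK before the end
of the working day or the device will be detonated.
"""

# Constructed benign message that shares vocabulary with the hoax.
BENIGN = """From: facilities@example.invalid
To: staff@example.invalid
Subject: Building access over the holidays

The building will be closed on 25 December. Please return any loaned device
to the front desk before you leave. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("hoax", HOAX), ("benign", BENIGN)):
        result = triage(raw)
        print(f"{label}: {result['verdict']} (score {result['score']}) - {'; '.join(result['reasons'])}")
```

The verdict is a routing decision, not a safety decision: a "bomb-extortion" hit should land with the people who liaise with law enforcement, and the extracted addresses are worth recording because, as the Talos analysis above shows, shared payment addresses are what tie a wave of messages together. The keyword lists will need tuning for the next variant, which is exactly the "concoct any threat and story imaginable" problem the researchers describe.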

FEC Votes to Use Campaign Funds for Cybersecurity

Info Security - Fri, 12/14/2018 - 15:15

The Federal Election Committee (FEC) has voted that lawmakers are allowed to use leftover campaign funds to guard personal email accounts and devices from cyber threats.

In a proposed draft of its advisory opinion, the FEC responded to Sen. Ron Wyden’s question: “May a United States Senator use campaign funds to pay for the costs of cybersecurity measures to protect his personal electronic devices and accounts?”

The FEC responded, “Yes.”

“The Commission concludes that you may use campaign funds to pay for the costs of security measures to protect your personal devices and accounts without such payments constituting an impermissible conversion of campaign funds to personal use, under the Act and Commission regulations,” the FEC wrote.

In submitting his request to the FEC, Sen. Wyden acknowledged that he had not experienced any personal threats thus far, but he argued that the cyber threats elected officials face include "attacks by sophisticated state-sponsored hackers and intelligence agencies against personal devices and accounts."

In the advisory opinion, the FEC acknowledged that both Dan Coats, director of National Intelligence, and Michael Rogers, former director of the National Security Agency (NSA), agreed that the personal accounts of lawmakers are at risk of cyber-attacks.

“It’s become increasingly clear in recent years that foreign attackers view institutions that underpin democracy as high-value targets. From election equipment to the elected representatives themselves, malicious actors will systematically look for access,” said Ben Johnson, co-founder and CTO, Obsidian Security.

“The ruling by the FEC allowing leftover campaign funds to purchase additional cybersecurity detection and protection has kept the conversation about election protection going. We need to ask whether cybersecurity should have to rely on unpredictable leftover funds or if it should be a key component to candidates’ campaign machinery. Personal devices and personal accounts are coupled with corporate and government security,” said Johnson.

"That trend is only going to increase. A stronger approach to personal cybersecurity hygiene can help provide a critical extra layer of defense against attackers looking to influence or access US government systems. Put simply: anything that makes our personal identities safer will benefit our professional identities."

UK Retailers Braced for Attacks This Christmas

Info Security - Fri, 12/14/2018 - 11:00

Unpatched security vulnerabilities remain the biggest threat to UK retailers as they increase spending to mitigate risk during the busy Christmas shopping period, according to Infoblox.

The security vendor polled 3000 consumers and retail IT professionals across Europe and the US to better understand their attitudes to data security during December.

In the UK, the largest number of IT pros (28%) claimed unpatched flaws were the main source of attacks, followed by consumer or end-user error (25%), supply chain vulnerabilities (22%) and unprotected IoT devices (21%).

Given these risks, it’s no surprise that 63% of UK retailers have increased spending on cybersecurity during the busy period.

Although it was unclear in which areas they’re spending, a rise in social engineering attacks is seen as a major threat (34%). It would therefore appear that phishing attempts aimed at both consumers and retail employees are high on the list of concerns.

However, ID fraud (16%) and data security (13%) are far less important for UK consumers than delivery (55%). That might explain why a fifth of them take no proactive measures to protect their data — higher than in any other country surveyed.

Despite this apparent complacency, consumers are far from convinced that the stores they shop in are capable of keeping their personal data secure. Just one third (34%) said they trust retailers to hold their data.

“It’s interesting to read that so few consumers around the world are actively concerned with the protection of their own data when shopping online, particularly when two thirds of those we surveyed had little trust in how retailers held that data,” said Infoblox technical director for Western Europe, Gary Cox.

“More education is clearly required of the risks that online shoppers face, especially over Christmas, and the steps they can take to better protect their own data and identity from those intent on theft and fraud.”

According to the British Retail Consortium’s 2016 Retail Crime Survey, 53% of all fraud in the industry comes from cyber, amounting to estimated losses of £100 million.

Cyber-Criminal Gets 20 Months After Using Home-Made Fraud Device

Info Security - Fri, 12/14/2018 - 10:22

A convicted cyber-criminal once dubbed “the acid house king” has been sentenced to 20 months behind bars for a new fraud campaign which saw him use a bizarre home-made device.

Tony Muldowney-Colston, aka Tony Colston-Hayter, of Brighton, pleaded guilty to nine counts of possession of an article for use in fraud and two counts of making or supplying an article for use in fraud.

Metropolitan Police officers had launched an investigation into his activities in January, before obtaining a search warrant for an address linked to the fraudster in June.

While searching the property they found a hard drive containing passport and identity card data, 32 credit cards, and a spreadsheet containing names, addresses, e-mail addresses and phone numbers linked to a private members’ club in central London.

More surprisingly, police found a strange home-made contraption which Muldowney-Colston apparently used to distort his voice whilst on the phone to banks in an attempt to impersonate legitimate customers.

The machine reportedly also played pre-recorded bank messages to trick victims.

These unconventional methods enabled him to access funds of over £500,000 from the accounts he was able to pry open.

“The scam carried out by Muldowney–Colston affected hundreds of people across the UK, and had the potential to affect many more. He is an audacious criminal who only recently was released from prison for carrying out very similar offences,” said detective inspector Philip McInerney, from the Met’s Cyber Crime Unit (MPCCU).

“He shows no concern for the welfare of any individual or organization, and has made it clear he will use a range of methods to achieve significant financial gain for himself. I am very grateful to our partners in the banking industry who have worked closely with us on this and a number of investigations.”

Muldowney-Colston was jailed in 2014 for over five years for masterminding a cyber-attack on computers at branches of Barclays and Santander that netted the gang £1.3m.

Prior to that he shot to fame by popularizing rave culture in the 1980s, something that earned him the nickname of the acid house king.

ICO Slaps £200K Fine on Nuisance Text Biz

Info Security - Fri, 12/14/2018 - 09:42

The Information Commissioner’s Office (ICO) has fined a London-based company £200,000 for sending millions of nuisance texts to unsuspecting consumers.

Tax Return Limited sent a staggering 14.8 million text messages between July 2016 and October 2017 without gaining proper consent first.

The firm claimed in its defense that consent had been given through third-party websites, but the ICO ruled that these privacy policies were too vague and generic. What’s more, neither Tax Return nor the third-party service provider it used for its campaign was listed on the policies.

“Spam texts are a real nuisance to people across the country and this firm’s failure to follow the rules drove over 2,100 people to complain,” claimed ICO director of investigations, Steve Eckersley.

“Firms using third-party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third-party consent is also not enough and companies will be fined if they break the law.”

The ICO has the power to fine firms up to £500,000 for breaking the Privacy and Electronic Communications Regulations (PECR): the regime which governs marketing calls, emails, texts and faxes.

Tax Return is just one of many firms to have been fined large sums by the regulator over the past few years.

Last month the ICO fined ACT Response of Middlesbrough £140,000 for sending 496,455 marketing calls to subscribers of the Telephone Preference Service (TPS) who had signed up specifically to avoid nuisance calls. Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.

Other offending firms include Keurboom Communications (£400K), Miss-Sold Products UK (£350K), and Your Money Rights (£350K), among many more.

Campaigners have called on the government to come good on its promise to directly fine directors of companies which breach the PECR. A current loophole means many seek bankruptcy to escape punishment, only to go on to set up new businesses.

Texas Hospital Discloses Third-Party Breach

Info Security - Thu, 12/13/2018 - 15:10

The payment information of more than 47,000 patients was potentially compromised after the Baylor Scott & White Medical Center in Frisco, Texas, suffered a third-party data breach, according to the hospital’s notice of a data security incident.

The hospital disclosed that it had sent letters to more than 47,000 patients and guarantors, alerting them to the possibility that their payment information, which could include partial credit card information, might have been compromised. “Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions,” said Justin Jett, director of audit and compliance for Plixer.

The disclosure notice states: “On September 29, 2018, the hospital discovered an issue with a third-party vendor’s credit card processing system. The hospital immediately notified the vendor and terminated credit card processing through them. An investigation determined the inappropriate computer intrusion occurred between September 22-29, 2018. There is no indication the information has been further disclosed or misused by any other unauthorized individuals or entities.”

While the hospital’s information and clinical systems were not impacted and no medical information was compromised, the data that might have been accessed includes names, address and date of birth, as well as medical record numbers and the dates of service. Insurance provider information and account numbers, along with the last four digits of the credit card, account balances and invoice numbers, could also be among the information compromised in the data breach.

“The Baylor Scott and White Medical Center-Frisco felt firsthand the effects of a third-party breach, as they were forced to notify over 47,000 patients that their payment information had been exposed,” said Fred Kneip, CEO, CyberGRX. “We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”

Ruling provides lessons for tech contractors - Thu, 12/13/2018 - 15:07
A court in Scotland has highlighted how technology suppliers can successfully raise claims for relief for delays caused to their work, and how the businesses engaging those suppliers might properly resist those claims.
Precise Location Data Tracked by Mobile Apps

Info Security - Thu, 12/13/2018 - 14:45

Earlier this week, the New York Times published its findings from an investigation into the location data that is tracked by mobile apps and used to help advertisers. The investigation revealed that more than 75 companies “receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information.”

Despite the claim that the data is anonymous, the Times concluded that the information collected is quite precise, revealing the user’s location with surprising accuracy. The data is used by advertisers who then market ads to users based on their locations.

“It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder,” according to the Times.

While these revelations might be shocking, these often unauthorized harvesting activities have been going on for years and seem only to be escalating in frequency and the granularity of that information, according to Chris Olson, CEO of The Media Trust.

Still, the tables could slowly be turning as consumers begin to understand how to better protect their privacy. “Consumers are only slowly waking up to how much information on their every move is being gathered, analyzed and sold by legitimate entities and bad actors alike," Olson said. 

In addition, new laws on consumer data privacy like GDPR and California’s Consumer Privacy Act are being proposed. Combined with the recently proposed US federal consumer data privacy bill, these efforts “are shining much needed light on these unrestrained practices and their perpetrators."

“Just as GDPR is forcing companies across all industries and around the world to change how they operate, so too will the rest. And there will likely be a cumulative effect once regulations that are sweeping across the world begin to penalize violators. Although some laws set limits on the size of companies they cover, consumers will likely expect all companies, regardless of size or the number of consumers they track, to align their processes with the laws. This would also mean that companies of all sizes will have to carefully map and monitor all the third parties they do business with for any data processing that might violate their digital policy,” said Olson.

Android Malware Steals from PayPal Accounts

Info Security - Thu, 12/13/2018 - 14:23

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.

The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.

In a video recording, researchers demonstrated an attempt to steal money from a PayPal account after the user had logged into the app. While the researchers were analyzing the malware, the PayPal app attempted to send €1,000, which failed when the app requested that the user link a new card due to insufficient funds.

The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.

According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.

“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device. What’s new for this malware is that it is not focused on phishing for the user’s credentials, although it appears to attempt to phish for the user’s credit card information; instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”

China’s MSS Linked to Marriott Breach

Info Security - Thu, 12/13/2018 - 11:21

The Chinese government is responsible for the massive breach recently disclosed by Marriott International, according to new reports.

Two people briefed on the ongoing investigation told the New York Times that the attackers are suspected of working for China’s sprawling Ministry of State Security (MSS).

The hack, it is claimed, was part of a major intelligence gathering operation that also included the notorious breach of the Office of Personnel Management (OPM). Its aim is to build up detailed profiles on US executives and government officials with security clearance.

With the passport information stolen as part of the trove, Chinese spies could theoretically keep tabs on the movements of such individuals more easily. Marriott is said to be a favorite hotel provider for US government and military personnel.

Combined with the information from the OPM, it’s thought that the hotel data could help the MSS identify possible US spies and even recruit their own agents, as well as the Chinese citizens that may have been helping them.

The revelations are likely to cause extra turbulence for the Sino-US trade deal currently being hammered out and the 90-day ‘truce’ agreed by the two presidents in Buenos Aires.

It also presages a new swathe of action from Washington designed to open the kimono on Chinese cyber-espionage activity.

It’s predicted we’ll see a fresh round of indictments of Chinese military and intelligence operatives, and possibly the declassification of a US intelligence report detailing Beijing’s concerted attempts to build a huge data lake of American citizens’ information.

The indictments are thought to be linked to “Cloud Hopper” (APT10), a group that has spent years targeting the managed service providers of large companies.

An official with knowledge of the plans said they could also include making it harder for Chinese telecoms firms to get hold of key components. Any such move would likely enrage Beijing and only accelerate its cyber-espionage-fuelled efforts to become self-sufficient in tech.

Sam Curry, CSO at Cybereason, argued that Washington is rapidly changing its stance on China.

“The appropriate response is one that is on the political, diplomatic, economic, and military domains where cyber is a factor and not the only star,” he added. “Cyber is both a domain in its own right and a component of all the others. So the administration needs to plan a response to the political situation, using cyber as a tool."

Over 40,000 Stolen Government Logins Discovered

Info Security - Thu, 12/13/2018 - 10:26

Over 40,000 credentials for accounts on government portals around the world have been leaked online, and are most likely up for sale on the dark web.

Russian security firm Group-IB said usernames and cleartext passwords were available for various local and national government entities across more than 30 countries.

It’s not clear exactly how they were discovered, although the firm claims readily available keyloggers and info-stealing malware enabled the hackers responsible to harvest the info over time. It’s thought they may be part of an even bigger trove of sensitive data which has been refined for sale.

Hundreds of accounts on the websites of the US Senate, the Internal Revenue Service, the Department of Homeland Security and NASA were among those affected, according to Bloomberg.

Also hit were portals of the Israel Defense Forces, the Italian defense and foreign ministries, and Norway’s Directorate of Immigration, as well as government sites in France, Poland, Romania, Switzerland and Georgia.

Over half (52%) of victims were in Italy, followed by Saudi Arabia (22%).

Attacks in the US reportedly took place in the past year while other countries have been targeted since June 2017.

Group-IB has informed the authorities in the relevant countries, aware of the potentially serious national security implications of the leak.

Andrea Carcano, co-founder of Nozomi Networks, claimed the attackers likely used phishing attacks to spread the info-stealing malware.

“It is therefore extremely important that government organizations dedicate time and resources into training employees not to click on links, attachments and fraudulent emails that are professionally manufactured to target specific individuals,” he added.

“While it is unclear how much data the compromised login details will provide attackers, the governments affected should still try to do everything possible to limit their access. The first step would be to update login and password information for employees affected.”

Apache Misconfig Leaks Data on 120 Million Brazilians

Info Security - Thu, 12/13/2018 - 10:02

The identity numbers of 120 million Brazilians have been found publicly exposed on the internet after yet another IT misconfiguration.

The data relates to Cadastro de Pessoas Físicas (CPFs): ID numbers issued by Brazil’s central bank to all citizens and tax-paying residents. The size of the leak represents data on over half the population of South America’s biggest country.

Researchers at InfoArmor’s Advanced Threat Intelligence Team found the database exposed on an Apache web server in March, after a simple internet search.

“Upon closer examination of the server that was discovered by InfoArmor’s researchers, it was found that someone had renamed the ‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents to the world. Anyone who knew the filename or navigated to it would have unfettered access to all the folders and files within,” its report explained.

“Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures were in place.”
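The two .htaccess controls the report alludes to, shown as an added illustration (not InfoArmor’s own configuration) next to the weak default that turns a missing index file into a public directory listing; the directory path, realm name and the `_bkp` suffix are assumptions.

```apache
# Added example, not from InfoArmor's report. Two alternative .htaccess
# bodies for the exposed directory (use one or the other, never both).
# Both need the vhost to permit overrides for that directory, e.g.
#   <Directory "/var/www/html/data">
#       AllowOverride Options AuthConfig Limit
#   </Directory>

# ---- Weak: the state the leak relied on ----
# With mod_autoindex active, Apache generates a listing of every file as
# soon as no DirectoryIndex file exists. Renaming index.html to
# index.html_bkp removes the index and so exposes the whole directory.
Options +Indexes
DirectoryIndex index.html

# ---- Hardened ----
# 1. Never generate a listing, even when the index file is missing.
Options -Indexes

# 2. Still name the expected index, so a present index.html is served
#    and an absent one yields 403 rather than a listing.
DirectoryIndex index.html

# 3. Require authentication for everything under this directory
#    (Apache 2.4 authorization syntax).
AuthType Basic
AuthName "Restricted data"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user

# 4. Refuse backup and editor leftovers such as index.html_bkp outright,
#    whether or not the client is authenticated.
<FilesMatch "(_bkp|\.bak|\.old|~)$">
    Require all denied
</FilesMatch>

# 5. Raw database exports should never be served by the web server at all.
<FilesMatch "\.(sql|sql\.gz|csv)$">
    Require all denied
</FilesMatch>
```

After editing, run `apachectl -t` to check syntax and request the directory URL (not a file) from a client you control to confirm it returns 403 rather than a listing.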

Only weeks later, after the firm unsuccessfully tried to contact the SQL host, did the issue get fixed.

“What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated domain that redirected to its login panel,” it explained.

“Although InfoArmor cannot be sure that was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function.”

The security firm warned that “it is safe to assume” either a nation state or cybercrime group now has the leaked information.

Ilia Kolochenko, CEO of High-Tech Bridge, said a thorough investigation is required by the Brazilian government.

“The major question here is how did this highly sensitive and confidential data go online on a third-party server in a flagrant violation of all possible security, compliance and privacy fundamentals? Who else has access to this data and its copies?” he argued.

New evidence standards set for digital health tech

Wed, 12/12/2018 - 16:24

New evidence standards have been developed to help inform investment in new digital health technologies by NHS bodies in England.

Bug Hunting Is Cybersecurity's Skill of the Future

Info Security - Wed, 12/12/2018 - 15:48

The vast majority of white hat hackers who reported that they were looking for jobs in cybersecurity said that their bug hunting experience helped them land a job, according to Bugcrowd’s 2018 Inside the Mind of a Hacker report.

The report looked at the community of white hat hackers to better understand the skill sets and career aspirations of more than 750 security researchers and found that 41% of white hat hackers are self-taught. In addition, 80% of bug hunters said that their experience in bug hunting has helped them get a job in cybersecurity.

"Bug bounties have impacted my life by teaching me skills that I didn't know from doing traditional pentesting," said Phillip Wylie, a top-performing security researcher for Bugcrowd based out of Texas, in today's press release. "I really enjoy being involved in the security and hacking community and I now teach ethical hacking at a community college. It's important to share knowledge in our community so we can push ourselves to be better."

“Cybersecurity isn’t a technology problem, it’s a people problem – and in the white hat hacker community there’s an army of allies waiting and ready to join the fight,” said Casey Ellis, founder and CTO at Bugcrowd, in the release.

“Bug hunting is a perfect entry point for would-be infosecurity professionals to gain real-world experience, as well as for seasoned professionals to hone their skills and supplement their income. With cybercrime expected to more than triple over the next five years, bug hunting addresses the dire need for security skills at scale.”

A career in bug-hunting can be quite lucrative, with the research showing that the average total payouts for the top 50 hackers totaled around $150K, with the average submission payout coming in at $783. While hackers are finding and submitting plenty of bugs, 15% of hackers have the ambition of being a top security engineer at tech giants like Google and Facebook, yet only 6% have the desire to someday be a CISO.

Some hackers (24%) only spend an average of 6–10 hours a week bug hunting, which could be a function of the fact that more than half of the white hat hacker community are hunting bugs on top of their regular 9–5 positions.

The report also highlighted the continued gender imbalance that plagues the industry, with women representing a mere 4% of the global hacking community.

Microsoft, PayPal and Google Top the Brands Hit by Phishing

Info Security - Wed, 12/12/2018 - 15:14

Email phishing continues to be the most common method of attack, and according to new research from Comodo Cybersecurity, Microsoft, PayPal and Google are the top three brands most targeted by phishing.

In its Global Threat Report 2018 Q3, researchers in Comodo’s threat research lab found that phishing represents one of every 100 emails received by enterprises, with 19% of those attacks targeting Microsoft, followed by 17% targeting PayPal and 9.7% going after Google.

According to the report, 63% of the emails a business receives are clean, while 24% are spam, and only 1.3% of business emails are phishing attempts. Of those, there were three subject lines that were used with great frequency.

In 40% of the phishing emails examined, the subject line was related to PayPal and read, “Your account will be locked.” Another 10% of phishing emails targeted FedEx and read “Info,” while the third-most popular headline, “August Azure Newsletter,” appeared in 8% of the phishing emails and targeted Microsoft.

While malicious attachments remain the top method of infection, phishing URLs are also gaining popularity and represent 40% of the total phishing emails analyzed. In one example, researchers discovered an email claiming to be a survey of that Azure newsletter. The message contained what appeared to be an authentic URL and Microsoft logo, which made it very difficult for users to determine whether it was legitimate. If users clicked on the link, they were delivered to a malware-laden web page, where they were covertly infected.

The report also found that there was a surge in malware deployment in advance of major national elections across the globe, as well as correlations of malware detection both prior to and immediately following geopolitical crises.

“These correlations clearly stand out in the data, beyond the realm of coincidence,” said VP of Comodo's cybersecurity threat research labs Fatih Orhan. “It is inescapable that state-actors today employ malware and other cyber-threats as both extensions of soft power and outright military weapons, as do their lesser-resourced adversaries in asymmetric response.”
