Cyber Risk News
A known threat group targeting industrial safety systems in the Middle East is using similar attacks on industrial systems in the United States, according to new research from Dragos. The Xenotime group has been labeled the most dangerous threat activity group because it is the only group intentionally compromising and disrupting industrial safety instrumented systems.
Though Dragos has not identified the specific targets of the latest attack on industrial control systems in the US, it has reported that the attacks resemble the Russian attack on US critical infrastructure reported by US-CERT earlier this year, noting that the malware shows similarities to Trisis, which was used in an attack last year in Saudi Arabia.
In a 24 May blog post, Dragos wrote, “Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization, overspeed, or over-heating. They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs. They’re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing.”
In the December 2017 attack on Schneider Electric’s Triconex safety instrumented system, attackers moved between networks using credential capture and replay, having configured the malware around the functions of the system within the industrial control system (ICS) environment. The level of sophistication noted in the Trisis malware framework indicated that the group had a deep knowledge of the Triconex infrastructure and processes.
“This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes. Dragos’ data indicates XENOTIME remains active,” Dragos wrote.
“Both attacks started with social engineering to persuade employees to open phishing emails or visit watering hole websites. Attackers then gained administrative access to IT networks, from which they’ve identified IT/OT touch points to make their way into industrial control systems,” said Oren Aspir, CTO at Cyberbit.
Most ICS attacks leverage IT/OT convergence, which is why Oren said that companies managing industrial control networks should abandon the assumption that IT and OT can be fully segregated. “Start treating OT security at the same level of seriousness as they approach IT security. It starts with obtaining visibility in your OT network. Today organizations can deploy, within days, solutions for OT visibility and detect anomalies. These could have easily detected this attack.”
The GDPR regulations empower citizens by enabling them to file complaints against companies that are not in compliance, which is exactly what Reuters reported that Max Schrems, a privacy activist in Austria, has done.
Schrems, who has reportedly filed legal cases against Facebook, Google, Instagram, and WhatsApp, told Reuters that US tech giants are trying to force users to consent to their new privacy policies without providing a "yes or no" option.
Schrems has long been awaiting today's deadline and is no stranger to relying on the law to protect personal data. The South China Morning Post reported that he won a landmark European court ruling in 2015 and recently established a charity called None of Your Business to prevent tech giants from harvesting consumer data.
The impact of the regulations is also notable for US companies that are not reported to be breaking the law. TwitterMoments wrote, "A number of high-profile websites, including the Chicago Times and LA Times, are temporarily unavailable in Europe after new European Union rules on data protection came into effect. The General Data Protection Regulation (GDPR) gives people in the area more rights over how their information is used. Companies that fail to comply with the new law are subject to fines of up to 4% of global revenue."
Not everyone fears the immediate consequences of noncompliance, though. "The EU regulators aren’t going to be slapping you with a 4% fine anytime soon. As ‘The Verge’ reported earlier this week, not even the regulators are ready (or funded) to do this. With that said, I think back to Douglas Adams’ advice, ‘Don’t panic.’ Even the Facebooks and Twitters of the world don’t have all the answers," said Anupam Sahai, vice president of product management at Cavirin.
Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, said, "For companies that have been working diligently on preparations and are essentially compliant, this is the time to focus on the finer points of the regulation and to put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner. Larger companies should have a Data Protection Officer (DPO) in place, and SMBs [small to medium-sized businesses] should assign equivalent responsibilities to a senior employee, retaining outside expert help when needed.”
More than one in three healthcare providers have suffered a cyber-attack over the past year, with 10% paying a ransom or other extortion-related fee, according to Imperva.
The vendor polled over 100 healthcare IT professionals at the recent 2018 Healthcare Information and Management Systems Society (HIMSS) Conference in the US.
Unsurprisingly, given the sizeable number that had suffered an attack, 77% of respondents said they were very concerned about a cybersecurity event hitting the organization, while 15% admitted they needed to do more to improve their cyber-defenses.
Ransomware (32%) was the biggest concern in terms of online threats. That’s understandable, given the WannaCry attack of May 2017 devastated large parts of the NHS, leading to an estimated 19,000 cancelled operations and appointments.
Worryingly, over a quarter (26%) of respondents claimed they don’t have an incident response plan in place — something required by the new GDPR.
In addition, 28% said their healthcare organization (HCO) doesn’t even have a chief information security officer (CISO).
A recent report from Verizon revealed that healthcare was the number one sector affected by breaches, accounting for 24% of the total number analyzed over the preceding year. It was also revealed to be the only sector in which insider threats (56%) outweighed those from external attackers (43%).
Answering questions on the insider threat, respondents to the Imperva poll said they were most concerned about careless users (51%), while 27% claimed a lack of tools to monitor employees and other activities makes detecting insider threats difficult.
“Attackers understand the value of the data held by healthcare organizations, and as a result, they are quickly becoming a sweet spot for hackers looking to steal large amounts of patient records for profit,” argued Imperva CTO, Terry Ray.
“There have been a number of incidents recently where cybercrime has impacted hospitals and left them unable to access patient data, which demonstrates the consequences of a successful attack. It is crucial that healthcare organizations take steps to protect their data. To retain patient trust, organizations must provide an excellent defense at all times.”
Chinese security researchers have discovered 14 vulnerabilities in connected vehicles which could be used to remotely control a number of BMW models.
The team from Tencent’s Keen Security Lab tested several car models over a year, focusing on the Head Unit, Telematics Control Unit and Central Gateway Module.
“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple internet-connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol),” the report noted.
“Therefore, it’s susceptible for an attacker to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existing in different vehicle components. In addition, even without the capability of internet-connected, we are also able to compromise the Head Unit in physical access ways (e.g. USB, Ethernet and OBD-II). Based on our testing, we confirm that all the vulnerabilities would affect various modern BMW models.”
Attacks that lead to remote control of the CAN bus could enable third parties to interfere with steering, brakes, accelerator and other key physical functions of the vehicle.
Affected models include the BMW i Series, X1 sDrive, 5 Series, and 7 Series. The researchers reported their findings to BMW in February, and the manufacturer has been rolling out mitigations remotely and via optional software updates from dealerships since then.
Natan Bandler, CEO of Cy-oT, argued the research shows that connected car vulnerabilities often arise in overlooked areas such as the infotainment system.
“It’s always the innocent items, the ones that are invisible and the ones that we tend to neglect that are the easiest way in for a hacker,” he argued.
"We need to think from the point of view of the attacker. They’re looking for the path of least resistance; areas that are uncovered, neglected and that no one cares about, and entertainment systems are exactly this.”
Privacy International has launched a new investigation into a swathe of shadowy data companies to see if they comply with the new EU General Data Protection Regulation (GDPR), which came into force today.
The GDPR has been several years in the making, and introduces strict new obligations for organizations on how they process and protect customer and employee data as well as how they seek consent for using that data.
The rights group claimed that the business model of many data companies raises significant question marks over compliance with the new law, which is EU-wide but also applies to any organization which processes data on EU citizens.
Non-consumer facing data companies such as Acxiom, Criteo and Quantcast “amass and exploit” large quantities of consumer data without directly interacting with the data subject, according to Privacy International.
If they collect this data without the user’s knowledge, use it to profile users, or share it with another company for a different purpose to that stated at the time of collection, they could be in breach of the GDPR, the group claimed.
To launch the campaign, Privacy International has sent letters to a selection of the companies involved to find out more on how they handle personal data.
The non-profit claimed that companies and governments are increasingly exploiting not just data that consumers willingly provide but information they can “observe, derive, and infer” in order to manipulate people’s lives without accountability.
Privacy International legal officer, Ailidh Callander, welcomed the GDPR.
“It's been a long time coming, and the GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers,” she added.
“GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation."
The group has also joined the Center for Digital Democracy and Public Citizen in writing to almost 100 US companies asking that they implement GDPR for users globally, as Microsoft and other tech giants have promised.
One year into his role as CSO, Yassir Abousselham sits down in Las Vegas with Eleanor Dallaway to talk about life as a chief security officer at enterprise identity provider Okta.
Tell me about your career path before you joined Okta
Prior to my appointment at Okta, I worked as CISO for the fintech company SoFi. Before that, I spent five years at Google working on corporate DLS security and in the security for payments vertical. Previously I worked in security at EY.
For a technology professional, working at Google is the Holy Grail. How did you manage to tear yourself away to pursue a new role?
Working at Google gave me great access and visibility into doing technology and security at scale. Google attracts a lot of sharp engineers, so I was exposed to a lot of good interaction and visibility. It was a fantastic experience. At some point however, for anyone in security, you want to take the next step and manage security from A to Z at one company. That wasn’t something I could do at Google and I felt ready to make that move.
So, how is your role as CSO for a technology vendor different to being a CSO at an end-user?
The scale of the challenge makes it more interesting. It takes a special mindset to do security for a security company.
In addition to successful authentication attempts, we also see attack attempts against our customers and our platforms. We don’t stop at analyzing traffic – we have to be able to harden the platform in a way that protects both Okta and Okta customers. Businesses are trusting us with their applications and their data and that is a great responsibility. We have to be ahead of the attacker to block those attacks.
You mentioned a ‘special mindset’ that is required – what does that entail?
You need the evil bit – to be able to think like an attacker. This should be the whole security team and indeed the whole company. We have to instill the culture that we (and our customers) are targets. You have to stay on the cutting edge of those attacks and harden the platform.
You have to also understand the business and your customers’ expectations. You need to understand the investment that customers are making in you as a vendor and become the customer advocate. We have to protect Okta, but also our customers.
Your CEO, Todd McKinnon, talked about security whilst never sacrificing usability or customer experience. How do you manage to balance the two?
Historically people thought that increasing security meant changing or hindering the customer experience.
We are gradually changing that by providing a much better user experience. We are talking about lessening password authentication, using multiple technical components to consume the contextual signals to maintain a higher level of assurance that you are who you say you are. Moving forward, we can rely more on context and behavior. We want to establish normal and react to abnormal.
As an industry, are we doing better at improving the security bar?
There is a concerted effort to raise the bar. There’s absolutely no question about the importance of information security. But how it is done depends on the company, the industry, the compliance requirements. The will to raise the bar and make the change is always there, but the speed it takes to make changes is different – we’re getting faster, but sometimes it’s not fast enough.
Attackers can move faster – they don’t have to comply and are agile and persistent. As an industry, we need to continue trying to make these changes faster and streamline the processes standing in the way of raising the bar – compliance, governance and finding talent.
How hard is it to find great talent to hire in your security team?
We have to stay steps ahead of the attacker and that cutting-edge talent is very hard to find. Once you hire, you then have to be able to retain. To retain these highly-qualified engineers you have to give them highly complex cutting-edge problems. That’s the number one motivation for these types of individuals. They have to buy into your vision as a company and see a culture aligned with their beliefs and vision.
What do you consider your one main ambition within your role at Okta?
For now, automation is at the top of my agenda. Trying to automate as much as possible. I want to help customers get better at doing security. That’s what I want to keep doing - understanding how they use Okta products and how to make them more secure. I also want to continue to improve usability without impacting security.
In the aftermath of a fatal crash that killed a pedestrian, the state of Arizona barred Uber Technologies, Inc. from road-testing its self-driving car program. Now, the company announced on 23 May that it will close down the self-driving vehicle program in Arizona, a move that will affect more than 300 jobs, according to the Wall Street Journal.
A spokeswoman for Uber said that the company will not be eliminating all of their autonomous vehicle programs and will resume operations this summer with a limited focus, testing fewer cars with smaller routes in Pittsburgh and two cities in California. Uber will first have to nail down a testing permit in California, Reuters reported.
Uber has been waiting for the National Transportation Safety Board (NTSB) to release the preliminary report from its investigation of the crash. Released today, the report stated, "The inward-facing video shows the vehicle operator glancing down toward the center of the vehicle several times before the crash. In a postcrash interview with NTSB investigators, the vehicle operator stated that she had been monitoring the self-driving system interface. The operator further stated that although her personal and business phones were in the vehicle, neither was in use until after the crash, when she called 911."
While the NTSB continues to collect information and Uber prepares to return self-driving cars to the road, the company hopes to soar to new heights with its announcement that it will invest $23.4 million into developing an all-electric vertical takeoff and landing aircraft in France over the next five years, according to CNN.
"France is a perfect home for our next step forward with its strong history of research and development, world class engineers and a unique role in aviation worldwide," Uber said in a statement to CNN.
As Uber calculates its best strategy to move forward, Apple races full speed ahead, veering away from BMW and straight toward Volkswagen. After waiting for BMW to take its foot off the brakes for several years now, Apple has decided to partner with a new company to get the wheels turning on its self-driving car design.
"Apple has signed a deal with Volkswagen to turn some of the carmaker's new T6 Transporter vans into Apple's self-driving shuttles for employees – a project that is behind schedule and consuming nearly all of the Apple car team's attention, said three people familiar with the project," CNBC reported.
Multiple cybersecurity organizations have signed a memorandum of understanding (MoU) aimed at enhancing cooperation on cybersecurity and defense, according to a press release from Europol.
The European Union Agency for Network and Information Security (ENISA), the European Defense Agency (EDA), Europol and the Computer Emergency Response Team for the EU Institutions, Agencies and Bodies (CERT-EU) have come together to establish a framework by which the organizations can collaborate with each other.
The signed MoU serves as a symbol of strength that exists among the different EU agencies and will focus on deepening their cooperative efforts in the areas of exchanging information, education and training; cyber-exercises; technical cooperation and strategic matters, as well as any additional areas deemed important.
Collaborative efforts among the groups will improve the ways in which the organizations use existing resources while hopefully reducing redundancy and leveraging their widespread expertise to enrich the services provided by the parties.
Driven in part by the 2014 Cyber Defence Policy Framework, which called for increased cooperation among civil-military parties, academic institutions and the private sector, the collaboration has been in the making since 2016. The newly developed cooperation of agencies also aligns with the Joint Communication on Cyber issued in 2017.
"ENISA welcomes the opportunity to work closely with our partner organisations. Cybersecurity is a shared responsibility, and it is only by cooperating closely with all relevant stakeholders that the EU has a chance to address cybersecurity challenges," Dr. Udo Helmbrecht, executive director of ENISA, told Europol.
Steven Wilson, head of Europol’s European cybercrime centre (EC3), said, "This MoU illustrates how a safe and open cyberspace can only be achieved through enhanced cooperation and commitment. Through their participation, all parties involved demonstrate that they are willing to join forces and recognise that together we can provide the necessary response to cyber related threats. From EC3, we welcome the opportunity to enter a new era of working together with our MoU partners and are delighted to share our expertise and experience."
Congress has passed an anti-fraud measure as part of the Economic Growth, Regulatory Relief, and Consumer Protection Act, with one of the bill's sections establishing guidelines to help prevent synthetic identity fraud. Synthetic identity fraud is a tactic where criminals fashion identities made up, in part, from credit-inactive Social Security numbers (SSN).
Cybercriminals will then use those identities to secure loans and commit other online crimes. When cybercriminals use parts of an individual's identity – particularly those of children – years can pass before the victim realizes their identity has been compromised. Often, said Robert Capps, VP of business development at NuData Security, these individuals are denied a school loan or other form of credit due to false indicators of fraudulent behavior attached to their identity.
Section 215 of the act details the steps that will be taken to enhance consumer protections using fraud protection data, defined as an individual's name, SSN and date of birth. Currently the system for checking SSNs takes multiple days and requires the individual's handwritten signature.
Through the use of a database maintained by the Social Security Administration (SSA), financial institutions and service providers will be able to validate identities much more quickly. Permitted entities that have been issued certifications from SSA will be able to access an electronic identification validation system in order to compare fraud protection data for accuracy in real time, with batches of submissions not to exceed 24 hours.
Proactively trying to prevent a consumer or child from becoming a victim of fraud is an important step for Congress.
“Synthetic identity theft is one of the reasons many e-commerce companies and financial institutions are turning to multilayered solutions that incorporate passive biometrics and behavioral analytics," Capps said. "With these technologies, even when the consumer’s static information (such as social security numbers, date of birth and other data) is stolen, the breached credentials cannot be used to log into someone else’s account or to make a fraudulent transaction – making the stolen data useless."
“Stolen data is often used in automated attacks to create new accounts or try to find a user’s password," he continued. "With passive biometrics and behavioral analytics these attempts are thwarted, rendering the stolen data from fraudsters valueless. The hundreds of data points analyzed by these technologies help identify a legitimate user or a fraudster, protecting consumers, merchants and institutions.”
The act also provides regulatory relief for small community banks and credit unions and now awaits the president’s review.
Facebook dominated attempts to phish unsuspecting netizens in the first quarter of the year, accounting for 60% of all social network phishing attacks during the period, according to Kaspersky Lab.
The Russian AV vendor claimed in its Spam and phishing in Q1 2018 report to have blocked 3.6 million attempts to visit fraudulent social media pages.
Following Facebook, Russian social platform VK (21%), and LinkedIn (13%) were most commonly spoofed — with victims tricked into handing over names, log-ins, and even credit card numbers.
The reasons are pretty straightforward: cyber-criminals follow the money, and with over two billion active monthly users, there’s more opportunity to generate revenue by spoofing one of the world’s most popular social networks.
Overall, the main targets for phishers remain internet portals, banks, online stores and payment services, with financial phishing the most popular (44%) type, according to the report.
Crypto-currency ICOs also represent a potentially lucrative event for cyber-criminals to leverage.
Around £26,000 was stolen through a phishing site claiming to offer investment opportunities for a rumored Telegram ICO, while £62,000 was stolen from victims via a single phishing email linked to the launch of “The Bee Token” ICO, Kaspersky Lab claimed.
The vendor also warned users of an increase in fake GDPR privacy notices, which require users to fill in their details in order to ‘access’ their accounts.
“We urge users to pay close attention to the new regulation and carefully study any notifications related to it,” it added. “Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.”
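The link check Kaspersky Lab recommends above can be partly automated. The following is an added example, not code from Kaspersky Lab's report: given a notification that claims to come from a particular service, it extracts each link and flags two things, a host that is not under the service's own domain (including the user-info trick where the real host hides after an "@"), and a query parameter that carries a URL pointing at an unrelated domain, which is how a redirect to a third-party site usually looks. The service domain and the sample notice are constructed for the example.

```python
"""Flag suspicious links in a notification that claims to come from a given service.

Added example, not part of the original article or Kaspersky Lab's report.
'service.example' and the sample notice below are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def in_domain(host, expected_domain):
    """True if host is expected_domain itself or a subdomain of it.

    'service.example.phish.example' does NOT match 'service.example' because the
    comparison is on the registrable suffix, not a substring search.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(url, expected_domain):
    """Return a list of findings for one URL; an empty list means nothing obvious."""
    findings = []
    parts = urlsplit(url)
    # .hostname already strips any user-info, so 'https://service.example@phish.example/'
    # yields 'phish.example', not the look-alike prefix.
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not in_domain(host, expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain!r}")

    # A query value that is itself an absolute URL (or a scheme-relative '//host/...')
    # is a redirect target; flag it if it leaves the service's own domain.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # handle double-encoded targets too
            if "://" in value or value.startswith("//"):
                target_url = value if "://" in value else "https:" + value
                target = (urlsplit(target_url).hostname or "").lower()
                if not in_domain(target, expected_domain):
                    findings.append(f"parameter {key!r} redirects to {target!r}")
    return findings


def scan_notice(text, expected_domain):
    """Map every link found in the message text to its findings."""
    return {url: check_link(url, expected_domain) for url in URL_RE.findall(text)}


# Constructed sample: a fake "GDPR notice" asking the user to re-enter details.
SAMPLE_NOTICE = (
    "Dear user, due to GDPR you must confirm your account within 48 hours: "
    "https://service.example.verify-login.example/gdpr "
    "or use https://service.example/redirect?url=https%3A%2F%2Fphish.example%2Flogin "
    "Genuine help page: https://help.service.example/privacy"
)

if __name__ == "__main__":
    for link, findings in scan_notice(SAMPLE_NOTICE, "service.example").items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{link}\n    {status}")
```

The check is deliberately conservative: it only knows the domain the message claims to represent, so a legitimate service that sends users to a differently named subsidiary domain will show up as a finding and needs an allow-list entry. It does not follow links, so server-side redirects (HTTP 302 from the service's own host to elsewhere) are not detected without fetching.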
Germany was the number one target of malicious emails (15%) followed by Russia (6%) and the UK (5%).
However, the country with the largest percentage of users affected by phishing attacks in Q1 2018 was Brazil (19%).
The UK’s attorney general has clarified the government’s position on state-sponsored cyber-attacks, saying the country will fight back against any nation seeking to cause it harm and continue to attribute serious online threats.
Speaking at the Chatham House Royal Institute for International Affairs on Wednesday morning, Jeremy Wright became the first minister to set out the UK’s opinion on how international law applies to cyberspace.
“The UK considers it is clear that cyber-operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defence, as recognised in Article 51 of the UN Charter,” he argued.
“If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber-operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber-operation to disable air traffic control systems which results in the same, ultimately lethal, effects.”
Wright also claimed the UK would continue to work to name and shame the countries which launch such attacks, claiming that if more states get involved in such work the assessment will be more certain.
“It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community,” he added.
It’s unclear why the government chose this time to state its position but it can’t be a coincidence that state-sponsored attacks have increased over the past year. In November 2017, NCSC boss Ciaran Martin pointed to Kremlin attacks on the UK’s critical infrastructure, and in April this year the GCHQ body issued a joint alert with the US authorities of further Russian attack campaigns.
That’s in addition to the WannaCry ransomware attack that caused major outages at the NHS — subsequently blamed on North Korea.
However, Priscilla Moriuchi, director of strategic threat development at Recorded Future, argued that public naming and shaming is a double-edged sword.
“On one hand [it] allows companies, individuals, and governments to tailor their responses to and assess the risk involved in intrusions, intellectual property theft, and customer data loss. Public attribution puts a cyber-intrusion into context and assists governments in defining norms of behavior in cyber-space,” she said.
“On the other hand, there is scant evidence that public attribution deters nations from conducting cyber-enabled espionage. Naming and shaming may dissuade nations from executing destructive or disruptive cyber-attacks because of the real-world, life-and-death consequences, however public attribution as a deterrent for cyber-espionage or intellectual property theft remains unproven."
Security experts are warning of a major new destructive malware campaign targeting half a million home routers around the world with a particular focus on Ukraine.
Cisco Talos announced the discovery of the sophisticated, state-sponsored VPNFilter malware system on Wednesday, claiming there are code overlaps with the notorious BlackEnergy malware linked to Kremlin hackers.
“While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country,” the firm warned.
The malware itself has already infected at least 500,000 SOHO routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.
“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Cisco continued.
“We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”
The modular nature of the malware means it could be used for a number of reasons: there are capabilities to “kill” infected devices, covering the attackers’ tracks, and to steal website credentials and monitor Modbus SCADA protocols.
The group behind it has created “an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs,” such as obfuscating the source of a larger-scale attack, stealing data, or launching a major destructive attack, Cisco claimed.
To help them, the attackers also created a private TOR network to improve data sharing and co-ordination of infected devices.
It’s unclear whether the campaign is linked to the joint technical alert issued by the UK and US governments last month which blamed the Kremlin, however a DoJ notice on Wednesday attributed VPNFilter to the notorious Russian APT28 group which has been implicated in the hacking of Democratic Party officials ahead of the US election.
The DoJ said it was actively looking to disrupt the threat.
In the meantime, Cisco urged owners of infected devices and ISPs to reset them to factory defaults and reboot them, as well as to apply available patches immediately.
“Everyone knows what happened in the latest elections,” he began, “it made us rethink democracy and the impact that technology has on it.” That, he declared, is an identity problem.
“Confidence in technology is being eroded. People are doubting technology, which is a real shame. There is a risk of missing out on technology and using it for good,” McKinnon continued.
The Okta CEO and co-founder was optimistic about being able to solve identity, and thus “the challenge of our time. We have the platform, the connections, the ecosystem and the expertise to solve this,” he said.
The Okta vision is to enable anyone and any business to use any technology, said McKinnon, “and the best way of doing that is to connect everything.”
Okta’s core objective is enablement and that, McKinnon advised, is how the company thinks about – and measures – customer success. “With so much technology, the potential is amazing, but complexity gets in the way. You need a center of gravity and that center needs to be identity,” he argued.
“We believe that privacy and data security are individual rights, and that every organization in the world should have the best technology available to protect their identities,” McKinnon added.
As more companies embrace the productivity of a mobile workforce, the fact that work is being conducted from potentially unsecured Wi-Fi networks puts enterprise security at risk. According to The 2018 Duo Trusted Access Report, it's not clear that security is keeping pace with the rapid evolution of how and where employees work.
For the third consecutive year, Duo Security has looked at the security state of employees, contractors, devices, and applications. The 2018 report reflects the analysis of nearly 11 million computers, laptops and smartphones from which a half-a-billion user access requests to corporate applications and data were received per month.
In an enterprise-sized organization, mobility and growth have driven a 24% increase in the average number of unique networks that customers and enterprise organizations are authenticating from and a nearly 50% jump in users accessing from two or more distinct IP addresses.
While the numbers reflect that enterprise access is growing more fluidly, the growth also "means more work is being conducted from potentially unsecured Wi-Fi networks, which could include homes, airports, coffee shops, or other public spaces. These external, untrusted networks may introduce potential risks to corporate applications and data," Duo Security wrote in a press release.
Related to the mobile workforce is the problem of mobile updates. The report found that more than 90% of Android devices and nearly 60% of iOS devices are out of date. Also problematic is the rise in successful phishing, which reportedly takes only 12–13 minutes on average. In 62% of phishing campaigns, at least one set of credentials is captured.
Flash continues to inch toward its demise, with a nearly 200% jump in browsers with Flash uninstalled. Where 80% of Chrome users were loading at least one page of Flash content per day in 2014, the report said that number is down to only 4% in 2018, according to Google.
Despite more organizations feeling that they are getting worse at preventing data breaches, the number of businesses that feel better prepared to respond to incidents is on the rise, according to the latest survey from the not-for-profit industry body the Institute of Information Security Professionals (IISP).
In its third year, the IISP survey asked organizations two related questions about data breaches. The questions seek to understand how well protected from a breach companies feel, as well as how prepared they are to respond to and recover from a security incident.
The number of organizations that feel they are getting worse at preventing a security breach doubled this year, up to 18% from only 9%. According to the survey report, "The only figure that showed growth of any significance was in the percentage of people that thought we had got worse as an industry at defending systems."
In a press release, Piers Wilson, director at the IISP, said, "These results reflect the difficulty in defending against increasingly sophisticated attacks and the realization that breaches are inevitable."
The survey results indicate that both budget constraints and the skills shortage contribute to the challenges of breach prevention. As the threat landscape continues to evolve, budgets are not growing at scale. The 2017–2018 survey results showed "a drop in the number of businesses where budgets are rising from 70% to 64%, and an increase in businesses where budgets are falling from 7% up to 12% (the same level as 2015)."
Additionally, the lack of highly skilled candidates continues to be a concern, with 18% of respondents identifying a deficit in resources, 18% reporting a shortage of skills and 14% reporting insufficient experience as key factors in the skills and people shortage.
Part of the problem with the skills shortage is the impact and disruption caused by emerging technologies. Of the emerging technologies that respondents said were "very disruptive," the top two were the internet of things (66%) and artificial intelligence and machine learning technologies (49%).
“We have seen AI and machine learning used in defensive security systems for some time, and this is now starting to become part of a wider automation approach,” said Wilson. “But like the IoT, AI can also be exploited by cybercriminals, so we need to have the people and technologies to respond and mitigate these emerging risks."
Dasan's gigabit-capable passive optical network (GPON) home routers are again the target of zero-day exploits using a new botnet called TheMoon, according to researchers at Qihoo 360 Netlab.
While activity of TheMoon botnet emerged in 2014, it's only been seen adding internet of things (IoT) device exploits into its code since 2017, Qihoo 360 Netlab researchers wrote in a 21 May post. TheMoon is the latest to "join the party" of botnets attacking GPON home routers.
Earlier this year, Qihoo 360 Netlab researchers analyzed TheMoon, identifying it as a family of malicious code. Since April 2017, the researchers have been monitoring the TheMoon family and its evolution.
In the most recent attacks, the researchers noted that the attack payload used by TheMoon looks different from anything seen before, which is why they have classified it as a zero-day. "We tested this payload on two different versions of GPON home routers, all work. All these make TheMoon totally different," the researchers wrote.
In an effort to prevent future attacks, the researchers chose not to disclose the details of the attack payload; however, they did identify features of this new dark side of TheMoon, which include the scanner IP (18.104.22.168, Brazil/BR São Paulo, "AS28573 CLARO S.A."), the scanning ports (80, 8080, 81, 82 and 8888, with the GPON scan only on port 80) and the download server (domstates.su).
This latest report confirms what has frequently been observed about the cycle of zero-day and botnet attacks on connected devices in the IoT world: they are vulnerable targets. "They are no match for ingenious hackers with automated discovery tools and a well-stocked experimental laboratory of potential victims, namely the internet," said Ashley Stephenson, CEO, Corero Network Security.
"The larger the population of any particular device or software stack, the greater the motivation and reward for hacking it," he said. "In this case, a reported population of one million Internet accessible GPON devices makes for a huge potential payback if you can develop an exploit to pwn them into bots. We should expect additional exploit vectors to be discovered in the future.”
Phishing continues to dominate the fraud landscape, accounting for nearly half of all attacks, but mobile fraud has jumped 650% over the past three years, according to RSA Security.
The security vendor’s Q1 2018 Fraud Report found phishing to account for 48% of all attacks during the quarter, followed by Trojans (24%) and brand abuse (21%).
The report uncovered a decline in the use of traditional web browsers to conduct fraud, from 62% in 2015 to 35% today, whilst mobile apps’ share of fraudulent transactions has risen from 5% to 39% over the same period.
However, as an attack type, mobile attacks comprised just 6% of the whole, linked to over 8,000 rogue apps in Q1. Some 82% of fraudulent e-commerce transactions spotted by RSA originated from a new device in Q1 2018, indicating the lengths scammers are going to in order to avoid detection.
RSA also confirmed the increasing role of legitimate social networks in unwittingly helping fraudsters to sell their wares.
“Social media provides the perfect control station for cyber-criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces,” explained RSA Fraud & Risk Intelligence Unit director, Daniel Cohen.
“Social media’s scalability, anonymity and reach is providing cyber-criminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming.”
The firm noted that Reddit has worked to ban a number of sub-reddits dedicated to fraud, where hackers were apparently exchanging contacts and advertising services and sharing info on which dark web fraud forums to use.
However, the problem appears to be rife on Facebook. Journalist Brian Krebs reported last month that he had found over 100 private discussion groups dedicated to fraud and cybercrime after just a couple of hours of searching.
At Oktane 18 in Las Vegas, Okta announced that organizations will be able to eliminate the login password as a primary factor of authentication by combining signals such as device, location and network context with threat intel from Okta’s new ThreatInsight functionality.
“The best password is no password at all”, said Todd McKinnon, CEO and co-founder, Okta. “Today’s threat actors are targeting the weakest point of your company’s security – your people – and too many are successfully compromising employee accounts due to poor or stolen passwords.”
Okta’s incident response team sees and takes action against threats and suspicious activity across its ecosystem, and makes those insights available to customers through Okta ThreatInsight.
Elias Oxendine IV, Global Director of IT Security at the Brown-Forman Corporation, is using Okta ThreatInsight to get insight into authentication attempts. “Brown-Forman is one of the largest American-owned distilled beverage companies, responsibly building alcohol brands such as Jack Daniel’s, Woodford Reserve and Korbel. We’re committed to providing a safe, inclusive workplace and secure customer experience, and ensuring the right people have access to sensitive company resources is at the heart of making that happen.”
The National Bank of Canada is using the capability to give its customers a secure online experience, according to Alain Goffi, vice president, IT Infrastructures at the National Bank of Canada. "National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience.”
The FBI has admitted that “programming errors” led to it significantly over-estimating the number of locked devices which it can’t access for investigations because of strong encryption.
Director Christopher Wray claimed in January that the Bureau was unable to access the content of 7775 devices, using the figure to argue, as his predecessor had done, for new laws or policy changes at Apple and other tech firms that would enable the FBI to access such phones with a court order.
He described the situation as an “urgent public safety issue” and has referred to the figure several times since when discussing in public the challenge facing law enforcers of “going dark.”
However, in a statement seen by the Washington Post, the FBI now claims that it made its calculations from three different databases, leading to some duplicates being counted.
“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,’’ it admitted.
A new audit could take weeks to complete but it is thought the real figure could be closer to 1000 devices.
The FBI has been locked in a stand-off with Apple and the tech community for years over access to encrypted devices. Whilst the Feds claim that backdooring phones isn’t required, their demands would amount to exactly that, say tech experts.
In February, a group of world-renowned cryptography experts signed an open letter backing a senator’s demands that the FBI explain the technical basis for its repeated claims encryption backdoors can be engineered without impacting user security.
These experts included Bruce Schneier, Paul Kocher, Steven Bellovin and Martin Hellman, the latter having won the 2015 Turing Award for inventing public key cryptography.
The EFF claimed it was “not surprised” by the revelations.
“The scope of this problem is called into doubt by services offered by third-party vendors like Cellebrite and Grayshift, which can reportedly bypass encryption on even the newest phones,” it claimed.
“The Bureau’s credibility on this issue was also undercut by a recent DOJ Office of the Inspector General report, which found that internal failures of communication caused the government to make false statements about its need for Apple to assist in unlocking a seized iPhone as part of the San Bernardino case.”