Cyber Risk News

ICO Fines Soar to Over £4m in 2017 Ahead of GDPR

Info Security - Wed, 05/23/2018 - 08:48

The Information Commissioner’s Office handed out monetary penalties of over £4m during 2017, nearly £1m more than the previous year as the GDPR approaches, according to PwC.

The global consulting giant analyzed the ICO’s enforcement actions over the past year, looking at monetary penalties, enforcement notices, prosecutions and undertakings.

In total, 54 fines were handed out in 2017, 14 of which (26%) exceeded £100,000. However, although the ICO has the power to fine up to £500,000, it has never issued the maximum penalty.

The largest number of incidents for which penalties were issued were marketing offences, although security breaches and misuse of data for profiling purposes also loomed large.

When the GDPR comes into force on Friday, the ICO will gain new powers to fine up to £17m, or 4% of global annual turnover. However, PwC lead partner for GDPR and data protection, Stewart Room, claimed the ICO has made it clear that maximum fines won’t be the norm.

“It’s really about putting consumer rights at the heart of today’s data-centered world. There’s an option for organizations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust,” he argued.

“Signs of progress are very encouraging. At board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success.”

Room claimed that PwC’s own global GDPR Readiness Assessments over the past two years show that highly regulated sectors such as healthcare and financial services tend to have a slight advantage in terms of preparedness as they are more used to dealing with regulatory change.

As recently as January, a UK government report claimed that just 38% of businesses had even heard of the regulation.

Categories: Cyber Risk News

UK government promises new 'online safety legislation' - Tue, 05/22/2018 - 15:28
The UK government will set out new "online safety legislation" later this year, it has confirmed.

New Variants Found in Spectre and Meltdown

Info Security - Tue, 05/22/2018 - 13:28

Two new variants of the Meltdown and Spectre vulnerabilities that can allow an attacker to gain access to sensitive information have been disclosed, according to a 21 May US-CERT alert.

Google and Microsoft announced that the new variants, 3a and 4, known respectively as Meltdown and Spectre, affect the central processing unit (CPU) hardware implementations, making them vulnerable to side-channel attacks.

Security researcher for Google Project Zero, Jann Horn, reported the issue after finding a new way to attack microprocessors while testing speculative execution behavior on Intel and AMD processors.

US-CERT wrote, “Meltdown is a bug that 'melts' the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.”

Rob Tate, distinguished security researcher at WhiteHat Security, said, "Once they can get code to run locally on a victim’s computer, highly skilled hackers have many tools at their disposal to expand their control and take over the machine. What made Meltdown/Spectre special was its universal nature in both working on many machines and being useful in many different scenarios on a given machine."

The vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) numbers. Variant 3a, a rogue system register read, was assigned CVE-2018-3640, while Variant 4, known as Speculative Store Bypass (SSB), was assigned CVE-2018-3639. Tate said Variant 4 is being discussed in a fairly narrow scope: accessing private data in specific unpatched browsers.

"If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre. So, while patches should be applied when possible, Intel is right to call this a Medium," said Tate. 

The more commonly useful a vulnerability, the more it helps attackers simplify their process; thus, the easier it becomes for non-skilled hackers to compromise more computers.

In an industry where people are trained to expect speed, it's not uncommon to see the vast majority of people choose speed over security, said Renaud Deraison, co-founder and CTO of Tenable. “The speed of the chips inside our personal computers, our tablets and our phones is critical to their performance – everybody knows that."

“In this case," continued Deraison, "the vulnerabilities take advantage of the very features that make them fast. Intel optimized for performance and later learned they were facing a trade-off between security and performance."

In their security advisory, Microsoft wrote, “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”


Georgia Votes in Primary amid Cybersecurity Suit

Info Security - Tue, 05/22/2018 - 11:49

As a federal lawsuit over the cybersecurity of Georgia's voting machines, filed against Georgia's Secretary of State Brian Kemp and others, continues to develop, today's highly competitive primary race for governor puts a focus on paperless voting machines, according to the Augusta Chronicle.

Georgia is one of just five states with an all-electronic voting machine system that has no independent paper backup, leaving it especially vulnerable to election interference through hacking. Across the nation, about 20% of registered voters use paperless machines. While election officials are on board with upgrading these systems, they do say that the machines are accurate, according to the Augusta Chronicle.

"In many jurisdictions, the multimillion-dollar cost is a hurdle," the Augusta Chronicle said, but since the confirmation that Russians did indeed meddle in the 2016 election, many states are taking steps to replace the machines that do not produce paper records.

"In Georgia, the cost to switch to paper-based machines in the state’s 159 counties ranges from $25 million to more than $100 million, depending on the technology adopted," the Augusta Chronicle reported. 

But issues with voting accuracy are not exclusive to statewide elections. On 15 May, the Atlanta Journal Constitution reported, "A Fulton County judge ordered local elections officials to make available documents linked to a state investigation into potential irregularities of the December runoff that yielded a narrow victory for Mayor Keisha Lance Bottoms."

WXIA 11Alive reported that "under Kemp’s watch there was a massive breach in 2015, potentially exposing the personal data of more than six million Georgians, traceable to one employee," but Kemp said extensive security measures and cyber-defense upgrades make the state’s current system reliable.

Security concerns, combined with all of the reported irregularities, have culminated in the law firm Morrison & Foerster representing, pro bono, a group of Georgia voters in the lawsuit, Curling v. Kemp, with the aim of making Georgia’s voting machines more resistant to cyber-attacks.

Morrison & Foerster partners David Cross and John Carlin are leading the team of attorneys working on the Curling v. Kemp case, and have secured an agreement over the preservation issues of the direct-recording electronic (DRE) voting machines.

“The goal of the suit," said Cross, "is to get the state to switch to a system (before the November election) that includes voter-marked paper ballots so votes can be audited and verified. In the time remaining before the midterms, that could mean having everyone cast a paper absentee ballot as one means of achieving this goal in the short term."

There are also varying options for long term solutions based on examples from other states. "The primary vulnerability is the ability to alter votes cast via DREs without a paper record to audit or otherwise verify the electronic voting records. Other vulnerabilities include the manner in which [Georgia] has stored voter registration information and the ability to access and even alter that information in ways that could affect the election. For example, a hacker could change assigned polling locations for certain voters to create confusion when they go to vote and effectively prevent them from voting,” Cross said.


3.2 Million Files Revealed on AWS S3 Bucket

Info Security - Tue, 05/22/2018 - 11:27

A Los Angeles County nonprofit that provides health and human services accidentally exposed about 3.2 million files on an unsecured AWS S3 bucket, according to the UpGuard cyber risk team.

The bucket, belonging to 211 LA County, a nonprofit organization serving LA County, was reportedly left publicly exposed online. The content revealed in the downloadable files was wide-ranging. In addition to access credentials for the 211 system operators and email addresses for contacts, "included in the more than 3 million rows of call logs are 200,000 rows of detailed notes," UpGuard wrote in a 17 May post.

The call notes included personally identifiable information for people reporting the problem. Among those were “persons in need, and, where applicable, their reported abusers, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns,” according to UpGuard.

The information, stored in an Amazon AWS S3 bucket located at the subdomain “lacounty,” was inadvertently misconfigured to be publicly and anonymously accessible, according to UpGuard. “Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information,” the UpGuard post stated.

While the leak itself is not remarkable in size, the exposed information is highly sensitive, and is possibly the ultimate example of how important it is to know if the service you're using is risk-appropriate for the information being stored, said Sam Bisbee, CSO, Threat Stack.

“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.

While UpGuard made efforts to contact 211 LA County after their 14 March analysis that revealed the sensitive information was accessible, they were not able to connect with a member of the 211 LA County information security team until 24 April.

UpGuard confirmed that after only 24 hours, the bucket was no longer publicly accessible. “Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the ‘lacounty’ bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.

Threat Stack research indicates that nearly three-quarters of companies have critical AWS cloud security misconfigurations. “So, every reported cloud data leak is a lesson to companies that they need to proactively find ways to create transparency within their cloud infrastructure so that they can effectively manage the security of their data and systems,” Bisbee said.
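The bucket-versus-object distinction UpGuard describes (anyone could list the bucket, but only some objects were downloadable) can be checked directly from S3 ACLs. The following is an added example, not UpGuard's, 211 LA County's or Amazon's code: it evaluates ACL dictionaries in the shape returned by S3's GetBucketAcl and GetObjectAcl APIs, using constructed sample grants so it runs offline.

```python
"""Classify what S3 ACLs grant to anonymous or any-AWS-account users.

Added example. The ACL dictionaries mirror the structure of S3's
GetBucketAcl / GetObjectAcl responses; the sample grants below are
constructed for this example, not taken from the 'lacounty' bucket.
"""

# Canned groups S3 uses for "everyone" and "any authenticated AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_LIKE = {"READ", "FULL_CONTROL"}


def public_permissions(acl):
    """Return the set of permissions an ACL grants to the public canned groups."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant["Permission"])
    return perms


def assess_bucket(bucket_acl, object_acls):
    """Summarise exposure.

    Listing is a bucket-level right (READ on the bucket ACL); downloading
    a given object is governed by that object's own ACL, which is why a
    listable bucket can still contain objects that are not downloadable.
    """
    bucket_perms = public_permissions(bucket_acl)
    downloadable = sorted(
        key for key, acl in object_acls.items()
        if public_permissions(acl) & READ_LIKE
    )
    return {
        "listable": bool(bucket_perms & READ_LIKE),
        "bucket_public_perms": sorted(bucket_perms),
        "downloadable": downloadable,
        "listed_but_not_downloadable": sorted(set(object_acls) - set(downloadable)),
    }


# Constructed sample: the bucket lets everyone list it; one object is also
# world-readable, the other is owner-only.
OWNER = {"Type": "CanonicalUser", "ID": "exampleownerid", "DisplayName": "owner"}
SAMPLE_BUCKET_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_OBJECT_ACLS = {
    "backups/db.dump": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "exports/notes.csv": {
        "Owner": OWNER,
        "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    },
}

if __name__ == "__main__":
    for k, v in assess_bucket(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS).items():
        print(f"{k}: {v}")
```

With real data, the same dictionaries come from `boto3`'s `get_bucket_acl` and `get_object_acl` calls; bucket policies and S3 Block Public Access settings can widen or narrow the result and should be checked alongside ACLs.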


Global Fraud Hits £3.2 Trillion

Info Security - Tue, 05/22/2018 - 10:22

Experts have urged organizations to focus more on fraud prevention after new figures were released revealing that doing so could add a staggering £44 billion to the UK economy.

Researchers at the University of Portsmouth’s Centre for Counter Fraud Studies teamed up once again with tax and advisory firm Crowe, Clark and Whitehill to produce The Financial Cost of Fraud 2018 report.

Once again, the findings are based on representative samples of items of expenditure in each organization and whether incorrect payments are the result of error or fraud. In total, it reviewed 600 loss measurement exercises related to £15.6 trillion of expenditure in 40 sectors globally.

Fraud is costing the global economy £3.2 trillion annually, and in the UK stands at £110bn.

Although this is a drop from last year’s estimate of £125bn, in some organizations losses can reach more than 10% of total expenditure, the report claimed.

Since 2008, average losses have risen by 49.5%, amounting to 6.8% of total expenditure over the period.

Head of forensic and counter fraud at Crowe, Clark and Whitehill, Jim Gee, has told Infosecurity in the past that the cyber-element of fraud is “inextricably linked” to the overall picture, as digitization takes hold across the globe.

The findings come after other reports showed a continued uptick in cyber-driven fraud in the UK. Cifas claimed identity fraud jumped 1% last year, with cyber comprising 84% of the figure.

In addition, a PwC report from February revealed that almost half of UK organizations (49%) have suffered from cyber-related fraud in the past two years.

Crowe, Clark and Whitehill argued that visibility into the problem is a vital first step towards mitigating fraud risk.

“It is also the case that work to measure losses is highly cost-effective,” it said. “Efforts to reduce losses are helped by greater knowledge about the scale of the problem. The data shows that organizations which re-measure the same area of expenditure have consistently lower loss rates.”


DrayTek to Issue New Firmware After Zero-Day Attacks

Info Security - Tue, 05/22/2018 - 09:23

Taiwanese router-maker DrayTek is working to issue an emergency security update after reports emerged that customers had been hit by a zero-day attack.

The vulnerability in question allowed hackers to change the router's DNS settings, enabling them to redirect unsuspecting users to phishing or other malicious sites.

An urgent notice posted by the company read as follows:

“We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.”

DrayTek urged users in the meantime to check their DNS settings and correct them if altered or restore them from a config back-up.

“We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated,” it added.

The affected models are: Vigor2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220; BX2000; 2830nv2; 2830; 2850; and 2920.

There are thought to be in the region of 800,000 DrayTek routers in the wild globally, although it’s not known how many are vulnerable to the bug.

Nominet researcher Sion Lloyd argued that because DNS is the underlying protocol that directs internet traffic, it is often overlooked by admins and is therefore seen as a prime target by hackers.

"In order to mitigate or prevent attacks prior to patching hardware, security teams should pay heed to their threat intel feeds, which will include blacklisted domains/IP addresses, and make sure this data is applied in a timely manner,” he added. “Blocking known bad identifiers is a game of cat and mouse, but it is an effective way of severing connections to servers which are out to abuse your users. Also monitoring for changes to configuration files or DNS traffic being sent to new or unexpected servers would give an alert that something might require remediation."
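The two monitoring checks Lloyd suggests, DNS traffic going to unexpected servers and drift in the router's DNS configuration, can be implemented with very little code. The following is an added example, not DrayTek's or Nominet's code; the key=value flow-log format and all IP addresses are constructed for this example (RFC 5737 documentation ranges stand in for an attacker's resolver).

```python
"""Detect DNS traffic to unapproved resolvers and drift in router DNS settings.

Added example. The log line format (key=value fields per DNS query) and
the addresses are constructed for this example; adapt parse_line() to
whatever your firewall or flow exporter actually emits.
"""
import ipaddress
import re
from collections import Counter

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict; unknown tokens are ignored."""
    return dict(FIELD.findall(line))


def unexpected_resolvers(lines, allowed):
    """Count port-53 flows whose destination is outside the approved resolver set.

    `allowed` holds addresses or CIDR ranges (strings); anything else
    receiving DNS traffic is reported with a hit count for triage.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields.get("dport") != "53" or "dst" not in fields:
            continue
        dst = ipaddress.ip_address(fields["dst"])
        if not any(dst in net for net in allowed_nets):
            hits[str(dst)] += 1
    return dict(hits)


def dns_config_drift(current, baseline):
    """Compare the router's currently configured DNS servers with a known-good baseline."""
    current, baseline = set(current), set(baseline)
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


# Constructed sample flow log: LAN clients normally ask the router (192.168.1.1)
# or a known public resolver; two queries go to a constructed rogue resolver.
SAMPLE_LOG = [
    "ts=2018-05-22T09:00:01 src=192.168.1.20 dst=192.168.1.1 proto=udp dport=53 qname=example.com",
    "ts=2018-05-22T09:00:02 src=192.168.1.20 dst=198.51.100.7 proto=udp dport=53 qname=example.com",
    "ts=2018-05-22T09:00:03 src=192.168.1.31 dst=8.8.8.8 proto=udp dport=53 qname=example.net",
    "ts=2018-05-22T09:00:04 src=192.168.1.31 dst=198.51.100.7 proto=udp dport=53 qname=example.org",
    "ts=2018-05-22T09:00:05 src=192.168.1.31 dst=203.0.113.9 proto=tcp dport=443 qname=-",
]
ALLOWED_RESOLVERS = ["192.168.1.1", "8.8.8.8", "1.1.1.1"]

# Constructed router settings: baseline from a config backup, current as read back.
BASELINE_DNS = ["1.1.1.1", "8.8.8.8"]
CURRENT_DNS = ["198.51.100.7", "8.8.8.8"]

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_LOG, ALLOWED_RESOLVERS))
    print("config drift:", dns_config_drift(CURRENT_DNS, BASELINE_DNS))
```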


Greenwich Uni Hit by £120K ICO Fine

Info Security - Tue, 05/22/2018 - 08:55

Greenwich University has had the dubious honor of becoming the first university in the UK to be fined by the Information Commissioner’s Office (ICO).

The privacy watchdog slapped the £120,000 fine down after a 2016 incident in which the personal details of nearly 20,000 staff, students and alumni were stolen in a breach.

The hackers managed to infiltrate the university’s network after targeting multiple vulnerabilities in a microsite from 2004 which was still up and running.

The stolen PII included the contact details of 19,500 people such as names, addresses and telephone numbers. For around 3,500 of these people, much more sensitive data including information on extenuating circumstances, details of learning difficulties and staff sickness records was also taken and subsequently posted online.

That will certainly have increased the size of the fine significantly, as the ICO takes a dim view of organizations that fail to protect data which, if leaked, could cause significant distress to the individual.

The ICO claimed Greenwich University didn’t have the technical and organizational measures in place to ensure a breach would not occur.

The university is just lucky the incident happened in 2016 rather than next week, when the GDPR will empower the ICO to levy even higher fines if it chooses.

“Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said ICO head of enforcement, Steve Eckersley.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

Proofpoint cybersecurity specialist, Adenike Cosgrove, argued that data breaches are the new normal.

“As in this case, human error can mean the difference between a normal day and a data protection disaster. In addition to technical controls, employees must also be trained on the working practices required of the GDPR,” she added. “What we’re seeing from a lot of organizations is a situation where technology solutions and processes are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed.”


Bank Robbing? There's a Vulnerable Web App for That

Info Security - Mon, 05/21/2018 - 17:29

Gone are the days when criminals masked their identities and busted into a bank declaring, "This is a stick up!" According to Bank Attacks 2018, published today by Positive Technologies, cybercriminals are reaping big financial gains with relatively low risk by going online to rob banks. 

Analysis of information systems performed by the company for banks over the past three years found that attackers can obtain unauthorized access to financial applications at 58% of banks.

While banks are well armed against external attacks with strong perimeter protections, they remain susceptible to insider threats, according to the report. "Whether by puncturing the perimeter with social engineering, vulnerabilities in web applications, or the help of insiders, as soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries," Positive Technologies wrote in a press release.

Using techniques similar to those of the Cobalt gang, known for its attacks on financial institutions, penetration testers compromised the workstations used for ATM management at one-quarter (25%) of the banks tested. 

The report also noted that during the reconnaissance stage of collecting information about the target, many criminals search for malicious insiders on web forums. These unscrupulous insiders are willing to share company information for a fee. Stolen credentials and phishing campaigns are the most common and effective techniques criminals use to access banks because "it is both difficult and risky to organize attacks on servers or web applications, since the attackers are very likely to get caught," the report said.

Vulnerabilities in web applications leave many banks at risk. Remote access is another dangerous feature that often leaves the door open to external users. "The most common types are the SSH and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42 percent of banks," the report said.

"The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, in the press release.

"Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management."


#IRMS18 Can Blockchain be Compliant with GDPR?

Info Security - Mon, 05/21/2018 - 14:59

Speaking at the IRMS Conference in Brighton, Dyann Heward-Mills, CEO of HewardMills, focused on the emergence of Blockchain and the need for GDPR compliance.

She called the relationship between the regulation and distributed ledger “critical” as data protection officers need to understand its impact, how it sits with data subject rights and the Right to be Forgotten.

“Critical is the implementation of privacy by default and design with the technology,” she said. “When presented with a technology like Blockchain, what does a DPO do? Well you conduct your data protection impact assessment over the technology.”

She agreed that it is “very robust and secure and unlikely to be encountering challenges” regarding loss of personal data, but how does it sit with data retention?

From a regulatory perspective, Heward-Mills acknowledged that no central regulation is required, but asked whether one is desired. In terms of how the GDPR applies to Blockchain, she asked the audience whether encrypted data and metadata are still considered to be personal information.

“Where there are decentralized systems, how does the legislation actually apply? Is it still fit for purpose?”

Looking at the key principles, she rated Blockchain against the principles of Article Five of the GDPR, as follows:

  • “Processed lawfully, fairly and in transparent manner” – Not transparent due to encryption
  • “Collected for specified, explicit and legitimate purpose” – Arguably legitimate – for authentication purposes
  • “Adequate, relevant and limited to what is necessary” – Not necessary, ledger exists forever
  • “Accurate and where necessary, kept up to date” – May not be accurate, and no way to delete it
  • “Identification for no longer than necessary” – Not necessary, ledger exists forever
  • “Processed in a manner that ensures its security” – Secure, due to encryption

Heward-Mills said that privacy by design is one of the central pillars of the GDPR, but Blockchain is decentralized, everyone holds a copy of the ledger, and she asked how it is possible to regulate such a decentralized way of operating.

She acknowledged that there is an “opportunity to shape the approach of supervisory authorities in this context” as the regulators were still figuring out how to work with such technology.

Following on with the role of the DPO in this, she said there will be a critical role in shaping how the regulators respond to this emerging technology, but what we can offer “is the voice of corporate reality and challenges that are presented in using this technology.”

She said: “This is a really exciting time. Given that the regulator wants to receive perspectives from practitioners, I think we have a real opportunity to shape the future of this technology.”

Concluding, Heward-Mills said that there is some uncertainty on how it is evolving and how it is being regulated, but it is growing in importance and there will be more discussion on how it is applied.

“It is not always anonymous and it is possible through different data sets to decode on use and individuals behind the ledger and either we need to find some exemption in terms of how Blockchain is perceived, and its application under data protection laws, but the law needs to be updated as there are certain principles that are so incompatible fundamentally.”


Roaming Mantis Preys on Multilingual Victims

Info Security - Mon, 05/21/2018 - 14:25

A new wave of Android malware originally seen targeting victims across Asia via DNS hijacking has evolved into multilingual malware, broadening its attack surface and evading detection as it spreads across Europe and the Middle East, according to new research from Kaspersky Lab.

Roaming Mantis, Android malware distributed through DNS hijacking, was discovered earlier this year but has since evolved beyond targeting smartphones in Asia. The malware now supports 27 languages and has extended into Europe and the Middle East, adding a phishing option for iOS devices and a PC crypto-mining capability.

Designed to steal user information, the malware also provides attackers with control over the compromised device. Researchers believe a financially motivated Korean- or Chinese-speaking cybercriminal group is behind the operation.

“The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese,” security researcher Suguru Ishimaru wrote in an 18 May SecureList blog post.

"But, of course, this multilingualism is not limited to the landing page," Ishimaru continued. "The most recent malicious apk (MD5: 'fbe10ce5631305ca8bf8cd17ba1a0a35') also was expanded to support 27 languages."

Researchers believe the attackers used an automatic translator to expand their initial set of languages into dozens of others and infect more users, but they have changed more than the languages.

Though the criminal group originally targeted Android devices, it is now targeting iOS devices as well, “using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘’,” Ishimaru wrote.

While an authentic DNS server would recognize that such a domain name doesn’t exist, Ishimaru said, “a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘’ in the address bar of the browser.”

An additional feature included in the extended translations of the malware is PC web mining for the most popular crypto-currency among cybercriminals, Coinhive, accomplished via a special script executed in the browser.


Parent and Teen Data Leaked from Monitoring App

Info Security - Mon, 05/21/2018 - 14:20

A security researcher discovered two leaky servers of a California-based company, TeenSafe, which left the email addresses and passwords of parents and teens unprotected. According to ZDNet at least one of the servers used by the TeenSafe app leaked data from tens of thousands of accounts.

TeenSafe is an app, available for both iOS and Android, for parents who wish to monitor the texts, calls, locations and even the social media exchanges of their teens. The parents enter their email addresses and those of their teenagers. The database stores not only the email and password information but also the child’s device name and the device’s unique identifier, as reported by ZDNet.

“Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data,” ZDNet wrote.

UK-based security researcher Robert Wiggins found the issue with one server containing production data – live customer information – while the second server stored test data. In a tweet to Infosecurity Magazine, Wiggins said, “It appeared to be intercepting the phone’s requests to iCloud for FindMyPhone and other bits related to iCloud.”

Wiggins said the problem was with the type of service running: its default was set for no password and no SSL. “They should’ve firewalled it off to IPs only,” Wiggins said.

The TeenSafe website claims that it uses “industry-leading SSL and vormetric data encryption to secure your child’s data,” assuring parents that their “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.” However, the leaked data discovered by Wiggins was in plaintext.

"It is sad to see a company charged with storing our kids' Apple ID passwords get this wrong, especially after Amazon introduced several new features to avoid this back in November. Both parents and data custodians should not assume that data is being properly stored. Just saying your website uses SSL is no longer enough," said James Lerud, head of the Verodin behavioral research team.

Companies charged with storing sensitive data should actively disclose what steps they are taking to perform continuous validation, added Lerud. "Parents/customers should start expecting assurances before trusting a company with their data." 


#IRMS18 ICO Begins Countdown to GDPR Compliance with Reassurances

Info Security - Mon, 05/21/2018 - 12:23

As the final few days count down until the GDPR becomes law, the Information Commissioner’s Office (ICO) reassured conference delegates that the regulation is an opportunity rather than a barrier.

Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the ICO, who also acts as the regulator’s data protection officer, and is responsible for the ICO’s records and management team, opened by acknowledging that she is in a unique position but “faces some of the same challenges and some of the same conversations that you are facing today as well.”

She said that as “custodians of information and data, records management professionals have a unique role to play in safeguarding information rights,” and referencing a talk given in April by the Information Commissioner Elizabeth Denham, she said: “There’s never been a better time to be in data protection.”

In current times, she said that allegations surrounding Cambridge Analytica have provided an opportunity for the public to focus on privacy and how their data is handled.

“The GDPR rebalances the relationship between the public and organizations and it gives greater control over how their data is used, and it compels organizations to be transparent about their actions, but it doesn’t end there.”

Referring also to new regulations such as the NIS Directive and the E-Privacy Directive, Byers said that “Friday is a beginning not an end,” and that “GDPR is not Y2K”, but an opportunity to revolutionize the way that businesses work and engage with those who are most important to them.

Byers said that those organizations that thrive under the rules will see an opportunity to commit to data protection and embed it in their policies, processes and culture, and that some organizations are “embracing it for the opportunity it presents rather than the perceived barriers it throws up.”

Regarding its position as the regulator of the GDPR, Byers said that “we’re expecting more of everything.” This includes: more breach reports as the law requires it; more complaints as people will be better informed of their rights; and greater engagement as businesses turn to the ICO for advice at the outset of projects.

This has allowed the ICO to “develop, to grow and reinvent ourselves,” bringing a “fundamental” series of changes at the ICO, including its mission of transparency in the digital economy, recruitment, funding and, with its new three-year strategy, its approach to technology.

Byers went on to say that the ICO will “not be changing our approach to fines in four days’ time,” but that its aim is to prevent harm, and to put support and compliance at the heart of its regulatory action.

While voluntary compliance is the preferred route, she said that action will be taken where necessary, backed up with “hefty fines” which can be levied on those organizations that persistently, deliberately or negligently flout the law.

In conclusion, Byers said that the ICO’s 12 Steps to GDPR compliance guide has been downloaded six million times in two years, and that the ICO will update its guidance as things change in the future. In her position as data protection officer for the GDPR, Byers identified three key areas to achieve compliance:

  • The first regards information rights and records management, as this is “the starting point for everything as it enables you to know what you have got, and who knows what you have.”
  • The second is collaboration: securing senior buy-in is crucial, as is working with all parts of the organization to identify key players.
  • The third is communications, both internal and external, and working with all areas of the business to deliver strong communications around the requirements and the importance of breach reporting and recording.

“If I had to sum up the impact of GDPR in one word, it would be people,” she said. “This is all about individuals, balancing the law and increasing the public’s trust and confidence in the way their data is handled.”

#IRMS18: ICO Dismisses Brexit Impact on GDPR

Info Security - Mon, 05/21/2018 - 11:21

Brexit should not affect the UK’s participation in enforcing GDPR.

Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the Information Commissioner’s Office (ICO), said that the response to “this uncertainty” has been to set two clear goals:

  • The first is to maintain a high value of data protection for UK citizens and consumers wherever their data resides. “It includes uninterrupted data flows to Europe and the rest of the world and legal certainty for business and law enforcement.”
  • The second is to continue to play a full role in EU institutions and maintain a strong working relationship with the European Data Protection Board, the EU body in charge of the GDPR.

“We’re making progress on both fronts,” she said. “The Government has made good on its promise to fully implement the GDPR and it is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister made the case for an ongoing role for the ICO in the European landscape.”

Byers admitted that it was unclear what that future role will include, but the ICO remains deeply committed to being embedded in the EU data protection community.

Man Gets 15 Years for DDoS Revenge Campaign

Info Security - Mon, 05/21/2018 - 10:38

A New Mexico man has been handed a 15-year prison sentence for launching DDoS attacks against former employers, business competitors and public services.

John Kelsey Gammell pleaded guilty on January 17 to one count of conspiracy to cause intentional damage to a protected computer and two counts of being a felon in possession of a firearm.

He was sentenced late last week to 180 months behind bars, plus restitution to his victims to be decided at a later date.

Those victims include companies Gammell used to work for, companies that chose not to hire him, competitors of his business, law enforcement agencies and courts.

Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College, and the Hennepin County Sheriff’s Office were just some of those whose websites he targeted.

Between July 2015 and March 2017 he’s said to have launched attacks from his own computer and via multiple DDoS-as-a-service offerings on roughly three dozen target websites.

Gammell also used IP address anonymization services, crypto-currency to pay for “DDoS-for-hire” services, and fake email accounts to hide his identity, as well as encryption and drive-cleaning tools to conceal digital evidence on his machines at home, according to the DoJ.

Despite being a convicted felon, Gammell possessed several handguns and AR-15 assault rifle parts, which helped to bump up his sentencing further still.

The case highlights the ease with which even lone attackers can launch damaging attacks on organizations.

DDoS-as-a-service sites offer a range of packages starting at as little as $5 per month, while individual attacks typically cost as little as $25 per hour, according to research by Kaspersky Lab last year.

New Mirai Variant Adds Three Exploits

Info Security - Mon, 05/21/2018 - 09:55

Security experts are warning of a new Mirai variant which features three exploits to target unpatched IoT endpoints.

The “Wicked” variant is named after strings found in its code by researchers at Fortinet, who revealed their findings late last week.

While the original version of Mirai used brute force techniques to compromise devices, Wicked relies on known exploits — used depending on the port the bot is connected to.

If connected to Port 8080, the malware will use a remote code execution (RCE) Netgear exploit which works on DGN1000 and DGN2200 v1 routers, and is the same tool used by the Reaper botnet to compromise target machines.

For Port 81, an RCE exploit is used that targets CCTV and DVR devices.

An old command injection vulnerability (CVE-2016-6277) is exploited via Port 8443 to compromise Netgear R7000 and R6400 devices.

For Port 80, the black hats have added a technique which hijacks compromised web servers with malicious web shells already installed.

“After a successful exploit, this bot then downloads its payload from a malicious website, in this case, hxxp://{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot,” explained Fortinet.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

In fact, it is believed that the same author, who used the pseudonym “Wicked” in an interview last April, is responsible for Owari, Sora, Omni and Wicked.

“This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” the researchers argued.
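The article describes Wicked choosing its exploit by the port it connects to (8080, 81, 8443 and 80). From the defender's side, a host that hits several of those ports on one target in quick succession is worth a look. The script below is an added illustration written for this page, not code from Fortinet or from the article: it parses constructed connection-log lines (the log format and every IP address are made up for the example) and flags sources that touch at least three of the four Wicked ports on the same destination within a short window. The port list comes from the article; the threshold and the five-minute window are assumptions you would tune to your own traffic.

```python
"""Flag sources probing the ports the Wicked Mirai variant is reported to use.

Added defender-side example.  The log format, timestamps and addresses are
constructed for illustration; only the port list is taken from the write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says Wicked selects an exploit for.
WICKED_PORTS = {80, 81, 8080, 8443}

# Constructed connection log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2018-05-21T09:55:01 203.0.113.7 -> 192.0.2.10:8080
2018-05-21T09:55:02 203.0.113.7 -> 192.0.2.10:81
2018-05-21T09:55:03 203.0.113.7 -> 192.0.2.10:8443
2018-05-21T09:55:04 203.0.113.7 -> 192.0.2.10:80
2018-05-21T09:55:05 198.51.100.22 -> 192.0.2.10:443
2018-05-21T09:55:06 198.51.100.22 -> 192.0.2.10:80
2018-05-21T10:30:00 203.0.113.9 -> 192.0.2.11:8080
2018-05-21T11:45:00 203.0.113.9 -> 192.0.2.11:81
2018-05-21T12:50:00 203.0.113.9 -> 192.0.2.11:8443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts_str, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts_str), src, dst_ip, int(dst_port)


def find_wicked_style_probers(log_text, min_ports=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted list of Wicked ports} for every source that hit at
    least `min_ports` distinct Wicked ports on one destination within `window`.

    Connections to ports outside WICKED_PORTS are ignored, so ordinary traffic to
    80/443 from a normal client does not trigger on its own.
    """
    events = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port = parse_line(line)
        if port in WICKED_PORTS:
            events[(src, dst_ip)].append((ts, port))

    hits = {}
    for (src, dst_ip), evs in events.items():
        evs.sort()
        # Slide a window forward from each event; flag on the first window that
        # covers enough distinct ports.  Slow probes spread over hours are not
        # flagged unless the caller widens `window`.
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for src, ports in find_wicked_style_probers(SAMPLE_LOG).items():
        print(f"{src} probed Wicked ports {ports}")
```

On the sample data only 203.0.113.7 is flagged: 198.51.100.22 touches just one of the four ports, and 203.0.113.9 spreads its three probes over more than two hours, which the default five-minute window ignores. Widening the window (for example `window=timedelta(hours=4)`) picks that slower prober up too, at the cost of more noise from legitimate clients that happen to use several of these ports.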

Google Set to Remove Green Padlock from HTTPS Sites

Info Security - Mon, 05/21/2018 - 09:04

Google has announced it is changing the way it marks up secure HTTPS pages, removing the green padlock.

The web giant explained in a blog post at the end of last week that “users should expect that the web is safe by default,” and so in future they will only be told if the site they’re visiting is not secure.

“Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69),” wrote Chrome Security product manager, Emily Schechter.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red ‘not secure’ warning when users enter data on HTTP pages.”

The move could confuse consumers looking out for a padlock in the short term, but ultimately should be seen as a positive move in forcing businesses to improve the security of their sites, argued Venafi VP EMEA, Craig Stewart.

“However, as we’ve already seen from the deprecation of SHA-1 certificates, organizations are typically slow to react to warnings of this kind and can often underestimate the task at hand. Many organizations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of,” he added.

“Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates.”

Small-Business Owners Unaware of Looming GDPR

Info Security - Fri, 05/18/2018 - 16:35

With only a week remaining before the General Data Protection Regulation (GDPR) goes into effect across the European Union, nearly a quarter of small-business owners are completely unaware of and unprepared for its impact, according to data in Shred-it's eighth annual Security Tracker report, released 17 May.

The research, conducted by Ipsos, surveyed 1,000 small-business owners with fewer than 100 employees, as well as a second sample group that included more than 100 C-suite executives from businesses with over 250 employees.

"The research makes clear that there is a huge disparity in terms of preparedness and focus based on the size of businesses," Shred-it wrote in a press release. While 97% of C-suite executives at large companies have a basic understanding of GDPR, only 78% of small-business owners possess at least a basic awareness of the forthcoming regulations.

"Almost half (47%) of leadership at large firms report having detailed GDPR knowledge," but "that figure for small businesses is just 10%," Shred-it wrote.

Brian Vecci, technical evangelist at Varonis, said, "While some companies have prepared for the GDPR for months and even years, others have only recently realized they need to comply and have to scramble a bit to catch up."

Everyone is in the final countdown, but with only one week until the deadline, Vecci said, "Companies need to zero in on their sensitive data and, more importantly, discover the data at risk that could ultimately knock them out of the GDPR compliance ring. Companies need to make sure they know what sensitive data they have and where that data might be at risk and cause them problems after May 25."

Neil Percy, VP of market development and integration EMEA at Shred-it, agreed, stating, “Companies need to audit their current data flows and assess where confidential information may be at risk, either in digital or physical form, and take steps to restrict accessibility and delete or, if in physical format, securely destroy it when necessary.”

There are additional provisions within the regulations that small businesses need to be aware of. In a 16 May blog post, Shawn Ryan at Imperva wrote (emphasis Ryan's), “One of the more notable provisions of the GDPR is Article 33 or the mandatory 72-hour breach reporting requirement. Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority 'without undue delay and, where feasible, not later than 72 hours after having become aware of it.'”

2018: Scariest Year of Evil Things on the Internet

Info Security - Fri, 05/18/2018 - 15:28

Acts of evil on the internet are on the rise, according to the 2018 Internet of Evil Things survey. In its fourth consecutive year, the survey, conducted by Pwnie Express, polled more than 500 security professionals and found their collective responses to be "the scariest survey results we've seen yet."   

The report indicates that security professionals have a heightened concern for growing threats, with 85% of respondents believing their country will suffer a major critical infrastructure cyber-attack in the next five years.

"The attack on a Schneider Electric safety system was considered a watershed moment because it demonstrated how hackers 'might cause physical damage to a plant, or even kill people by sabotaging safety systems before attacking industrial plants,'" the report quotes Reuters as saying.

In addition to confronting issues with malware and ransomware, the survey found that nearly one-third of respondents reported being part of a distributed denial-of-service (DDoS) attack. Of those, more than 22% discovered attacks on wireless communications or access points. 

While many respondents (64%) admitted to being stressed and uneasy about the lack of security in the internet of things (IoT), "one in three respondents said that their organizations were unprepared to detect connected device threats." Despite nearly half (49%) of respondents admitting that they are concerned about consumer IoT devices, only 23% said they can monitor devices like smartwatches and other types of IoT devices.

Satya Gupta, CTO and co-founder of Virsec, echoed the concerns of survey respondents but noted that, while understandable, anxiety needs to be turned into actionable security.

"There is still a gap in understanding between IT and OT [operational technology]," Gupta said. "While most of the concern focuses on the devices (is my refrigerator spying on me?), most attacks come through IT channels. Especially in the ICS [industrial control system] space, the real dangers are from IT systems that automatically control myriad sensors, switches and other devices. Hacking a one-off device will cause limited damage, but hacking an ICS SCADA system can bring down an entire power plant or worse."

Despite the risks, security professionals continue to be left out of purchasing decisions. Only 60% of survey respondents said that they have a role in the purchasing approval process for IT devices, which includes computers, mobile devices, and servers. 

While 75% of security professionals said that they have a security policy in place for IT devices, only 35% have security policies for their building OT/IoT devices.

Customer Consent Allows Leak of Location Data

Info Security - Fri, 05/18/2018 - 14:34

Whether stolen or accidentally leaked, the location data of mobile phone customers has been making headlines for much of May. The latest announcement came yesterday from KrebsOnSecurity, with news that a bug in the website of US-based tracking firm LocationSmart was leaking real-time location information of mobile phone customers.

What is known is that the vulnerability was discovered in a free demo tool available on LocationSmart’s website and was revealing to virtually anyone who wanted it the general whereabouts for customers of AT&T, Sprint, T-Mobile, and Verizon.

After KrebsOnSecurity verified the tool was leaking information "without the need for any password or other form of authentication or authorization," LocationSmart took the service offline.

However, in an email to Infosecurity Magazine, LocationSmart confirmed that Carnegie Mellon University security researcher Robert Xiao was only able to locate the subscribers by personally obtaining their consent.

With its enterprise mobility platform, LocationSmart said it strives to bring secure operational efficiencies to customers. "All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber."

Tim Erlin, VP of product management and strategy at Tripwire, said that the increased connectivity and access that we gain comes at a price. “Connections go both ways. Consent and comprehension aren’t the same thing. Consumers routinely consent to sharing data without understanding what that really means."

"LocationSmart’s service was vulnerable to abuse, and those types of errors occur. The surprise isn’t about a vulnerable service but about the content of that service. No one wants to imagine that they can be tracked without cause.”

The email from LocationSmart also confirmed that it has disabled the vulnerability in the consent mechanism of its online demo identified by the researcher.

"We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability," LocationSmart wrote.

The company said it is continuing its efforts to verify that no subscriber’s location was accessed without their consent and that no other vulnerabilities exist. "LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process," the company wrote.
