Cyber Risk News
In an effort to address the growing skills gap in the cybersecurity industry, a team of former Royal Marines Commandos has launched a business providing free cybersecurity training, accredited qualifications and careers for ex-service members looking for a path back to civilian life while continuing to work as security defenders.
Crucial Academy offers accredited training courses covering both offensive and defensive cybersecurity, information assurance and threat intelligence. The courses, developed by former military personnel, include a module that gives students real-world experience, but unlike graduates of other training providers, Crucial Academy graduates will reportedly begin their new careers free of debt.
The course developers have themselves made successful transitions to notable cybersecurity and financial technology companies, and they bring that experience to Crucial Academy's offerings at what it describes as a state-of-the-art training facility in Brighton, England.
The first cohort began its courses at the end of June and completed its work last week, and the next cohort is slated to begin soon. In order to take the courses, candidates must first undergo a rigorous selection process that assures they are the proper match for the training.
“I was proud to serve my country and I wanted to give something back to the military for all the skills and experiences the Marines gave me, and I know my colleagues feel the same,” Crucial Group’s chief executive and former Royal Marine Commando Captain Neil Williams said in a press release.
“People who have spent time in the forces have an incredible work ethic, resilience and a security-driven mindset that makes many very well suited to a career in cybersecurity," Williams continued. "Following my experience of leaving the forces, I know that the transition can be very challenging. We’re pleased to be able to help give them a pathway into a successful career – and in a sector where they can make such a difference.”
After successful completion of the training, qualified Crucial Academy candidates are introduced to a cybersecurity career with one of the academy's commercial partners, an arrangement that also benefits businesses by helping them meet their growing demand for qualified cybersecurity personnel. According to a 2016 skills gap analysis from ISACA, there will be an estimated global shortage of 2 million cybersecurity professionals by 2019.
“The other benefit to our model of course is that it also helps businesses future-proof their recruitment and growth plans by providing a pipeline of trained cybersecurity professionals,” Williams said.
Russia prevented nearly 25 million cyber-attacks and other criminal acts during the football World Cup, according to the Kremlin. The Moscow Times reported that Russian President Vladimir Putin praised the work of the country's security forces, along with international cooperation, in ensuring a safe tournament.
“I expect that your close and constructive interaction will continue and will contribute to ensuring the security of our states and our citizens in the future,” Putin was cited as saying.
Ahead of the World Cup, a cooperation center staffed by law enforcement officers from 34 countries was opened to monitor potential fan violence. The center coordinated officers from the 32 countries that qualified for the tournament, among them at least six British police officers, and also hosted officers from Qatar, host of the 2022 World Cup.
A survey conducted by Lastline at Infosecurity Europe 2018 found that 72% of security professionals believed an attack was likely during the World Cup, given that high-profile international events have become a favored target for cyber-criminals.
During the World Cup, many organisations have come forward warning of potential risks to attending and non-attending fans. Researchers from McAfee warned fans to be wary of malicious apps and phishing emails created to specifically target football supporters. According to the alert issued last week: "Some fans have looked to the “Golden Cup” app to stream data and records from past and present games, not knowing that cybercriminals have also used the app to install spyware on devices of unsuspecting fans.
"This threat campaign, called Android/FoulGoal.A, looks like a typical sporting app with general information and background around the games. However, in the background and without user consent, the app silently transfers information to cybercriminals, including victims’ phone numbers, installed apps, device model, and manufacturer, available internal storage capacity, and more."
It has also been reported that around 100 Israeli military personnel fell victim to a honeytrap-style attack that came in the form of a malicious World Cup score-tracking app and two fake online dating apps. All three were available on Google Play.
David Grout, Southern Europe Technical Director, FireEye, said that while the numbers quoted by President Putin are high, they are not unexpected: "Vladimir Putin's statement that government security services have thwarted 25 million cyber-attacks linked to the FIFA World Cup may seem like a surprisingly high number, but not necessarily for those who work in the field. Every major event, whether sporting, political or otherwise, is likely to attract cyber attacks. The 2018 World Cup is no exception. Before the competition had even started there was evidence of phishing attacks.
"This included phishing attacks that started several weeks before the tournament and carried on throughout," he explained. "These campaigns use several levers such as low-cost ticket offers, the chance to win a trip to Russia, promotions for items related to the World Cup (national team jerseys, mugs featuring players etc). The main goal in this type of attack is to recover your banking information and force you to go through with the transaction to get the card number information, expiration date and also CVV.
"There were also risks from state-sponsored groups attempting to destabilise the IT and EO infrastructure used during the World Cup. Historically we've seen an acceleration of attacks and leaks of information trying to discredit the actions of an organisation tied to an event, the most notorious example being the APT28 campaign against the world anti-doping agency (WADA)."
In the aftermath of the 13 July announcement that the Mueller investigation indicted 12 Russian military officials, Americans have debated everything from the legitimacy of the investigation to the consequences of the election interference, but Sen. Rand Paul (Ky.) told CNN, “We should now spend our time protecting ourselves instead of having this sort of witch hunt on the president. I think we need to be done with this and start actually protecting our elections from foreign countries."
Experts in the cybersecurity industry agree, noting that the indictments serve as a reminder that US national and election security remain vulnerable to threats from phishing campaigns. As local, state and federal officials take another look at their election security infrastructure prior to the 2018 midterms, email security must sit atop the priority list, according to founder and CEO of IRONSCALES Eyal Benishti.
“Any forthcoming phishing mitigation strategy must prioritize humans and machines working together to not just identify threats, but to remediate them and share the attack intelligence with other government and elections organizations in real time," said Benishti. "The consequences of keeping the status quo intact with email security and phishing mitigation are too severe to ignore."
Despite President Trump’s tweet that the investigation is a “rigged witch hunt,” security commentators tend to agree with Sen. Paul. According to Jonathan Reiber, Illumio's head of cybersecurity strategy and former chief strategy officer for cyber policy in the Office of the Secretary of Defense, the new indictment does two main things.
“First, with its detailed breakdown of the GRU’s hacking tactics and capabilities, it shows how dangerous the Russians are and how important it is for everyone to stay vigilant, verify information sources and invest in cybersecurity capabilities to prevent breaches from occurring and spreading," said Reiber.
“In play-by-play granular detail, the indictment shows how Russia hacked key US political personnel and amplified that stolen data to the Nth degree through DCLeaks (a Russian front organization), social media and contact with specific persons. The tactical take-away is clear: breaches will happen and organizations need to invest in capabilities to stop intruders in their tracks,” he said.
Spear-phishing attacks remain pervasive and have the potential to wreak havoc on local, state and national elections. “This attack vector can be weaponized to impact international affairs, take down critical infrastructure or steal important intelligence,” said Cofense CTO and co-founder Aaron Higbee.
“Additionally, recent news demonstrates that threat actors are continually using clever phishing techniques to bypass next-generation perimeter technologies, as seen this month with the ZeroFont technique used to breeze by AI-based email security controls," continued Higbee. "Friday's announcement reinforces the need to empower humans in our phishing defense practices worldwide, as relying on technology, AI and machine learning alone isn’t enough to stop these attacks before the damage is done.”
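Higbee's ZeroFont reference describes a concrete evasion: filler words are placed in elements styled with font-size:0 (or a near-zero size), so the recipient never sees them, while a filter that classifies the raw text counts them and mis-scores the message. The Python check below is an added example, not code from the original article or from any vendor quoted in it. It parses an HTML body with the standard library, separates the text a recipient would see from text hidden by zero-size styling, and flags the message when the two diverge. The 1px cut-off, the 16px base font used to convert relative units, and the sample e-mail are assumptions.

```python
"""Detect the ZeroFont e-mail evasion technique.

Added example, not code from the original article. ZeroFont hides filler
text in elements styled with font-size:0 (or a near-zero size): the reader
never sees it, but a filter classifying the raw text does. The parser below
separates the two views so the hidden text can be inspected or the message
flagged. The 1px threshold and the sample message are assumptions.
"""
import re
from html.parser import HTMLParser

INVISIBLE_PX = 1.0  # assumed cut-off: text rendered at or below this is unreadable

_FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*(px|pt|em|rem|%)?", re.I)


def is_invisible(style):
    """True when an inline style sets a zero or near-zero font size."""
    m = _FONT_SIZE_RE.search(style or "")
    if not m:
        return False
    size, unit = float(m.group(1)), (m.group(2) or "px").lower()
    if unit in ("em", "rem"):
        size *= 16          # assume a 16px base font
    elif unit == "%":
        size = size / 100 * 16
    elif unit == "pt":
        size *= 4 / 3       # 1pt = 4/3 px
    return size <= INVISIBLE_PX


class ZeroFontParser(HTMLParser):
    """Collect text a recipient sees and text hidden by zero-size styling."""

    VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base",
            "col", "embed", "source", "track", "wbr"}
    SKIP = {"style", "script", "head", "title"}   # never rendered as body text

    def __init__(self):
        super().__init__()
        self._stack = []        # (tag, hidden?) for each open element
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        self._stack.append((tag, is_invisible(style)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inline tags.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        if not text or any(t in self.SKIP for t, _ in self._stack):
            return
        hidden = any(h for _, h in self._stack)
        (self.hidden if hidden else self.visible).append(text)


def analyze(html):
    """Return what the reader sees, what only the raw text contains, and a verdict."""
    p = ZeroFontParser()
    p.feed(html)
    p.close()
    return {
        "visible_text": " ".join(p.visible),
        "hidden_text": " ".join(p.hidden),
        "zerofont": bool(p.hidden),
    }


# Constructed sample: a credential phish whose filler words sit in zero-size spans.
SAMPLE_EMAIL = """<html><body>
<p>Your <span style="font-size:0px">quarterly newsletter</span>account
<span style="FONT-SIZE: 0">weather report</span>will be suspended.
<a href="http://example.test/verify">Verify your password</a> now.</p>
</body></html>"""

if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print("reader sees :", result["visible_text"])
    print("hidden text :", result["hidden_text"])
    print("ZeroFont    :", result["zerofont"])
```

Run against the sample, the reader's view is a plain account-suspension lure while the hidden view is benign newsletter filler; a classifier fed the raw text would see the two mixed together. Scoring `visible_text` alone, and treating any non-empty `hidden_text` as a strong signal in its own right, removes the advantage the technique relies on.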
A high-level government report has found that Irish elections are exposed to interference through cyber-attacks and the spread of "fake news". Reported by the Sunday Independent this weekend, the unpublished report found that social media and search engines were most at risk of being used to influence the outcome of the country's elections.
The report was compiled by the Interdepartmental Group on the Security of Ireland's Electoral Process and Disinformation. It consulted a wide range of officials and examined the experience of governments in other countries before drafting the report.
The report found only a low risk of interference in the counting of votes, and a low risk of the process being adversely influenced through broadcast or print media.
"Overall, the assessment finds that risks to the electoral process in Ireland are relatively low, taking into account factors already in place," the report states. "It is recognized, however, that the spread of disinformation and the risk of cyber-attacks on the electoral system pose more substantial risks."
However, a 2018 study conducted by MIT found that fake news reached more people, penetrated deeper into social networks and spread much faster than accurate stories. On average, a false story reached 1500 people six times faster than a true story did.
Speaking to The Atlantic in March 2018, Soroush Vosoughi, a data scientist who led the study, said: "It seems to be pretty clear that false information outperforms true information, and that is not just because of bots. It might have something to do with human nature."
The expert group, which is led by the Department of the Taoiseach, was established following the publication in 2017 of the Online Advertising and Social Media (Transparency) Bill by James Lawless, Fianna Fail TD for Kildare North. The bill would prohibit organizations based in other countries from paying for online political advertising in Ireland, of the kind seen during the 2016 US presidential election.
Under the bill, those found guilty could be fined up to €10,000 or imprisoned for up to five years; it would also make knowingly spreading fake news online a criminal offence.
The United States' director of national intelligence issued a "red alert" warning on a dangerous new level of cyber-warfare during a Washington think tank conference. He also spoke of Russia as one of the "worst offenders" ahead of US President Trump's meeting with Russian President Vladimir Putin in Finland.
Dan Coats addressed the Hudson Institute last Friday, commenting: "Today, the digital infrastructure that serves this country is literally under attack." He compared the "warning signs" to the same ones "ignored" ahead of the September 11 terrorist attacks.
"It was in the months prior to September 2001 when, according to then-CIA Director George Tenet, the system is blinking red. And here we are nearly two decades later, and I'm here to say, the warning lights are blinking red again," Coats said.
His comments were backed up on Saturday by John Podesta, the former chairman of Hillary Clinton's presidential campaign, who told CNN: "As the director of national intelligence said, the red lights are blinking, but I think the White House is essentially asleep at the switch."
As well as China, Iran, and North Korea, Coats talked about Russia as being the "most aggressive foreign actor" and that they "continue their efforts to undermine our democracy." Targets for these attacks include the federal government, the US military, state and local government and U.S. businesses. He also talked about the risks to the 2018 midterm elections, but was quick to point out that it shouldn't be the only focus: "Focusing on the potential impact of these actions, on our midterm election, misses the more important point: these actions are persistent, they're pervasive, and they are meant to undermine America's democracy on a daily basis, regardless of whether it is election time or not.
"What's serious about the Russians is their intent," he continued. "They have capabilities, but it's their intent to undermine our basic values, undermine democracy, create wedges between us and our allies."
The comments came the same day the Justice Department announced the indictment of 12 Russian military intelligence agents, accusing them of trying to hack Democrats' emails and computer networks during the 2016 election.
Back in February, Crowdstrike CTO, Dmitri Alperovitch, told CNBC that the US government was exceptionally vulnerable to cyber-attacks, and despite its "very good" intelligence operations, their "procurement process is so archaic that they are not actually able to buy the technologies they need to protect themselves fast enough."
Senior executives at most US organizations believe their firms' cybersecurity is above average, according to a new survey of 500 senior IT executives. The survey drew on interviews with executives across multiple sectors in the US and 10 other countries.
Results of the survey, conducted by FICO, revealed that 68% of US firms said they are better prepared for data breaches than their competitors, up 8% on last year. Of the executives interviewed from the US, UK, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa, Canadians were the most likely to rate their firm a top performer for cybersecurity.
Within the US, the most confident sectors were power and industry providers, with 86% rating their firms above average or top performers. Respondents from the financial services sector were the least confident, with only 60% rating their firms as above average or top performers. Telecommunications providers fell between the two, with 72% of respondents ranking their firm as having above-average cyber-readiness, yet only 44% of telecommunications providers believe their firm's cybersecurity position will improve in a year's time.
“Firms have a lot to lose when it comes to their privacy and security risk and must have an accurate picture of how protected they really are,” said Doug Clare, vice president for cybersecurity solutions at FICO. “These figures point to the fact that many firms don’t know how they compare against their competitors, which could lead to an under-investment in cybersecurity protection.”
Maxine Holt, research director at Ovum, which FICO commissioned to conduct the survey, said, “IT leaders have greater funding than ever to protect organizations from the continuously evolving threat landscape and meet complex compliance demands.”
“These same IT leaders are undoubtedly keen to believe that the money being spent provides their organization with a better security posture than any other – but the rapid pace of investment, often in point solutions, rarely takes an organization-wide view of security.”
Researchers at Imperva published their discovery of a new comment spam campaign that is leveraging the popularity of the World Cup to trick people into clicking on links that take them to shady betting sites.
The campaign, which mainly targets WordPress sites, is launched by a botnet and implemented in the form of comment spam. Despite its being one of the oldest tricks in the hacker’s book, comment spam is still pretty popular.
The comments appear to be little more than meaningless, generic text generated from a template and posted in the comment sections of blogs and news articles. When researchers sifted through the comments, they discovered a pattern: The linked sites offered betting services on 2018 FIFA World Cup matches.
Using a spray-and-pray technique, the spambot attempts to post a comment to the same URI across many sites, regardless of whether a given site is vulnerable or even has a comments section. Researchers found that the top 10 links advertised by the botnet lead to World Cup betting sites, with eight of those top advertised links pointing to the same betting site.
“In the weeks before the World Cup, the botnet had emphasized other, non-spam attacks, including unsuccessful attempts to invoke remote code execution (RCE) via PHP and to abuse unrestricted file upload to WordPress sites,” the researchers wrote.
Commenting on the discovery, Johnathan Azaria, security researcher at Imperva, said, “Our research once again highlights that attackers follow public trends and essentially go where the money is."
“In this campaign, attackers are taking advantage of the popularity of the World Cup. Anyone who visits the betting sites could easily be duped into handing over sensitive information to attackers,” Azaria said.
Researchers suspect that this is a botnet for hire, orchestrated by the betting sites in an attempt to boost their search rankings. The campaign "reflects how malicious or unsolicited campaigns tend to intensify during events that draw large audiences who keep track of developments online, are enticed to purchase products online from sponsoring organisations or both," said Chris Olson, CEO of The Media Trust.
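The two signals Imperva describes, one client posting to the same comment endpoint across unrelated sites (including sites that reject the request) and template-generated comments whose links cluster on a few destination domains, can both be checked directly in hosting logs and comment queues. The Python below is an added example, not Imperva's code. It assumes a combined access-log format with a leading virtual-host field (adjust the regex to your server), and the log lines and comment bodies are constructed.

```python
"""Spot spray-and-pray comment spam in access logs and comment bodies.

Added example (not Imperva's code). Assumes a combined log format with a
leading virtual-host field; sample lines and comments are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

COMMENT_URI = "/wp-comments-post.php"

# vhost ip ident user [timestamp] "METHOD path proto" status ...
_LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
_URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_spray_posters(lines, min_hosts=3):
    """Clients POSTing to COMMENT_URI on at least min_hosts distinct vhosts.

    A genuine commenter posts where a comment form exists; a bot fires the
    same request at every site it knows, so 4xx answers on the comment
    endpoint ("rejected") are themselves a tell.
    """
    per_ip = defaultdict(lambda: {"hosts": set(), "rejected": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != COMMENT_URI:
            continue
        per_ip[rec["ip"]]["hosts"].add(rec["vhost"])
        if rec["status"] >= 400:
            per_ip[rec["ip"]]["rejected"] += 1
    return {
        ip: {"hosts": sorted(e["hosts"]), "rejected": e["rejected"]}
        for ip, e in per_ip.items()
        if len(e["hosts"]) >= min_hosts
    }


def rank_link_domains(comments):
    """Count destination domains linked from comment bodies, most common first."""
    counts = Counter()
    for body in comments:
        for url in _URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                counts[host.lower()] += 1
    return counts.most_common()


def template_signature(body):
    """Collapse URLs, numbers, whitespace and case so comments from one template compare equal."""
    sig = _URL_RE.sub("<url>", body)
    sig = re.sub(r"\d+", "<n>", sig)
    return re.sub(r"\s+", " ", sig).strip().lower()


def count_templates(comments):
    """Group comments by template signature, most common first."""
    return Counter(template_signature(b) for b in comments).most_common()


# Constructed sample: 203.0.113.7 sprays four sites, two of which have no comment form.
SAMPLE_LOG = """\
blog-a.example 203.0.113.7 - - [12/Jul/2018:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
blog-b.example 203.0.113.7 - - [12/Jul/2018:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
shop-c.example 203.0.113.7 - - [12/Jul/2018:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
news-d.example 203.0.113.7 - - [12/Jul/2018:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
blog-a.example 198.51.100.5 - - [12/Jul/2018:10:01:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
blog-a.example 198.51.100.5 - - [12/Jul/2018:10:01:05 +0000] "GET /2018/07/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

# Constructed comment bodies: three from one template, one genuine.
SAMPLE_COMMENTS = [
    "Great article! Best odds for match 21 at http://bet-site.example/wc2018",
    "Great article! Best odds for match 37 at http://bet-site.example/wc2018",
    "Great article! Best odds for match 5 at http://other-odds.example/go",
    "Thanks for this post, very helpful explanation of the caching layer.",
]

if __name__ == "__main__":
    print(find_spray_posters(SAMPLE_LOG))
    print(rank_link_domains(SAMPLE_COMMENTS))
    print(count_templates(SAMPLE_COMMENTS))
```

On the sample, the bot is the only client that qualifies (four vhosts, two of them answering 4xx), the betting domain tops the link ranking, and the three betting comments collapse to one template signature. In practice the spray check runs across a whole hosting estate rather than one site, because a bot that posts once per site looks harmless in any single site's log.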
Aviation Security Identity Cards (ASICs) are intended to prevent criminals and terrorists from gaining access to restricted areas in airports, as well as to aircraft, but Australia-based Aviation ID, a company that issues ASICs, has been hacked.
The company, which services regional and rural airports throughout Australia, reportedly received emails alerting it to the possibility that ASIC application data had been stolen. As required under Australia's data breach notification rules, which came into effect in February 2018, Aviation ID notified hundreds of people who had applied for or renewed their ID cards that their information might have been compromised.
Reported yesterday by the Australian Broadcasting Corporation (ABC), the hack of the third-party supplier is small in terms of the number of people affected but serious in terms of airport security, as airports are part of Australia's critical infrastructure.
“A localized portion of our website has been intentionally accessed by an unauthorized entity,” Aviation ID managing director Ian Barker told the ABC.
"Unfortunately, we cannot confirm exactly what information has been accessed; however, personal information that may have been breached includes name, street address, birth certificate number, drivers licence number, Medicare card number and ASIC number," said Barker.
Australian Federal Police (AFP) confirmed that it is investigating the hack and declined to comment on any details. Commentators have speculated about the motives of such an attack. “The attackers may have accessed the database for the cards that are created and used to authenticate authorized personnel on the airport grounds,” said Pravin Kothari, founder and CEO of CipherCloud.
“Did the cyber-attackers also steal the graphics files and images necessary to reproduce and clone these ID cards?" Kothari continued. "Beyond the security risks, the data to produce the ID cards seems to have included names of the airport personnel, addresses, birth certificate numbers, driver's license numbers, Medicare card numbers and more. This comprehensive data could enable ID theft and even worse, financial fraud.”
Within two days of news that GandCrab 4.0 ransomware was being distributed via compromised websites disguised as download sites for cracked applications, a newer version (v4.1) was found using the same method, according to Fortinet's FortiGuard Labs.
A distinction not observed in the previous version is that GandCrab now includes an additional network communication tactic, as well as an unusually long hard-coded list of compromised websites to which it connects. “We found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab,” researchers wrote.
One binary reportedly contains almost a thousand unique hosts, purportedly compromised. Upon connecting to a URL, the malware sends encrypted data about its victim, including IP address, user name, computer name, network domain and a list of installed antivirus products.
“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes," said the researchers. "With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor."
Reports this week alleging an "SMB exploit spreader" prompted the researchers, who had not observed any such functionality in their previous analysis, to re-examine the sample, since the rumor implied that this version of GandCrab could self-propagate.
After the global ransomware outbreaks that spread through SMB exploits, that is exactly the capability defenders fear. The researchers' investigation found "a module that is now being called 'network f**ker' is supposed to be responsible for performing the said exploit...we could not find any actual function that resembles the reported exploit capability."
"We have provided this analysis to help prevent the possibility of unnecessary panic in the community," they wrote. "It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative."
E-commerce sites in the US and Western Europe are estimated to lose a whopping $18.6bn this year through fraud, according to a new Forrester report.
The market analyst compiled its figures from LexisNexis estimates that in 2017 the cost of fraud was just over 2% of revenue for e-tailers, and that the regions are expected to generate $859bn in revenues this year.
In response to the growing losses, it claimed that the fraud management solutions market would grow from $5bn last year to reach $10.4bn by 2023; a CAGR of 12.9%.
Although traditional enterprise solutions are expensive — typically ranging from $750,000 to $1.2m, with implementation adding another 40-50% in costs — they can automate and improve the accuracy of risk scoring, reducing false positives, the report claimed.
This can in turn reduce the investment needed in fraud personnel to review transactions.
However, customer friction remains a key differentiator for effective modern fraud prevention platforms, argued Forrester.
The report claimed that technological advances like AI will help to drive improvements in the accuracy and effectiveness of solutions going forward.
“It’s time consuming for fraud and risk management professionals to continually update fraud models, and it’s increasingly difficult to identify fraud across multiple channels including mobile,” it said. “To combat these threats, fraud management solution vendors are incorporating artificial intelligence tools, such as supervised and unsupervised machine learning, into their products.”
It also pointed to blockchain as “the next evolution in fraud management.”
“Blockchain is a distributed and secure database, making it a trusted repository for device ID and known fraudster blacklists. Blockchain already secures payments and can be extended to enterprise fraud management,” the report claimed.
The importance of fraud prevention was highlighted recently by PayPal’s $120m acquisition of Simility, a pioneer in friction-free anti-fraud technology featuring machine learning.
Reports are emerging of a new sextortion campaign in which victims are asked to pay thousands of dollars in Bitcoin to keep quiet a supposed webcam video of them watching porn.
The unsolicited email tries to lend the extortionist credibility by opening with a genuine password linked to the recipient's email address.
It then proceeds as follows:
“Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!)”
The victim is then required to make a massive Bitcoin payment — sometimes as high as $2900 — to stop the blackmailer sharing the ‘video’ with their contacts.
Several recipients of the email contacted KrebsOnSecurity, reporting that the password was correct but nearly a decade old. The credentials were most likely taken from a historic data breach dump of the kind traded on dark web sites, rather than from any malware on the victim's machine.
Back in December 2016 the National Crime Agency (NCA) was forced to launch an awareness-raising campaign around online extortion, claiming thousands may be falling victim to webcam-based attacks every year.
It claimed that at least four suicides in the UK have been linked to sextortion, with the nature of the crime meaning it is likely being vastly under-reported.
The number of global organizations affected by crypto-mining malware more than doubled from the second half of 2017 to the first six months of this year, according to new data from Check Point.
The security vendor claimed in its Cyber Attack Trends: 2018 Mid-Year Report that the figure rose from just under 21% in the second half of last year to 42% in H1 2018, with cyber-criminals making an estimated $2.5bn over the past six months.
Those behind the trend are getting more sophisticated in how they spread crypto-mining malware, according to the report.
Where once the main threat vector was a simple website compromise, today infections could come via Facebook Messenger, YouTube ads or Google Play apps.
“Crypto-miners today target anything that could be perceived as being in their way. As a result, we have witnessed crypto-miners targeting SQL Databases, industrial systems, a Russian nuclear plant, and even cloud infrastructure. Crypto-miners have also highly evolved recently to exploit high-profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates,” the report claimed.
“The mobile arena was not deprived of crypto-mining attacks either. Last April, an Android Cryptominer dubbed HiddenMiner targeted numerous devices, continuously mining Monero until the devices’ resources were drained.”
Perhaps unsurprisingly, the top three most common malware variants spotted in H1 2018 were all crypto-miners.
Check Point also revealed that hackers are increasingly turning their attention to cloud storage and infrastructure, both in crypto-mining attacks and data theft.
Organizations are doing themselves no favors here by using weak passwords for their cloud accounts or even leaving credentials freely available on public source code repositories, the vendor added.
It claimed that 51% of organizations worldwide have experienced cloud-based attacks over the past year.
The report also pointed to an uptick in cross-platform malware, thanks to the rise in the number of consumer-connected devices and the growing market share of non-Windows operating systems.
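Check Point's observation about credentials left in public source repositories is one a pre-commit hook or repository scan can catch before the push. The Python scanner below is an added example, not from the report or from Check Point. It applies a documented key format (the AWS access key ID prefix and length), a PEM private-key header match, and a generic rule for a secret-looking variable name assigned a high-entropy value, with an allowlist so that obvious placeholders such as changeme or <your-key> do not trigger it. The file contents are constructed (the AWS values are Amazon's published documentation examples) and the 3.5 bits-per-character entropy threshold is an assumption to tune.

```python
"""Pre-commit style scan for credentials that would otherwise land in a public repo.

Added example, not from the Check Point report. Rules: the documented AWS
access key ID format, a private-key PEM header, and a generic
"secret-looking name = high-entropy value" match with a placeholder
allowlist. File contents and the entropy threshold are constructed/assumed;
the AWS values are Amazon's published documentation examples.
"""
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 3.5   # assumed: bits/char above which a token looks machine-generated

RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# A name containing password/secret/token/api key, then = or :, then a value of 8+ chars.
_ASSIGN_RE = re.compile(
    r"""[A-Za-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_.-]*"""
    r"""\s*[:=]\s*["']?(?P<value>[^"'\s]{8,})""",
    re.I,
)
PLACEHOLDERS = {"changeme", "password", "secret", "example", "xxxxxxxx", "redacted"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-character strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """Template markers and well-known dummy values are not findings."""
    v = value.strip("\"'")
    return v.lower() in PLACEHOLDERS or v.startswith(("<", "${", "{{", "$"))


def redact(value):
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path, text):
    """Return findings {path, line, rule, sample} for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "sample": redact(m.group(0))})
        m = _ASSIGN_RE.search(line)
        if m and not is_placeholder(m.group("value")):
            val = m.group("value")
            if shannon_entropy(val) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "rule": "high_entropy_assignment", "sample": redact(val)})
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings across the tree, in file order."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository contents; AWS values are Amazon's documentation examples.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "x9Kq2vL7mP4rT8wZ1bN6cF3hJ5dG0sY"\n',
    "deploy/creds.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                         "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "README.md": "Set API_KEY=<your-key> in the environment.\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['rule']}  {f['sample']}")
```

The placeholder in settings.py and the documentation line in the README produce no findings; the real-looking API key, both AWS values and the private key header do. Anything this flags on a pre-push hook should be treated as already exposed once it has been committed, since the secret lives on in history even after the file is fixed, so the remediation is rotation, not just removal.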
Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures.
“Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures,” researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates.
Gaining this type of unauthorized access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. "And while endpoint security achieved some increases in efficacy over the last five years with the evolution of endpoint protection platforms, we only ever treated the symptom, and not the cause, of permissive access," Gumbs said.
“If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network," he continued. "While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Because the value of stolen data will more than make up for the cost of a stolen certificate, malicious actors are inclined to pay for certificates in order to fly under the radar of most protection tools so that they can hide in plain sight as authorized software. “Malware purveyors seem focused on deep technical things until you see their real focus is actually a core business concept: ROI. Criminals are in it for the revenue, and they understand you have to spend money to make money," added Jonathan Sander, chief technology officer at STEALTHbits Technologies.
The underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. “They are foundational components in many applications and DevOps environments. Unfortunately, in many cases code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process,” Bocek said.
"While the data showed the gender pay gap in cybersecurity (-8%) is lower than the national average for all industries, this gap magnified when considering the average salary for a U.S.-based cybersecurity practitioner exceeds $100,000," the study wrote.
Despite the fact that women make up 47% of the workforce and hold more than half of all bachelor’s and advanced degrees, women still earn less than their male counterparts and comprise only 11% of the cybersecurity workforce, according to the 2017 Global Information Security Workforce Study.
Women hold fewer senior positions, as well, despite their higher levels of education. “This statistic has not changed since 2013, suggesting the industry needs to take a new approach to recruiting female cybersecurity practitioners if it intends to fill today’s 300,000 vacant cybersecurity positions,” InfoSec Institute wrote.
The study found that female students who commit to a career in cybersecurity confront challenges in the workplace that make them feel disenfranchised regardless of the certifications they hold. It states, “To analyze how much gender bias impacts women practitioners at a variety of certification levels, we pulled compensation and demographic data for 15 various IT and security certifications.”
Using data from PayScale.com, InfoSec Institute reported that on average women earn $103,052, while men who hold the same certificates earn $111,183. The InfoSec Institute report found that much needs to change in terms of gender pay disparity, but there is also good news.
Women in cybersecurity have the potential to earn far higher salaries than in other roles – doubling and sometimes tripling the national average for women in other industries. And with 300,000 open cybersecurity positions today and another 2 million projected openings by 2019, the industry needs all qualified candidates.
Hacks, breaches and security intrusions are in the headlines on a day-to-day basis, but these hacks aren’t all created equal. According to new analysis from HackerOne, the kind of intrusion differs by industry and breach type.
The Hacker-Powered Security Report 2018 compiled comprehensive analysis on the hacker-powered security environment, including a deep dive into different types of hacks across a wide variety of industries. The report also looked at the prevalence of each attack and found that cross-site scripting (XSS) vulnerabilities were the most common across every industry.
The report data was derived from the hacker community and from HackerOne’s platform data from May 2017 to April 2018. The company analyzed 78,275 of the security vulnerability reports it received in 2017. It’s worth noting that ethical hackers reported those vulnerabilities to over 1,000 organizations through HackerOne.
The total number of critical vulnerabilities reported increased by 26% over 2017. There were 38 times more insecure storage vulnerabilities reported in 2017 than in 2016. Many of these insecure storage vulnerabilities resulted in major breaches.
For healthcare and technology industries, of the top 15 vulnerability types reported, nearly 8,000 were related to information disclosure. The results of the analysis suggested that organizations are “vastly underprepared for effective discovery, communication, remediation and disclosure of vulnerabilities as 93% of the Forbes Global 2000 list do not have a policy to receive, respond and resolve critical bug reports submitted by the outside world. It means we are less safe as a society.”
In contrast, the analysis suggests that hackers and enterprises have much reason to be optimistic. The potential to earn a living as a hacker has grown substantially, with hackers in over 100 countries taking home $31m. Top earners brought home 2.7 times the median salary of a software engineer in their home country, with some reportedly earning up to 16 times more.
Other key findings that bode well for hackers are that governments are paving the way for widespread adoption of bug bounty programs and many enterprises are adopting vulnerability disclosure policies (VDPs).
“Latin America had the largest uptake of VDPs and bug bounty programs, with an increase of 143% year over year. North America and the Asia Pacific region each increased 37%, and Europe, the Middle East, and Africa saw a combined 26% increase in the past year,” the report wrote.
Unknown and unsecure domains continue to be a problem for businesses.
According to RiskIQ’s The Anatomy of an Attack Surface: Five Ways Hackers are Cashing In report, the five ways were determined to be:
- Modern websites are assembled from plug-ins and third-party applications, many of which can be affected by common vulnerabilities and exposures (CVEs)
- Shadow IT and M&A activity creates a monolith of unmanaged pages, domains and servers
- Phishing domains pretending to be recognized websites
- Mobile app stores continue to offer blacklisted apps
- Cryptomining software is prevalent on websites
RiskIQ mapped the global internet attack surface over a two-week period and found that 3,495,267 new domains were created (249,662 per day) and 77,252,098 new hosts, and these included 1,713,556 WordPress plug-ins and 1,814,997 CMS instances overall. Of the Alexa top 10,000 domains, 3390 were running one potentially vulnerable web component; 1,036,657 potentially vulnerable web components were found overall.
Fabian Libeau, VP of EMEA at RiskIQ, said that most attacks are still about making money. “People underestimate the complexity of the business,” he told Infosecurity. “A lot of focus was put on policy audits, like data center access controls, and financial services generally understood it but they do e-commerce with their customers and a lot of the issues are not about being focused.”
The second finding determined that organizations lack a complete view of their internet assets, with RiskIQ claiming that new customers typically find 30% more assets than they thought they had. Its research on the FTSE30 found each has: 9896 dormant websites, four websites with expired certificates, 616 websites collecting PII and 120 websites with a potential critical score CVE.
Libeau added that 50 websites studied were running the Private Web Server function of Windows 2000. He said: “Maybe they don’t think they are doing anything wrong if no-one knows about it?”
In Q1 of 2018, RiskIQ found 26,671 phishing domains impersonating 299 unique brands. Regarding cryptomining, an average of 495 new hosts were running miners each week in Q1, while 11 instances of cryptomining were found on FTSE30 websites.
“Some of the cryptomining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them,” the report said.
RiskIQ said that a takedown of a rogue domain can often be done in minutes, but often the attacker reappears with new domains after they have found new IP addresses.
Jay Huff, EMEA marketing director at RiskIQ, told Infosecurity that one of the problems is that “lots of companies don’t have external threat recognition, they have endpoint and network security but are lacking in an external firewall.”
Sensitive military documents detailing restricted information on tanks and drones have been discovered for sale on the dark web, after they were stolen by exploiting known vulnerabilities.
In June, Recorded Future made contact with an individual attempting to sell a cache of information including maintenance books and lists of airmen assigned to the MQ-9 Reaper drone.
The materials are not technically classified but could be of interest to a foreign power, the firm said.
More worrying was how the hacker managed to access the information.
“Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines,” the firm revealed.
The flaw in question was first revealed in Netgear routers in 2016 and can be locked down by changing the default FTP authentication credentials. However, Recorded Future claimed to have identified over 4000 routers still exposed to this kind of attack.
“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents,” it added. “The captain whose computer was compromised recently completed the Cyber Awareness Challenge and should have been aware of the required actions to prevent unauthorized access. In this case, setting the FTP password.”
Recorded Future then observed the same cyber-criminal attempting to sell information which appeared to have been stolen from the US military or a Pentagon official.
This included “a dozen various training manuals describing improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics.”
The incident should serve as something of a wake-up call to the US military in that it highlights what a “single hacker with moderate technical skills” was able to achieve in just a week.
Breached online firm Timehop has revealed more details about a security incident which affected 21 million people, which will be an interesting test case for GDPR regulators.
The firm originally said it discovered a network intrusion on July 4 resulting in the compromise of names, email addresses and phone numbers.
However, in an update on Wednesday it claimed the breached data also included dates of birth, gender of customers and country codes.
It provided a handy breakdown of which breached records were in scope for the GDPR: including 2.9 million name and email address combinations and 2.2 million name, email address and DOB records.
The firm admitted “messing up” with its incident response.
“In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything,” it said.
“With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed.”
It will be interesting to see whether Timehop’s efforts at transparency appease regulators, given that it was incapable of spotting the initial unauthorized use of one of its admin’s credentials to log in to a third-party cloud platform on December 19 2017.
After creating a new admin account, the hacker logged in on three separate occasions looking for PII, according to Timehop. By the time of a fourth log-in at the end of June, PII had unwittingly been moved into the cloud environment. The attacker then waited until the July 4 holiday before logging in again and stealing the database.
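The timeline above (an admin credential used from an unfamiliar source, a new admin account created, repeated logins, then a bulk export months later) is the kind of sequence a cloud audit-log detection should tie together. The following is an added example written for this article, not Timehop's tooling or its cloud provider's log format: the JSON field names, account names, IP addresses and the bulk-export threshold are all constructed for illustration.

```python
"""Link admin-account creation to later activity by that account (constructed example)."""
import json

# Export size above which a dump is treated as bulk (assumed threshold, tune per dataset).
BULK_ROWS = 1_000_000

# Constructed audit log, one JSON event per line. Field names and values are
# assumptions for this example, not those of any real cloud platform.
SAMPLE_LOG = """\
{"ts": "2017-12-19T02:14:00Z", "actor": "ops-admin", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2017-12-19T02:17:30Z", "actor": "ops-admin", "src_ip": "203.0.113.9", "action": "create_user", "target": "svc-backup2", "role": "admin"}
{"ts": "2017-12-22T03:02:11Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2018-03-10T01:45:00Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2018-04-02T02:20:00Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2018-06-29T01:10:00Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2018-07-04T16:03:00Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "login"}
{"ts": "2018-07-04T16:05:00Z", "actor": "svc-backup2", "src_ip": "203.0.113.9", "action": "export_table", "target": "users", "rows": 21000000}
{"ts": "2018-07-05T09:00:00Z", "actor": "alice", "src_ip": "198.51.100.4", "action": "login"}
"""

# Source IPs each admin normally logs in from (constructed baseline; in practice
# derived from historical logs or an office/VPN allow-list).
KNOWN_SOURCES = {"ops-admin": {"198.51.100.4"}, "alice": {"198.51.100.4"}}


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_sources, bulk_rows=BULK_ROWS):
    """Run three rules over the events in time order and return a list of findings."""
    created = {}   # admin accounts created inside the log window -> the creating event
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 UTC strings sort correctly
        actor, action = ev["actor"], ev["action"]

        # R1: a known admin logging in from a source it has never used before.
        if action == "login" and actor in known_sources and ev["src_ip"] not in known_sources[actor]:
            findings.append({"rule": "login_unknown_source", "ts": ev["ts"], "actor": actor,
                             "severity": "medium",
                             "detail": f"src_ip {ev['src_ip']} not in baseline"})

        # R2: creation of a new privileged account always deserves a human look.
        if action == "create_user" and ev.get("role") == "admin":
            created[ev["target"]] = ev
            findings.append({"rule": "privileged_account_created", "ts": ev["ts"], "actor": actor,
                             "severity": "medium",
                             "detail": f"created admin account {ev['target']}"})

        # R3: everything the new account does later is tied back to its creation,
        # and a bulk export by such an account is escalated to high severity.
        if actor in created and action in ("login", "export_table"):
            bulk = action == "export_table" and ev.get("rows", 0) >= bulk_rows
            origin = created[actor]
            detail = f"{action} by account created by {origin['actor']} at {origin['ts']}"
            if bulk:
                detail += f"; bulk export of {ev['rows']} rows from {ev['target']}"
            findings.append({"rule": "activity_by_created_admin", "ts": ev["ts"], "actor": actor,
                             "severity": "high" if bulk else "medium", "detail": detail})
    return findings


def run_sample():
    """Apply the rules to the constructed log with the constructed baseline."""
    return detect(parse_events(SAMPLE_LOG), KNOWN_SOURCES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']}  {f['severity']:6}  {f['rule']:28}  {f['actor']:12}  {f['detail']}")
```

On the constructed log the first rule fires once, on the December 19 login from an unrecognised address; the second fires on the admin-account creation minutes later; the third produces six findings, the last of them a high-severity bulk export tied back to the account's creator. The design point is that R3 keeps state across months, so the July export is reported in the context of the December intrusion rather than as an isolated event.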
The ICO has said in the past that “those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”