Cyber Risk News

Vote Leave Analytics Firm Hit with GDPR Notice

Info Security - Fri, 09/21/2018 - 09:21

A controversial Canadian data analytics firm that helped Vote Leave target voters during the EU referendum could be facing the first ever GDPR fine to be issued by the UK data protection regulator.

Aggregate IQ (AIQ) processed voters’ personal data including names and email addresses for Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaigns, according to the Information Commissioner’s Office (ICO).

An enforcement notice claimed that the firm had failed to comply with articles 5 and 6 of the GDPR.

“This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing,” it explained.

“Furthermore the processing was incompatible with the purposes for which the data was originally collected. AIQ has also failed to comply with Article 14 of the GDPR in that it has not, to the commissioner’s knowledge, provided data subjects with the information set out in Articles 14 (1) and (2) and none of the exceptions set out in Article 14(5) apply.”

The ICO added that damage or distress could be caused for individuals because they have been “denied the opportunity of properly understanding what personal data may be processed about them,” and have not been able to exercise their rights under the GDPR.

Although the data was collected before the GDPR came into force, it was apparently retained and processed after that date.

Although the notice is more of a data protection technicality than a finding of serious harm, it will be seized on by anti-Brexit campaigners as yet another example of what they see as an illegal leave campaign fought on lies and half-truths.

Vote Leave has already been fined and referred to the police by the Electoral Commission after it was found to have exceeded spending limits by gaining extra funding via BeLeave.

There are also links between AIQ and the infamous Cambridge Analytica, the firm which helped Donald Trump to the White House on the back of Facebook user data which was acquired by breaking developer rules at the social network. AIQ and Cambridge Analytica have both been suspended by Facebook as a result.

AIQ is reportedly appealing the ICO notice. Infosecurity has reached out to the ICO for more information.

Categories: Cyber Risk News

Over 90% of US Retailers Fail PCI DSS

Info Security - Fri, 09/21/2018 - 08:48

Security in the retail industry has significantly worsened over the past year, to the point that over 90% of domains analyzed recently were found to be non-compliant with PCI DSS.

SecurityScorecard analyzed 1444 domains in the US retail industry from October 2017 to March 2018, discovering that although cyber-criminals had become increasingly sophisticated, IT security departments had largely failed to keep pace.

Application security was a particular challenge, with retail second only to the entertainment sector in its poor performance.

When it came to social engineering, often the first stage of an attack or data breach in the form of phishing emails, the sector performed worst out of the 18 appraised.

In 91% of retail domains analyzed, the business failed four or more requirements of the key PCI DSS standard, with requirement six — dealing with maintaining secure systems and applications — particularly troublesome for 98%.

This includes requirement 6.2, which mandates organizations keep up-to-date with security patches: applying critical ones within one month and others within three. Some 91% failed this requirement.

“A reason many retailers lack compliance with Requirement 6.2 is that the increased number of vendors makes mapping updates more time-consuming,” the report claimed. “A retailer that uses different vendors for cloud storage, operating systems, data backup, mPOS, and POS may have a hard time following every update for each of these. In addition, some updates may be critical security updates while others focus on better usability.”

As part of the PCI DSS requirement, organizations must also understand data flows and the systems, servers, and networks that need to be protected: another area of weakness for retailers, according to the report.

“As part of the process, organizations need to build firewall and router rules that restrict inbound and outbound traffic,” it explained. “These restrictions need to specify all ‘untrusted’ networks and hosts, especially wireless ones. As part of this restriction, no public access can occur between the internet and system components in the Cardholder Data Environment (CDE).”

The challenge is ensuring retailers move from “point-in-time” compliance to continuous efforts, SecurityScorecard argued.


EU: Luxembourg McDonald's tax ruling was not illegal state aid - Fri, 09/21/2018 - 08:40
Tax rulings granted by Luxembourg in favour of McDonald's were not illegal state aid, the European Commission has concluded following an investigation.

UK panel on competition in digital markets begins work - Thu, 09/20/2018 - 11:39
A panel of academics, led by a former economic advisor to the US government, has been given a few months to come up with recommendations on how the UK's competition regime could be updated to better account for developments in digital markets.

Magecart Skimmed Newegg Cards for a Month

Info Security - Thu, 09/20/2018 - 10:45

The infamous Magecart code has struck again, with an attack group this time using it to skim card details from customers of online retailer Newegg for a full month, according to researchers.

The US-based, tech-focused e-tailer has yet to release a statement on the news, but RiskIQ, which has been following Magecart closely over the past couple of years, posted an analysis of the attack yesterday.

Threat researcher Yonathan Klijnsma explained that, just like in the recently disclosed BA breach, the attackers made a concerted effort to blend in to the background to avoid detection.

They did this by first registering a domain similar to the primary domain, certifying it with a Comodo certificate for authenticity. The linked IP address hosted a back-end server where skimmed card info was apparently stored.

The attackers then struck on around August 14, inserting the Magecart code on the retailer’s payment processing page, where it remained hidden for a month.

“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways,” explained Klijnsma.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”

The code worked on both mobile and desktop versions of the site, and with estimated visitors to Newegg regularly numbering over 50 million per month, this could point to another significant breach of card data, according to RiskIQ.

“The attack on Newegg shows that while third parties have been a problem for websites — as in the case of the Ticketmaster breach — self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer,” concluded Klijnsma.

“We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14 and September 18.”

Newegg claims it is still determining which customer accounts have been affected.

Craig Young, security researcher at Tripwire, argued that organizations should be monitoring certificate transparency logs more closely to spot the early warning signs of an attack.

“In this case, the attack campaign started with the attackers setting up an HTTPS server at,” he explained. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”
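The kind of monitoring Young describes, as an added example that is not code from the article, RiskIQ or Tripwire: a small Python checker that flags look-alike names in Certificate Transparency records, lists external script hosts on a checkout page that fall outside an allowlist, and correlates the two. The retailer domain `example-shop.com`, the CT records and the page HTML are all constructed for illustration; the article does not name the attacker's domain, and nothing here is it.

```python
"""Defender-side checks for the scenario in the article: a look-alike domain
certified via a public CA, then referenced from a checkout page.

Constructed example: WATCHED_DOMAIN, the CT records and the HTML are made up.
"""
import json
import re
from urllib.parse import urlparse

WATCHED_DOMAIN = "example-shop.com"            # constructed brand domain
BRAND_TOKENS = ("example-shop", "exampleshop")  # spellings attackers might reuse

# Constructed CT records in the flattened per-certificate shape a crt.sh-style
# JSON export uses; name_value carries one SAN per line.
CT_ENTRIES_JSON = """[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "www.example-shop.com\\nexample-shop.com", "not_before": "2018-07-01T00:00:00"},
 {"id": 2, "issuer_name": "C=GB, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
  "name_value": "exampleshop-stats.com", "not_before": "2018-08-13T09:12:00"},
 {"id": 3, "issuer_name": "C=US, O=DigiCert Inc",
  "name_value": "cdn.totally-unrelated.net", "not_before": "2018-08-13T10:00:00"},
 {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "examp1e-shop.com", "not_before": "2018-08-14T01:00:00"}
]"""

# Constructed checkout page: the second <script> pulls from an unknown host.
CHECKOUT_HTML = """<html><body>
<form id="checkout">...</form>
<script src="https://static.example-shop.com/js/checkout.js"></script>
<script src="https://exampleshop-stats.com/s.js"></script>
<script>document.getElementById('checkout').onsubmit = validate;</script>
</body></html>"""

ALLOWED_SCRIPT_HOSTS = {"static.example-shop.com", "www.example-shop.com"}


def registrable_domain(name):
    """Crude eTLD+1 (last two labels). Fine for .com/.net names in this
    example; a real monitor would consult the public suffix list."""
    labels = name.lower().strip().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; a small distance catches typo-squats like examp1e-shop."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name, watched=WATCHED_DOMAIN, tokens=BRAND_TOKENS):
    """A certificate name is a look-alike when it is not ours but either
    embeds a brand token or sits within edit distance 2 of our domain."""
    reg = registrable_domain(name)
    if reg == watched:
        return False  # our own certificate, expected
    base = reg.rsplit(".", 1)[0]
    if any(tok in base for tok in tokens):
        return True
    return levenshtein(reg, watched) <= 2


def scan_ct_entries(entries_json):
    """Return [(id, issuer, flagged_name)] for every SAN that resembles us."""
    hits = []
    for entry in json.loads(entries_json):
        for name in entry["name_value"].split("\n"):
            if is_lookalike(name):
                hits.append((entry["id"], entry["issuer_name"], name))
    return hits


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts of external <script src=...> tags that are not on the allowlist."""
    hosts = set()
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I):
        host = urlparse(src).hostname
        if host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)


def correlate(ct_hits, script_hosts):
    """Script hosts whose registrable domain was also flagged in CT: the
    strongest signal here, and what a team would investigate first."""
    flagged = {registrable_domain(n) for _, _, n in ct_hits}
    return sorted(h for h in script_hosts if registrable_domain(h) in flagged)


if __name__ == "__main__":
    hits = scan_ct_entries(CT_ENTRIES_JSON)
    for cert_id, issuer, name in hits:
        print(f"CT look-alike: id={cert_id} name={name} issuer={issuer}")
    strays = unexpected_script_hosts(CHECKOUT_HTML)
    print("non-allowlisted script hosts:", strays)
    print("flagged in both CT and checkout page:", correlate(hits, strays))
```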


Newegg later posted a tweet to its timeline, saying it had learned that one of its servers had been “injected with malware which was identified and removed from our site. We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted.”


US antitrust law dubbed wrong tool for FRAND breaches - Thu, 09/20/2018 - 09:46
Holders of standard-essential patents (SEPs) should not automatically be considered to be in breach of US competition laws if they fail to licence their patents to others on fair, reasonable and non-discriminatory (FRAND) terms, a senior US official at the Department of Justice (DoJ) has said.

Mirai Masterminds Escape Jail Time

Info Security - Thu, 09/20/2018 - 09:33

Three men responsible for creating and operating the infamous Mirai botnet have escaped jail time after agreeing to provide “substantial assistance” to the FBI in ongoing cases.

Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were charged with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Norman also pleaded guilty to charges related to operating a click fraud botnet.

However, the three will not serve time behind bars. Instead, they have each been sentenced to five years of probation, 2,500 hours of community service, and restitution of $127,000 as well as giving up “significant amounts” of cryptocurrency seized by the Feds during their investigation.

Their involvement in Mirai is said to have ended in autumn 2016, when Jha posted the source code on a criminal forum.

It was used to launch some of the biggest DDoS attacks ever seen, against the website Krebs on Security and DNS provider Dyn, the latter taking down some of the biggest names on the web including Twitter, Spotify and Reddit.

The trio’s work did not end with Mirai, however: from December 2016 until February 2017 they apparently built a click fraud botnet comprising 100,000 mainly US-based devices including home routers.

The three have already co-operated extensively with the FBI, providing help which “substantially contributed” to complex investigations and broader defensive efforts by law enforcers and researchers, according to the DoJ.

But as part of their plea agreement they must continue to “cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”

Jake Moore, security specialist at ESET, argued that injecting hacker knowledge into the government may not be a bad thing, and could even save law enforcement money in the long-run.

“Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations, not to mention it is a far more inviting and romanticized option than jail time for the criminals,” he added.


ICO Fines Equifax £500K After 2017 Breach

Info Security - Thu, 09/20/2018 - 08:34

The Information Commissioner’s Office (ICO) has issued the maximum fine possible to Equifax in response to failings which led to a major 2017 breach.

The £500,000 penalty is only the second time the UK privacy watchdog has used the full extent of its powers and comes after a major incident at the credit agency exposed data on 15 million UK customers.

The breach itself affected nearly 146m customers around the world, mainly in the US, and involved highly sensitive data including Social Security numbers, driver’s license numbers, tax IDs and much more.

Equifax was widely criticized at the time for failing to patch a known Apache Struts vulnerability for several months. It was this flaw that hackers ultimately exploited to attack the firm.

The ICO’s investigation, carried out with the Financial Conduct Authority, found that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. These included: failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

Data management systems were “inadequate and ineffective” and there were issues with data retention, IT system patching, and audit procedures, the ICO claimed.

Information Commissioner Elizabeth Denham said the incident would have caused many UK consumers particular distress because they would not have been aware that the firm even held their personal data.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

The fine would almost certainly have been many times greater had Equifax been investigated under the new GDPR regime.


AsTech Consulting Combines with Moss Adams

Info Security - Thu, 09/20/2018 - 08:00

With the need for application security continuing to grow alongside the rise of cloud technology, Moss Adams, an accounting, consulting and wealth management firm, announced today that it has combined with cyber-risk management firm AsTech Consulting to augment its application security capabilities.

Moss Adams will essentially acquire AsTech Consulting as of November 1, 2018, though the terms of what the company prefers to call a "combination" are not yet being disclosed. The deal, however, will give AsTech Consulting access to the existing Moss Adams infrastructure, resources and client relationships.

In an interview with Infosecurity Magazine, Eric Miles, partner in charge of the Moss Adams Advisory Services Practice, said, “When we add services or capabilities, it’s because our customers ask about them, and the need for application security is starting to skyrocket. Whether it’s with our technology clients or those who are not using self-developed software, they are beginning to recognize that their risks don’t sit within the perimeter any longer but within the app itself.”

AsTech Consulting has been in the application security business for 21 years, which is part of what made them such an appealing partner for Moss Adams. “We have a great reputation, but we are small,” said Greg Reber, CEO and founder of AsTech Consulting.

“For us, we wanted to expand our reputation to be able to reach a bigger audience and help more companies be secure. It was both the culture and the reputation of Moss Adams that made the company the best fit for us.”

Sixteen members of the AsTech Consulting team will join Moss Adams, including Reber, who will become a partner.

In preparing for the combining of the companies, AsTech Consulting has worked with the existing cybersecurity team at Moss Adams. “There is some overlap, but working together helped us understand each other. We found we have a common language through working on projects together,” Reber said.

“We are reaching an inflection point in public awareness in the need for this kind of security. Many mid-market companies are becoming more aware of the need for both perimeter and application security – or source code security, especially if they are developing their own apps, and we understand the source code issues.”


Account Takeover Attacks Result in Phishing Scams

Info Security - Thu, 09/20/2018 - 05:00

Attackers are successfully stealing the credentials of employees and using them in account takeover (ATO) incidents more frequently, which makes business email compromise (BEC) one of the most prevalent types of cyber fraud, according to Barracuda Networks.

The latest Threat Spotlight looked at the motives behind ATOs and found that while hackers have myriad objectives, many commonly use ATOs to launch phishing campaigns.

“Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks,” researchers wrote.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee's email address.”

From April to June 2018, 60 incidents occurred among the 50 randomly selected organizations. Of the 50 organizations, four to eight reported having at least one account takeover incident. In the companies that were compromised, the hijacked accounts were then used for nefarious purposes.

A large majority (78%) of the total incidents resulted in a phishing email where the attacker usually impersonated the employee and requested that the recipients click on malicious links or open infected attachments.

Analysis of the incidents revealed that 17% were platforms for spam campaigns that appeared to come from reputable domains, while 5% of incidents involved internal email traffic in which the attacker asked the recipient to download an attachment.

Over the course of the three-month study, 50 different email accounts were compromised. Through examining the roles of the compromised employees, some of whom were compromised multiple times, researchers found that the total number of compromised employees was 60, with 6% of those identified as executives and 22% reportedly in sensitive departments.

Barracuda recommends that any request involving money made via email, particularly something like a wire transfer request coming from the CEO, not be honored without first having an in-person conversation or, at the very least, a phone call where the sender's identity has been verified. 


Malicious Login Attempts Spike in Finance, Retail

Info Security - Thu, 09/20/2018 - 05:00

The new 2018 State of the Internet/Security Credential Stuffing Attacks report is out, and according to the report publisher, Akamai, worldwide malicious login attempts are on the rise.

Analyzing data gathered from its Intelligent Platform and attack data from across the company's global infrastructure, researchers found approximately 3.2 billion malicious logins per month from January through April 2018. In addition, 2018 has seen 1.4 million compromised usernames and passwords.

Botnets caused a monthly average increase of 30% between May and June 2018. During those two months, researchers detected over 8.3 billion malicious login attempts from bots.

The report clarifies that not all bots are bad, but credential-stuffing botnets are particularly malicious as the goals of credential-stuffing bots are to assume identity, collect information and steal money or goods.

Reviewing an eight-month period, from November 2017 through June 2018, researchers discovered more than 30 billion malicious login attempts. Credential stuffing, in which botnets try stolen login credentials against sites across the web, is what produces these malicious login attempts. Given the likelihood that users repeat passwords across multiple sites, financially motivated hackers are known to target login pages for banks and retailers, which is why the report focused on the financial and retail sectors.

In examining one attack in which three botnets simultaneously targeted a credit union, researchers found that one of the botnets was not triggering a spike in malicious login attempts. The stealthiest of the three turned out to be the most concerning.

“Our research shows that the people carrying out credential-stuffing attacks are continuously evolving their arsenal. They vary their methodologies from noisier, volume-based attacks through stealth-like ‘low and slow’ style attacks,” said Martin McKeay, senior security advocate at Akamai and lead author of the State of the Internet/Security report, in a press release.

“It’s especially alarming when we see multiple attacks simultaneously affecting a single target. Without specific expertise and tools needed to defend against these blended, multi-headed campaigns, organizations can easily miss some of the most dangerous credential attacks.”


Tech Giants Charged with Tracking Children

Info Security - Wed, 09/19/2018 - 15:51

New Mexico’s attorney general, Hector Balderas, announced a lawsuit, filed against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InMobi PTE, AppLovin and IronSource, on allegations that nearly 100 gaming apps targeting children contain illegal tracking software.

The apps, designed by Tiny Lab Productions, are marketed in the Google Play Store and are reported to collect personal data from children under 13 without first acquiring parental consent. Collecting the data gives not only the defendants but also whoever they sell the data to the ability to track and profile children, who can then be targeted for marketing purposes.

“These apps can track where children live, play, and go to school with incredible precision,” said Balderas. “These multi-million-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”

In total, 91 gaming apps are developed by Tiny Lab. Of all the apps, only five have not been a part of Google’s Designed for Families (DFF) program. Some of the apps include Angry Bunny Race: Jungle Road, Arctic Roads: Car Racing Game, DexLand, Dragon Fight: Boss Shooting Game, Dragon Panda Racing, Fun Kid Racing, Magic Elf Fantasy Forest Run and Pet Friends Park Racing.

As children gain more access to the internet both at home and in school, the games they download can pose unique risks to them, which has long been a concern for Balderas.

“Parents should be aware of these risks and should know how to protect their children before purchasing an internet connected device for their children. Parents should be extremely selective of the apps they choose for their children,” Balderas’s office wrote in a press release.

In addition to listing all 91 apps, the AG’s office included six pages with instructions on how to limit ad tracking across multiple devices.


SMBs Fear Phishing, Fall Short on Cyber Training

Info Security - Wed, 09/19/2018 - 15:21

In surveying 500 small to medium-sized businesses (SMBs) across the US, Webroot discovered that many businesses fail to recognize the many cybersecurity threats their businesses face, in large part because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked the number-one threat to SMBs.

The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.

Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations being the least likely to state their greatest risk. Of those companies classified as medium-sized (20-99 employees), 28% fear human error as their greatest threat. However, SMBs do realize that implementing awareness training programs would potentially help mitigate risks from cyber threats.

“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.

“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”

Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.

As businesses grow in size, the numbers tend to get a little better, with only 29% of medium-sized companies and 13% of large companies (those with 100 to 500 employees) failing to provide cybersecurity training in the workplace.

“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.

“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”


No-deal Brexit: new e-notification service will replace OJEU - Wed, 09/19/2018 - 13:19
The UK will set up its own electronic tender notification platform to replace the Tenders Electronic Daily (TED) section of the EU Official Journal (OJEU) if it leaves the EU without a formal Brexit deal in place, it has confirmed.

IoT Malware Detections Soar 273% Since 2017

Info Security - Wed, 09/19/2018 - 10:20

New IoT malware detections have soared over 200% since 2017 to reach over 120,000, according to new stats from Kaspersky Lab.

The Russian AV vendor claimed to have spotted 121,588 modifications of malware targeted at smart devices in the first half of 2018, a 273% increase on the 32,614 detected for the whole of last year.

The most common way of spreading the malware was password brute-forcing, used in 93% of detected attacks. Most of the remaining cases used well-known exploits to access the devices, according to the vendor.

The most commonly compromised devices were routers, accounting for 60% of the total, followed by a long tail of other connected devices including DVRs, printers and even smart washing machines.

IoT endpoints represent an attractive target for hackers as they’re always on, connected to the internet and often not secured adequately with strong passwords and updated firmware.

The threat is such that the FBI was forced to issue a public service announcement recently warning home users of the dangers of unsecured devices: most notably that they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more.

“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that they won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought,” argued Kaspersky Lab principal security researcher, David Emm.

“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customized and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones.”

Earlier this year the British Standards Institution launched a kitemark scheme designed to improve baseline security in the IoT space by making it easier for buyers to spot reliable kit.


Europol: Ransomware Will be Top Threat for Years

Info Security - Wed, 09/19/2018 - 09:20

Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and crypto-jacking are emerging as serious challenges, according to Europol.

The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivated threat out there, ahead of banking Trojans — and will be so for several years.

DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”

On the wane as a means of infection are exploit kits, with “spam, social engineering and newer methods such as RDP brute-forcing coming to the fore.”

Europol also highlighted the emerging threat of crypto-jacking as one to watch, as it offers cyber-criminals a “regular, low risk revenue stream.” Mobile malware was also flagged.

“Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat for private and public entities alike,” said the report.

As for the underground economy fueling these threats, Europol claimed success in shutting down three major marketplaces in 2017 and said that nine others closed or “exit scammed." However, new sites have unsurprisingly emerged to take their place.

“The almost inevitable closure of large, global darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities,” the report explained.

Javvad Malik, security advocate at AlienVault, said the report is a good validation of many of the trends security experts in the vendor and research community are seeing.

“Collaboration appears to be one of the biggest and most prominent takeaways. Being able to establish trustworthy channels to collaborate and share information and intelligence is vital,” he continued.

“Notable by its omission, there is no mention of the role of bots by organized crime and state to push agendas and misinformation, even though there are increasing industry studies that point to these as being tools in the arsenal of attackers.”


State Department Email Breach Hit Hundreds of Staff

Info Security - Wed, 09/19/2018 - 08:44

The US State Department has confirmed an email security breach which may have affected hundreds of employees, exposing their personal information to attackers.

Reports emerged on Monday that the incident earlier this year affected “less than 1% of employee inboxes.”

“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” the department reportedly noted. “We have notified those employees.”

According to State Department figures, it employs nearly 70,000 staff, meaning in the region of 700 could be affected by the breach.

It’s not known how the attack occurred, although it affected the department’s cloud-hosted email service and not a nominally more secure classified system.

Government auditors have criticized the department in the past for failing to meet cybersecurity best practice standards.

As a result, several senators wrote to secretary of state Mike Pompeo last week demanding an update on its efforts to comply.

“According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law — the Federal Cybersecurity Enhancement Act — requiring all executive branch agencies to enable MFA for all accounts with ‘elevated privileges’,” they noted.

“Similarly, the Department of State’s Inspector General (IG) found last year that 33% of Diplomatic Missions failed to conduct even the most basic cyber threat management best practices, like regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of department personnel as well as department applications and operating systems’.”

Gary McGraw, vice president of security technology at Synopsys, argued that the department is not alone in lagging on cybersecurity.

“If the State Department has trouble rolling out two-factor authentication to protect the majority of its users, something that many corporations have had in place for years, how can we expect other aspects of its operations to be secure? This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.

Sam Curry, chief security officer at Cybereason, claimed that the US government procurement process is holding it back.

“It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do,” he argued. “Fundamentally this is likely a hack that led to a breach and not some type of insider issue.”


In the Battle Against IoT Threats, AI Is a Key Weapon

Info Security - Wed, 09/19/2018 - 01:49

The concept of defending a perimeter to thwart cyber-attacks has been fading for some time. Since the advent of the internet of things (IoT), connected devices have created gaps in security by opening up new attack vectors. According to a new study, How AI and Automation Can Close the IT Security Gap in the Era of IoT, IT security teams are increasingly relying on artificial intelligence to close IoT-era cybersecurity gaps.

The global research study, conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company, surveyed 4,000 security and IT professionals across the globe and found that when security systems incorporate machine learning and other AI technologies, they are better able to detect and stop IoT-targeted attacks.

According to the study, more than three-quarters of respondents believe their IoT devices are not secure. More than half (60%) said that IoT devices – even seemingly superfluous ones – pose a threat, yet two-thirds of respondents lack the ability to protect their devices.

“AI comes in because changes are not something that standard security techniques are well versed in. It’s hard to create visibility, but enabling technology like AI or ML [machine learning] is going to be so important for organizations attempting to achieve a strong security posture,” said Larry Lunetta, vice president of security solutions marketing, at Aruba.

The majority (68%) of respondents said AI-based products help reduce false alerts, while 63% said the technologies increase the overall effectiveness of the security team. For 60% of survey participants, AI-based technologies augment their investigation efficiencies, and 56% reported that implementing machine learning tools has afforded faster discovery of and response to attacks in which malicious actors have evaded perimeter defense systems.

Of the respondents, 25% are currently using some form of AI-based security solution, and an additional 26% have plans to deploy the tools within a year.

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks, with 45% believing they are not realizing the full value of their defense arsenal,” said Larry Ponemon, Ponemon Institute founder and primary researcher, in a press release.

“It’s become a perfect storm, with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, compounded by a lack of security staff with the necessary expertise to battle today’s attackers who are persistent, sophisticated, well trained and financed. Against this backdrop, AI-based security tools were viewed as a key weapon to help businesses keep up with increasing threat levels.”


Injunction to Secure Georgia Elections Denied

Info Security - Tue, 09/18/2018 - 14:32

A request for a preliminary injunction in the Georgia election security lawsuit was denied by a federal judge late last night. The plaintiffs, who have long been battling to have the state switch to using paper ballots, had their request denied by US District Judge Amy Totenberg.

In a 46-page order, Totenberg ruled against switching to paper ballots for the November election, but the court wrote frankly about the flaws of state officials and Georgia’s election systems.

“While Plaintiff’s motions for preliminary injunction...are DENIED, the Court advises the Defendants that further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system,” Totenberg wrote in the order. She added that testimony and evidence “indicated that the Defendants and State election officials had buried their heads in the sand.”

“A wound or reasonably threatened wound to the integrity of a state’s election system carries grave consequences beyond the results in any specific election, as it pierces citizens’ confidence in the electoral system and the value of voting.”

While the preliminary injunction to secure the midterm elections in Georgia was denied, the judge’s recognition that the current system is critically unsecured is a partial win for the plaintiffs.

“The court takes election officials to task for their 'head in the sand' approach to the extraordinary threat facing Georgia voters this fall and the little understanding they exhibited about election security. The court emphasizes that our case will move forward expeditiously with discovery in pursuit of a permanent injunction,” said the attorney for the Curling plaintiffs, David Cross, partner at Morrison & Foerster.

“Unfortunately, the court concluded that it’s too late to implement paper ballots this fall (the court noted that the timing of our motion for preliminary injunction was delayed by forces beyond our clients’ control). Ironically, the ineptitude demonstrated by certain state election officials in this case likely played a significant part in the decision that those officials could not manage a change now. We will continue the fight for all Georgia voters – and the Court makes clear that while we lost this initial battle, we are on track to win the war for safe, secure, transparent, honest elections in Georgia.”


Former Anonymous Hacker Raises $2.5m for Startup

Info Security - Tue, 09/18/2018 - 13:52

After being convicted of hacking offences connected with the Guy Fawkes Night campaign in 2012, Adam Bennett, a former Anonymous hacker, received a two-year suspended prison sentence and 200 hours of community service, according to the Australian Financial Review. Fast-forward to 2018, and Bennett has successfully raised $2.5 million from investors for his cyber startup, Red Piranha.

“I’ve always been a privacy advocate and passionate about keeping Australian businesses secure,” Bennett said in an email interview. “I wanted to build a company that helped those struggling to afford the right cybersecurity controls or didn’t have the knowledge or resources to implement them.”

According to Bennett, small and midsized businesses (SMBs) are largely overlooked when it comes to the development of cybersecurity products, particularly with regard to affordability and ease of use. Red Piranha was founded with the goal of giving SMBs a slight advantage in fighting off cyber-criminals.

“After the conviction, I was approached directly by a number of people asking for help. It was clear that the SMBs that I was speaking to needed something affordable. That’s what led me to found Red Piranha and develop Crystal Eye, our main cybersecurity product and the first Australian-made unified threat management (UTM) platform designed specifically for SMBs,” said Bennett.

The company was born out of the frustration that SMBs are left open to attack because they lack the money and resources to protect themselves. Since Bennett founded the company, it has grown from a startup of just two people to a company with over 55 employees in just a few years.

“Investors and all our new clients are eager to work with us. Given that we’re the only company in Australia doing what we do, we don’t expect to be slowing down anytime soon,” he said.

Working to cement its position in Australia’s cybersecurity landscape, the company has also found ways to help strengthen Australia’s national intelligence ecosystem. To that end, the company is working in partnership with organizations set up by a federal government initiative, such as AustCyber, the growth center for Australia’s cybersecurity industry.
