Cyber Risk News
Tens of millions of passengers from at least two Asian airlines have had their personal data compromised after workers at the parent company left them exposed via an AWS server, it has emerged.
Although it’s unclear how long the data had been exposed for, security researchers have pointed to at least 35 million records circulating online and linked to an individual with the moniker “Spectre.”
They belong mainly to passengers of Lion Air companies Malindo Air and Thai Lion Air, and include names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates, and more.
There are suggestions that a third Lion Air brand, Batik Air, may also be affected.
An official statement from Malindo Air reveals little except that, along with AWS and the airline’s e-commerce partner GoQuo, it is investigating.
“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” it claimed.
“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”
The firm urged its passengers to change passwords on their Malindo Miles accounts and basically sit tight.
Reports suggest a misconfigured S3 bucket was again responsible for the security snafu, perhaps dating back to August.
The mistake or oversight that led to the Lion Air breach was most likely a very simple one, argued Stephan Chenette, co-founder and CTO of AttackIQ.
“Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs,” he added.
“To protect customer data, organizations should employ continuous security validation tools to identify and prioritize gaps in security that need to be addressed first, and continuously assessing the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”
The Infosecurity Magazine Online Summit is happening next week! Join thousands of professionals from around the world and gain access to industry leading education sessions covering the latest infosec trends & technology for free. Do not miss this great opportunity to earn upto 12 CPEs in just two days. Register Now http://bit.ly/2XY1eCX
Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend.
The new user authentication rules mandated by the European Union's revised Payment Services Directive (PSD2) were introduced by the UK's leading acquirer on Saturday, September 14.
Barclaycard analyzed transaction data from September 14 and 15 to check what effect the new two-step authentication rules were having. The company found that merchants had not experienced an increase in abandoned transactions, nor had they seen a spike in declined payments.
"Our data offers encouraging news for merchants, whose transaction volumes have been, so far, unaffected by the go-live of SCA," said Paul Adams, director of acquiring at Barclaycard Payment Solutions.
SCA legislation officially came into force across Europe on September 14; however, the European Banking Authority (EBA) has given each member state the option to apply for extensions.
One country that took them up on the offer was the UK, which secured an 18-month extension to the deadline. The UK's financial regulator, the Financial Conduct Authority (FCA), announced in August that the country's payments and e-commerce providers would have until March 14, 2021 to achieve full compliance.
Action will not be taken by the FCA before that date against firms that haven't implemented SCA, provided that "there is evidence that they have taken the necessary steps to comply with the plan." However, the FCA is expecting third-party providers to implement SCA for online banking by March 14, 2020.
The new SCA legislation requires that all European Economic Area (EEA) transactions go through a two-factor authentication process, unless they qualify for an exemption. Transactions that are exempt include contactless payments below €50/£30; payments made at unattended terminals, such as parking lot payment machines; and recurring payments of the same value to the same merchant, such as subscription payments.
Customers can also skip two-factor authentication for payments made to trusted merchants by whitelisting that merchant with their issuer.
To help merchants prepare for the changes required by SCA, Barclaycard, which handles nearly half of the nation’s credit and debit card transactions, has launched Barclaycard Transact, which went live over the weekend.
The fraud protection solution allows businesses to benefit from SCA exemptions while making sure that all high-risk transactions still go through two-factor authentication, in accordance with the regulation.
Adams said: "We have designed Transact to help our customers get the most out of the incoming regulation, by enabling them to provide a smooth payment experience for their shoppers, while at the same time reducing risk and managing fraud."
A previously undocumented threat group has been mounting what appear to be supply-chain attacks against IT providers in the Middle East.
Since July 2018, Tortoiseshell Group has targeted at least 11 organizations, using a deadly mix of custom-made and off-the-shelf malware. The majority of the companies to come under virtual fire are based in Saudi Arabia.
Tortoiseshell's nefarious activities were spotted by researchers at Symantec, who have recorded activity stemming from the group as recently as July 2019.
At two of the organizations unfortunate enough to be attacked by Tortoiseshell, several hundred network computers ended up being infected with malware. Researchers believe that this unusually large number of compromised consoles is indicative of the group's desire to infiltrate particular computers.
The exact intentions of the attackers are unknown, though Symantec's researchers believe that the threat group's end goal was to compromise the computers belonging to the customers of the IT firms targeted. And you can bet that they weren't going to all this trouble just to change people's screensavers to a goofy picture of an adorable puppy.
Evidence gathered by the researchers suggests that the attackers were able to gain domain admin–level access to the networks of at least two of the IT providers upon which they preyed.
Gavin O'Gorman, an investigator with Symantec Security Response, said: "Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller, on at least two victim networks. This results in the information-gathering tools' being executed automatically when a client computer logs into the domain.
"This activity indicates the attackers had achieved domain admin–level access on these networks, meaning they had access to all machines on the network."
Highlighting the inherent danger in hackers' gaining access at this level, O'Gorman said: "Shamoon is a good example of one of the worst-case scenarios, where an attacker can wipe every computer on a network by obtaining domain-level access."
The unique component used by Tortoiseshell is a piece of malware called Backdoor.Syskit, which is run with the "-install" parameter to install itself. Once it has settled its virtual butt on the couch of a computer, the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server.
Tortoiseshell's last observed activity occurred in July, but there's every chance they'll be back for more.
O'Gorman said: "Groups tend to not go away, but rather they use different tools, and so it becomes difficult to connect their various attacks. For some groups we have been able to identify their activity spanning more than 10 years."
An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.
The new office in the Republic of Ireland will become the European Headquarters and Security Operations Centre (SOC) for growing company Security Risk Advisors (SRA). SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years.
Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic.
SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."
Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown.
Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA.
"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen.
Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.
"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."
SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.
The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street.
Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.
Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."
A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.
Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.
It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.
The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.
This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.
It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.
RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.
“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.
“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”
OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.
“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.
“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”
A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.
The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.
It found that 34% believe cyber-attackers could influence the democratic process in future.
A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”
Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.
Election interference can also be more insidious: a senate report out in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 Presidential election.
Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) claimed there’s not enough security experts in the workforce to protect the country from attack.
However, less than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.
SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.
“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”
The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.
The US government is suing Edward Snowden for violating a non-disclosure agreement (NDA) in the publication of a new book.
The civil suit alleges that the former government contractor published the book, Permanent Record, without first submitting it to the CIA and NSA for review, as per the agreements he signed. It alleges Snowden has also discussed intelligence matters in public speeches, further violating the NDA.
Yet despite its allegations, the US government doesn’t want to prevent publication of the book; instead it wants to seize all proceeds, naming his publishers as co-defendants so that no money can be transferred to the whistleblower.
“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said assistant attorney general Jody Hunt of the Department of Justice’s Civil Division.
“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”
However, Snowden’s attorney and director of the American Civil Liberties Union (ACLU), Ben Wizer, has hit back, arguing that the book contains no information that hasn’t already been published by “respected news organizations.”
“Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified,” he added.
“Mr Snowden wrote this book to continue a global conversation about mass surveillance and free societies that his actions helped inspire. He hopes that today’s lawsuit by the United States government will bring the book to the attention of more readers throughout the world.”
The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost.
Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.
Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.
In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.
Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."
Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.
Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"
Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity.
He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."
A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago.
In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.
An examination of routers and NAS products by ISE published yesterday has flagged 125 common vulnerabilities or exposures (CVEs). The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.
For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.
The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.
"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer.
Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."
After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) codes to affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.
Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.
Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time.
"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."
America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top.
Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.
In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.
The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios.
Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy.
Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity."
Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.
"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.
"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage.
A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.
TechRank, created by Pioneer Labs, is run by tech consultants and sources, tests and objectively ranks tech talent, helping companies hire the best and most capable person for tech-based roles. TechRank seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered based on genuine skillsets.
Candidates take the TechRank test online, opting for the specific area relevant to their skills. Candidates are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by their skill level quicker and more accurately than reading through large numbers of CVs.
TechRank was co-founded by Gurvinder Singh, Co-CEO, Pioneer Labs, and he explained how TechRank was born out of frustration.
“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trailed the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”
Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.
“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”
Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.
Working for Wizcase, white hat Avishai Efrat located the exposed devices from multiple manufacturers including: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.
They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.
By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.
Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.
The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.
“Web cameras manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.
“If these devices have open network services, then they could be exposed.”
Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.
It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.
A notorious botnet has begun sending out spam again after a several month hiatus, which could spend bad news for organizations around the world.
Emotet has been dormant for around four months, but starting pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.
The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.
In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.
“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.
“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”
Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.
Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.
According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.
The vast majority of vulnerabilities in ports are found in just three, making it theoretically easier for organizations to defend them against attack, according to Alert Logic.
The security vendor analyzed 1.3 petabytes of security data, over 2.8 billion IDS events, 8.2 million verified incidents, and common vulnerabilities for more than 700 SMB customers, in order to compile its Critical Watch Report for 2019.
It claimed that 65% of vulnerabilities it found in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are linked to SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP).
RDP/TCP comes in fourth place, which is no surprise as it has already been patched several times by Microsoft, including one for the Bluekeep bug which Redmond warned could provide attackers with WannaCry-like “wormable” capabilities.
The number of vulnerabilities in a port is a good indication of its popularity and it’s no surprise that the top three ports for flaws are also ones exposed to the public-facing internet, Alert Logic said.
However, the findings may provide useful intel for security teams in smaller companies to help them reduce their attack surface quickly and easily.
“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic,” the report advised.
“Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.”
Alert Logic also urged IT security teams to patch and harden any device, software or service connected to ports and to tackle any new vulnerabilities as they appear, as well as changing all default setting and passwords and running regular configuration checks.
The report found that most unpatched vulnerabilities in the SMB space are over a year old, and that misconfigurations, weak encryption and unsupported Windows versions also represent serious risks.
Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training.
Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a cybersecurity training course.
According to the Commercial Appeal website, all Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. However, Massey told Infosecurity Magazine that "there was no policy that mandated the cyber training for elected officials."
Explaining why he refused to complete the cybersecurity training after being instructed to do so by the city's IT Director, Massey said: "I was not aware of any alderman having to take the cyber training in the past, so I thought it was unusual for a city employee to suddenly claim the authority to demand that elected officials click a link to take the training this year.
"I simply disregarded the emails with the training links until I received a notice from the IT Director advising me that he intended to restrict my government email account."
Massey responded to the imposed restriction by setting up a personal email account—email@example.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines.
Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers.
Commenting on Massey's argument cited by Commercial Appeal that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own."
Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, added "Mr. Massey just needs to take the training. It's 45 minutes..."
Massey responded to Janda's comments by stating: "All the elected officials have used and/or currently use personal electronic devices and personal emails addresses for government correspondence."
According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.
Massey, who has never personally been a victim of a cyber-crime, said: "In my experience the threat of hackers and dangers of cybercrime are probably greater than what is reported in the media, but cities should not get a false sense of security by having city employees and elected officials click a link that provides 45 minutes of generic instruction on how to avoid cyber-crimes."
He added: "I think it would be appropriate and more beneficial for a cyber security specialist to give the entire Board of Mayor and Alderman a presentation on cyber security and allow aldermen to discuss whether more should be done."
The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach.
The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.
The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.
Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.
"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information."
Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached.
Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."
A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles.
Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012.
Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat.
After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019.
The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.
A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures.
An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.
Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds.
The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.
On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."
In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."
PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."
The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts.
"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."
Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.
Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.
The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.
Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.
However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.
The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.
The firm is also facing a backlash from US regulator the SEC over an anti-fraud investigation dating back to 2017 about its 2015 merger with shelf company Cambridge Capital Acquisition Corporation.
Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.
The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.
The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.
The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.
The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.
All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.
Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.
While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.
Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.
The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.
This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence.
“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.
Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.
They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.
Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.
The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.
Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.
A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.
“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.
“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”
Absolute Software vice-president, Andy Harcup was less forgiving, branding the losses “unbelievable.”
“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.
“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”
These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.