Feed aggregator

Thousands Warned Over Home Group Data Breach

Info Security - 2 hours 38 min ago

The Home Group – one of the biggest housing associations in the UK – has warned around 4000 customers that their personal details may have been stolen after the company suffered a data breach.

As reported by the BBC, Home Group said the breach involved customer names, addresses and contact information, but no financial data. The organization explained that the breach was identified by a third party cybersecurity expert and affected customers in properties in England, including those in the North East, North West and Yorkshire.

The issue was resolved within 90 minutes, according to Home Group spokespeople.

Chief financial officer, John Hudson, said: “We were made aware of a potential data vulnerability and immediately responded to and resolved the issue.

“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.

“We have contacted all customers affected and I want to reassure all our customers that their information is secure and that we follow strict guidelines and protocols when it comes to data sharing and cybersecurity.”

Commenting on the news, Javvad Malik, security awareness advocate at KnowBe4, said: “It’s unclear at this moment how the company was breached, but it is encouraging to see the company was able to quickly respond to the breach, and inform its affected customers once notified by a third party.”

However, he added, companies should be building their own detection capabilities so that they are not reliant on third parties to disclose any breaches.

“Similarly, while the company claimed to have resolved the issue within 90 minutes, that is still ample opportunity for records to be accessed and copied,” Malik argued.

Categories: Cyber Risk News

Trend Micro Tackles Cloud Misconfigurations with Latest Acquisition

Info Security - 3 hours 50 min ago

Trend Micro has announced the acquisition of Australian start-up Cloud Conformity, in a deal which will see it expand its cloud security portfolio to include mitigations for customer misconfigurations.

Following the reported $70m deal, Trend Micro is offering the Cloud Security Posture Management (CSPM) company’s solution immediately to its global customers.

Cloud Conformity offers a single pane of glass via which companies can gain complete visibility into their AWS and Azure environments, receive alerts and prioritize remediation to improve security, governance and compliance efforts.

Crucially, this will help customers get on top of a common challenge facing many today: how to correctly configure cloud deployments so as not to expose the organization to possible cyber-risk.

Trend Micro cited Gartner findings that by 2023, 99% of cloud security failures will be the customer’s fault, and that “through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”

Incidents of data leaks resulting from such misconfigurations hit the headlines virtually every week. Just today, Infosecurity reported on an exposed database hosted on AWS which leaked the travel and personal details of US military and government employees.

“We have been laser focused on building integrated security for the cloud since its birth over a decade ago, unlike other vendors who are now attempting to stitch together disparate cloud technologies,” said Trend Micro CEO, Eva Chen.

“As more enterprises move to the cloud, our customers feel they’re operating amid a wild-west approach to cloud implementations that leave them with unmanaged risk. As an AWS technology partner of the year for 2019, Cloud Conformity understands these implementations and the risks. Its offering perfectly complements our own portfolio and provides immediate value to customers. Both the people and technology are a great fit for Trend Micro.”

Categories: Cyber Risk News

US Military Personnel Exposed in Latest Cloud Data Leak

Info Security - 4 hours 8 min ago

Researchers have discovered another unsecured Elasticsearch database, this time exposing data on thousands of travelers including US military and government employees.

The research team at vpnMentor discovered the online database hosted on AWS infrastructure, on September 13. It belonged to Autoclerk, a reservations management system now owned by hotel chain Best Western Hotels and Resorts Group.

The database contained over 179GB of data, often sourced from third party travel and hospitality platforms including OpenTravel, HAPI Cloud, and Synxis. Among these were hundreds of thousands of bookings and reservations, exposing personal details such as: full name, date of birth, home address, phone number, dates & costs of travel, and masked credit card details.

For ordinary travelers caught in leaks like this, there is the risk of follow-on phishing attacks and identity fraud attempts, as well as a chance that attackers could target their home while they are away.

However, there are even more concerning national security implications for the government personnel data exposed in the incident.

“One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies,” explained vpnMentor.

“The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.”

The firm urged US government officials to urgently vet any third-party contractors to ensure they follow strict data security protocols when handling sensitive information of this kind.

The data in question was left exposed for nearly a month, until the database was closed on October 2.

Cloud database misconfigurations have become an Achilles’ heel for many organizations, argued DivvyCloud CTO, Chris DeRamus.

“Companies must adopt robust security strategies that are appropriate and effective in the cloud, at the same time as adoption of cloud services — not weeks, months or years later,” he added.

“Automated cloud security solutions can detect misconfigurations such as an unprotected database in real time and trigger immediate remediation, so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”
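The kind of posture check DeRamus describes, and that the CSPM acquisition above is meant to deliver, is a policy run over the cloud account's own configuration rather than a scan from outside. The following is an added example, not code from Trend Micro, Cloud Conformity, DivvyCloud or vpnMentor: it walks a dict shaped like the boto3 `ec2.describe_security_groups()` response, flags any rule that opens the Elasticsearch ports (9200/9300) to 0.0.0.0/0 or ::/0, and builds the argument dict that `ec2.revoke_security_group_ingress()` would take to remove just the world-open CIDRs. The security groups are constructed inline so the block runs offline; the real API is never called.

```python
"""Flag security groups that expose Elasticsearch to the whole internet.

Added example (not Trend Micro's, Cloud Conformity's or vpnMentor's code).
Input is a dict shaped like the boto3 ``ec2.describe_security_groups()``
response; the sample below is constructed, so nothing talks to AWS.
"""
import ipaddress

ES_PORTS = {9200, 9300}  # Elasticsearch REST and transport ports


def _ports_covered(perm):
    """Ports an IpPermissions entry grants; None means every port."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return None
    return set(range(lo, hi + 1))


def _world_open_cidrs(perm):
    """CIDRs in the entry that match every address (0.0.0.0/0, ::/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed_elasticsearch(describe_response, ports=ES_PORTS):
    """One finding per (group, rule) that opens an ES port to the world."""
    findings = []
    for sg in describe_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            covered = _ports_covered(perm)
            hit = set(ports) if covered is None else set(ports) & covered
            if not hit:
                continue
            cidrs = _world_open_cidrs(perm)
            if cidrs:
                # keep the rule's own protocol/port bounds: a revoke must
                # match the rule exactly, not the ports we care about
                rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort")
                        if k in perm}
                findings.append({"group_id": sg["GroupId"], "ports": sorted(hit),
                                 "cidrs": cidrs, "rule": rule})
    return findings


def revoke_args(finding):
    """Argument dict for ec2.revoke_security_group_ingress() that drops only
    the world-open CIDRs of the offending rule (shape of the real call; this
    example never invokes it)."""
    perm = dict(finding["rule"])
    v4 = [c for c in finding["cidrs"] if ":" not in c]
    v6 = [c for c in finding["cidrs"] if ":" in c]
    if v4:
        perm["IpRanges"] = [{"CidrIp": c} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return {"GroupId": finding["group_id"], "IpPermissions": [perm]}


# Constructed sample: one group open to the world on 9200-9300, one restricted
# to RFC 1918 space, one "allow everything" group.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-es-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-es-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for f in find_exposed_elasticsearch(SAMPLE):
        print(f["group_id"], f["ports"], f["cidrs"])
        print("  would revoke:", revoke_args(f))
```

A network-level check like this does not prove the cluster is unauthenticated, only that it is reachable; the complementary control is to require authentication on the Elasticsearch endpoint itself, so that an exposed port does not become an exposed dataset.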

Categories: Cyber Risk News

German Automation Giant Still Down After Ransomware Attack

Info Security - 4 hours 42 min ago

One of the world’s biggest producers of automation tools is still crippled over a week after it was hit by a ransomware attack.

German giant Pilz was forced to notify the prosecutor’s office and the Federal Office for Information Security (BSI) after suffering a targeted cyber-attack the Sunday before last.

However, despite setting up an incident response team to locate the source of the attack and resolve the disruption, it warned that outages will continue for several more days.

“Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional,” it noted in a status update.

“As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.”

The IT disruption appears to have affected delivery of shipments and communications, although email came back online around the world on Friday. The last update from the company yesterday claimed that deliveries had restarted in “certain areas.”

It’s unclear which these are, however: Pilz operates in over 70 countries around the world, across Europe, Asia Pacific and the Americas.

The firm offers a range of products vital to automate industrial environments, including: configurable safety controllers; programmable safety systems; safety sensors; operator and visualization systems; networks; system and application software; drive technology; integrated standard and safety automation systems.

Pilz is the latest in a long-line of large enterprises targeted by ransomware authors looking for a big ROI on attacks.

Back in March, Norsk Hydro, the world’s number one aluminium producer, was hit by the LockerGoga variant in an attack which is said to have cost the firm at least $41m. More recently, US mailing technology company Pitney Bowes and French media giant Groupe M6 were both caught out.

Ransomware detections grew 77% from the second half of 2018 to the first six months of this year, according to Trend Micro.

Categories: Cyber Risk News

Ad Targeting Gamers Successfully Cuts Cybercrime

Info Security - Mon, 10/21/2019 - 19:20

An advertising campaign warning that DoS attacks are illegal has proved successful in reducing cybercrime. 

In a new study, researchers from the University of Cambridge and the University of Strathclyde looked at four different cybercrime prevention methods employed by law enforcement agencies in the US and UK. 

The results showed that while high-profile arrests caused only a two-week reduction in the number of cyber-attacks taking place, targeted messaging campaigns and the takedown of infrastructure led to a sharper and longer-term reduction in cybercrime.

Sentencing was found to have no widespread effect on reducing crime, perhaps because attackers in one country weren’t affected by sentences meted out elsewhere.

The research, which was presented today at the ACM Internet Measurement Conference in Amsterdam, focused particularly on denial of service (DoS) attacks. These attacks generate a large amount of traffic that overwhelms end users or web services, taking them offline. 

DoS attacks can be purchased easily from so-called "booter" service websites for just a few dollars. This cheap and accessible form of attack is popular within the gaming community as a way of wreaking revenge on another user. 

"Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime," said Ben Collier from Cambridge’s Department of Computer Science & Technology, the paper’s first author. 

Collier and his colleagues from the Cambridge Cybercrime Centre used two datasets with granular data about the attacks from booter sites, and then modeled how the data correlated with different intervention tactics from the National Crime Agency (NCA) in the UK, the Federal Bureau of Investigation (FBI) in the US, and other international law enforcement agencies.

From late December 2017 to June 2018, the NCA targeted young gamers in the UK with Google adverts explaining that DoS attacks are illegal. The adverts would appear when a user searched for booter services.

"It’s surprising, but it seems to work, like a type of digital guardianship," said Collier. "At the exact moment you get curious about getting involved in cybercrime, you get a little tap on the shoulder.

"It might not work for people who are already involved in this type of cybercrime, but it appeared to dramatically decrease the numbers of new people getting involved."

Categories: Cyber Risk News

Avast Thwarts Cyber-spies in Suspected Second CCleaner Attack

Info Security - Mon, 10/21/2019 - 18:39

Avast has fended off a sophisticated cyber-espionage attack with the help of Czech intelligence.

The global manufacturer of antivirus products announced today that its network had been breached, in what is thought to be an attempt to gain information regarding the company's CCleaner software.

Avast identified suspicious behavior on its network on September 23. Together with the Czech police's cybersecurity division and the Czech intelligence agency Security Information Service (BIS), the company launched what they describe as "an immediate, extensive investigation." 

Evidence gathered by Avast over the ensuing weeks, and verified by an external forensics team, pointed to a Microsoft Advanced Threat Analytics (MS ATA) alert of a malicious replication of directory services from an internal IP that belonged to the company's VPN address range.

The incident, which took place on October 1, was originally dismissed as a false positive. However, a review found that a threat actor had compromised the credentials of an Avast user who was associated with the internal IP. 

The hacker then managed to complete a successful privilege escalation to obtain domain admin privileges and access the company's internal network, in an attack Avast has dubbed 'Abiss.' 

Avast researchers wrote: "The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider."

Analysis of the external IPs revealed seven attempts to gain access to Avast's network had been made between May 14 and October 4, 2019. 

Avast researchers wrote: "Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions."

To track the actor, Avast left a temporary VPN profile open while they took action to protect their software and their end users, including disabling and resetting all internal user credentials.

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure," wrote Avast researchers.
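The alert that eventually exposed the intruder was a directory-replication request (the technique usually called DCSync) coming from an address in the VPN pool, which is where it should never come from. The following is an added example, not Avast's code and not Microsoft ATA's detection logic, of the same rule written against event data: it scans records shaped after Windows Security event 4662 for the two replication control-access rights, and raises a finding when the requester is not a domain controller account or the request originates from the VPN range. Event 4662 does not carry a source IP itself; the `SourceIp` field on the constructed records is assumed to have been joined upstream from the matching 4624 logon.

```python
"""Flag directory-replication requests (DCSync-style) from places that should
never replicate. Added example; not Avast's code and not Microsoft ATA's
detection logic. Records are constructed and shaped after Windows Security
event 4662, plus a ``SourceIp`` field that 4662 does not carry itself (assumed
to be joined upstream from the matching 4624 logon event).
"""
import ipaddress

# Well-known control-access-right GUIDs a replication partner needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def check_replication_event(event, dc_accounts, vpn_ranges):
    """Return the reasons an event looks like DCSync, or [] if benign."""
    if event.get("EventID") != 4662:
        return []
    requested = {g.lower() for g in event.get("Properties", [])}
    if not requested & REPLICATION_GUIDS:
        return []  # some other object access, not replication
    reasons = []
    account = event["SubjectUserName"]
    if account not in dc_accounts:
        reasons.append("replication right requested by non-DC account %s" % account)
        if DS_REPLICATION_GET_CHANGES_ALL in requested:
            reasons.append("Get-Changes-All requested: secret attributes "
                           "(password hashes) would be returned")
    if _in_ranges(event["SourceIp"], vpn_ranges):
        reasons.append("request originated from VPN pool (%s)" % event["SourceIp"])
    return reasons


def find_dcsync(events, dc_accounts, vpn_ranges):
    """Collect findings over a batch of events."""
    out = []
    for ev in events:
        reasons = check_replication_event(ev, dc_accounts, vpn_ranges)
        if reasons:
            out.append({"account": ev["SubjectUserName"],
                        "src": ev["SourceIp"], "reasons": reasons})
    return out


# Constructed environment and events (not real Avast data).
DC_ACCOUNTS = {"DC01$", "DC02$"}
VPN_POOL = ["10.200.0.0/16"]
EVENTS = [
    # normal DC-to-DC replication from the server network
    {"EventID": 4662, "SubjectUserName": "DC02$", "SourceIp": "10.0.1.11",
     "Properties": [DS_REPLICATION_GET_CHANGES_ALL]},
    # a user account asking for full replication from the VPN pool
    {"EventID": 4662, "SubjectUserName": "jdoe", "SourceIp": "10.200.5.17",
     "Properties": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]},
    # a service account with the lesser right, from inside the server network
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SourceIp": "10.0.2.5",
     "Properties": [DS_REPLICATION_GET_CHANGES]},
    # 4662 for an unrelated object right (placeholder GUID)
    {"EventID": 4662, "SubjectUserName": "jdoe", "SourceIp": "10.200.5.17",
     "Properties": ["00000000-0000-0000-0000-000000000000"]},
    # a logon event, ignored by this rule
    {"EventID": 4624, "SubjectUserName": "jdoe", "SourceIp": "10.200.5.17",
     "Properties": []},
]

if __name__ == "__main__":
    for finding in find_dcsync(EVENTS, DC_ACCOUNTS, VPN_POOL):
        print(finding["account"], finding["src"])
        for r in finding["reasons"]:
            print("  -", r)
```

The first record is what the Avast alert would have looked like if it had been benign; the second is the case that was initially dismissed as a false positive. Triaging on the requester rather than on the alert type is what separates the two.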

Categories: Cyber Risk News

Most Effective Phishing Tactic Is to Make People Think They've Been Hacked

Info Security - Mon, 10/21/2019 - 17:45

New research into phishing attacks has shown that the most clicked on email subject lines are those that relate to online security concerns.

A report released today by security awareness training company KnowBe4 revealed that emails with titles that trick people into believing that they've already been hacked are the most likely to be opened.

To produce the Q3 2019 Top-Clicked Phishing Tests Report, KnowBe4 researchers sent out thousands of simulated phishing emails with various subject lines, then observed which ones drew clicks. The organization also examined "in-the-wild" email subject lines that include actual emails users received and reported to their IT departments as suspicious. 

The results found that simulated phishing test emails with the subject "Password Check Required Immediately" were the most clicked on, with 43% of users falling for this security-based ruse.

The next most clicked on subject titles, which each lured in 9% of users, were "A Delivery Attempt was made" and "Deactivation of [[email]] in Process."

Interestingly, subject lines promising vast riches or the spiciest of romances were not among the top ten most clicked. Instead, people were hooked by work-based subject lines offering basic information or the promise of relatively modest gains. 

The subject line "New Organizational Changes" hooked 4% of users, and 7% couldn't resist clicking on an email with the subject line "Updated Employee Benefits." While 4% of users gave in to the urge to open a message titled "Staff Review 2018," 6% were intrigued enough by a message called "Revised Vacation & Sick Time Policy" to give it a click. 

A further tactic that proved successful was using the universal lure of food. Researchers found that 8% of users opened a simulated phishing email with the subject line "New food trucks coming to [[company_name]]." 

"As cybersecurity threats persist, more and more end users are becoming security minded," said Stu Sjouwerman, CEO of KnowBe4. 

"They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so [users] need to remain vigilant."

Categories: Cyber Risk News

Chartered Institute of Information Security Calls for Better Collaboration on Skills and Pathways

Info Security - Mon, 10/21/2019 - 12:28

Speaking four months after the IISP was renamed as the Chartered Institute of Information Security (CIIS), CEO Amanda Finch said the re-branding was “great for us, as it puts on the map” after three and a half years of application.

Speaking at Plymouth University's Secure South West conference, she said that chartered status was important as it is “recognizing us as a proper profession” and that the CIIS is “the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.”

She said that cybersecurity is still “badly defined” as a term, and work is needed to make it a profession. Admitting that we cannot be “renaissance people who do everything,” she said the profession has grown from a time when a generalist was enough to one that spans multiple disciplines, taking in physical science, psychology, legal, compliance and other skill sets.

The CIIS determines that professionalism depends on:

  • An agreed body of knowledge and skills that professionals need to have to work effectively in the field
  • Ways to provide those skills through education and training programs
  • Ways to accredit this process (both those identifying the body of knowledge and those teaching it) and attest that the individual has acquired those skills
  • The mastery of certain defined skill sets through these processes
  • Ways to demonstrate that practitioners have acquired those skills and can apply them competently
  • Ways practitioners can refresh that knowledge through continuing education
  • Codes of Ethics to ensure that practitioners act professionally

Finch argued that we need to recognize what we do have, and what we need to be developing to attract the best people. “We’ve been helping organizations to develop capabilities using development methodologies and frameworks” and also accrediting for competencies, she said.

“So we developed a methodology to look at existing capabilities and skills and developing teams in this environment,” Finch said.

While companies may not always get “people with 100% of skills,” they should look at a person’s potential, “what basic skills you want them to have and upskill them.”

There will still be a need for specialists though, and to bring in expertise where it is needed, she said, concluding that we need to work as a community to bring the best talent in, and find good pathways to “demonstrate we’re a profession and make sure people come to us.”

Categories: Cyber Risk News

Chinese National Gets 40 Months for Exporting US Military Kit

Info Security - Mon, 10/21/2019 - 10:30

A Chinese national will spend over three years behind bars after pleading guilty to conspiring to illegally export US military technology back home.

Tao Li, 39, violated the International Emergency Economic Powers Act and was sentenced to 40 months behind bars last week.

Between December 2016 and January 2018, he’s said to have worked with others back in China to buy radiation-hardened power amplifiers and supervisory circuits — components used for military and space applications due to their ability to withstand extreme heat and high levels of radiation.

These components would ordinarily require a license to export out of the US, although the Commerce Department does not grant such licenses to China.

To try and circumvent the ban, Li used various aliases to contact individuals in US companies, seeking to obtain the parts, agreeing to pay a “risk fee” to the firms if they agreed to export the components to China.

Li wired funds from an account in China to a bank in Arizona to complete a deal, before undercover agents stepped in, lured him to the US and arrested him at Los Angeles International Airport in September 2018. Agents from Homeland Security Investigations (HSI) and the Office of Inspector General’s Defense Criminal Investigative Service (DCIS) led this operation.

“This case is one of many involving illegal attempts to take US technology to China. Li attempted to procure highly sensitive US military technology in violation of our export control laws,” said assistant attorney general John Demers.

“Such laws are in place to protect our national security, and the Department of Justice will continue to vigorously enforce them. We don’t take these crimes lightly and we will continue to pursue them.”

The news comes just days after a new CrowdStrike report revealed the true extent of China’s efforts to gain a technological and military advantage over the US. It detailed a multi-year campaign involving forced technology transfer, joint ventures, physical theft of IP from insiders and cyber-enabled espionage which helped a state-run company build the C919 commercial airliner.

Categories: Cyber Risk News

Trojanized Tor Browser Steals Users’ Digital Currency

Info Security - Mon, 10/21/2019 - 09:15

Researchers have discovered a Trojanized version of the popular Tor Browser, which has already stolen tens of thousands of dollars’ worth of digital currency from users.

Targeted at Russian users, the malicious variant is distributed via spam messages on local forums and in Pastebin posts which have been search-engine optimized to rank highly for users searching for terms including drugs, cryptocurrency, censorship bypass and Russian politicians, according to Eset.

Two domains registered in 2014 are used to spread the malware: tor-browser[.]org and torproect[.]org. In essence, the package is a 2018 version of the popular anonymizing tool (v7.5) with some of its default browser settings and extensions altered to disable updates, so that the doctored build is never replaced by a clean one, and to ensure the malware authors retain the ability to modify the product.

The hackers also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed in every webpage.

“The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets,” explained Eset senior malware researcher, Anton Cherepanov.

“Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the Trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.”

At the time of writing, Eset had discovered at least 500,000 downloads of the Trojanized Tor browser and three bitcoin wallets under the control of the hackers filled with around 4.8 bitcoin ($40,000). However, they are also likely to have generated a pile of QIWI cash from victims.
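The campaign depends on victims accepting tor-browser[.]org and torproect[.]org as the real thing. The following is an added example, not Eset's or the Tor Project's tooling, of the check a mail or proxy filter can apply to a candidate domain before a user reaches it: it refangs the indicator, normalises common confusable characters, measures the edit distance of the registrable label from torproject.org, and separately flags domains that merely borrow the brand token. The two domains from the article are included alongside constructed extras; the legitimate domain, the confusable table and the distance threshold are this example's own choices.

```python
"""Score domains for resemblance to the genuine Tor Browser site.

Added example, not Eset's or the Tor Project's code. The inputs below are the
two defanged domains from the article plus constructed extras.
"""
LEGIT = "torproject.org"
BRAND_TOKENS = {"tor", "torbrowser", "torproject"}
# Characters commonly swapped for look-alikes in registered domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def refang(domain):
    """Turn an indicator such as 'torproect[.]org' back into a hostname."""
    return domain.lower().strip().replace("[.]", ".").replace("(.)", ".").strip(".")


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Collapse digit/letter and multi-letter confusables."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(domain, legit=LEGIT, max_distance=2):
    """Return (verdict, distance) for a candidate domain."""
    host = refang(domain)
    if host.startswith("www."):
        host = host[4:]
    if host == legit:
        return ("legitimate", 0)
    legit_label = legit.split(".")[0]
    label = host.split(".")[0]
    if label == legit_label:
        return ("tld-swap", 0)           # right name, wrong suffix
    d = levenshtein(normalise(label), legit_label)
    if d == 0:
        return ("homoglyph", 0)          # identical once confusables collapse
    if d <= max_distance:
        return ("lookalike", d)          # typo-squat such as torproect
    tokens = label.replace("_", "-").split("-")
    if any(t in BRAND_TOKENS for t in tokens):
        return ("brand-abuse", d)        # e.g. tor-browser.org
    return ("unrelated", d)


# Two indicators from the article (defanged) plus constructed cases.
CANDIDATES = ["tor-browser[.]org", "torproect[.]org", "www.torproject.org",
              "t0rproject.org", "torproject.com", "example.org"]

if __name__ == "__main__":
    for c in CANDIDATES:
        print("%-22s %s" % (c, classify(c)))
```

A filter built this way is a tripwire, not proof: a distance-based rule misses wholly unrelated domains that simply host the same trojanized bundle, which is why the Tor Project's signed downloads, verified out of band, remain the actual control.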

The scheme takes advantage of the fact that the Putin regime is increasingly pushing Russia to adopt an online censorship apparatus akin to China’s. Earlier this year, Putin signed a new law that could allow the government to cut access to foreign servers.

Categories: Cyber Risk News

US Lawmakers Call on Apple to Reverse Hong Kong App Ban

Info Security - Mon, 10/21/2019 - 08:45

A group of US lawmakers has criticized Apple’s decision to withdraw an app used by Hong Kong protesters at the behest of Beijing, branding it “deeply concerning.”

The tech giant pulled HKmap.live from the App Store last week, claiming that it was used by the demonstrators to target police officers, and was therefore endangering their physical security.

However, its decision to censor after pressure from the Chinese government has angered senators and representatives in the US, including Ron Wyden, Marco Rubio, Ted Cruz and Alexandria Ocasio-Cortez.

They argued in an open letter that the move contradicts Apple’s purported belief that “our values drive our curation decisions.”

“You have said publicly that you want to work with China’s leaders to effect change rather than sit on the sidelines and yell at them,” it read. “We, too, believe that diplomacy and trade can be democratizing forces. But when a repressive government refuses to evolve or, indeed, when it doubles down, cooperation can become complicity.”

The app is nothing more than a tool for law-abiding protesters “defending their promised autonomy” to avoid clashes with an increasingly aggressive local police force, they said. One teenage protester was shot point blank by an officer earlier this month, despite the latter carrying non-lethal deterrents to repel violent demonstrators.

“We urge you in the strongest terms to reverse course, to demonstrate that Apple puts values above market access, and to stand with the brave men and women fighting for basic rights and dignity in Hong Kong,” the letter concluded.

However, it’s unlikely to sway the Cupertino giant, which has already banned thousands of apps from its China App Store, including various VPNs and titles designed for use by ethnic Tibetan and Uyghur minorities.

The news comes as an emboldened Beijing grows increasingly intolerant of any views seen as critical of its repressive one-party regime.

An NBA team is facing substantial financial losses after a player came out in support of Hong Kongers, while game developer Blizzard said it was banning a player and taking his prize money after he expressed similar views. The group of lawmakers penned a separate letter to the latter company, which is part-owned by Chinese giant Tencent.

Categories: Cyber Risk News

US Girl Scouts Launch First National Cybersecurity Challenge

Info Security - Fri, 10/18/2019 - 17:54

Girls across the United States of America will take part in the country's first ever National Girl Scouts Cyber Challenge tomorrow. 

Over 3,000 girls have signed up to practice their cybersecurity skills by solving a hypothetical ransomware attack on a moon base. Participants will form an incident response team that must find out who hacked the system and how they did it.

The adrenaline-filled simulation will incorporate both “plugged” stations that will require the girls to utilize traditional coding and hacking skills on laptops and tablets, as well as “unplugged” stations where they must solve written codes. 

The exciting event will allow girls to gain first-hand experience of how coding and cybersecurity are applied in the real world. No prior cybersecurity experience is necessary to take part, as organizers hope to inspire girls who haven't ever tried their hand at cybersecurity to give it a go and see if they like it. 

The challenge is being piloted at participating councils in Georgia, Colorado, Maryland, Texas, California, Arizona, Alabama, Ohio, Massachusetts, and Florida. If it proves successful, Girl Scouts of the USA (GSUSA) plans to roll the event out to all 111 of their councils.  

Presenting the challenge is US defense contractor Raytheon, which in November 2018 committed to a multi-year partnership with GSUSA to encourage girls to pursue computer science careers. Last year, with Raytheon's support, GSUSA launched its first ever national computer science program for middle and high school girls.

A spokesperson for Raytheon said: "Our future needs innovators, engineers and cybersecurity experts and we're finding them right here in today's Girl Scouts. They are cracking cyber challenges while fulfilling their potential. 

"Thanks to events like the Girl Scouts Cyber Challenge brought to you by Raytheon, more girls are seeing themselves as tomorrow’s innovators, engineers, cybersecurity experts and tech leaders."

A spokesperson for GSUSA said: "Raytheon is collaborating with Girl Scouts to help close the gender gap in STEM fields by helping prepare girls to pursue careers in fields like cybersecurity, computer science, artificial intelligence, and robotics. 

"Together, Raytheon and Girl Scouts are reaching girls during formative school years, where research shows peer pressure can sometimes deter girls from pursuing their interest in STEM." 

Categories: Cyber Risk News

Italians Rocked by Ransomware

Info Security - Fri, 10/18/2019 - 16:55

Italy is experiencing a rash of ransomware attacks that play dark German rock music while encrypting victims' files. 

The musical ransomware, called FTCode, was detected by security analysts at AppRiver in malicious email campaigns directed at Italian Office 365 customers. 

Targeted inboxes have received emails with malicious content posing as resumes, invoices, or document scans. The emails include a Visual Basic script (.vbs) file that downloads and blasts out Rammstein hits while encrypting files on the victim's computer. 

"The .vbs file initially launches PowerShell to download and play an mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix," wrote AppRiver researchers.

As victims are treated to rousing renditions of "Du Hast" and "Engel," the script reaches out to a different domain to pull down JasperLoader, a second .vbs malware loader that enables threat actors to load additional malware of their choosing.
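The chain described above, a mailed .vbs run by the Windows script host that spawns PowerShell to fetch remote content, leaves a distinctive process-creation trail well before any file is encrypted. The following is an added example, not AppRiver's code, of detection logic over that trail: it scores events shaped after Sysmon event 1 (process creation) on four independent signals and reports those that trip at least two, so a single download cmdlet in an admin's shell does not fire on its own. The events are constructed; the path and argument patterns are this example's own choices and a real deployment would tune them to its environment.

```python
"""Detection logic for a script host (wscript/cscript) running a mailed .vbs
that spawns PowerShell to fetch remote content. Added example, not AppRiver's
code; events are constructed in the shape of Sysmon event 1 fields.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
    r"|start-bitstransfer|frombase64string", re.I)
EVASION_RE = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noni\b"
    r"|-e(xecutionpolicy|p)\s+bypass", re.I)
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
USER_PATH_RE = re.compile(r"\\(temp|downloads|inetcache|outlook)\\", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev):
    """Return the list of signals an event trips (empty for benign)."""
    reasons = []
    parent, image = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    cmd, parent_cmd = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("PowerShell spawned by a script host")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    if EVASION_RE.search(cmd):
        reasons.append("evasion switches (-nop/-w hidden/-enc/bypass)")
    if SCRIPT_FILE_RE.search(parent_cmd) and USER_PATH_RE.search(parent_cmd):
        reasons.append("script file launched from a mail/temp/download path")
    return reasons


def find_ftcode_like(events, min_reasons=2):
    """Events tripping at least ``min_reasons`` signals, with their reasons."""
    hits = []
    for ev in events:
        reasons = score_process_event(ev)
        if len(reasons) >= min_reasons:
            hits.append({"pid": ev.get("ProcessId"), "reasons": reasons})
    return hits


# Constructed events: the mailed-.vbs chain, an interactive shell, and a
# legitimate logon script that also spawns PowerShell.
EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\curriculum_vitae.vbs"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('https://archive.org/download/example/mix.mp3',"
                    " $env:TEMP + '\\mix.mp3')\""},
    {"ProcessId": 4301,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Projects"},
    {"ProcessId": 4388,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File \\fileserver\netlogon\mapdrives.ps1"},
]

if __name__ == "__main__":
    for hit in find_ftcode_like(EVENTS):
        print("pid", hit["pid"])
        for r in hit["reasons"]:
            print("  -", r)
```

The logon-script event trips only the parent/child signal and stays below the threshold, which is the point of scoring rather than matching: wscript spawning PowerShell is routine in many domains, but not from a .vbs in a Temp folder with hidden-window and download arguments.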

Once the files on the user's computer have been encrypted, a note is left on the victim's desktop, directing the user to download, install, and visit an onion site for further instructions. 

In an attempt to establish trust with the user and show that decryption is actually possible, the onion site offers the visitor a chance to test file decryption with one file before they pay the full ransom. 

The cost of the ransom is set at $500 if paid within the first three days, after which it rapidly increases to $25,000. 

David Pickett, security analyst at AppRiver, warned users not to take risks on links sent by strangers and to be particularly wary of any content that asks to be enabled. 

He said: "Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).  

"Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute."  

Categories: Cyber Risk News

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Info Security - Fri, 10/18/2019 - 15:49

Five months on from a ransomware attack that brought the city to its knees, Baltimore has purchased cyber-insurance for the first time.

On May 7, Baltimore became the second US city to fall victim to a new strain of ransomware called RobbinHood. The attack took all the city's servers offline with the exception of essential services. As a result, real estate transactions were suspended, water billing was disrupted, and city employees were unable to access key documents and email. 

While Baltimore's mayor, Bernard C. "Jack" Young, won praise for not paying hackers the $76,000 ransom they demanded to decrypt the files affected by the attack, the city now faces a massive recovery bill. So far, the attack is estimated to have cost the city $18m in direct costs and lost or delayed revenue, and the figure is expected to rise. 

In a bid to protect itself from future threats, on Wednesday Baltimore approved not one but two cyber-insurance policies, each of which offers $10m in liability coverage and has a $1m deductible. 

After a competitive bidding process involving 17 different carriers, Baltimore opted to purchase a plan from Chubb Insurance costing $500,103 in premiums and a second plan from AXA XL Insurance for $335,000. Each policy will provide the city with coverage against cyber-attacks for a period of one year. 

Lester Davis, a spokesman for Mayor Young, said: "The city is going to reassess every year. They will have to go through this process again when the terms are nearing maturity."

Mayor Young said that having cyber-insurance did not dictate how Baltimore would respond to future cyber-attacks. 

Asked whether the city was more likely to pay hackers now that it had coverage, Young said: "I would talk to my team and decide that way."

Frank Johnson, who was Baltimore's chief information officer at the time of the attack, stepped down permanently from the role earlier this month after being placed on unpaid leave in September. Todd Carter, who was acting as interim CIO for the city, has now taken on the CIO position full time. 

Categories: Cyber Risk News

UK Government Announces Major New Cybersecurity Partnerships

Info Security - Fri, 10/18/2019 - 09:26
UK Government Announces Major New Cybersecurity Partnerships

The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors.

Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity.

According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year.

The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google.

"Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite.

“Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”

Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

The government also announced six new “prosperity partnerships” — a £40m project designed to bring public and private sector bodies together with academia to develop emerging technologies. On board so far are Jaguar Land Rover, Eli Lilly and Company, Toshiba Research Europe, Microsoft, M Squared Lasers, Siemens and Nikon.

The first partnership, announced today, is between Toshiba Research Europe, University of Bristol, GCHQ and Roke Manor Research and will aim to develop more resilient wireless networks to tackle financial extortion, terrorism and destructive attacks.

“Secure Wireless Agile Networks (SWAN) and the wider Prosperity Partnership initiatives bring together a cadre of engineers from industry, government and academia with invaluable commercial insights and in-depth technical skills capable of delivering holistic solutions for a productive, healthy, resilient and connected nation,” said professor Mark Beach of the University of Bristol.

"This UKRI scheme uniquely brings together partnerships who are ideally positioned to deliver technology for the wider benefits of society."

Categories: Cyber Risk News

New US Privacy Bill Would Intro Jail Time for CEOs

Info Security - Fri, 10/18/2019 - 09:05
New US Privacy Bill Would Intro Jail Time for CEOs

A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs.

Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.

Like the GDPR, it would issue maximum fines of up to 4% of annual revenue to non-compliant firms, but unlike the EU law, could also levy 10-20 year criminal sentences for executives who knowingly lie to the FTC.

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said.

“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”

Other provisions in the bill include: the levying of new tax penalties on CEOs who lie about privacy protections; a requirement for firms to conduct privacy assessments on the algorithms that process consumer data; and the establishing of new privacy and cybersecurity standards.

However, it’s unlikely the legislation will become law. In the meantime, states are enacting their own privacy laws, with California leading the way.

Categories: Cyber Risk News

DNC Russian Hacking Group Makes a Comeback

Info Security - Fri, 10/18/2019 - 08:33
DNC Russian Hacking Group Makes a Comeback

Security researchers have uncovered new activity from the notorious Kremlin-backed APT29, or Cozy Bear, group, in an information-stealing campaign targeting foreign governments.

APT29 was pegged for the infamous cyber-attacks on the Democratic National Committee (DNC) in the run-up to the 2016 US Presidential election, which many believe helped to install Donald Trump in the White House.

However, up until now there had been little other evidence of activity from the group apart from a phishing campaign in November last year.

Now ESET researchers claim to have uncovered a new operation from the group dating back to 2013, after it discovered three new malware families: PolyglotDuke, RegDuke and FatDuke.

Targets of the campaign, which ESET has dubbed Operation Ghost, include foreign ministries in at least three different European countries and the Washington DC embassy of a European Union country.

The vendor claimed to have discovered multiple attack techniques often used by the group, including use of Twitter and other social sites to host C&C URLs; steganography in images to hide payloads/C&C comms; and use of WMI for persistence.

In addition, the researchers found that some machines infected with PolyglotDuke and MiniDuke had been infected with CozyDuke just months earlier.

“We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known,” explained ESET.

“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.”

The group’s MO is to steal credentials and move laterally through networks, sometimes using admin credentials to compromise machines. PolyglotDuke uses social sites for C&C as well as steganography; RegDuke uses Dropbox as a C&C server; MiniDuke is a second stage backdoor; and FatDuke represents the third stage, featuring functionality to steal logins and data.

Categories: Cyber Risk News

A New Strain of Malware Is Terrorizing Docker Hosts

Info Security - Thu, 10/17/2019 - 18:25
A New Strain of Malware Is Terrorizing Docker Hosts

Researchers have discovered what they describe as the first crypto-jacking worm to spread via unsecured Docker hosts. 

Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).

The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in nineties flick Tremors. Just like its onscreen predecessors, the Graboid is quick but relatively incompetent. 

Graboid is designed to work in a randomized way that researchers said holds no obvious benefits. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.

Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior. 

"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts." 

Graboid doesn't hang around for long, mining the cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm gains its initial foothold through Docker daemons exposed to the internet without authentication: it instructs the exposed daemon to pull and run a malicious Docker image, and the container that results carries on the spreading and mining from the compromised host. 

Researchers warned that Graboid's nip could potentially turn into a powerful bite and advised organizations to safeguard their Docker hosts. 

Researchers wrote: "While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored." 
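The "unsecured Docker daemon" that gives Graboid its foothold is, concretely, a dockerd Remote API bound to a TCP port without client-certificate verification; anyone who can reach the port can start containers as root on the host. As an added example (not code from the article or from Unit 42), the Python below audits a host's Docker configuration for that state, reading the settings from a daemon.json string and from a dockerd command line of the kind found in a systemd ExecStart= line. Both inputs are constructed here so the check runs offline; the keys and flags are the documented dockerd ones (hosts / -H, tls / --tls, tlsverify / --tlsverify).

```python
"""Added example (not from the article or Unit 42): find a Docker Remote API
listener that accepts unauthenticated clients, the condition Graboid spreads through.
Inputs are a daemon.json document and a dockerd command line, both constructed."""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_dockerd_cmdline(cmdline: str) -> dict:
    """Extract host and TLS options from a dockerd invocation such as a systemd ExecStart=."""
    opts = {"hosts": [], "tls": False, "tlsverify": False}
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            opts["hosts"].append(args[i + 1])
            i += 1
        elif arg.startswith("--host=") or arg.startswith("-H="):
            opts["hosts"].append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            opts["tls"] = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            opts["tlsverify"] = True  # --tlsverify implies --tls
        i += 1
    return opts


def audit_docker_daemon(daemon_json: str, cmdline: str) -> list[str]:
    """Return one finding per TCP listener that is not protected by client-certificate TLS.
    unix:// and fd:// listeners are local and gated by socket permissions, so they are skipped."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cli = parse_dockerd_cmdline(cmdline)
    hosts = list(cfg.get("hosts", [])) + cli["hosts"]
    tlsverify = bool(cfg.get("tlsverify", False)) or cli["tlsverify"]
    tls = bool(cfg.get("tls", False)) or cli["tls"] or tlsverify
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        parts = urlsplit(host)
        addr = parts.hostname or "0.0.0.0"          # "tcp://:2375" binds every interface
        port = parts.port or (2376 if tls else 2375)  # dockerd defaults
        if tlsverify:
            continue  # mutual TLS: only clients holding a cert from the configured CA get in
        local = addr in LOOPBACK
        severity = "HIGH" if local else "CRITICAL"
        scope = "loopback only" if local else "reachable from the network"
        crypto = "TLS without client verification" if tls else "plaintext"
        findings.append(
            f"{severity}: Docker API on tcp://{addr}:{port} is {scope} and accepts any client "
            f"({crypto}); whoever connects can run containers as root on this host"
        )
    return findings


# Constructed configurations: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg, cmd in [
        ("weak daemon.json", WEAK_DAEMON_JSON, "/usr/bin/dockerd"),
        ("hardened daemon.json", HARDENED_DAEMON_JSON, "/usr/bin/dockerd"),
        ("weak ExecStart", "", "/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 --tls"),
    ]:
        print(label, "->", audit_docker_daemon(cfg, cmd) or ["OK: no unauthenticated TCP listener"])
```

Note that `--tls` on its own only encrypts the connection; without `--tlsverify` the daemon still accepts any client, which is why the audit treats it as a finding rather than a fix.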

Tim Erlin, VP, product management and strategy at Tripwire, advised developers to tackle security sooner rather than later. 

He said: "DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ."

Categories: Cyber Risk News

Imposter Emails Plague Healthcare Industry

Info Security - Thu, 10/17/2019 - 17:15
Imposter Emails Plague Healthcare Industry

A study looking at cyber-attacks on the healthcare industry has found that 95% of targeted companies encounter emails spoofing their own trusted domain. 

To create the Protecting Patients, Providers, and Payers 2019 Healthcare Threat Report, cybersecurity company Proofpoint analyzed nearly a year’s worth of cyber-attacks against care providers, pharmaceutical/life sciences organizations, and health insurers.

Hundreds of millions of malicious emails later, it was clear to researchers that cyber-criminals were not just attacking infrastructure, but were also using email to directly target people.

Analyzing data spanning the second quarter of 2018 to the first quarter of 2019, researchers found that at each healthcare organization attacked, an average of 65 staff members were targeted. 

Researchers observed a preference for certain keywords in the spoof emails attackers sent when attempting to con money or information out of the patients and business partners of healthcare organizations. When sending emails designed to look like they came from a healthcare provider, criminals commonly used the words "payment," "request," and "urgent" in the subject line.

Healthcare organizations targeted by impostor emails received 43 messages of this type in Q1 2019—a 300% jump from a year ago and more than five times the volume in Q1 2017. Not a single organization analyzed in the study saw a decrease in impostor attacks over that period, and more than half were attacked more often in Q1 2019 than they were in Q1 2017. 

On average, each impostor attack spoofed 15 healthcare staff members across multiple messages. 

According to researchers, threat actors were adept at knowing just what to put in an email to spur healthcare staff into transferring money or sharing sensitive information.

Researchers wrote: "Attackers have grown skilled at researching their targets and using social engineering to exploit human nature. Some lures are just too well researched, expertly crafted, and psychologically potent to resist every time.

"Social engineering works because it taps into the way the human brain works. It uses deep-rooted impulses—such as fear, desire, obedience, and empathy—and turns them against you. And it hijacks your normal thought process to spur you to act on attackers’ behalf."

Morning was the attackers' favorite time to strike, with the largest volume of impostor email sent between 7 a.m. and 1 p.m. in the time zone of the targeted organization. 
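Mail that spoofs an organization's own trusted domain is precisely what DMARC is designed to stop: the receiver accepts a message as authentic only if SPF or DKIM passes for a domain that is aligned with the visible From: domain, and otherwise applies the policy the domain owner has published. As an added example (not code from the article or from Proofpoint), the Python below performs that evaluation for a few constructed messages aimed at a fictitious provider, clinic.example. One assumption is labelled in the code: relaxed alignment is approximated by comparing the last two DNS labels, where a real implementation consults the Public Suffix List.

```python
"""Added example (not from the article or Proofpoint): DMARC evaluation for a
message whose From: header claims a healthcare provider's own domain.
ASSUMPTION: relaxed alignment here compares the last two labels of each domain;
production code uses the Public Suffix List to find the organizational domain."""


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (see module docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_results: list, dmarc_record: str) -> dict:
    """dkim_results is a list of (result, d= domain) pairs, one per DKIM signature.
    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against.
    Returns the DMARC result and the disposition the receiver should apply."""
    tags = parse_dmarc(dmarc_record or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"result": "none", "disposition": "none", "reason": "no valid DMARC record published"}
    spf_aligned = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and is_aligned(d, from_domain, tags.get("adkim", "r"))
                       for result, d in dkim_results)
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "reason": "SPF aligned" if spf_aligned else "DKIM aligned"}
    policy = tags["p"].lower()
    # Subdomain policy (sp=) applies when From: is below the organizational domain.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    return {"result": "fail", "disposition": policy, "reason": "no aligned SPF or DKIM pass"}


# Constructed cases for the fictitious provider clinic.example.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s"

if __name__ == "__main__":
    cases = {
        # Impostor: attacker's own mailer passes SPF for its domain, not the provider's.
        "spoofed payment request": ("clinic.example", "pass", "mailer.badcorp.example",
                                    [("pass", "badcorp.example")], RECORD),
        # Legitimate: provider's bulk sender signs with DKIM d=clinic.example.
        "genuine appointment reminder": ("clinic.example", "pass", "bounce.clinic.example",
                                         [("pass", "clinic.example")], RECORD),
        # Subdomain From: with no authentication at all falls under sp=.
        "unauthenticated billing subdomain": ("billing.clinic.example", "fail",
                                              "billing.clinic.example", [], RECORD),
    }
    for name, args in cases.items():
        print(f"{name}: {evaluate_dmarc(*args)}")
```

The first case is the pattern in the report: SPF "passes", but for the attacker's domain, so alignment fails and a p=reject policy has the receiver discard it. Whether a receiver honours the disposition is its own decision, which is why the report still counts these messages as delivered at organizations without enforcement.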

Categories: Cyber Risk News

Recruitment Sites Expose Personal Data of 250k Jobseekers

Info Security - Thu, 10/17/2019 - 16:08
Recruitment Sites Expose Personal Data of 250k Jobseekers

The personal details of 250,000 American and British jobseekers have been exposed after two online recruitment companies failed to set their cloud storage folders as private. 

Names, addresses, contact information, and career histories were compromised as a result of the oversight by US jobs board Authentic Jobs and UK retail and restaurant jobs app Sonic Jobs.

Each company stored the resumes of hopeful job applicants in cloud storage folders known as buckets. The buckets were provided by the world's biggest cloud service, Amazon Web Services (AWS), which stores data in servers connected to the internet.

Applicants' data was exposed when both companies set the privacy settings on their buckets to public instead of private. This error meant that the resume of someone who applied for a job could be viewed and also downloaded by anyone who knew the location of the buckets.
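An S3 bucket can end up readable by anyone in two ways: an ACL that grants READ to the AllUsers or AuthenticatedUsers group (the "public" setting described above) or a bucket policy whose principal is "*". Since 2018 the account- or bucket-level Block Public Access settings can override both. As an added example (not code from the article or from either company), the Python below takes the three objects an auditor would fetch per bucket, in the shapes boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, and decides whether the bucket is effectively public. The inputs are constructed so it runs offline; it does not call AWS. One simplification is labelled in the code: a policy statement carrying any Condition is treated as restricted.

```python
"""Added example (not from the article): decide whether an S3 bucket is publicly
readable from its ACL, bucket policy and Block Public Access settings.
Inputs are constructed dicts in the shape boto3 returns; nothing talks to AWS."""
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, still public
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def acl_is_public(acl: dict) -> bool:
    """True if a grant gives READ (or FULL_CONTROL) to a global group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            return True
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_is_public(policy_json) -> bool:
    """True if an Allow statement lets an anonymous principal read objects.
    SIMPLIFICATION: any statement with a Condition is treated as restricted."""
    if not policy_json:
        return False
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def bucket_is_public(acl: dict, policy_json, public_access_block) -> tuple[bool, list[str]]:
    """Combine the three sources. IgnorePublicAcls neutralises public ACLs and
    RestrictPublicBuckets neutralises public policies; the two Block* flags only
    prevent *new* public settings, so they do not change the current exposure."""
    bpa = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    reasons = []
    if acl_is_public(acl) and not bpa.get("IgnorePublicAcls", False):
        reasons.append("ACL grants READ to AllUsers or AuthenticatedUsers")
    if policy_is_public(policy_json) and not bpa.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows anonymous object reads")
    return bool(reasons), reasons


# Constructed sample inputs for a fictitious bucket holding CVs.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::resumes-example/*"}]})
BLOCK_ALL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("exposed ACL, no BPA      ->", bucket_is_public(EXPOSED_ACL, None, None))
    print("exposed ACL, BPA on      ->", bucket_is_public(EXPOSED_ACL, None, BLOCK_ALL))
    print("public policy, no BPA    ->", bucket_is_public(PRIVATE_ACL, PUBLIC_POLICY, None))
    print("private ACL, no policy   ->", bucket_is_public(PRIVATE_ACL, None, None))
```

The useful lesson from the third and fourth cases is that flipping the ACL back to private, which is what both companies did, is not enough if a bucket policy still opens the objects; turning on Block Public Access closes both doors at once and stops the next deployment reopening them.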

Authentic Jobs, whose client list includes accounting firm EY and newspaper the New York Times, made at least 221,130 resumes publicly accessible. A further 29,202 resumes were exposed by app Sonic Jobs, which international hotel chains Marriott and InterContinental often use to recruit new staff. 

According to Sky News, which revealed the bucket-related breaches yesterday, the total number of resumes exposed may be higher. 

After being warned of the exposure by Sky News, both companies changed their bucket settings to private. 

"We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said in an email.

Security researcher Gareth Llewellyn, who discovered the bucket breaches, said: "By finding and closing these buckets we can protect people who placed their trust in these businesses and—hopefully—start drawing attention to the dangers of storing personal data in a woefully insecure manner."

Authentic and Sonic will now join Verizon, Dow Jones, GoDaddy, and WWE on a growing list of organizations that have exposed data via publicly configured AWS buckets. 

Llewellyn said that the onus is on companies to ensure the data that they store in the cloud is being stored safely.  

"Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn't preclude them from ensuring the data entrusted to them is safe," he said.

Categories: Cyber Risk News