Info Security

Subscribe to Info Security  feed
Updated: 1 hour 48 min ago

Drupal Patches Critical Remote Access Bypass Bug

Fri, 08/18/2017 - 19:36
Drupal Patches Critical Remote Access Bypass Bug

Popular content management system (CMS) Drupal has released several patches to address concerning vulnerabilities, including one in Drupal 8 Core engine that could allow remote attackers to view, create, update or delete website content.

This critical access bypass vulnerability joins two moderately critical bypass bugs in the patch round. Drupal Core 8.x versions prior to 8.3.7 are vulnerable, according to the Drupal Security Team.

The more severe issue (CVE-2017-6925) only affects entities that “do not use, or do not have, UUIDs (Universal Unique Identifier), and entities that have different access restrictions on different revisions of the same entity,” Drupal said in its warning.

A second access bypass vulnerability in the Core Engine allows unauthorized persons to view files (CVE-2017-6923)

“When creating a view, you can optionally use Ajax to update the displayed data via filter parameters,” Drupal noted. “The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax.”

The last flaw (CVE-2017-6924) allows users to post comments on webpages, even if they don’t have the permission to do so.

“When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments,” Drupal explained. “This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.”

So far, no working exploits have been uncovered. Mitigation for all Drupal 8 CVEs includes updating to the latest version, Drupal 8.3.7; also, administrators should make sure they have enabled access restrictions on the view.

Categories: Cyber Risk News

Faketoken Info-stealer Hitches a Ride with Taxi Apps

Fri, 08/18/2017 - 19:32
Faketoken Info-stealer Hitches a Ride with Taxi Apps

The Faketoken malware is not such an old dog, and now has learned some new tricks for stealing bank card information. It infects Android devices—and, straying from its previous MO of targeting banking applications—can now spoof taxi and ride-share apps, among other things.

According to Kaspersky Lab, in the past year or so since its discovery, Faketoken has worked its way up from primitive bankbot capabilities like intercepting mTAN codes, to being able to encrypt files and eavesdrop on communications. While the modifications continue, its focus is spreading too, to the point where it can overlay about 2,000 financial apps to capture user credentials.

Now, Kaspersky has detected a new variant with a mechanism for attacking apps for booking taxis, hotels and flights, and for paying traffic tickets.

The malware, which likely sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures, begins by monitoring all of the calls and apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it back to command and control. By the same token, when a user launches a targeted application, Faketoken substitutes its UI with a fake (but identical) one, prompting the victim to enter his or her bank card data.

Also, to get around two-factor authentication, the malware can steal incoming SMS messages and forwarding them to command-and-control servers too.

As for how widespread this is, the good news is that this version could represent a trial only.

“To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions,” researchers said in a posting. “According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”

Obviously, users should avoid downloading anything from unknown senders of text messages, and beware unofficial app stores.

Categories: Cyber Risk News

Global Security Spending to Top $86.4bn This Year

Fri, 08/18/2017 - 18:21
Global Security Spending to Top $86.4bn This Year

Worldwide spending on information security products and services will reach $86.4 billion in 2017, an increase of 7% over 2016, with that amount expected to grow to $93 billion in 2018, according to the latest forecast from Gartner.

Security testing, the GDPR and the rise of managed services will all contribute to this.

Within the infrastructure protection segment, Gartner forecasts fast growth in the security testing market (albeit from a small base), due to continued data breaches and growing demands for application security testing as part of DevOps. Spending on emerging application security testing tools, particularly interactive application security testing (IAST), will contribute to the growth of this segment through 2021.

Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services. However, the firm said that hardware support services will see growth slowing, due to the adoption of virtual appliances, public cloud and software as a service (SaaS) editions of security solutions, which reduces the need for attached hardware support overall.

"However, improving security is not just about spending on new technologies,” said Sid Deshpande, principal research analyst at Gartner. “As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.”

The report also found that the EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65% of data loss prevention (DLP) buying decisions today through 2018. The GDPR will have a global effect since multinationals will also need to adhere to the new law.

Gartner found that while organizations are working toward strengthening their knowledge of the regulation, those with some form of DLP already implemented are determining what additional capabilities they need to invest in (specifically, integrated DLP such as data classification, data masking and data discovery). In addition, organizations that do not already have strong DLP in place are looking to increase their capabilities.

"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," said Deshpande.

And finally, to deal with the complexity of designing, building and operating a mature security program in a short space of time, Gartner found that many large organizations are looking to security consulting and ITO providers that offer customizable delivery components that are sold with managed security service (MSS). By 2020, 40% of all contracts will be bundled with other MSS security services and broader IT outsourcing (ITO) projects, up from 20% today.

As ITO providers and security consulting firms improve the maturity of the MSS they offer, customers will have a much broader range of bundling and service packaging options through which to consume MSS offerings. The large contract sizes associated with ITO and security outsourcing deals will drive significant growth for the MSS market through 2020.

Categories: Cyber Risk News

Hiring More People is Top Need for Better Security in 2017

Fri, 08/18/2017 - 10:07
Hiring More People is Top Need for Better Security in 2017

Hiring more ‘people’ is top of the list of needs to improve security in businesses this year, according to findings from Tripwire.

The firm surveyed 108 pros at Black Hat USA last month and revealed that more than two-thirds (70%) of respondents who said ‘people’ consider hiring ‘experienced professionals’ as a priority whilst 30% said that they were willing to hire inexperienced individuals and training them on the job.

Organizations are clearly still struggling to cope with a lack of staff amid the ongoing cyber skills gap, something that looks set to continue over the next few years. It is therefore not a great surprise that companies see bolstering workforces as key to strengthening their security.

“I think this is an acknowledgement that technology will never solve the problems we face,” Adrian Davis, managing director EMEA, (ISC)2, told Infosecurity. “Security is people and is about creating processes, mind-sets and environments where individuals can work to their best in a secure manner (often without realizing it). People are essential to creating these processes, mind-sets and environments and it is these that have a much higher impact than technology.”

Therefore, as Nigel Harrison, acting CEO at Cyber Security Challenge UK explained, it’s encouraging to see that almost a third of companies would consider taking on less-experienced staff and giving them the training they need to succeed.

“In my experience, when looking at job adverts, companies quite often end up over-specifying the qualifications that they expect their security team to have at the outset,” he said. “Indeed, there have been many cases of companies advertising entry-level roles and demanding qualifications which cannot be achieved without a number of years of experience in the industry.

“The key skills that companies should be looking for from those that they hire is aptitude and mind-set; if an individual has these traits then the rest can be taught.”

Davis echoed similar sentiments, stating that only by expanding the talent pool and looking beyond the ‘experienced professional’ will the industry be able to meet the demands placed on it and grow for the future.

“Additionally, this gives us the opportunity to recruit across a wider group of individuals and experience, expanding our knowledge base and bringing in new ways of thinking and tackling problems,” he added.

Categories: Cyber Risk News

ICO Fines Islington Council for Parking System Privacy Snafu

Fri, 08/18/2017 - 09:45
ICO Fines Islington Council for Parking System Privacy Snafu

Privacy watchdog the Information Commissioner’s Office (ICO) has been busy again, this time fining Islington Council for exposing citizens’ personal data via a parking system website.

The London borough was fined £70,000 following issues with its Ticket Viewer system, which allows people accused of parking offences to view the offence via CCTV footage.

A fault in the system’s design meant 89,000 people were at risk of having their personal information accessed by others. In some cases, this included highly sensitive medical details related to appeals, the ICO claimed.

A member of the public first brought the issue to light, informing the council that by changing the URL, anyone could access system folders containing personal data.

After investigating, it found there had been unauthorized access to 119 documents 235 times from 36 unique IP addresses, affecting 71 people, the ICO revealed.

The watchdog claimed Islington Council should have tested the system thoroughly before it went live and then regularly after that, as per best practice.

“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that,” said ICO enforcement manager, Sally Anne Poole.

“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”

The ICO used the announcement to remind local authorities that much work still lies ahead in preparing for the forthcoming EU General Data Protection Regulation when it comes into force in May 2018.

The new law would have required Islington Council conduct a comprehensive privacy impact assessment before launching the Ticket Viewer system.

Fines under the new regime could go far higher than the current maximum of £500,000 which the ICO is able to levy; up to 4% of global annual turnover or €20m (£17m), whichever is higher.

Categories: Cyber Risk News

LG Hit by WannaCry-Like Ransomware

Fri, 08/18/2017 - 09:28
LG Hit by WannaCry-Like Ransomware

Security experts are scratching their heads after ransomware identical to WannaCry was found on LG self-service kiosks in South Korea this week.

The kiosks, in LG service centers, seem to have first become affected on Monday morning, with the state-run Korea Internet & Security Agency (Kisa) called in to help.

“We found that samples of the malicious code were identical to the WannaCry ransomware attack. More investigation is still needed to determine the exact cause,” a Kisa spokesperson said.

LG maintained that the service center network was shut down before the ransomware even had a chance to encrypt key files or demand payment.

Security updates were applied to the affected kiosks, which seems to have done the job, according to The Korea Herald. That could indicate that in spite of the huge publicity surrounding WannaCry when it spread globally this May, they still hadn’t patched a key Microsoft SMB vulnerability the threat exploited.

WannaCry is thought to have hit over 200,000 computers in more than 150 countries when it landed on May 17.

Jovi Umawing, malware intelligence researcher at Malwarebytes, argued that WannaCry is just one of several worms “constantly scanning the internet for vulnerable hosts.

“Therefore existing infected machines will continue to 'broadcast' to the outside until they are taken offline. In the meantime, any computer that has its SMB ports exposed and where the patches haven't been applied, will be compromised when it comes up online,” she added.

“Although ransomware is what most are focused on at the moment, remember that other malware can also take advantage of a number of vulnerabilities that WannaCry attacks. The worm, MicroBotMassiveNet, is one example. We cannot stress enough on the importance of keeping and maintaining an up-to-date system."

Tripwire EMEA manager, Dean Ferrando, likened the reappearance of the threat to Conficker.

“Conficker hit us in 2008 with a similar attack, causing an outbreak globally. Companies patched and secured their systems but months after the outbreak, Conficker was still infecting companies that hadn’t taken the necessary precautions,” he explained.

Categories: Cyber Risk News

Maersk Admits NotPetya Might Cost it $300m

Fri, 08/18/2017 - 08:55
Maersk Admits NotPetya Might Cost it $300m

Danish shipping giant Maersk has revealed that a recent ‘ransomware’ attack on its systems may have cost the company as much as $300m, highlighting the importance of effective cybersecurity.

The multi-national firm was hit in the NotPetya attacks at the end of June, which the Ukrainian security services has blamed on the Kremlin.

“In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco,” said Søren Skou, CEO of A.P. Moller – Maersk, in a statement this week.

“Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect the cyber-attack will impact results negatively by USD 200-300m.”   

The ransomware caused “significant business impact especially within the container business”, according to the firm.

The revelations highlight the high financial stakes of getting cybersecurity right in a modern organization.

Petya/NotPetya is now believed to have been an attempt to cause destruction and chaos among Ukrainian businesses, landing as it did a day before the country’s Constitution Day.

Although disguised as ransomware, with a classic payment screen flashed up to victims, there was actually no way for the perpetrators to provide a decryption key, according to Eset.

In fact, the code was designed to modify a target machine’s Master Boot Record in a way that made it completely unrecoverable, the researchers said.

The attack was originally intended to destabilize the Ukraine, according to the SBU.

However, it appears as if it managed to spread outside the country via the VPNs of infected multi-nationals which had operations in the country.

Maersk is certainly one of those, but it wasn’t alone. International law firm DLA Piper, German drug maker Merck and British Nurofen manufacturer Reckitt Benckiser were also affected.

The latter said it might suffer a revenue hit of up to £100m.

Categories: Cyber Risk News

Cybersecurity Pros Aren't Getting the Training They Need, Including in DevOps

Thu, 08/17/2017 - 17:59
Cybersecurity Pros Aren't Getting the Training They Need, Including in DevOps

Despite the fact that the cybersecurity skills shortage is a well-known issue, software developers are not receiving the training they need to be successful—including in the realm of DevOps.

According to the 2017 DevSecOps Global Skills Survey, sponsored by Veracode, slightly less than half of respondents said their employers paid for additional training since their entry into the workforce – and nearly seven in 10 developers report that their organizations provide them with inadequate security training. Third-party training, either in the classroom or through e-learning, was identified by one in three surveyed as the most effective way to gain new, relevant skills – but the study confirmed that very few are afforded the opportunity (only 4%).

“WannaCry and Petya are just two recent examples of large-scale cyberattacks that further demonstrate the importance of security in today’s exceedingly digital world,” said Maria Loughlin, vice president of engineering at Veracode. “Despite this apparent need, security practices and secure software development isn’t required to earn a degree in IT or computer science.”

Although nearly 80% of respondents have a bachelor or master’s degree – with 50% reporting that they studied and earned degrees in computer science – there is still a lack of cybersecurity knowledge prior to entering the workforce. The survey found that 70% of respondents said the security education they received is not adequate for what their current positions require, and that they’re learning their most relevant professional skills on the job (65%).

Also, as DevOps becomes the prevalent approach to building and operating digital products and services, that gap could have real impact on the security and quality of the software that underpins the digital economy. The report found that while 65% of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, 70% are not receiving the necessary training through formal education.

In security, DevSecOps refers to the practice of integrating security into the development and testing of software for a “shift left” mentality for faster, better quality outcomes. Yet those surveyed said that their IT workforce is only somewhat prepared (55%) or not prepared (nearly 30%) with the skills necessary to securely deliver software at the speed of DevOps. In fact, nearly 40% of hiring managers surveyed reported that the hardest employees to find are the all-purpose DevOps gurus with sufficient knowledge about security testing. This poses a significant challenge, as more than 50% of organizations said that either the entire organization or some of their teams are currently utilizing DevOps practices.

“Our research with DevOps.com highlights the fact that there are no clear shortcuts to address the skills gap,” Loughlin said. “Higher education and enterprises need to have a more mature expectation around what colleges should teach and where organizations need to supplement education given the ever-changing nature of programming languages and frameworks. The industry will have to come together to ensure the safety of the application economy.”

Categories: Cyber Risk News

Web Application Attacks Much More Common Than Ransomware

Thu, 08/17/2017 - 17:45
Web Application Attacks Much More Common Than Ransomware

Beware Joomla, et al: An analysis shows that web applications are the soft underbelly of organizations—the chink in the armor that hackers can use to successfully compromise their operations.

That’s the word from Alert Logic, which conducted an analysis of more than 2 million security incidents that were captured and escalated in its systems during an 18-month evaluation period. The resulting 2017 Cloud Security Report found that that web application attacks accounted for 73% of all the incidents flagged. These affected 85% of all Alert Logic customers, with injection-style attacks such as SQL injection leading the pack.

In comparison, server-side ransomware represented only 2% of total incidents.

“While ransomware gets much mindshare in the cybersecurity industry and in media headlines, it accounted for only a small number of observed security incidents in the data set,” the report noted.

“We focused our analysis on incident types and the workloads and environments most at risk,” said Misha Govshteyn, senior vice president of Technical and Product Marketing at Alert Logic. “Cyber-attackers continue to seek the weakest spots in network defenses, and businesses need to understand how they are refocusing to take advantage of the changing attack landscape.”

The Alert Logic customers in the report data set represent a broad range of industries (452 unique SIC codes) and organization sizes, from small-to-medium-sized businesses to large-scale enterprises. About 82% of customer deployments analyzed hosted workloads in the cloud—either on an infrastructure-as-a-service platform or hosted private cloud—and approximately one-third maintained on-premises or cloud hybrid infrastructure.

The report showed that pure public cloud installations experienced the fewest security incidents. On average, customers running applications on public cloud platforms experienced 405 security incidents over the 18-month period, while on-premises customers experienced a 51% higher rate of security incident escalations (612), hosted private cloud 69% higher (684) and hybrid cloud 141% higher (977).

The results also showed that bad actors like content management systems and e-commerce platforms. 

“Vulnerabilities in ubiquitous third-party web application components, insecure coding practices and increases in exploit automation make content management systems and e-commerce platforms rich hunting grounds for hackers targeting web applications,” said the report. “Attacks targeting the Joomla content management system (CMS) accounted for 25% of total web application attacks observed followed by WordPress with 10% and Magento with 7%.”

Categories: Cyber Risk News

Uber Agrees to 20 Years of Privacy Audits by the FTC

Thu, 08/17/2017 - 17:43
Uber Agrees to 20 Years of Privacy Audits by the FTC

Long plagued by privacy issues, Uber has agreed to privacy audits for the next 20 years after the FTC found the ride-sharing company at fault for harming consumers.

There are twin transgressions, in the FTC’s eyes: First, the ride-hailing start-up had a system for monitoring employee access to consumer information, but it stopped using it after less than a year. Also, hackers stole more than 100,000 driver names and license numbers in a 2014 data breach, which the FTC said could have been easily averted using multifactor authentication. Combined, these amount to "deceptive privacy and data security claims,” the FTC said.

"Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said Maureen Ohlhausen, acting chairman of the FTC. "This case shows that, even if you're a fast-growing company, you can't leave consumers behind: you must honor your privacy and security promises."

In addition to the audits, Uber will be implementing a new privacy program as part of the settlement.

Some noted that the requirements from the States are changes that Uber would have had to make to continue operating in Europe anyway.

"Uber may offer cheap cab fares but underneath the surface is a company plagued by reports of sexism, a massive data breach and an unhealthy interest in the journeys taken by a journalist,” Lee Munson, security researcher for Comparitech.com, said via email. "While such an agreement with the FTC may sound incredibly arduous, [but] executives may be rubbing their hands together, safe in the knowledge that the FTC will point them in the right direction long before any EU nations start handing out fines of up to 4% of an organization’s annual turnover for nightmarish privacy issues."

Trust and privacy go hand in hand, another researcher told us.

“In the age of digital business and increasing cyber-risk, it’s critical for senior executives and boards to put the building of trust at the top of the priorities list,” Malcolm Harkins, chief security and trust officer at Cylance, said via email. “Trust is a function of two things: Competence and character. While I respect the work of Uber’s more recent executive hires, this settlement may be an indication of things that were lacking to deliver that trust earlier in Uber’s history. Not only for security, but for privacy, all organizations should have a set of principles in place to guide the placement of the anchor points for security and privacy to deliver trust. Equally important is the right governance model to oversee the evolution of trust throughout the company.”

Categories: Cyber Risk News

Ex-Secret Service Man Admits Laundering More Stolen Bitcoin

Thu, 08/17/2017 - 10:41
Ex-Secret Service Man Admits Laundering More Stolen Bitcoin

A disgraced former Secret Service sent to jail for stealing Bitcoin during an investigation into the Silk Road darknet marketplace has pleaded guilty to laundering even more of the digital currency.

Shaun Bridges, 35, of Laurel, Maryland, was sent to jail in December 2015 for six years after hijacking the Silk Road account of a site administrator to steal around $820,000 worth of crypto-currency.

However, before starting that sentence, he was arrested again on new charges relating to the alleged theft of 1606 Bitcoin; valued at the time at $359,000 but now worth a staggering $6.6m.

He has admitted using a private key to access a digital wallet belonging to the US government and transferring the currency to other wallets at other Bitcoin exchanges to which only he had access, according to the Department of Justice.

As part of his investigation into the Silk Road, Bridges is said to have worked with the US attorney’s office in Baltimore to obtain a seizure warrant for Bitcoin held in the Bitstamp digital exchange.

As part of the warrant, the 1606 Bitcoins were sent to a BTC-e digital wallet to which only Bridges had the private key.

BTC-e is a notorious exchange which police believe has been used by cyber-criminals to receive the proceeds of ransomware, dark net drug sales and more.

Its alleged operator, Alexander Vinnik, 37, is accused of laundering $4bn through the exchange and was indicted on 21 counts after being arrested in Greece in July.

Among the Bitstamp accounts seized by Bridges were those of DEA special agent Carl Force, working undercover to crack the Silk Road and its kingpin Ross Ulbricht, aka ‘Dread Pirate Roberts’.

Force was sentenced to six-and-a-half years behind bars for himself stealing Bitcoins from targets of the investigation, after trying to disguise his actions by inventing various online pseudonyms.

Bridges has pleaded guilty to one count of money laundering, with sentencing set for November 7.

A SANS Institute report earlier this month revealed that malicious insiders (40%) are more dangerous than accidental or negligent staff (36%).

Categories: Cyber Risk News

IT Insider Helped Alleged $5m Insider Trading Scheme

Thu, 08/17/2017 - 09:46
IT Insider Helped Alleged $5m Insider Trading Scheme

Five men have been charged with insider trading offenses after an IT consultant pleaded guilty to using his position as a trusted insider at an investment bank to facilitate the scam.

In his role at the unnamed bank, Daniel Rivas is said to have accessed sensitive M&A information from at least August 2014 to around April 2017, sending it to friends on more than 50 occasions for them to buy and sell securities.

His efforts netted them an estimated $5m.

Rivas first sent insider information to the father of his girlfriend, a James Moodhe of New York City, which he used to generate profits of $2m over three years.

The two have already pleaded guilty to conspiracy, securities fraud, fraud in connection with a tender offer, wire fraud and making false statements to law enforcement officials.

A separate SEC civil case reveals that Rivas tried to use his IT know-how to his advantage:

“To avoid leaving a trail of their communications, Rivas and Moodhe did not communicate through electronic means such as phone calls, text messages, or emails. Instead, Rivas tipped Moodhe through other methods. For instance, Rivas provided handwritten notes to Moodhe’s daughter.”

Rivas also passed information to Michael Siva, 55, of West Orange, New Jersey, a financial adviser; Roberto Rodriguez, 32, of Miami Gardens; Rodolfo Sablon, 37, of Miami; Jhonatan Zoquier, 33, of Englewood, New Jersey and Jeffrey Rogiers, 33, of Oakland, California.

“As alleged, the defendants took advantage of an insider at an investment bank to make millions in illegal profits, trading over 50 times in advance of confidential corporate information. The defendants allegedly used code words and encrypted messages to try to avoid law enforcement detection,” said acting US attorney, Joon Kim.

“But despite their efforts to hide their crimes, the defendants’ insider trading schemes have been exposed, and two have already pled guilty federal crimes. Those who seek to cheat the markets by trading on stolen inside information corrupt the integrity of our nation’s securities markets, and we are committed to stopping them and holding them accountable.”

New research from Dtex out this week revealed that IT pros overwhelmingly believe insider threats are more difficult to spot than attacks from third parties, and over half (51%) think such incidents are on the rise.  

Categories: Cyber Risk News

BYOD Drives Increase in Insider Threats

Thu, 08/17/2017 - 09:14
BYOD Drives Increase in Insider Threats

Over three-fifths of IT professionals believe that insider threats are more difficult to spot than attacks by malicious third parties, with the explosion in mobile endpoints a key challenge, according to Dtex.

The security vendor polled over 400 IT pros to compile its 2017 Threat Monitoring, Detection & Response Report.

Nearly half (48%) claimed that detecting and mitigating insider threats is one of the top two challenges facing IT security teams today, with 51% claiming that the threat grew last year.

In total, just 6% said that detecting internal attacks is easier than spotting external threats, highlighting the scale of the challenge facing security teams.

Most insider threats come about not as the result of a determined employee, but negligence, the report found. Nearly two-thirds (64%) of respondents cited inadvertent data breach/compromise as their top insider concern.

That’s why more than half (57%) pegged end-user training as the best way to mitigate the insider threat.

The challenge is compounded by an increasingly mobile workforce that can connect to the corporate network via their BYOD mobiles.

Some 55% of survey respondents claimed this to be behind a rise in insider attacks over the past year, followed by 51% who pointed to data leaving the network perimeter via mobile devices and web access.

The bad news is that less than a third (30%) said they felt confident in their organization's insider threat security posture, and just 37% in their organization’s overall security posture.

Dtex Systems CEO, Christy Wyatt, claimed humans are the weakest link for organizations as businesses struggle to pinpoint ways to detect the moment when an insider becomes an insider threat.

“Existing employee training protocols, malware detection tools, antivirus platforms and SIEMS alone lack context to reliably detect insider vulnerability,” she added.

The news follows a Haystax Technology report in March which claimed that three-quarters (74%) of organizations feel vulnerable to insider threats.

A SANS Institute study released earlier this month co-sponsored by Dtex actually ranked malicious insiders (40%) as more damaging than accidental or negligent staff (36%).

Categories: Cyber Risk News

Exploit Packages Lead to Five Million Attacks in Q2

Wed, 08/16/2017 - 10:50
Exploit Packages Lead to Five Million Attacks in Q2

Exploit leaks from the likes of the Shadow Brokers dominated the threat landscape in the second quarter, according to new stats from Kaspersky Lab.

The Russian AV firm detected over 342 million attacks in 191 countries in the period April-June this year, a fairly significant reduction from the 479m attacks seen in Q1.

However, over five million such threats spotted by the vendor came from leaked exploits; that is, malware designed to utilize software vulnerabilities to infect victim machines.

Such attacks are particularly dangerous as they typically don’t require user interaction to deliver malicious code.

The Kremlin-linked Shadow Brokers leak was particularly damaging, making public exploits thought to have been developed by the NSA.

These led to the notable WannaCry and NotPetya outbreaks which caused chaos and destruction across the globe, even at big-name organizations including international law firm DLA Piper, Danish shipper Maersk, German drug company Merck, and ad giant WPP.

Although many of the bugs exploited by such threats were not zero-day vulnerabilities, poor patch management on the part of many organizations appeared to leave them exposed to attack.

Office vulnerability CVE-2017-0199, for example, was first discovered and patched in April but 1.5m users were subsequently attacked, according to Kaspersky Lab.

The average number of exploit-based attacks seen each day is also growing, with 82% of all attacks detected in the last month of the quarter.

“The threat landscape of Q2 provides yet another reminder that a lack of vigilance is one of the most significant cyber-dangers,” warned Kaspersky Lab security expert, Alexander Liskin. “While vendors patch vulnerabilities on a regular basis, many users don’t pay attention to this, which results in massive-scale attacks once the vulnerabilities are exposed to the broad cyber-criminal community.”

Elsewhere in the report, crypto-ransomware attacks increased, with the vendor blocking these threats on 246,675 computers during Q2, versus 240,799 in Q1.

Categories: Cyber Risk News

Scottish Parliament Accounts Under Brute Force Attack

Wed, 08/16/2017 - 09:53
Scottish Parliament Accounts Under Brute Force Attack

The Scottish Parliament has been hit by a brute force attack designed to crack MSP and staff passwords, it has emerged.

The external attack appears to be targeting online accounts like the one suffered by parliament in June.

Although there’s no official info on the Scottish Parliament website, MSPs and staff have been informed by email by CEO Paul Grice, according to the BBC.

"Symptoms of the attack include account lockouts or failed logins,” the missive reportedly notes.

"The parliament's robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational."

The additional security measures in question appear to involve forcing a change to weak passwords, which begs the question why they were allowed in the first place.

Bitglass CEO, Rich Campagna, argued that passphrases are a better bet than long and strong passwords.

“These will still be lengthy, but made up of real words, so easier to remember,” he added. “It might seem simple, but the truth is, if a password takes too long to crack, hackers will simply move onto the next batch."

Jamie Graves, CEO of Edinburgh-based ZoneFox argued that the Scottish Parliament is institutionally well prepared to cope with cyber-attacks.

“What the Scottish Parliament has in its favor is a transparent, open culture and so unquestionably all staff will heed Sir Paul Grice's request to remain vigilant,” he explained. “A united, digitally alert team is one of the greatest tools organizations can deploy in their fight against hackers."     

However, the use of password-based systems is still troubling given the high stakes at play here.

Security expert Graham Cluley recommended a switch to two-factor authentication; a simple step which would confound hackers, crackers and phishers.

“If it's good enough for the cast of Game of Thrones it should be good enough for you,” he explained, referencing a move designed to tighten up security on the hit TV show.

Back in June, less than 1% of 9000 parliamentary accounts were compromised in a similar attack, also prompting calls for 2FA to be introduced across the board.

Categories: Cyber Risk News

UK Retail Data Breach Incidents Double in a Year

Wed, 08/16/2017 - 09:06
UK Retail Data Breach Incidents Double in a Year

The number of UK retailers experiencing data breaches has doubled over the past year, according to new stats shared by law firm RPC.

The City-based firm claimed that the number of breaches reported to data protection watchdog the Information Commissioner’s Office (ICO) increased from just 19 in 2015/16 to 38 in 2016/17.

Contrary to some headlines making the news, this doesn’t necessarily mean an uptick in malicious activity by third parties; breaches can commonly be caused by employee error, negligence or deliberate actions.

Nevertheless, the stats highlight a growing problem for the UK’s retailers, and the need for further investments in cybersecurity, according to RPC.

Partner Jeremy Drew argued that cost pressures including rates and minimum wage increases and the declining pound can often take precedent.

“Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” he added.

“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained.”

David Kennerley, director of threat research at Webroot, argued that retailers need to focus both on their internal security and on ensuring customers stay safe online.

“Retailers need to keep PoS software up-to-date and deploy threat protection and detection on these devices, while not forgetting the importance of the physical security of PoS systems. Where possible, two-factor authentication should be used internally and by their customers. Online transactions should always require the CVV number is entered by the customer for every transaction,” he said.

“Retailers need to make sure all data that they store and transmit is encrypted, access is only given to those within the organization that need it to perform their job and at the same time ensure any third-party entities are maintaining the same high standards.”

Sports Direct and Debenhams Flowers are just two well-known brands breached over the past year.

Categories: Cyber Risk News

Unskilled Nigerian Behind Phishing Offensive Targeting World's Biggest Companies

Tue, 08/15/2017 - 18:08
Unskilled Nigerian Behind Phishing Offensive Targeting World's Biggest Companies

A relatively unskilled man in his mid-20s, operating from a location near the capital of Nigeria, is the kingpin behind a four-month cyber-offensive that has affected 4,000 organizations globally.

According to an investigation by Check Point, a range of companies have been targeted by cyberattacks which aim to infect their networks, steal data and commit fraud. The victims include a marine and energy solutions company in Croatia, a transportation company in Abu Dhabi, a mining company in Egypt, a construction organization in Germany, and so on—leading international names in industries such as oil & gas, manufacturing, banking and construction.

“Successful attacks on this scale are usually attributed to expert gangs of cybercriminals—often backed by a nation-state, with the aim of destabilizing economies,” Check Point researchers said. “[Instead], he is a Nigerian national, working on his own. On his social media accounts, he uses the motto ‘get rich or die trying’.”

His attack campaign uses fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies to trick them into revealing company bank details, or open the email’s malware-infected attachment. 

“It’s particularly striking that his techniques display a low level of cyber-skills,” the researchers said. “His fraudulent emails are crude and unsophisticated; there is almost no research or social engineering involved in creating them. The titles of the emails are generic, and phrased as “Dear Sir/Ms.”  The same mail is sent to numerous targets, all in blind carbon copy, urging victims to send back banking details, perhaps for future scams.”

The malware used is NetWire, a remote access Trojan which allows full control over infected machines, and Hawkeye, a keylogging program. These are old, generic and readily available online; and, he uses freeware to ‘scrape’ email addresses from corporate websites which he then uses as targets for his campaigns, Check Point said.

The ramifications are myriad: Both financial losses and the ability for follow-on attacks should both be concerns, the firm cautioned.

“In addition to the financial losses resulting from the attack, the malware used by the criminal to infect organizations gives remote control over infected machines, and can perform keylogging functions,” researchers explained “This enables harvesting of a variety of information from infected machines, such as details on the companies’ operations, assets and intellectual property. These can have a value far greater than the thousands of dollars obtained by fraud. What happens when the hackers realize the real value of these assets and start to exploit them?”

Check Point’s research team has notified law enforcement authorities in Nigeria and internationally, it said.

Categories: Cyber Risk News

Poll: Young Women Worry They Don't Have the Skills for Tech

Tue, 08/15/2017 - 17:22
Poll: Young Women Worry They Don't Have the Skills for Tech

Against the backdrop of a (now-fired) Google engineer’s screed against women in tech, a survey of more than 1,000 university students has identified a worrying crisis in confidence among young women with regards to their digital skills.

Conducted by KPMG and independent market research company High Fliers, the poll found that only 37% of young women are confident they have the tech skills needed by today’s employers, compared with 57% of young men. This is despite scoring on a par with their male counterparts when assessed on digital skills such as data manipulation and use of social media.

There is evidence that this lack of confidence could be putting many young women off applying for jobs: Almost three-quarters (73%) of female respondents said they have not considered a graduate job in technology.

“The issue here isn’t around competency—far from it—but rather how businesses understand the underlying capability of an individual and how to unlock it,” said Aidan Brennan, KPMG head of digital transformation. “I think this research highlights the work that needs to be done to show the next generation that when it comes to a career in tech, gender isn’t part of the equation.”

He added, “Competition for jobs is tough, and we know that female job seekers can be less likely to apply for a role than their male counterparts if they don’t feel they already possess every pre-requisite the job demands. Businesses committed to building a truly diverse workforce need to adapt their recruitment processes to reflect this, and ensure they don’t fall into the trap of listening only to those who shout about their capability loudest.”

The news on the heels of a memo penned by 28-year-old former Google engineer James Damore, whose assertions that “genetic differences” may explain “why we don’t see equal representation of women in tech and leadership” stirred a rousing debate over diversity in the workplace earlier in the month.

Google CEO Sundar Pinchai himself sent an employee memo, saying, "To suggest a group of our colleagues have traits that make them less biologically suited to that work is offensive and not OK.”

The controversy has underscored ongoing initiatives on the part of some companies to encourage more gender diversity.  

Anna Purchas, interim head of people at KPMG in the UK, said that the firm is already taking action to target women who are digitally capable, but may not yet be confident in their skills.

“We recruit around 1,000 graduates each year through our graduate recruitment process, Launch Pad, and we are proud to have reached a 50/50 gender split amongst our graduate intake,” she said. “However, to maintain this level of equality in an increasingly digital world, it’s vital that more women … have the confidence that their tech skills will be applicable for a role at a professional services firm like ours.”

Earlier this year KPMG launched ITs Her Future, an initiative aimed at encouraging more women to consider a career in tech, as well as Future Ready, an online tool designed to help young people who may not yet have experienced working in an office understand how the skills they do possess could be applicable in the workplace.

Categories: Cyber Risk News

Medical Devices in the Crosshairs with 36% of Orgs Attacked

Tue, 08/15/2017 - 16:49
Medical Devices in the Crosshairs with 36% of Orgs Attacked

Medical devices are increasingly interesting to hackers as this life-saving equipment joins the internet of things (IoT) ecosystem. More than one-third (35.6%) of surveyed professionals within that ecosystem said their organizations experienced a cybersecurity incident in the past year.

According to a Deloitte & Touche poll, identifying and mitigating the risks of fielded and legacy connected devices presents the industry's biggest cybersecurity challenge (30.1%).

"It's not surprising that managing cyber-risks of existing IoT medical devices is the top concern facing manufacturers, providers and regulators," said Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte. "Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls.”

He added, “Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product's entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic-bullet solution."

Additional cybersecurity challenges that connected medical devices presented to respondents included embedding vulnerability management into the design phase of medical devices (19.7%), monitoring and responding to cybersecurity incidents (19.5%), and lack of collaboration on cyber-threat management throughout the connected medical device supply chain (17.9%).

Jones continued, "Collaboration between providers, manufacturers and suppliers is key when it comes to bridging the gaps in medical device cybersecurity. This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely."

Beyond cybersecurity risk management itself, there are post-incident risk management efforts to worry about too. Few respondents (18.6%) say their organizations are "very prepared" to address litigation, internal investigations or regulatory matters related to medical device cybersecurity incidents in the next 12 months.

"As regulatory, litigation and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the timeline and size of cyber-incidents so the impact to intellectual property, client data and other areas can be addressed more quickly," said Scott Read, Deloitte Risk and Financial Advisory principal at Deloitte Transactions and Business Analytics. "Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyber-attackers."

Categories: Cyber Risk News

US Government Demands Data on Visitors to Anti-Trump Site

Tue, 08/15/2017 - 10:53
US Government Demands Data on Visitors to Anti-Trump Site

The US authorities are trying to force a web hosting firm to hand over details on over one million visitors to an anti-Trump site, in a move which has been branded unconstitutional.

DreamHost went public with the news after revealing that it’s been working with the Department of Justice for several months to try and seek a solution regarding its customer disruptj20.org.

That’s a site founded to protest the current White House administration.

Although it’s believed that some of its founders may have been involved in violence at the Trump inauguration, it’s unclear exactly what information the DoJ wants from DreamHost as its affidavit is sealed.

However, it has now demanded details not only of the site’s founders but also all visitors, as the hosting firm explained in a blog post:

“The request from the DOJ demands that DreamHost hand over 1.3 million visitor IP addresses — in addition to contact information, email content, and photos of thousands of people — in an effort to determine who simply visited the website. (Our customer has also been notified of the pending warrant on the account.)

That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment. That should be enough to set alarm bells off in anyone’s mind. This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority.”

The Department of Justice most recently filed a motion in a Washington DC Superior Court requesting an order compelling DreamHost to hand over the information. The hoster has filed arguments in opposition, claiming that the move is “a strong example of investigatory overreach and a clear abuse of government authority.”

Rights group the Electronic Frontier Foundation (EFF) is helping DreamHost with the case. It claimed there was no other explanation for the breadth of the search warrant “other than to cast a digital dragnet as broadly as possible”.

The EFF added in a statement:

“But the Fourth Amendment was designed to prohibit fishing expeditions like this. Those concerns are especially relevant here, where DOJ is investigating a website that served as a hub for the planning and exercise of First Amendment-protected activities.”

Categories: Cyber Risk News

Pages