Info Security


City of Los Angeles Teams Up with IBM to Fight Cybercrime

Fri, 09/20/2019 - 18:13

The City of Los Angeles and IBM are joining forces with the LA Cyber Lab to help local businesses combat cybercrime.

In a new project announced by IBM Security on September 17, the American multi-national IT company will provide technologies and data that will give the city's commercial movers and shakers an edge in the event of a cyber-attack.

As part of the project, business owners will be able to access two new free tools made available by the LA Cyber Lab, a non-profit providing threat intelligence to local businesses. 

The first tool is a mobile application that any citizen can use to submit and analyze suspicious emails to determine their risk and whether they are phishing attacks. The second tool, and the real centerpiece of this collaborative effort, is the cloud-based Threat Intelligence Sharing Platform (TISP), developed in collaboration with TruSTAR.

Functioning as a kind of digital neighborhood watch, TISP will allow users to circulate their spear-phishing concerns and educate themselves on the latest business email compromise (BEC) or ransomware campaigns. 

A neat feature of the platform is that it reviews suspicious emails submitted by users, extracting key information and searching over 25 common and unique data sources, to indicate the level of risk posed. It can also correlate key information in the email to the associated threat group and their latest attack campaign. 

"Public safety in the 21st century isn't just about protecting our physical streets and neighborhoods—we need to protect the digital presence that is part of everyday life for our residents and businesses," said Los Angeles' mayor, Eric Garcetti. 

"The Threat Intelligence Sharing Platform and mobile app will advance the LA Cyber Lab's work that has made our city a national cybersecurity model, all while better defending Angelenos from cyber-threats." 

In a bid to help other cities in the US know what to do in the event of a cyber-attack, IBM is hosting three complimentary training sessions for municipalities in the IBM X-Force Command Cyber Range in Cambridge, Massachusetts.

At each of the sessions, which will take place on October 22, November 19, and December 10, 2019, attendees will experience a simulated attack in order to practice their response. 

The attack may be simulated, but the threat is very real. In this year alone, more than 70 American cities have become the victims of ransomware. 

Kevin Albano, associate partner, IBM Security Services, IBM Security, said: "While a collaboration like this takes time and the right partners, the process itself was refreshing as a result of the city’s eagerness and dedication to improving cybersecurity for the area. The development of the LA Cyber Lab two years ago was the first real push in the right direction, and the development of these solutions is only continuing that goal and leading the charge for other cities to become more prepared."

Categories: Cyber Risk News

WeWork's WiFi Security Worryingly Weak

Fri, 09/20/2019 - 17:14

A lack of security on WeWork's WiFi network has left sensitive user data exposed.

In August, Fast Company revealed that WeWork had used the same WiFi password at many of its rentable shared co-working spaces for years, a password that appears in plain text on WeWork's app. 

The security of the real estate company's WiFi came under further criticism yesterday when CNET reported that the network's poor security had left sensitive data of WeWork users exposed.

Evidence of the exposure was provided by Teemu Airamo, who has been routinely running security scans on WeWork's WiFi network since May 2015. Airamo's scans, which were reviewed by CNET, show nearly 700 devices, including servers, computers, and connected appliances, leaking bank account credentials, email addresses, ID scans, and client databases, among other data.

Airamo said that multiple attempts made by him to alert WeWork's upper management to the security problem were met with indifference. 

WeWork has around 527,000 members renting out its 833 spaces in 125 cities around the world. The company filed for an initial public offering (IPO) in 2018. However, earlier this week the IPO was postponed until the end of the year after the company's reported valuation fell from $47 billion to under $20 billion. 

A spokesperson for WeWork said: "WeWork takes the security and privacy of our members seriously, and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.

"We are in a quiet period and can't comment beyond this statement." 

Commenting on this report, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, said: "For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake websites.

"My recommendation for concerned WeWork customers is to set up a VPN for their own private use."

Categories: Cyber Risk News

US Air Force Bids $95m Cybersecurity Contract

Fri, 09/20/2019 - 15:50

The US Air Force is requesting quotes from vendors that can provide support for a cybersecurity project under a contract worth up to $95m.

Vendors of any size are being sought to support an experimental cybersecurity platform development team that is part of the Air Force's LevelUP program. 

The team's engineers are looking for vendors that can give them access to a secure DevOps platform in which they can build and test new products. Testing will be conducted at every security level and classification on private, public, and hybrid clouds. 

Bidding vendors will need to prove that their company can process data securely at the second-highest security level for Defense Department systems, impact level five. 

To provide the development team with the support it requires, vendors will have to access classified information, something they cannot do from their local cafe over a cappuccino. Vendors will only be considered for this valuable contract if they have access to a facility with a secret level of security clearance that they can use when they need to handle classified data.

A Blanket Purchase Agreement (BPA) for up to 15 cloud vendors is being drawn up by the Air Force Life Cycle Management Center, with a performance period of up to five years. To be eligible to receive a BPA, companies must be based in the United States with no foreign ownership or control.

Bidders have until 12:00 PM CST on October 16, 2019, to submit a quote via email. Two Ask Me Anything (AMA) sessions are planned for September 25 and October 3; however, times and locations are yet to be announced.

The LevelUP program, which is based at the Command, Control, Communications, Intelligence, and Networks Directorate Joint Base in San Antonio, Texas, was founded with the strategy to create two main products.

One product, Unified Platform, is a tool that aggregates cybersecurity incident data in a single platform that is visible not just across the Air Force, but to other military branches too. The other is LevelUP Cyber Works, a “cyber factory” in which to develop and field new capabilities at the speed and scale required in today’s cyberspace operations environment.

Categories: Cyber Risk News

Republicans U-Turn to Back $250m Election Security Boost

Fri, 09/20/2019 - 11:00

In a surprise u-turn, senate Republicans have decided to back Democrat calls for an extra $250m to enhance the security of the nation’s voting infrastructure.

Speaking on the floor yesterday, senate majority leader Mitch McConnell said: “I’m proud the Financial Services & General Government bill will include a bipartisan amendment providing another $250 million for the administration and security of their elections, to help states improve their defenses and shore up their voting systems.”

Republicans have twice blocked attempts to bring legislation to the floor designed to improve election security, in 2018 and then again in July this year. Both times they claimed that states had still not spent the $380m they were given in 2018.

“This morning, after months and months and months of Republican resistance, and months of insistent Democratic pressure, senate Republicans have finally agreed to support our Democratic request for additional election security funding in advance of the 2020 elections,” responded senate minority leader, Chuck Schumer.

“A year ago, our Republican friends unfortunately and short-sightedly rejected this amendment. Well, maybe, just maybe, they are starting to come around to our view that election security is necessary; that if Americans don’t believe their elections are on the up-and-up, woe is us as a country and as a democracy.”

However, even this sum may not be enough to provide the safeguards needed to improve resilience against possible Russian intrusions.

Marian Schneider, president of election transparency non-profit VerifiedVoting, argued that more is needed to help states shore up their security ahead of the 2020 Presidential election.

“This amount falls short of the $600m that passed in the House, which is much closer to meeting the need for proper investment in election security. Congress has the obligation to protect the country from threats to national security and has the opportunity to act on this nonpartisan issue — after all, everyone votes on the same equipment,” she added.

“By making federal funds available, states will be able to replace aging, insecure voting equipment and implement modern security best practices, which include using voter-marked paper ballots and robust post-election audits. Despite the progress shown today, congress still needs to vote on bipartisan, comprehensive election security legislation to protect and ensure trustworthy elections backed by adequate funds for state and local governments to implement such measures.”

A senate report from July warned that Russian hackers had likely compromised voting infrastructure in all 50 states ahead of the 2016 election.

Categories: Cyber Risk News

Senior Execs Shun Cyber Risk as Concerns Grow

Fri, 09/20/2019 - 09:45

Nearly 80% of global organizations now rank cyber-risk as a top-five business concern, but just 11% are highly confident they can assess, prevent and respond effectively to attacks, according to new research from Marsh and Microsoft.

The insurer has teamed up with the computing giant once again to poll 1500 global organizations for its 2019 Global Cyber Risk Perception Survey.

It found those ranking cyber-risk as a top-five concern had risen from 62% in 2017 to 80% this year, while those confident in being able to deal with a threat fell from 19% to 11% over the period.

Ownership of and engagement with cyber-risk management seems to be a key challenge for many.

Although 65% of respondents identified a senior executive or the board as main owner of this function, only 17% of executives and board members said they’d spent more than a few days in the past year focusing on the issue. Some 51% spent several hours or less.

Similarly, 88% of organizations identified their IT/IT security teams as primary owners of cyber-risk management, but nearly a third (30%) of IT respondents said they spent just a few days or less over the past year focusing on this.

At the same time, adoption of new technologies continues apace, often without adequate safeguards.

Half of respondents said cyber-risk is almost never a barrier to the adoption of new tech, and although three-quarters (74%) evaluate risks prior to adoption, just 5% said they do so throughout the technology lifecycle. A significant minority (11%) do not perform any evaluation.

The report also revealed that organizations were likely to hold their own cyber-risk management actions to a higher standard than that of their suppliers.

That’s despite the fact that 39% said the risk posed by their partners was high or somewhat high versus just 16% who admitted their own organization poses high risk to their supply chain.

“We are well into the age of cyber-risk awareness, yet too many organizations still struggle with creating a strong cybersecurity culture with appropriate levels for governance, prioritization, management focus, and ownership,” said Kevin Richards, global head of cyber-risk consulting at Marsh.

“This places them at a disadvantage both in building cyber-resilience and in confronting the increasingly complex cyber-landscape.”

Categories: Cyber Risk News

Duo Indicted in $10m Tech Support Scam Case

Fri, 09/20/2019 - 08:38

Two individuals have been indicted as part of a crackdown on a $10m tech support scam operation.

Romana Leyva and Ariful Haque have now been charged with one count of wire fraud and one count of conspiracy to commit wire fraud, which could land them with a maximum 40 years each behind bars, according to an unsealed indictment.

It alleges that the fraud ring operated a classic tech support scam campaign targeting mainly elderly computer users.

After seeing pop-ups appear on their screens warning of a serious virus infection, they were urged to call a tech support number. Often these windows were branded with legitimate corporate logos to enhance legitimacy.

Doing so would take them through to an Indian call center, where operatives would use remote access tools to investigate the ‘problem’ before charging a fee — one-time, one-year or lifetime — to the victim and installing free anti-virus on their machine.

Around 7500 North American victims were scammed in this way, losing hundreds or thousands of dollars each.

In some cases, the fraudsters came back for more, claiming the original company that promised to provide tech support was going out of business and they wanted to refund the victim.

During this 'refund' process, they claimed to have reimbursed the victim too much money by accidentally adding an extra zero onto the amount. They then demanded that the victim reimburse them to the tune of thousands of dollars via gift cards, according to the indictment.

Nevada resident Leyva and New York-based Haque are accused of creating multiple fake companies to receive the fraudulently obtained funds, and of recruiting others to do so.

The scheme is said to have lasted from at least March 2015 to December 2018.

A report from Microsoft last year revealed that 63% of consumers globally experienced a tech support scam, down slightly from 68% in 2016.

Categories: Cyber Risk News

MITRE Names 2019's Most Dangerous Software Errors

Thu, 09/19/2019 - 18:12

Eight years ago, a list of the world's most dangerous software errors was published by problem-solving nonprofit the MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime's most wanted.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.

Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is "improper restriction of operations within the bounds of a memory buffer."

The second-most lethal error was determined to be "improper neutralization of input during web page generation," also known as cross-site scripting, which had a threat score of 45.69. 

In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list's compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs. 

MITRE's goal is to release an updated list each year based on data from that specific year. Asked why the gap between the first two lists was so long, a MITRE spokesperson answered: "Based on the previous methodology employed for the 2011 CWE Top 25 List, it was clear that there was no basis upon which to credibly change the list. 

"As new methodologies were explored, and upon selection of the current data-driven approach, it became valuable to produce a new list because it would validate whether or not the new data-driven methodology would result in a different list. And, since it did result in a different list, community stakeholders now have a new list to consume that is evidence-based and different from the 2011 list."

The lists are indeed different, but both include some of the same offenders. Explaining why, the spokesperson said: "Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out. 

"Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them."

Categories: Cyber Risk News

Vacationers Hit by Skimming Attack

Thu, 09/19/2019 - 17:08

People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack. 

Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart. 

Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.  

Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users' names, email addresses, telephone numbers, credit card details, and hotel room preferences.

The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn't ask users to fill in their credit card's card verification number, known as a CSC, CVV, or CV2.

To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites. 

Trend Micro's findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented: "There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place."

Categories: Cyber Risk News

Study Reveals Most Expensive State for Cyber Insurance

Thu, 09/19/2019 - 15:29

Purchasing cyber insurance to protect your business from the ever-increasing number of threats will cost you more in Delaware than in any other US state. 

A new study by business insurer AdvisorSmith has found that the average cost of annual cyber insurance in the Blue Hen State is 8.34% higher than the national average and a staggering 32.49% higher than its cost in the cheapest state for cyber insurance, Arizona. 

Across America's 50 states and the District of Columbia, the cost of cyber insurance averaged out at $1,501 per year, or around $125 a month, but for Delaware business owners the price rose to $1,626.92 per year. In Arizona, where the cost of cyber insurance was 24.15% cheaper than the national average, policies were on average $1,139 per year.

The study was conducted using quote estimates gathered in August and September 2019, as well as rate filings supplied by over 50 insurance companies throughout America between January 2019 and September 2019. 

Premiums nationwide ranged from as low as $544 to as high as $2,642 for comparable insurance coverage, based upon companies with moderate risks. The premiums were based upon liability limits of $1m, with a $10,000 deductible and $1m in company revenue.

North Carolina was the second most expensive state for cyber insurance, with an average annual cost of $1,611. At the other end of the scale, after Arizona, Michigan and Minnesota offered the cheapest cyber insurance.  

Asked how the average cost of cyber insurance has changed since last year, AdvisorSmith's Adrian Mak said: "Premium increases in the cyber market are tracking at 5% or less, which is relatively stable for an insurance product."

The Marsh-Microsoft 2019 Global Cyber Risk Perception survey published yesterday found that only 17% of executives said they had spent more than a few days on cyber-risk over the past year. However, a little investment of time in their company's cybersecurity could save them money.

Mak said: "We are seeing insurance companies focus more on operational cybersecurity defenses, where they are raising premiums on companies that don’t address cybersecurity vulnerabilities, while charging less to companies that are following the latest cybersecurity best practices."

Describing how he expects the cyber insurance landscape to change going forward, Mak said: "The cyber insurance marketplace is expected to experience continued growth over the next decade. We expect more growth in the small and midsize business sector. Especially in small business policies, we are seeing cyber insurance bundled into package policies."

Categories: Cyber Risk News

Facebook Disrupts Misinformation Campaigns in Ukraine and Iraq

Thu, 09/19/2019 - 11:45

Facebook has taken down hundreds of Facebook and Instagram Pages and accounts after two separate coordinated campaigns were discovered attempting to influence user behavior in Iraq and Ukraine.

It’s possible that the fake news operations were an attempt to peddle misinformation ahead of elections in the Middle East nation last year and in the eastern European country a few months ago.

The social network removed 76 Facebook accounts, 120 Pages, one Group, two Events and seven Instagram accounts linked to “coordinated unauthentic behavior” in Iraq. One or more of the Pages managed to garner around 1.6 million followers while 339,000 accounts followed at least one of the groups, it said.

“The people behind this activity used fake accounts to amplify their content and manage Pages — some of which were likely purchased,” explained Facebook head of cybersecurity policy, Nathaniel Gleicher.

“Many of these Pages merged with one another and changed names over time. They also impersonated other people and used their IDs to conceal their identity and attempt to avoid detection and removal.”

The content itself was largely critical of the US occupation and pro-Saddam Hussein, according to an analysis by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

A much bigger operation was taken down in Ukraine, where Facebook was forced to remove 168 accounts, 149 Pages and 79 Groups. Around 4.2 million accounts followed one or more of these Pages and around 401,000 accounts joined at least one of the Groups, while a whopping $1.6 million was spent on Facebook and Instagram ads, the social network revealed.

Facebook linked the activity to Ukrainian PR firm Pragmatico, despite attempts to conceal its involvement.

“The people behind this activity used fake accounts to manage Groups and a number of Pages — some of which changed their names over time, and also to increase engagement, disseminate content and drive people to off-platform sites posing as news outlets,” explained Gleicher.

According to another DFRLab analysis, there may have been political intent behind this campaign, although it was also an attempt to build a national audience for media conglomerate Znaj Media Holdings, which is linked to Pragmatico.

“The pages primarily posted local Ukrainian news content, much of which was lifted from other Ukrainian news outlets with only partial attribution,” it concluded. “This network may have been partially politically motivated — some of the pages launched personal attacks against particular Ukrainian politicians — and partially commercial in nature.”

Categories: Cyber Risk News

FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime

Thu, 09/19/2019 - 10:00

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have announced a partnership to combat cybercrime within the European financial services sector.

The FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, and the EC3 protects European citizens, business and governments from online crime.

The Memorandum of Understanding (MOU) between the two will aim to facilitate and enhance the law enforcement response to financially motivated cyber-criminals targeting banks and other financial institutions through a symbiotic intelligence sharing network.

The partnership is a response to the acceleration of sophisticated cyber-attacks in recent years affecting numerous countries and jurisdictions at once. The MOU will help foster a pan-European approach to intelligence sharing, ensuring the cross-border cooperation necessary for the detection, prevention and reduction of cybercrime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training exercises and informational summits.

“Cyber-criminals are increasingly targeting financial services and institutions to the cost of citizens and businesses across the EU,” said Steven Wilson, head of EC3. “It is crucial to bring key stakeholders around the table to improve the coordinated response; this MOU with FS-ISAC builds a platform to allow us to do exactly that.”

Ray Irving, managing director of FS-ISAC, added: “Accelerated global digitalization combined with the growing sophistication of cyber-criminals demands a more concerted approach from both the public and private sector. Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system.”

Categories: Cyber Risk News

NCSC: Nation State University Attacks Could Harm UK

Thu, 09/19/2019 - 09:30

The UK’s National Cyber Security Centre (NCSC) has been forced to issue a new report detailing the threat to the country’s universities from cyber-criminals and nation state operatives.

The NCSC argued that, while the sector has traditionally been one of the most open and outward-facing, both in terms of culture and technology, this makes the attackers’ job even easier.

The main threats are from untargeted cybercrime raids, such as ransomware and bulk personal info theft via phishing, and targeted ones like Business Email Compromise (BEC). However, it also highlighted the challenge posed by nation state hackers looking to steal cutting-edge research and IP.

“While it is highly likely that cybercrime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to 'publish first',” the report argued.

“Nation states almost certainly target universities for the data and information they hold. Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students,' or direct investment.”

The NCSC warned that attacks on UK universities by nation states could even threaten the long-term health of the country itself.

“There's a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimizing of other avenues to gain insight and advantage,” it added.

The GCHQ spin-off urged university IT teams to focus on improving user security awareness; enhancing access controls, especially for sensitive data stores; and revisiting network design to segment high-value information.

Iranian hackers have been among the most prolific attackers of university IT systems: just last week more info emerged on the Cobalt Dickens group, which is targeting at least 380 universities worldwide in a major new phishing operation.

Categories: Cyber Risk News

Lion Air Breach Hits Millions of Passengers

Thu, 09/19/2019 - 08:40

Tens of millions of passengers from at least two Asian airlines have had their personal data compromised after workers at the parent company left them exposed via an AWS server, it has emerged.

Although it’s unclear how long the data had been exposed for, security researchers have pointed to at least 35 million records circulating online and linked to an individual with the moniker “Spectre.”

They belong mainly to passengers of Lion Air companies Malindo Air and Thai Lion Air, and include names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates, and more.

There are suggestions that a third Lion Air brand, Batik Air, may also be affected.

An official statement from Malindo Air reveals little except that, along with AWS and the airline’s e-commerce partner GoQuo, it is investigating.

“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” it claimed.

“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”

The firm urged its passengers to change passwords on their Malindo Miles accounts and basically sit tight.

Reports suggest a misconfigured S3 bucket was again responsible for the security snafu, perhaps dating back to August.

Airlines are an increasingly popular target for hackers, with both Cathay Pacific and BA suffering major breaches over the past year.

The mistake or oversight that led to the Lion Air breach was most likely a very simple one, argued Stephan Chenette, co-founder and CTO of AttackIQ.

“Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs,” he added.

“To protect customer data, organizations should employ continuous security validation tools to identify and prioritize gaps in security that need to be addressed first, and continuously assessing the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”

Categories: Cyber Risk News

Barclaycard: So Far, So Good for Strong Customer Authentication

Wed, 09/18/2019 - 17:16

Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. 

The new user authentication rules mandated by the European Union's revised Payment Services Directive (PSD2) were introduced by the UK's leading acquirer on Saturday, September 14. 

Barclaycard analyzed transaction data from September 14 and 15 to check what effect the new two-step authentication rules were having. The company found that merchants had not experienced an increase in abandoned transactions, nor had they seen a spike in declined payments.  

"Our data offers encouraging news for merchants, whose transaction volumes have been, so far, unaffected by the go-live of SCA," said Paul Adams, director of acquiring at Barclaycard Payment Solutions.

SCA legislation officially came into force across Europe on September 14; however, the European Banking Authority (EBA) has given each member state the option to apply for extensions. 

One country that took them up on the offer was the UK, which secured an 18-month extension to the deadline. The UK's financial regulator, the Financial Conduct Authority (FCA), announced in August that the country's payments and e-commerce providers would have until March 14, 2021 to achieve full compliance. 

Action will not be taken by the FCA before that date against firms that haven't implemented SCA, provided that "there is evidence that they have taken the necessary steps to comply with the plan." However, the FCA is expecting third-party providers to implement SCA for online banking by March 14, 2020.

The new SCA legislation requires that all European Economic Area (EEA) transactions go through a two-factor authentication process, unless they qualify for an exemption. Transactions that are exempt include contactless payments below €50/£30; payments made at unattended terminals, such as parking lot payment machines; and recurring payments of the same value to the same merchant, such as subscription payments.

Customers can also skip two-factor authentication for payments made to trusted merchants by whitelisting that merchant with their issuer. 

To help merchants prepare for the changes required by SCA, Barclaycard, which handles nearly half of the nation’s credit and debit card transactions, has launched Barclaycard Transact, which went live over the weekend.

The fraud protection solution allows businesses to benefit from SCA exemptions while making sure that all high-risk transactions still go through two-factor authentication, in accordance with the regulation.

Adams said: "We have designed Transact to help our customers get the most out of the incoming regulation, by enabling them to provide a smooth payment experience for their shoppers, while at the same time reducing risk and managing fraud."

Categories: Cyber Risk News

New Attack Group Targets Saudi IT Providers

Wed, 09/18/2019 - 15:50

A previously undocumented threat group has been mounting what appear to be supply-chain attacks against IT providers in the Middle East.

Since July 2018, Tortoiseshell Group has targeted at least 11 organizations, using a deadly mix of custom-made and off-the-shelf malware. The majority of the companies to come under virtual fire are based in Saudi Arabia.

Tortoiseshell's nefarious activities were spotted by researchers at Symantec, who have recorded activity stemming from the group as recently as July 2019. 

At two of the organizations unfortunate enough to be attacked by Tortoiseshell, several hundred network computers ended up being infected with malware. Researchers believe that this unusually large number of compromised consoles is indicative of the group's desire to infiltrate particular computers. 

The exact intentions of the attackers are unknown, though Symantec's researchers believe that the threat group's end goal was to compromise the computers belonging to the customers of the IT firms targeted. And you can bet that they weren't going to all this trouble just to change people's screensavers to a goofy picture of an adorable puppy. 

Evidence gathered by the researchers suggests that the attackers were able to gain domain admin–level access to the networks of at least two of the IT providers upon which they preyed.  

Gavin O'Gorman, an investigator with Symantec Security Response, said: "Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller, on at least two victim networks. This results in the information-gathering tools' being executed automatically when a client computer logs into the domain. 

"This activity indicates the attackers had achieved domain admin–level access on these networks, meaning they had access to all machines on the network."
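An added example of how a defender could watch for the behavior described above, not code from Symantec or the original article: it flags write-type access to a domain controller's NETLOGON folder in records modelled on Windows Security event 5145. The account names, addresses, file names and the `APPROVED_WRITERS` allow-list are constructed assumptions.

```python
"""Flag write access to a DC's NETLOGON share from records modelled on
Windows Security event 5145. All sample values below are constructed."""

# Windows file access-right bits that change a share's contents.
WRITE_BITS = {0x2: "WriteData", 0x4: "AppendData",
              0x10000: "DELETE", 0x40000: "WRITE_DAC"}
# File types a logon script can call or a client can run directly.
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")
# Hypothetical allow-list of accounts expected to maintain logon scripts.
APPROVED_WRITERS = {"svc-gpo-deploy"}

def sample_event(user, ip, share, target, mask):
    """Build a constructed record carrying the 5145 fields used below."""
    return {"EventID": 5145, "SubjectUserName": user, "IpAddress": ip,
            "ShareName": share, "RelativeTargetName": target,
            "AccessMask": mask}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    sample_event("jsmith", "10.0.4.21", r"\\*\NETLOGON", "logon.bat", "0x1"),
    sample_event("svc-gpo-deploy", "10.0.1.5", r"\\*\NETLOGON",
                 "logon.bat", "0x2"),
    sample_event("adm-temp", "10.0.9.77", r"\\*\NETLOGON",
                 r"tools\inventory.exe", "0x6"),
    sample_event("adm-temp", "10.0.9.77", r"\\*\SYSVOL",
                 r"corp.example\scripts\notes.txt", "0x2"),
    sample_event("adm-temp", "10.0.9.77", r"\\*\SYSVOL",
                 r"corp.example\Policies\gpt.ini", "0x2"),
]

def write_rights(mask_hex):
    """Return the names of write-type rights set in a hex AccessMask."""
    mask = int(mask_hex, 16)
    return [name for bit, name in WRITE_BITS.items() if mask & bit]

def in_netlogon(share, target):
    """True if the target is NETLOGON content, reached by either share."""
    if share.upper().endswith("\\NETLOGON"):
        return True
    # The same folder is <domain>\scripts under the SYSVOL share.
    parts = target.lower().split("\\")
    return (share.upper().endswith("\\SYSVOL")
            and len(parts) > 2 and parts[1] == "scripts")

def find_netlogon_writes(events, approved=APPROVED_WRITERS):
    """Return one finding per write-type access to NETLOGON content."""
    findings = []
    for e in events:
        target = e.get("RelativeTargetName", "")
        if (e.get("EventID") != 5145
                or not in_netlogon(e.get("ShareName", ""), target)):
            continue
        rights = write_rights(e.get("AccessMask", "0x0"))
        if not rights:
            continue  # read-only access happens at every logon
        user = e.get("SubjectUserName", "")
        if user.lower() in approved:
            severity = "info"
        elif target.lower().endswith(EXECUTABLE_EXT):
            severity = "high"
        else:
            severity = "medium"
        findings.append({"severity": severity, "user": user, "target": target,
                         "source": e.get("IpAddress", ""), "rights": rights})
    return findings

if __name__ == "__main__":
    for finding in find_netlogon_writes(SAMPLE_EVENTS):
        print(finding)
```

Event 5145 is only logged when the Audit Detailed File Share subcategory is enabled on the domain controller.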

Highlighting the inherent danger in hackers' gaining access at this level, O'Gorman said: "Shamoon is a good example of one of the worst-case scenarios, where an attacker can wipe every computer on a network by obtaining domain-level access."

The unique component used by Tortoiseshell is a piece of malware called Backdoor.Syskit, which is run with the "-install" parameter to install itself. Once it has settled its virtual butt on the couch of a computer, the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server. 

Tortoiseshell's last observed activity occurred in July, but there's every chance they'll be back for more.

O'Gorman said: "Groups tend to not go away, but rather they use different tools, and so it becomes difficult to connect their various attacks. For some groups we have been able to identify their activity spanning more than 10 years."

Categories: Cyber Risk News

US Cybersecurity Firm to Create 52 Jobs in Ireland

Wed, 09/18/2019 - 15:16

An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.

The new office in the Republic of Ireland will become the European Headquarters and Security Operations Centre (SOC) for growing company Security Risk Advisors (SRA). SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years. 

Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic. 

SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."

Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown. 

Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA.

"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen. 

Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.

"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."

SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.

The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street. 

Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.

Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."

Categories: Cyber Risk News

Government Report Warns of AI Policing Bias

Wed, 09/18/2019 - 11:05

A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.

Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.

It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.

The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.

This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.

It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.

RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.

“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.

“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”

OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.

“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.

“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”

Categories: Cyber Risk News

Third of Brits Concerned About Election Interference

Wed, 09/18/2019 - 09:55

A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.

The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.

It found that 34% believe cyber-attackers could influence the democratic process in future.

A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”

Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.

Election interference can also be more insidious: a Senate report out in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 Presidential election.

Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) claimed there are not enough security experts in the workforce to protect the country from attack.

However, less than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.

Skills shortages currently stand at nearly three million globally, including 142,000 in EMEA, according to (ISC)².

SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.

“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”

The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.

Categories: Cyber Risk News

US Government Sues Edward Snowden Over Book

Wed, 09/18/2019 - 08:45

The US government is suing Edward Snowden for violating a non-disclosure agreement (NDA) in the publication of a new book.

The civil suit alleges that the former government contractor published the book, Permanent Record, without first submitting it to the CIA and NSA for review, as per the agreements he signed. It alleges Snowden has also discussed intelligence matters in public speeches, further violating the NDA.

Yet despite its allegations, the US government doesn’t want to prevent publication of the book; instead it wants to seize all proceeds, naming his publishers as co-defendants so that no money can be transferred to the whistleblower.

“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said assistant attorney general Jody Hunt of the Department of Justice’s Civil Division.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

However, Snowden’s attorney and director of the American Civil Liberties Union (ACLU), Ben Wizner, has hit back, arguing that the book contains no information that hasn’t already been published by “respected news organizations.”

“Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified,” he added.

“Mr Snowden wrote this book to continue a global conversation about mass surveillance and free societies that his actions helped inspire. He hopes that today’s lawsuit by the United States government will bring the book to the attention of more readers throughout the world.”

Categories: Cyber Risk News

New Banking Regs Increase Cyber-Attack Risk

Tue, 09/17/2019 - 17:09

A report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.   

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry believes customers will expect their financial services providers to shoulder the responsibility of maintaining cybersecurity.

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."

Categories: Cyber Risk News