Info Security


Alexa Turned Spy, Able to Snoop on Users

Thu, 04/26/2018 - 15:25

Amazon put a quick stop to an issue in Alexa’s skill set after Checkmarx researchers reported that her skill set could be expanded to listen in on users not just some of the time but all of the time.

According to a Checkmarx research paper, Alexa skills can be developed in different languages using the Alexa skill set, which integrates with AWS Lambda functions. The personal assistant device is always listening for the user’s voice so that, when the wake word is recognized, Alexa is activated.

Under normal circumstances, users receive an audio indication after tasks are completed to let them know that Alexa has gone to sleep. This makes it clear that she’s no longer recording. Yet, the researchers were able to augment Alexa’s skills so that she was continually recording.

"We went through the whole process of how Alexa communicates with the user and tried to take the view of the hacker and go step by step to see how we could leverage something that might seem benign, that might not seem risky but make it a risk," Amit Ashbel, cyber security evangelist at Checkmarx, told ZDNet.

The researchers chose the seemingly benign calculator skill as the hiding spot for the malicious task. Any user who activated the app would then unknowingly install the eavesdropper skill. Once Alexa solved all of the requested math problems, she stayed on despite the user thinking the session was over.

As the microphone function was still activated, the device both listened to and transcribed whatever tidbits of information Alexa overheard. "You think the session is over, but actually it is continuing all the time, recording your words and sending your transcription to the hacker. There's no limit to the length of the session, the number of words or sentences, it just keeps on going until you turn it off," said Erez Yalon, manager of application security research at Checkmarx.

Notable from the video is the obvious flaw in the attack itself. Alexa remains lit up like a Roman candle, an indication that the device is still active.

After Checkmarx disclosed their research to Amazon, the problem was resolved so that silent cycles are no longer permissible. "It now also detects longer than usual sessions and warns users, so maybe they've mitigated future attacks," Yalon added.

Categories: Cyber Risk News

Fight to Get SMBs PCI Compliant a Losing Battle

Thu, 04/26/2018 - 14:29

Being in compliance with different regulations has a bottom-line impact on business, but smaller organizations lack the time and knowledge necessary to engage with PCI (Payment Card Industry) programs. 

That's according to the Acquirer PCI Sentiment Survey recently released by Sysnet Global Solutions. The feeling among acquiring organizations is not good, with less than 10% expressing that they were happy with their current compliance rate.

While most acquirers understand that the smaller merchants likely don't understand what they need to do, 64% of the respondents said that small merchants don't make security enough of a priority. In order to drive compliance, an overwhelming majority of respondents said that improved communication (76%) and education (72%) along with managed security and compliance service (72%) would be most helpful.

Less than half (48%) felt that technology services such as P2PE (Point-to-Point Encryption) would effectively drive compliance, while only 44% saw charging noncompliance fees as initiatives that would drive smaller merchants toward compliance.

The survey revealed a lack of consensus on whether to charge noncompliance fees and for how long they should be levied. While 21% felt it was appropriate to charge PCI noncompliance fees indefinitely, the same number said that it was never appropriate to charge a fee. The remaining 58% agreed that fees should not be charged beyond two years time.

Perhaps the most interesting statement, with which 52% of respondents agreed, was that "Some acquirers view noncompliance fees as unethical, describing PCI noncompliance fee revenue as ‘a drug the industry needs to wean itself off.'"

More than half of the participants agreed that noncompliance fees contribute to merchant attrition. One respondent commented that these charges are "taking advantage of customers by forcing them to pay extra fees and carry all the risks associated with noncompliance."

When asked if they felt it was likely that regulations might be introduced to control PCI charges, 60% of the participants answered that they somewhat agreed.

Interestingly, less than half of the survey respondents agreed that PCI DSS (Data Security Standard) does enough to ensure a small business is actually protected against cyberattacks. "Some feel that PCI DSS does not drive good practices and behaviors for small merchants, while others believe that it only provides the tool to use to defend against cyberattacks," the survey noted.

Fifty-four percent of the senior executives at acquiring institutions said that they currently provide cybersecurity tools that help to reduce PCI scope.

Categories: Cyber Risk News

Cadence in Chaos: Sounds of DDoS in NetFlow Logs

Thu, 04/26/2018 - 13:48

For those who appreciate the healing power of music, new research could prove to be a magical security tool. By correlating traffic types from NetFlow logs with sounds of instruments, researchers at Imperva were able to translate changes in network traffic into song.

Inspired by a TED Talk called "Can We Create New Sense for Humans" presented by Dr. David Eagleman, adjunct professor in the Department of Psychiatry & Behavioral Sciences at Stanford University, Imperva's team wondered whether tapping into the sense of sound could change the way they interpret network traffic.

"Auditory perception, we learned, has a lot of advantages over sight, especially in terms of processing spatial, temporal and volumetric information. The ability to register the most delicate differences in frequency resolution and amplitude opens up a Pandora’s Box worth of possibilities in data perception," Imperva wrote in a blog post.

It turns out that sonification is an effective monitoring tool, so they set to work figuring out how to make the internet sing. To collect NetFlow data, they wrote a Python 3 script, then processed the data into Open Sound Control (OSC) messages, which were then converted into sound using a Ruby-based algorithmic synthesizer.

Assigning different instrumental sounds to the varied traffic types created a melody that revealed the ebb and flow of the traffic levels and also revealed shifts in pitch and volume.

A significant shift in traffic would be the harbinger of a DDoS attack. So as not to rely solely on shifts in volume as an alert, the team decided to add an additional mechanism that would really sound an alarm bell and activate a mitigation service. Their choice? The sound of a tomato being squeezed.
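The pipeline described above (NetFlow records in, OSC messages out, with a volume shift raising an alarm) as an added, self-contained example. This is not Imperva's script and makes no claim about how their code works: the flow records are constructed inline, the traffic-class-to-instrument mapping, the OSC address names (`/traffic`, `/alarm`) and the `squeezed_tomato` sample name are assumptions, and the OSC encoding is a minimal hand-rolled implementation of the OSC 1.0 message format so that it runs without third-party packages.

```python
import math
import struct
from collections import defaultdict, deque

# Constructed NetFlow-like records: (timestamp_sec, protocol, dst_port, bytes).
# Seconds 0-2 are quiet; seconds 3-4 carry a constructed UDP/53 flood.
SAMPLE_FLOWS = [
    (0, "tcp", 443, 12000), (0, "udp", 53, 800), (0, "icmp", 0, 100),
    (1, "tcp", 80, 9000), (1, "udp", 53, 700),
    (2, "tcp", 443, 11000), (2, "udp", 123, 600), (2, "icmp", 0, 120),
    (3, "udp", 53, 500), (3, "udp", 53, 95000), (3, "udp", 53, 120000),
    (4, "udp", 53, 150000), (4, "tcp", 443, 10000),
]

# Assumed mapping from traffic class to a synth name on the receiving side.
INSTRUMENTS = {"tcp": "piano", "udp": "pluck", "dns": "blade", "icmp": "beep"}


def classify(proto, dst_port):
    """Coarse traffic class: DNS gets its own voice, everything else by protocol."""
    return "dns" if dst_port == 53 else proto


def bucket_by_second(flows):
    """Aggregate bytes per (second, traffic class)."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, proto, port, nbytes in flows:
        buckets[ts][classify(proto, port)] += nbytes
    return {ts: dict(classes) for ts, classes in buckets.items()}


def _osc_str(s):
    """OSC string: UTF-8, NUL-terminated, padded to a multiple of 4 bytes."""
    b = s.encode() + b"\x00"
    return b + b"\x00" * (-len(b) % 4)


def osc_message(address, *args):
    """Encode an OSC 1.0 message with int32 ('i'), float32 ('f') and string ('s') args."""
    tags, payload = ",", b""
    for a in args:
        if isinstance(a, bool):
            raise TypeError("bool is not an OSC type here")
        if isinstance(a, int):
            tags += "i"; payload += struct.pack(">i", a)
        elif isinstance(a, float):
            tags += "f"; payload += struct.pack(">f", a)
        elif isinstance(a, str):
            tags += "s"; payload += _osc_str(a)
        else:
            raise TypeError(f"unsupported OSC arg: {a!r}")
    return _osc_str(address) + _osc_str(tags) + payload


def bytes_to_midi(nbytes, lo=48, hi=84, ref=100.0):
    """Map a byte count to a MIDI note on a log scale: ref bytes -> lo, +4 semitones per doubling."""
    note = lo + 4 * math.log2(max(nbytes, 1) / ref)
    return int(min(hi, max(lo, round(note))))


def detect_shifts(totals, window=3, factor=5.0, min_bytes=50_000):
    """Flag seconds whose total exceeds `factor` x the mean of the last `window` quiet seconds.
    Flagged seconds are kept out of the baseline so a sustained flood stays flagged."""
    baseline, alerts = deque(maxlen=window), []
    for ts, total in totals:
        if len(baseline) == window:
            mean = sum(baseline) / window
            if total >= min_bytes and total > factor * mean:
                alerts.append(ts)
                continue
        baseline.append(total)
    return alerts


def sonify(flows):
    """Turn flow records into OSC messages; returns (messages, alerted_seconds)."""
    buckets = bucket_by_second(flows)
    totals = [(ts, sum(c.values())) for ts, c in sorted(buckets.items())]
    alerts = set(detect_shifts(totals))
    messages = []
    for ts, classes in sorted(buckets.items()):
        total = sum(classes.values())
        for cls, nbytes in sorted(classes.items()):
            # One note per traffic class per second: instrument, pitch, relative amplitude.
            messages.append(osc_message("/traffic", INSTRUMENTS[cls],
                                        bytes_to_midi(nbytes), nbytes / total))
        if ts in alerts:
            # Assumed alarm sample name; the mitigation hook would be wired here.
            messages.append(osc_message("/alarm", "squeezed_tomato", ts))
    return messages, sorted(alerts)


if __name__ == "__main__":
    msgs, alerted = sonify(SAMPLE_FLOWS)
    print(f"{len(msgs)} OSC messages, alarm at seconds {alerted}")
```

The messages are plain bytes, so sending them is a single `socket.sendto` to whatever UDP port the synthesizer listens on; the detection keeps flagged seconds out of its baseline, which is what stops a flood from quickly becoming the "new normal" and silencing its own alarm.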

"I think we can confidently say this was the first time a tomato has been used in DDoS mitigation. No less important, we’re fairly certain that this was the first time that Wemos or similar technologies (e.g., Arduino) have been used to interact with a Sonic Pi, which was sort of the whole point," the researchers wrote.

The Imperva team proved that cybersecurity research can be both pleasant and fun. More importantly, what they have created could have great potential when it comes to mitigating DDoS attacks. They hope to see the sonorous songs of data become more commonplace in the future of security monitoring.

Categories: Cyber Risk News

DWP to Splash £15m on GDPR as Deadline Approaches

Thu, 04/26/2018 - 09:56

The UK Department for Work and Pensions (DWP) is to spend nearly £15m on GDPR compliance, in line with estimates for FTSE 100 firms and indicative of the size of the compliance burden placed on many large organizations.

The figures for the DWP came from a new report from think tank Parliament Street, which issued Freedom of Information requests to all government departments on their GDPR compliance spending.

Only a handful replied, but the findings revealed a huge disparity between the DWP spending of £14.7m and the figures given by The Treasury (£201,000), the Department for Transport (£547,000) and the Ministry of Justice (£547,000).

Included in the DWP’s spending plans were a program of education and awareness raising for all staff, system remediation and a review of the existing records storage arrangements.

It’s unclear whether the DWP is simply spending more than other government departments on average, or whether its figures are so high as a result of poor planning.

However, the think tank recommended the creation of a central government online hub to share GDPR compliance resources, strategies and best practices and to help them negotiate discounts on legal advice, software licenses and more.

The report also recommended government departments put more work out to tender to specialist organizations, claiming: “too much of this work is managed ‘in-house’ and external organizations should be given the opportunity to contribute to the process.”

In fact, the £15m figure touted by the DWP is pretty much in line with the estimated average spend of FTSE 100 companies, according to separate research from management consultancy Sia Partners.

“The minimum and average implementation cost per employee is consistent across firm size, with implementation costing £300-£450 on average per employee across all sectors,” the firm claimed.

Aside from banks, which have the highest spend, there are two distinct groups: £15m-£19m for energy, commodities & utilities, retail goods and technology & telecommunications firms; and all other sectors spending around the £5m-£11m mark.

A new report from KPMG this week revealed that over half (54%) of global organizations don’t feel ready for the GDPR, which lands in a month’s time.

Categories: Cyber Risk News

Two-fifths of UK Firms Suffered Attack or Security Breach in 2017

Thu, 04/26/2018 - 09:40

Some 43% of UK businesses have experienced a security breach or cyber-attack in the past 12 months, a slight drop from a year previously, according to the latest government research.

The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 comprises interviews with over 1500 UK businesses and 50 follow-up in-depth interviews.

Although the figure dropped overall for firms hit by a breach or attack, from 46% last year, it rose from 68% to 72% for large businesses.

Breaches were found to be more common among organizations holding personal data on customers (47%), where BYOD policies operate (49%) or where they use cloud computing.

The average cost per breach has increased consistently over the past three years and now stands at over £22,000 for large businesses, according to the study.

Of concern given the impending arrival of the GDPR, is that despite most senior management (74%) saying they prioritize cybersecurity, just 30% have a dedicated board member responsible for security and 20% never update their senior managers on cybersecurity issues.

In this regard, not much has changed from the previous year, according to the government.

Also worrying is the fact that only 20% of respondents claimed to have sent staff on internal or external cybersecurity training courses in the past 12 months, while 10% even claimed that those currently in cybersecurity roles don’t have the skills required to do their jobs effectively.

“Unfortunately, awareness of government initiatives and communications around cybersecurity remains low. Just 3% recalled using government information, advice or guidance, with most organizations unaware of most initiatives,” said McAfee chief scientist, Raj Samani.

“Given that 84% of organizations that used government resources found the information useful, it is clear that more needs to be done to promote their use. With such a wealth of information and partnerships with leading security providers, it is imperative that more is done to promote and educate businesses on what resources they have and how it can help.”

Categories: Cyber Risk News

Insider Breach Costs Rise to $8.7m+

Thu, 04/26/2018 - 08:51

The cost of an insider-related breach has escalated to over $8.7m, according to the latest research from the Ponemon Institute.

The analyst was commissioned by ObserveIT to poll 700 IT and security practitioners around the world in order to compile the 2018 Cost of Insider Threats study.

While the cost of an insider security incident stood at nearly $8.8m, the average global cost of a regular breach according to IBM is $3.6m, less than half.

The average insider threat also takes on average more than two months to contain, according to the report.

Most respondents (64%) said negligent employees accounted for the majority of incidents, followed by malicious insiders (23%).

All types of insider threat activity are increasing. Since 2016, the average number of incidents involving malicious insiders has soared by 53%, while employee/contractor negligence has increased by 26%. The average number of credential theft incidents has more than doubled over the past two years, increasing by 170%.

That’s fuelling an increase in imposter attacks – the most expensive type of insider incident at an average of $648,846. This is followed by malicious insider incidents ($607,745) and contractor negligence ($283,281).

“Insider threats continue to threaten organizations across the globe, ultimately resulting in loss of mission critical data, downtime and lost productivity, and even reputational damage,” said ObserveIT CEO, Mike McKee.

“Understanding the growing costs and time associated with preventing and managing insider threats, organizations need to invest in a holistic cybersecurity solution to assist with real-time detection, deterrence, education and prevention.”

The latest Verizon DBIR found that insiders were to blame for a quarter (28%) of all breaches analyzed and that user error was a factor in 17% of breaches.

A separate report from Gemalto released recently also highlighted the dangers of negligent insiders.

Although accidental loss was the cause of just 18% of data breaches, it accounted for 76% of the total 2.6bn records compromised over the previous year, the security vendor claimed.

Categories: Cyber Risk News

Major Takedown of Site Selling Cyberattacks

Wed, 04/25/2018 - 15:22

Administrators of the world's largest DDoS-as-a-service website webstresser.org were only yesterday reaping the rewards of their illicit enterprise. Today, they are under arrest thanks to the cooperative effort of international law enforcement agencies.

Europol reported the success of Operation Power Off, an investigation led by the Dutch police in combination with the UK's National Crime Agency and a dozen other law enforcement agencies from around the world. As of today, the site has been shut down and its infrastructure has been seized.

DDoS attacks are widely disruptive as they knock services offline. As of April 2018, webstresser.org had 136,000 registered users who successfully orchestrated four million attacks targeting financial and government agencies. Last year, the site was used to launch a series of attacks on UK high street banks – causing hundreds of thousands of pounds of damage.

Where once only sophisticated hackers conducted these attacks, the widespread availability of and very inexpensive access to these as-a-service attacks allows anyone to purchase and launch an attack that can paralyze the internet.

“The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as the web of profit continues to gain momentum," said Gregory Webb, CEO, Bromium.

Recently released academic research, Into the Web of Profit, commissioned by Bromium and carried out by Dr. Mike McGuire, senior lecturer in criminality at Surrey University, found that Crimeware-as-a-Service earns cybercriminals $1.6bn per year, with DDoS-attack hires generating $13m of revenue per year. There are an average of six-and-a-half million DDoS attacks per year. 

"It’s a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimizing millions of users in a moment from anywhere in the world. We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks," said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).

Though some individuals may only see their involvement as playing around with low-level fringe cybercrime, DDoS attacks are illegal, and perpetrators who conduct the attacks can be charged a hefty fine, receive a prison sentence, or be penalized with a combination of both.

Categories: Cyber Risk News

Keep Hackers Locked out of Hotel Rooms

Wed, 04/25/2018 - 13:36

It’s rare to check into any hotel today and be handed an actual door key. Global hotel chains and hotels worldwide have transitioned from the lock and keys of old to an electronic system so that guests need only swipe a card in front of the door. But researchers at F-Secure Cyber Security Services have discovered that room keys can be hacked, allowing nefarious actors entrance into any room in the building.

Using an ordinary electronic key – whether it was tossed in the garbage or long expired – researchers exploited a flaw in the Vision software from VingCard (now ASSA ABLOY). Hotels worldwide rely on VingCard's electronic lock system software to secure millions of hotel rooms, yet the researchers were able to create a master key that allowed them to open any room they wished.

"We could not believe our eyes when the lock finally opened with a master key we had created (from a regular room key). On paper, the system looked pretty solid. It was the combination of minor issues that allowed us to create a practical attack against the system,” said Tomi Tuominen, practice leader at F-Secure.

The choice to target a brand known for its quality and security was intentional, but it was not an overnight success. It took several thousand hours to gain an in-depth understanding of the system's design and identify inconspicuous security flaws. The researchers persisted through considerable amounts of trial and error, intent on finding a way to bypass the electronic lock without leaving a trace.

"Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys,” said Timo Hirvonen, senior security consultant at F-Secure.

Once they succeeded, they disclosed the vulnerability to ASSA ABLOY, the lock manufacturer, and worked with them over the course of the past year to implement software fixes that have been made available to the affected properties.

In a statement released by F-Secure, Tuominen credited the ASSA ABLOY R&D team for their willingness to address the reported issues.

Categories: Cyber Risk News

GDPR Too Close, Half of Global Companies Not Ready

Wed, 04/25/2018 - 13:03

With only one month remaining before the EU's General Data Protection Regulation (GDPR) goes into effect, many organizations are still scrambling to be in compliance. That could result in hefty fines and legal consequences for the majority of the 448 institutions surveyed by KPMG Global Legal Services. More than half (54%) reported that they are not in compliance.

According to the senior legal counsels who participated in the survey, one of the Achilles' heels for compliance preparedness is third-party vendors. Even the commercial suppliers of those companies that collect data from customers protected by the regulations need to be GDPR compliant, yet the survey found that an overwhelming majority of businesses have not confirmed whether their down-line vendors are adhering to the regulations.

"Surprisingly, many businesses haven’t looked at their supply chain as a potential risk for GDPR compliance. This is particularly challenging for global organizations, with thousands of suppliers, and could be costly if not addressed with the appropriate rigor needed under the GDPR," said Juerg Birri, KPMG's global head of legal services.

An additional obstacle that many organizations face is that many boards do not understand or take seriously the full impact of these new regulations. Of the businesses that reported having board-level support, 69% have appointed a data protection officer, 55% document all of their data processing activities, and nearly half (49%) feel their employees are mostly or fully aware of their obligations under GDPR.

Other recent surveys report similar findings. Technology industry association CompTIA recently conducted a survey of 400 US companies on their GDPR readiness and found that only 22% of firms have started developing their compliance plans. “Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.

According to a CompTIA press release, "About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU. Another third indicate GDPR may negatively impact their desire to engage in business activities in countries governed by GDPR. The remaining one-third of firms are unsure."

Only 13% of those companies surveyed by CompTIA reported being fully compliant with GDPR. 

Categories: Cyber Risk News

US Child Identity Fraud Victims Lost $2.6bn Last Year

Wed, 04/25/2018 - 10:00

Over one million US children fell victim to identity fraud last year, resulting in losses of $2.6bn, according to a new study from Javelin Strategy & Research.

The research firm polled 5000 adults who live in a household with a dependent child or have done so in the past six years.

It found the impact on children of data breaches can be more severe than for adults: 39% of child breach victims were then defrauded, versus 19% of notified adults.

Two-thirds of child fraud victims are under eight, and it’s thought that because they have limited financial records on file, children offer fraudsters a great opportunity to open new fake accounts in their name. However, because few kids have plastic, card fraud is rare.

Thus, while adults are targeted for the value of their account, children are targeted for the value of their identity.

This has proven to be a goldmine for the fraudsters, who can on average steal $2303 from their victims — more than twice the mean fraud amount for adult fraud victims. The impact is even greater because while adult victims usually get their money back, the families of child ID fraud victims paid on average $541.

Interestingly, 60% of child ID fraud victims know the fraudster, versus just 7% of adult victims. Javelin claimed that many of these scammers abuse the legitimate access they have to the personal information of their victims.

The report also claimed that children who are bullied online are more than nine times more likely to be victims of fraud than those who are not bullied.

“In many cases, fraud and bullying are not perpetrated by the same individual but arise from the same underlying vulnerabilities,” said Al Pascual, senior vice-president at Javelin. “Children who are unprepared to protect themselves from online risks are likely to encounter individuals who wish to target them emotionally or financially. Bullied children also may be more vulnerable to fraud as they are taken advantage of when they seek friendship online.”

The report urged parents to monitor their children’s bank accounts, pay attention to breach notifications and train their kids to be more savvy about protecting their identity.

Categories: Cyber Risk News

Altaba Fined $35m for Yahoo Breach Notification Failings

Wed, 04/25/2018 - 09:22

The company formerly known as Yahoo has agreed to pay a $35m penalty to the Securities and Exchange Commission after failing to notify the market promptly about a breach of hundreds of millions of accounts.

The December 2014 breach of around 500 million accounts resulted in usernames, email addresses, encrypted passwords, birthdates, phone numbers and security questions ending up in the hands of alleged Russian state hackers.

Last year, the Department of Justice charged four Russians: FSB officers Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, and two cyber-criminals they are said to have conspired with, Alexsey Belan and Karim Baratov.

The latter has pleaded guilty and is currently awaiting sentencing, although the others are thought to be at large.

The SEC claimed that Yahoo’s senior management and legal department knew “within days” of the intrusion that hackers had stolen the crown jewels but failed to investigate properly or consider whether investors needed to know.

In fact, the firm failed to notify over several quarterly and annual reports, saying only in its SEC filings that it faced the risk of breaches.

This meant that the incident was only disclosed when Verizon came to buy the company in 2016.

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said SEC regional office director, Jina Choi. “Public companies should have controls and procedures in place to properly evaluate cyber-incidents and disclose material information to investors.”

The breach is separate to the 2013 incident which the firm admitted last year hit all three billion accounts.

Although Verizon subsequently received a major $350m discount on the original agreed price for Yahoo, it is still picking up the pieces financially of the company’s past mistakes, with ongoing lawsuits pending.

However, this fine will be owed not by Verizon but the new Yahoo holding company known as Altaba.

Categories: Cyber Risk News

Ukrainian Energy Ministry Site Downed in Drupal Ransomware Attack

Wed, 04/25/2018 - 08:50

Unpatched CMS software installations appear to have been targeted by ransomware attackers over the past few days, taking down the Ukrainian energy ministry among others.

The widely reported attack on the ministry site is said to have been an isolated incident in that it didn’t affect any other parts of the Ukrainian government.

Although attacks in the past have been blamed on Moscow, there are signs that this raid was the work of cyber-criminals.

For one, the attack did not target the country’s critical infrastructure, unlike previous threats which have caused power outages for hundreds of thousands in December 2015 and 2016.

The ransomware message was also written in English and demanded just 0.1 Bitcoin ($927). The payment address used previously appears only to have received around £100.

Security researcher Kevin Beaumont named it as Vevolocker, a variant around since mid-2017.

“Somebody posted the source code online which is causing more people using it,” he tweeted.

However, AlienVault security researcher Chris Doman claimed the compromised site also includes the contact details and “tag-sign” of the hacker.

“What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor to try and make some money,” he argued.

Other experts suggested the attacks were automated and targeted a critical vulnerability in the Drupal CMS software which was patched a month ago.

“While many people might be quick to cast blame on Russia for this incident, I believe this was probably not the case. Looking over the internet archive of this site, it appears that they were running Drupal 7 which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,” explained Tripwire researcher Craig Young.

“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix.”

He said the incident underscores the need for organizations to patch promptly and ensure they maintain up-to-date back-ups of their content.

Categories: Cyber Risk News

Isolated, Air-Gapped Crypto-Wallets Hacked

Tue, 04/24/2018 - 13:28

He who holds the private keys owns all of the bitcoins. For those who manage their cryptocurrency in offline, or "cold," wallets under the premise that they cannot be compromised, recent news from researcher Dr. Mordechai Guri from Ben-Gurion University of the Negev, Israel, raises some alarms. Guri demonstrated that cold wallets can be infected with malicious code, allowing an attacker to access the wallet’s private keys.

Because cold wallets are presumed safer than "hot," or online, wallets, many cryptocurrency owners keep their bitcoin wallets isolated on air-gapped PCs so that they are away from the internet and not connected to any network, Wi-Fi or Bluetooth.

In addition to publishing a white paper, Guri also demonstrated the attack method’s effectiveness using malware called bridgeware, which successfully leaks the bitcoin private key over the air gap via ultrasonic signals in only 3 seconds.

BeatCoin: Leaking bitcoin private key from air-gapped wallet

The discovery isn’t new, nor is it the first time a hacking technique was used to compromise an isolated machine. Rather, Guri’s experiment showed that private cryptocurrency keys can be stolen using out-of-band communication methods.  

Malware can be preinstalled, delivered during the initial installation of the wallet, or pushed through removable media. Once the malware is installed, there are a variety of exfiltration methods an attacker can use, and Guri evaluated several, including physical, electromagnetic, electric, magnetic, acoustic, optical and thermal.

“This research shows that although cold wallets provide a high degree of isolation, it’s not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin’s private keys) can be exfiltrated from an offline, air-gapped wallet … within a matter of seconds,” Guri noted.

The PC and keyboard are removed in the second video to demonstrate an additional exfiltration method – a technique known as a RadIoT attack. In about 15 seconds, Guri successfully transmits private keys from a Raspberry Pi to a nearby smartphone over the air gap by way of electromagnetic signals.

BeatCoin2: Leaking bitcoin's private keys from air-gapped wallets

"I think that the interesting issue is that the airgap attacks that were thought to be exotic issues for high-end attacks may become more widespread," Guri wrote in an email to Ars Technica. "While airgap covert channels might be considered somewhat slow for other types of information, they are very relevant for such brief amounts of information. I want to show the security of 'cold wallet' is not hermetic given the existing air-gap covert channels."

Categories: Cyber Risk News

Improved Security Standards for Electric Grids

Tue, 04/24/2018 - 11:21

In an effort to address the growing threat of cyber-attacks to the national power grid, the Federal Energy Regulatory Commission (FERC) approved revised reliability standards for cybersecurity management controls.

The Critical Infrastructure Protection standards, developed by the North American Electric Reliability Corporation (NERC), were first proposed in October 2017. As threats to critical infrastructure increase, the government is moving to improve its ability to respond to cybersecurity attacks.

The revised Critical Infrastructure Protection standard (CIP-003-7) requires responsible entities to have a policy for declaring and responding to CIP exceptional circumstances, and clarifies electronic access control for low-impact BES Cyber Systems.

An exceptional circumstance, as defined in the NERC glossary, is "a situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or bulk electric system reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability." 

Recognizing the need to mitigate the risk of a cybersecurity incident resulting from malicious code delivered through external devices such as laptops or USB drives, the commission directed NERC "to conduct a study to assess the implementation of Reliability Standard CIP-003-7 to determine whether the electronic access controls adopted by responsible entities provide adequate security."

The findings of NERC's study must be submitted within 18 months of the revised standards' effective date.

"Because most electric utilities were likely planning to implement electronic and physical access controls for low-impact BES Cyber Systems by September 1, 2018, FERC’s recent rule should provide them with more clarity about exactly what sort of electronic access needs to be protected," said Daniel Skees, partner, Morgan Lewis. 

“Low-impact” facilities are far more numerous than high- and medium-impact facilities and include the oldest technology in a utility’s infrastructure. According to Skees, "The biggest challenge will be in identifying which facilities need to be compliant and mapping all of the electronic access into and out of those facilities so that appropriate electronic access controls can be applied."

Only after that analysis and cataloging process is complete can utilities implement the new controls. 

In practice, the revised standards will present some challenges. Employees operating largely independently will be required to follow these processes correctly, often without supervision, said Skees. "Failures can be subject to significant fines, but any process requiring human controls is almost inherently going to have occasional failures."

The revised standards also include changes to the NERC glossary that either retire or clarify terms, helping to avoid ambiguity and simplify the electronic access control requirements.

Categories: Cyber Risk News

Facebook Cybersecurity University Graduates US Veterans

Tue, 04/24/2018 - 11:07

Though it’s not quite graduation season, 33 US military veterans celebrated the completion of their 12-week course and became the first class to graduate from Facebook Cybersecurity University for Veterans on Saturday, April 21.

Narrowing the cybersecurity skills gap demands that organizations get a little creative about how they train and recruit. That’s why Facebook partnered with CodePath.org and more than 200 students and professors across nine universities and colleges.

While Facebook tries to regain user trust, it is training veterans across every military branch to become defenders of the digital world. The 33 participants, all of whom had to have some background in IT or computer science, embarked on a cyber boot camp of sorts.

Over the course of the 12 weeks, the program focused on delivering the fundamentals of web application security. The veterans applied that foundational knowledge to gain a better understanding of offensive and defensive skills through a hands-on approach.

“They learned the basics of cybersecurity and common vulnerabilities and attacks, and they received hands-on practice in both exploitation techniques and strategies for protecting and hardening applications,” Facebook Security wrote in a post.

They met in Menlo Park, California, where they partook in a variety of sessions and labs as they reviewed broader security topics through videos and projects. Open source competitions allowed Facebook to bring the students closer to the real-world experiences of cyber-risk and -defense.

Facebook Cybersecurity University

One of the few women in the program, Courtney Kivernagel, told KQED that the program revealed a grit and tenacity she didn't know she had, not even after six years in the Air Force. “This was harder than basic training in some aspects, just because some of the problems they threw out at you. [They were like,] 'Into the deep end, here you go,'” Kivernagel said.

The graduation celebration comes at an optimal time for Facebook and the industry at large. The commitment to hiring thousands of new security professionals is a challenge for enterprises around the globe, particularly when only 137 schools in the US offer information security courses.

Providing these types of nontraditional learning opportunities opens the door for a more varied workforce to enter into the cybersecurity field. The social network has the ability to tap into a wider pool of candidates, and veterans are ideal candidates to fill the pipelines.

“We’re really proud of how this program shaped up, and even more so of the veterans who committed to improving their expertise. The security industry needs to be more reflective of the people we aim to protect, and we want to help improve the number of security professionals working to help defend people online,” said Stephanie Siteman, information security program manager at Facebook.

Students, veterans or professors who want to learn more about the opportunities Facebook is offering for education and diversity in cybersecurity can send an email to infosecpartnership@fb.com.

Categories: Cyber Risk News

Experts: Switch Off Wi-Fi and Ditch Paperless Voting Machines

Tue, 04/24/2018 - 10:32

A bipartisan group of former state election specialists, intelligence officials and voting experts have urged local state officials to ditch paperless voting machines as part of a $380m security overhaul.

The funds were released by Congress to help states upgrade their election systems in the wake of Russian cyber-attacks ahead of the 2016 presidential election.

The Department of Homeland Security (DHS) claimed last year that a total of 21 state systems were targeted by Kremlin hackers ahead of the election. Although actual compromises were confined to a small number of states, there are fears that the hackers will use the intelligence they gained to potentially cause greater disruption next time around.

Now a group of experts has signed an open letter to state election officers urging them to follow best practices in replacing paperless voting machines with systems that count a paper ballot. This would crucially preserve a record of the vote itself in case any suspicions are raised.

They also recommended the prohibition of any wireless connectivity on voting machines to limit risk exposure, and that election websites, voter registration systems and election night reporting systems are “defended against threats of intrusion and manipulation.”

The experts also suggested “robust post-election audits in federal elections” by checking a small sample of paper ballots, and argued that officials should be trained in how to incorporate security into election processes.

The group comprises big hitters such as former DHS secretary, Michael Chertoff; former NSA and CIA boss Michael Hayden; former US ambassador to NATO, Douglas Lute; cryptography expert Bruce Schneier; former deputy US CTO, Nicole Wong; and many more.

The recommendations chime roughly with those of the Senate Select Committee on Intelligence, announced last month, and best practice advice from the National Institute of Standards and Technology (NIST), as well as other leading experts.

Categories: Cyber Risk News

Security Fears as TSB Customers Able to Access Other Accounts

Tue, 04/24/2018 - 09:19

Nearly two million UK banking customers are reportedly experiencing difficulties using their account online, with some able to access other users’ funds after an IT upgrade went wrong.

The IT project was trailed by TSB for some time and customers were told they wouldn’t be able to access accounts over the weekend as it transferred systems from an old Lloyds Bank platform to a new state-of-the-art in-house IT system.

However, reports suggest customers are still affected by the IT snafu, with many taking to social media to vent their anger.

There have been numerous calls for compensation, while one customer said he was given access to another user’s £35,000 savings account, £11,000 ISA and a business account on Monday night.

Regulators the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) are said to be investigating the incident.

The TSB website appears to be bereft of any advice or updates on the issue, which betrays poor planning and incident response.

However, an official statement read:

“We are currently experiencing large volumes of customers accessing our mobile app and internet banking which is leading to some intermittent issues with people accessing our services. We are really sorry for the inconvenience this is causing our customers and want them to know we are working as hard and as fast as we can to resolve this problem.”

Bill Curtis, chief scientist at software intelligence firm CAST, argued that many banks haven’t upgraded their IT systems because of their complexity.

“Moving forward, banks must dedicate time and effort to understand the risks held by their software architecture, especially those firms undergoing huge mergers or digital transformation projects,” he added. “We have already seen the ramifications of IT outages which cause undue stress to their customers.”

Mark Adams, regional vice-president for UK and Ireland at Veeam, claimed banks and other organizations must meet customers’ heightened expectations about service levels and downtime.

“Customers need the confidence and trust that digital transactions and the handling of data will always work as expected. With the GDPR only a month away from being enforced, this is a timely reminder for businesses to ensure personal data is subject to the most rigorous of standards and service levels,” he argued.

“It appears from the reports today that customers were not notified of the breach and the errors, instead finding out for themselves when using the online platform or mobile application. This isn't acceptable.”

Categories: Cyber Risk News

UK Financial Sector Must Improve Collaboration: Report

Tue, 04/24/2018 - 08:30

The UK finance industry must improve collaboration with government and law enforcement to disrupt the cybercrime business model more effectively, according to a new report from KPMG and UK Finance.

The report, Staying ahead of cybercrime, claimed that the industry spent a whopping $360 billion on IT in 2016 and spends three times more on cybersecurity than other sectors.

However, as cyber-criminals get better at finding the gaps in the way financial services firms work, the industry must come together to better address the problem.

While organized crime is agile, flexible, transnational and able to recruit and reward success, banks and similar institutions face an IT skills crisis, highly regulated processes, legacy systems and legal constraints, the report argued.

The answer is to work together to make the hackers’ business model less profitable, by reducing their revenue, increasing their cost base and/or making operations more risky.

This could be done by: raising the bar on security across the industry; regulatory reform to improve automated information sharing; active defense to deny criminals access to infrastructure; improving fraud and cybersecurity links to block exploitation of data; blocking cash-out and monetization faster; and working with police to increase the personal risk to the cyber-attacker.

Kirill Kasavchenko, EMEA principal security technologist at Netscout Arbor, broadly agreed with the report’s findings.

“Looking forward, we must admit that some aspects of security threats cannot be mitigated by any single organization alone. Terabit-scale DDoS attacks of 2018 are a good example: if the trend of growing DDoS attacks stays, there will be just a few organizations globally able to handle the threat. Therefore, the industry should be open to collaborate not only on best practices and information exchange, but also on the collective mitigation,” he argued.

“All organizations should be aiming for this proactive stance, rather than wishing attacks away. This is true for all sectors, but more so for financial services organizations who are particularly at risk due to the amount of sensitive data and money they store. The simple truth is that we can do more together than separately.”

Mark Weir, director of cybersecurity at Cisco UK & Ireland, claimed the collaborative spirit could be found in two industry groups: the Cybersecurity Tech Accord and the Cyber Threat Alliance.

“Ultimately, cyber-criminals are continuing to get more sophisticated and powerful, and we need to join forces if we are to ever regain control of the cyber-storm,” he argued.

Categories: Cyber Risk News

Healthcare Targeted by Hacker Group Orangeworm

Mon, 04/23/2018 - 15:55

Previously slithering beneath the radar of security researchers, newly identified hacker group Orangeworm has surfaced as a problem for the healthcare sector. Symantec telemetry shows that the group has infected only a small number of victims. It targets healthcare more than any other industry, with the largest share of its victims (17%) located in the US.

The hacker group has been targeting organizations across several industries since 2015, and it is deliberate and methodical in choosing its victims. According to Symantec, almost 40% of its victims are healthcare providers, pharmaceuticals, IT solution providers for healthcare and healthcare industry equipment manufacturers.

In addition to companies in the US, several organizations throughout Europe have been targeted, with the largest numbers (5%) in the UK and Hungary. Saudi Arabia, India and the Philippines have also reported higher rates of victims, while the location of 10% of those attacked remains unknown.

Once the group gained access to the victim's environment, the attackers executed a range of commands that allowed them to gather a wide range of information. These commands include displaying recently contacted addresses per available network interface, system version information, IP address configuration information for any available network interfaces, and account policy and network configuration information.
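The reconnaissance sequence described above relies on ordinary operating-system built-ins, so from a defender's view it is the burst of several such commands from one host in a short window that stands out, not any single command. The following is an added example (not from Symantec's report) that scores constructed process-creation log lines for that pattern; the mapping from the article's information categories to specific Windows commands is an assumption, since the article does not name the exact commands.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of the recon categories in the article to Windows built-ins.
# The article does not name the commands; these are the usual ways to obtain
# each kind of information, so the mapping is an assumption, not Symantec's.
RECON_SIGNATURES = {
    "arp_cache":   re.compile(r"\barp(\.exe)?\s+-a\b", re.I),          # recently contacted addresses
    "sys_version": re.compile(r"\b(systeminfo|ver)(\.exe)?\b", re.I),   # system version information
    "ip_config":   re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),    # IP configuration per interface
    "acct_policy": re.compile(r"\bnet(\.exe)?\s+accounts\b", re.I),     # account policy
    "net_config":  re.compile(r"\bnet(\.exe)?\s+config\b", re.I),       # network configuration
}

# Constructed sample process-creation events: "timestamp host commandline".
SAMPLE_EVENTS = """\
2018-04-20T10:01:02 imaging-ws07 cmd.exe /c arp -a
2018-04-20T10:01:05 imaging-ws07 cmd.exe /c systeminfo
2018-04-20T10:01:09 imaging-ws07 cmd.exe /c ipconfig /all
2018-04-20T10:01:14 imaging-ws07 cmd.exe /c net accounts
2018-04-20T10:01:20 imaging-ws07 cmd.exe /c net config workstation
2018-04-20T10:05:00 helpdesk-pc1 cmd.exe /c ipconfig /all
2018-04-20T14:30:00 helpdesk-pc1 cmd.exe /c systeminfo
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Parse 'timestamp host commandline' lines into (datetime, host, cmd) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def classify(cmdline):
    """Return the recon category a command line belongs to, or None."""
    for name, rx in RECON_SIGNATURES.items():
        if rx.search(cmdline):
            return name
    return None


def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Map host -> sorted distinct recon categories for hosts that ran at least
    `min_distinct` different recon commands within any `window`-long span."""
    per_host = defaultdict(list)
    for ts, host, cmd in sorted(events):
        cat = classify(cmd)
        if cat:
            per_host[host].append((ts, cat))
    alerts = {}
    for host, seq in per_host.items():
        for i, (start, _) in enumerate(seq):           # slide the window over each start
            seen = {cat for ts, cat in seq[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, cats in find_recon_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {len(cats)} distinct recon commands: {cats}")
```

A lone `ipconfig /all` from a help-desk machine stays below the threshold; the threshold and window are tuning knobs that should be set from the environment's own baseline.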

They then deployed a backdoor Trojan that installed Kwampirs malware. Symantec wrote, "The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear."

Though an older method, Kwampirs aggressively self-propagates, which has proven to be a viable attack method on the legacy systems common across the healthcare industry. Notably, Symantec considers both its copying itself over network shares and its cycling through an extensive list of command-and-control (C&C) servers to be noisy behavior, suggesting that Orangeworm wasn't particularly worried about being detected.

"Symantec says it does not have any information that could help determine the threat group’s origins, but the company believes Orangeworm is likely conducting corporate espionage," Security Week reported.

After analyzing the attacks over the last several years that Orangeworm has been active, Symantec believes that this is either an individual or a small group, not a state-sponsored actor.

Categories: Cyber Risk News

Infrastructure of APT Group Crouching Yeti Uncovered

Mon, 04/23/2018 - 14:29

The well-known Russian-speaking advanced persistent threat (APT) group Crouching Yeti has long been targeting servers worldwide. But today Kaspersky Lab announced it has uncovered infrastructure used by the group, also known as Energetic Bear.

Since 2010, Kaspersky Lab has been tracking the APT group, which is renowned for targeting energy facilities across the globe. The group's goal has been to gain access to valuable data on victim systems, which it has most often achieved through watering hole attacks, in which the attackers inject websites with a link that redirects visitors to a malicious server.

Multiple servers outside of the industrial sector from organizations in Russia, the US, Turkey and European countries had been compromised in 2016 and 2017 and used as intermediaries to conduct attacks on other resources.

"In the process of analyzing infected servers, researchers identified numerous websites and servers used by organizations in Russia, U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack. Some of the sites scanned may have been of interest to the attackers as candidates for waterhole," Kaspersky Lab wrote in a press release.

Intruders scanned a wide range of websites and servers using publicly available server-analysis tools. Researchers also discovered a modified sshd file with a preinstalled backdoor: it had been used to replace the original sshd binary and accepted a master password for authentication.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, head of the vulnerability research group at Kaspersky Lab ICS CERT.

“The group’s activities, such as initial data collection, the theft of authentication data and the scanning of resources, are used to launch further attacks. The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties,” Dashchenko added.

More details on this recent Crouching Yeti activity can be found on the Kaspersky Lab ICS CERT website.

Categories: Cyber Risk News
