Info Security


Dunkin' Donuts Parent Settles Cyber-attack Lawsuit

Mon, 09/21/2020 - 17:38

The parent company of Dunkin' Donuts has agreed to pay hundreds of thousands of dollars in costs and fines to settle a lawsuit that accused the company of glazing over multiple cyber-attacks. 

The suit was filed against Dunkin' Brands Group Inc. in state Supreme Court in Manhattan in September last year by the state of New York's attorney general Letitia James. 

James alleged that Dunkin' neglected to inform customers of cyber-attacks that took place between 2015 and 2018 that compromised the accounts of thousands of customers. 

Attackers used automated credential stuffing and brute-force attacks to steal money from customer accounts created through Dunkin's free mobile app or website.

James alleged that Dunkin' failed to inform customers that attacks had taken place, despite being warned repeatedly about the issue by its app developer. 

During the summer of 2015, Dunkin's app developer provided the company with a list of 19,715 accounts that had been compromised by attacks over a sample period of just five days, but the donut seller failed to tell customers or upgrade its security, according to the lawsuit.   

When the lawsuit was filed, Dunkin's chief communications officer Karen Raskopf told Infosecurity Magazine that there was "no basis for these claims" and that the company looked forward "to proving our case in court."

However, on Tuesday, Dunkin' Brands Group Inc. agreed to $650,000 in fines and costs to settle the lawsuit, according to Reuters. The company further acquiesced to carrying out an upgrade of its security protocols.

Under the terms of the settlement, Dunkin' customers will be notified of the cyber-attacks that took place between 2015 and 2018 and will be advised to reset their passwords. 

Dunkin' has further agreed to give refunds for unauthorized transactions that occurred on their Dunkin' brand stored-value cards.

Dunkin' has not confirmed or denied any wrongdoing in relation to the cyber-attacks. The settlement of the suit requires a judge's approval.

The company, which is based in Canton, Massachusetts, has around 8,000 branches nationally, including 1,000 Dunkin' locations in New York. 

Announcing the settlement, James punned: "Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”

Categories: Cyber Risk News

Minnesota Suffers Second-Largest Data Breach

Mon, 09/21/2020 - 16:42

Hundreds of thousands of Minnesotans are receiving letters warning them that their data may have been exposed in the second-largest healthcare data breach in state history.

The letters were sent to individuals who had donated to or been a patient of Allina Health hospitals and clinics or Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities.

Breach notifications warned that personal data may have been exposed following a ransomware attack on third-party vendor Blackbaud in May 2020. The South Carolina company is one of the world's largest providers of education administration, fundraising, and financial management software. 

To date, over 3 million people in the United States have been affected by the attack on Blackbaud, which has also hit a number of universities, charities, and organizations in the United Kingdom. 

Attackers gained access to copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud computing systems. Individuals impacted by the breach have been warned to monitor their medical bills for any instances of fraud. 

In a statement regarding the incident, Children's Minnesota shared: "Based on our investigation and review of the affected Blackbaud database, the incident involved limited patient information that the Foundation received in connection with its fundraising efforts, including: full names, addresses, phone numbers, age, dates of birth, gender, medical record numbers, dates of treatment, locations of treatment, names of treating clinicians, and health insurance status."

Allina Health has notified more than 200,000 patients and donors that their data may have been exposed as a result of the attack on Blackbaud.

A statement on Allina's website seeks to reassure customers, rather optimistically, by telling them: "Blackbaud did pay the cybercriminal’s demand with confirmation that the copy of the data that they removed had been destroyed."

Patients and donors at Regions Hospital and Gillette Children's Specialty Healthcare in Minnesota have also received data breach notifications this month as a result of the attack on Blackbaud.

The Blackbaud-related breach of hundreds of thousands of records is the second-largest health data breach ever to have been reported in Minnesota. The largest breach, of 11,500,000 records, was reported in July last year by Optum360, LLC.

Cyber-Criminals Spoof Texas Government

Mon, 09/21/2020 - 15:52

Cyber-criminals have tried to obtain free goods by posing as the Texas government and emailing out Requests for Quotes (RFQs).

The multi-layered email attack, in which threat actors pretended to be from the Texas Department of State Health Services, was discovered by researchers at Abnormal Security.

"If unsuspecting salespersons were to respond to this initial request, attackers could establish a line of communication and eventually follow through with the requested goods," noted researchers. 

Using what appears to be a genuine government purchase order, the attackers attempted to obtain products worth hundreds of thousands of dollars without handing over a penny.

Attackers addressed an email to the sales department, expressing intent to purchase 20 laptops and 200 external hard drives. Attached to the email was a fake order form that featured a convincing phone number and billing address. 

"Although this purchase order contains a government billing address, the government entities will not receive payment from the fraudulent vendor," noted researchers. "The attackers' goal is to retrieve merchandise, and later profit from the resale of the stolen goods."

To obscure their identity and location, the attackers used several convincing domains and routed their traffic through a VPN service. 

"The email appears to be sent from a domain, while the reply-to is from," observed researchers. "Finance-nycgov.usa is a domain that was registered just 2 months ago (07/06/2020) to a resident in Washington State and is an impersonation of 

"In addition, the received-spf has a domain, and the IP originates from a VPN service based out of Denver, CO."
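As an added example (not code from the article or from Abnormal Security's report), the following Python script checks a message's headers for the inconsistencies the researchers describe: a Reply-To domain that differs from the From domain, a Received-SPF envelope-from domain that differs from both, and a lookalike domain registered only weeks before the message. The sample headers and the example.* domains are constructed; the registration date is the one quoted above, and the WHOIS/RDAP lookup that would supply such dates is assumed to have been done elsewhere.

```python
"""Header-consistency checks for vendor-impersonation RFQ emails.

Added example, not code from the article or from Abnormal Security. It encodes the
indicators the researchers describe: a Reply-To domain that differs from the From
domain, a Received-SPF envelope-from domain that differs from the From domain, and
a lookalike domain registered shortly before the message. All sample headers are
constructed; the only domain taken from the article is Finance-nycgov.usa.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr
import re


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spf_envelope_domain(received_spf):
    """Domain from the envelope-from= token of a Received-SPF header, or ''."""
    m = re.search(r'envelope-from="?<?[^@\s;>"]*@([^\s;>"]+)', received_spf or "")
    return m.group(1).lower() if m else ""


def domain_age_days(registered_on, observed_on):
    """Days between a domain's registration date and the date the mail was seen."""
    return (observed_on - registered_on).days


def check_headers(raw_message, registrations=None, observed_on=None, young_days=90):
    """Return the extracted domains plus a list of human-readable findings.

    registrations: optional {domain: date} map of known registration dates
    (normally from a WHOIS/RDAP lookup done elsewhere; supplied inline here).
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    # With no Reply-To header, replies go back to the From address.
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    spf_dom = spf_envelope_domain(msg.get("Received-SPF"))
    findings = []

    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if spf_dom and spf_dom != from_dom:
        findings.append(f"SPF envelope-from domain {spf_dom} differs from From domain {from_dom}")

    for dom in {from_dom, reply_dom, spf_dom} - {""}:
        reg = (registrations or {}).get(dom)
        if reg and observed_on:
            age = domain_age_days(reg, observed_on)
            if age < young_days:
                findings.append(f"{dom} was registered only {age} days before this message")

    return {"from": from_dom, "reply_to": reply_dom, "spf": spf_dom, "findings": findings}


# Constructed sample headers modelled on the pattern described in the article:
# display name and From domain look official, Reply-To points elsewhere, and the
# SPF-authenticated envelope sender is a third, unrelated mailer domain.
SPOOFED_RFQ = """\
From: "Purchasing Office" <purchasing@dshs.example>
Reply-To: <purchasing@finance-nycgov.usa>
Received-SPF: pass (mx.example.net: domain of bounce@mailer.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10; envelope-from=bounce@mailer.example;
Subject: Request for Quote - 20 laptops, 200 external hard drives
Date: Mon, 21 Sep 2020 10:00:00 -0500

Please quote for the attached purchase order.
"""

# Registration date as quoted in the article (07/06/2020); the observation date is
# the article's publication date, used here as a constructed stand-in.
KNOWN_REGISTRATIONS = {"finance-nycgov.usa": date(2020, 7, 6)}
OBSERVED_ON = date(2020, 9, 21)

if __name__ == "__main__":
    result = check_headers(SPOOFED_RFQ, KNOWN_REGISTRATIONS, OBSERVED_ON)
    for finding in result["findings"]:
        print("FLAG:", finding)
```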

Careful attention had been paid by the attackers to the fine details. The deceptive email included the genuine logo of Texas Health and Human Services, and the request appeared to be sent by John William Hellerstedt, MD, the genuine commissioner of Texas Health. 

Researchers noted: "The phone number provided is not associated with the 'bill to' address, although the area code is in Texas and does match the area code for the department of state health services phone number. This is a social engineering tactic aimed to engage recipients into requesting the ship to address, either by email or phone.”

UK Home Office Data Loss Incidents Surge by 120%

Mon, 09/21/2020 - 14:13

The UK’s Home Office department reported a 120% rise in data loss incidents during the financial year 2019-20.

Figures from the Home Office’s Annual Report and Accounts 2019-20 that were compiled by the think tank Parliament Street showed that there were 4204 individual incidents in 2019-20 compared to 1895 in 2018-19.

The most common type of data loss in the last financial year was the loss of inadequately protected electronic equipment, devices or paper documents outside secured government premises, with 2404 incidents occurring in 2019-20, representing a 242% increase on the previous year.

This was followed by 946 incidents of lost electronic equipment or documents from secured government premises, a rise of 552% from the 145 recorded in 2018-19.

Of the 4204 incidents recorded in 2019-20, 25 were highlighted as particularly severe and the Information Commissioner's Office (ICO) had to be notified. Encouragingly, this was a decrease on the 35 severe incidents that took place in the previous year. Unauthorized disclosure was the cause of 11 of the 25 severe incidents in 2019-20, and 26 out of 35 the year before.

Andy Harcup, VP sales, Absolute Software, commented: “It’s vital that key government departments like the Home Office take data security seriously. These figures indicate a myriad of losses of critical devices and data, some of which was so serious it had to be reported to the regulator.

“It’s not uncommon for a missing file or laptop to fall into the wrong hands, giving hackers and cyber-criminals access to critical public data. Key to tackling this problem is the implementation of sophisticated and robust end-point security, providing IT professionals within the department with full visibility and control over their device: meaning they can freeze or access a laptop, file or device, even if it lands in the wrong hands.”

Earlier this year, the Home Office was found to have breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months.

Twitter Boosts Account Security for US Election Hopefuls

Mon, 09/21/2020 - 11:01

Twitter has announced new measures designed to improve the security of certain high-profile accounts ahead of the upcoming US elections in November.

The social media firm said that chosen accounts would receive in-app notifications requiring or “strongly recommending” the new measures.

Accounts will be required to use a strong password, with those currently on weak log-ins prompted to change their credentials next time they use the app.

Twitter is also enabling “password reset protection” by default: this reduces the chances of unauthorized password changes by requiring the legitimate account holder to confirm their email address or telephone number before making changes.

Finally, the firm is strongly encouraging selected account holders to switch on two-factor authentication, to provide an extra layer of security against unauthorized log-ins.

Designated accounts will include those of the executive branch and Congress, governors and secretaries of state, US news outlets and political journalists, and “Presidential campaigns, political parties and candidates with Twitter election labels running for US House, US Senate or governor.”

In the future, Twitter said it would be rolling out “more sophisticated detections and alerts” to help it respond more quickly to suspicious activity, increased defenses against malicious account takeover and expedited account recovery support.

The news comes just weeks after multiple high-profile accounts including those of Barack Obama and Presidential candidate Joe Biden were hijacked following a social engineering attack on Twitter staff.

Two teens and a man in his early twenties were subsequently arrested and slapped with charges related to the cryptocurrency scam.

Earlier this month, the Chinese government decried as “abominable” an apparent account hijacking attack on UK ambassador Liu Xiaoming’s account.

Although no group has subsequently claimed responsibility for the incident, the account “liked” comments critical of Beijing and one that appeared to contain pornographic content.

Microsoft claimed recently that state-sponsored hackers from China, Iran and Russia have been probing Trump and Biden campaigns for geopolitically useful information.

US CISA: Agencies Must Patch Zerologon Bug by Monday

Mon, 09/21/2020 - 09:30

The US Department of Homeland Security (DHS) has issued an emergency directive designed to force all civilian government agencies to patch a high-risk Windows vulnerability.

CVE-2020-1472 is a critical elevation of privilege bug which exists when an attacker uses the Netlogon Remote Protocol to establish a vulnerable secure channel connection to a domain controller, according to Microsoft. It affects Windows Server 2008 onwards.

Dubbed “Zerologon,” the flaw was fixed in the August Patch Tuesday, although proof-of-concept exploits started to appear over the past week.

As such, it now poses an “unacceptable risk” to the federal civilian executive branch that requires “immediate and urgent action,” the Cybersecurity and Infrastructure Security Agency (CISA) said on Friday.

“The vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, could allow an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services,” it explained.

“Applying the update released on August 11 to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).”

The resulting emergency directive 20-04 requires all civilian government agencies to patch all Windows Servers with a domain controller role by 23.59 EDT this evening, or remove them from the network.

ExtraHop CISO, Jeff Costlow, argued that the Zerologon bug is easy for attackers to exploit.

“The first PoCs have shown that unauthenticated attackers are able to obtain full administrator privileges on Active Directory systems,” he added.

“Any organizations without the ability to detect exploit attempts will remain at high risk if they delayed the patch as there is no way to know if they were exposed in between the time of reporting and the system update. We urge organizations to patch immediately and be aware that their system might have already been compromised.”

US Judge Blocks Trump’s WeChat Ban

Mon, 09/21/2020 - 08:30

A US district court judge has blocked a recently announced ban by the Trump administration of popular Chinese app WeChat, citing free speech concerns.

Judge Laurel Beeler in San Francisco granted an injunction, stating that the government had not been convincing in its argument that the ban was justified by national security concerns, and that the “balance of hardships tips in the plaintiffs’ favor.”

The Commerce Department had on Friday issued an order requiring Google Play and the Apple App Store to block the Tencent-owned app, which is estimated to have around 19 million users in the US.

As well as blocking this order, Beeler’s judgement also put paid to other demands from the government which would have impacted other “transactions” with WeChat, making it potentially unusable for many.

“Certainly, the government’s overarching national security interest is significant,” wrote Beeler, “but on this record – while the government has established that China’s activities raise significant national security concerns – it has put in scant little evidence that its effective ban of WeChat for all US users addresses those concerns.”

Although it began life as a messaging app in the WhatsApp mould, WeChat has grown into something much broader over the years to include payments and social media capabilities. It’s now used by over a billion consumers, most of whom are based in China.

However, given its Chinese ownership, the app has been viewed with increasing suspicion in Washington as a potential tool for government-led surveillance.

“Like TikTok, WeChat automatically captures vast swaths of information from its users. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information,” Trump wrote in his original executive order in August. 

“In addition, the application captures the personal and proprietary information of Chinese nationals visiting the United States, thereby allowing the Chinese Communist Party a mechanism for keeping tabs on Chinese citizens who may be enjoying the benefits of a free society for the first time in their lives.”

Paladin Appoints Former NCSC CEO

Fri, 09/18/2020 - 16:00

The former CEO of the UK government’s National Cyber Security Centre (NCSC) has joined Paladin Capital Group as a managing director. 

The appointment of Ciaran Martin by the global cyber and deep tech investor, headquartered in Washington, DC, was announced today.

Previously, Martin was hired as director of security and intelligence at the Cabinet Office in 2008, later accepting the position of constitution director there in 2011. In 2014, he became head of cybersecurity at Government Communications Headquarters (GCHQ) before starting up the NCSC in 2016 and serving as its first CEO. 

“Ciaran Martin is an exceptional talent in the cyber sphere and we’re profoundly pleased to have him join the Paladin team," said Michael Steed, founder and managing partner. 

"His understanding of the ever-evolving threat landscape and knowledge of the technologies required to meet those challenges will help us assess potential investments and support our portfolio companies in their growth."

Paladin is a venture capital investor in early stage companies that develop products and services that defend, monitor, and secure our shared critical digital infrastructure. The company invests in businesses based in EMEA, North America, and Asia. 

Martin will be based in Paladin’s European headquarters in the UK, where he will assist with the development of Paladin’s presence in the growing European cybersecurity early-stage market. 

Paladin's newest managing director will also be part of the company's global Strategic Advisory Board, advising the company on threats, trends, risks, and opportunities in cybersecurity for businesses and governments. 

This role is in addition to Martin’s position as Professor of Practice at the Blavatnik School of Government at the University of Oxford.

“I am delighted to be working with the Paladin team," commented Martin. "I learned in Government that whether it’s in the UK, Europe, the US or globally, the common cyber threats we face can only be solved if there is a strong, innovative private sector taking care of huge swathes of the problem.

"That presents enormous economic opportunities for talented technologists and entrepreneurs, and I’m looking forward to being part of a venture capital team helping them to succeed."

Netwalker Goes After Nurses' Data

Fri, 09/18/2020 - 15:29

The cybercrime gang Netwalker claims to have exfiltrated data from the College of the Nurses of Ontario in a ransomware attack.

A screenshot of data allegedly swiped from the college was posted on Netwalker's website, where the college's name has been added to a growing list of the gang's victims.

In a sparsely detailed statement issued yesterday, the college acknowledged that it had been impacted by a cybersecurity incident but didn't specify what had occurred.

The statement read: "The College of the Nurses of Ontario (CNO) is in the process of resuming normal operations following a cyber security incident. Upon discovery of the incident on September 8, CNO took immediate steps to contain the incident and engaged a leading cyber-security firm that is assisting with remediation and conducting a comprehensive forensic investigation." 

As a result of the incident, a number of services offered by CNO are temporarily unavailable, including the public register Find a Nurse, the nurse renewal portal Maintain Your Membership, and the portal for applicants. 

CNO said that investigators are still trying to find out whether any personal information was compromised as a result of the incident.

As the governing body for nurses in Ontario, the CNO could hold personal information on all the province's 121,488 registered nurses, 59,967 registered practical nurses, and 3,864 nurse practitioners.

CNO data that Netwalker claims to have stolen apparently pertains to the college's human resources department.

Ontario Nurses Association (ONA) president Vicki McKenna told CBC News of her disappointment that the registered nurses her association represents hadn't been directly informed of the incident. 

“I’m outraged that I didn’t know as a member of the college that this had happened,” said McKenna.

Michael Hurley, the regional vice president for the Canadian Union of Public Employees, said nurses could be placed in physical danger if their address data was stolen.

"I’m concerned about who will have access to private information about these nurses, some of whom have restraining orders against their partners, or have partners who have expressed an intent to be violent," said Hurley.

In July, the FBI issued a flash alert warning that Netwalker ransomware attacks were on the rise, targeting US and foreign health agencies, education entities, private companies, and governments.

OneSpan Appoints New Chief Technology Officer

Fri, 09/18/2020 - 15:15

Cybersecurity firm OneSpan has announced the appointment of Ajay Keni as its new chief technology officer (CTO).

Keni replaces Benoit Grangé in the post. Grangé will take up a new position as chief technology evangelist, in which he will “focus on sharing OneSpan’s technology vision and deep industry insights with customers, partners and the broader financial services market.”

As CTO, Keni will be tasked with guiding the expansion of OneSpan’s anti-fraud offerings to secure remote banking transactions, in particular the development and delivery of future product innovations. He has more than 20 years of experience leading technology and product teams, and was formerly head of product, engineering, quality and DevOps for Oracle’s software-delivered and SaaS-delivered Identity and Access Management products.

He also played a major part in developing Oracle Cloud’s identity strategy, as well as leading its identity cloud service and key management cloud service.

The move is part of OneSpan’s vision to further transform the global financial services market through secure transaction solutions. Current offerings include identity verification, risk analysis, mobile application security, multi-factor authentication, e-signatures and agreement automation.

Keni commented: “OneSpan has an exciting future ahead in identity and anti-fraud technologies. There is clear market demand for OneSpan’s solutions, a strong worldwide banking customer base and a global team executing on this important and essential work in a digital world.”

Scott Clements, CEO of OneSpan, added: “OneSpan’s trusted identity strategy envisions a cloud-centric technology stack that can be deployed in private, public and hybrid environments; one that will see the company further transition toward a cloud-first offering. Ajay is a proven leader who brings experience in product innovation and in implementing open cloud technologies that can be easily integrated and deployed at scale.”

#GartnerSEC: Cybersecurity Leaders Must Start Preparing for the Next Decade

Fri, 09/18/2020 - 14:50

Cybersecurity leaders need to prepare for the long-term picture as well as deal with current day-to-day issues, according to Toby Bussa, VP analyst at Gartner, speaking during the Gartner Security and Risk Virtual Summit.

As we emerge from a decade of substantial change in the cybersecurity landscape, Bussa expects to see a similar evolution occur in the years up to 2030. “The last 10 years have been interesting, and we anticipate the next 10 years to be even more so,” he stated.

Bussa began by outlining how the cybersecurity landscape has been radically reshaped during the past 10 years. These changes include advances in IT, such as the explosion in cloud services and Internet of Things (IoT) devices that have expanded the attack surface; privacy and data protection emerging as a much more prominent issue; the rise in cyber-attacks conducted by nation states; and ransomware becoming more sophisticated and targeting large organizations.

With this in mind, anticipating further changes over the coming decade will be critical in preventing disruption to business performance and staying ahead of cyber-criminals.

The first expected trend outlined by Bussa is the increasing “balkanization” of the digital world in which enterprises operate. This is born of the competing interests of digital nationalists and digital globalists: those who want tight controls over the use of the internet and those much more comfortable with sharing data across boundaries.

For example, online filtering is heavily practised in certain digital boundaries, leading to scenarios where “consumers in one part of the world may be unable to access information in other parts of the world because of regulatory concerns.” Bussa added: “What the future of the internet looks like is an important backdrop for what cybersecurity leaders may need to contend with in the future.”

He also stated that technology itself may become balkanized: both in general IT and cybersecurity. This is a result of nation states increasingly developing their own technologies that are used only within certain geopolitical areas. Bussa said this phenomenon is already beginning to take effect and it “is certainly going to be a consideration for cybersecurity leaders, both to contend with the IT that’s being employed by their enterprises but also in the security technologies that they would employ.”

Another area cybersecurity leaders must consider for the coming decade is the likelihood of more regulation and regulatory complexity. Businesses are becoming increasingly digitalized, a trend further accelerated by the COVID-19 pandemic. Bussa noted that “regulators are going to continue to respond and try to understand the impact of these technology innovations on how businesses are moving forward, and this will likely be expressed as laws.”

Anticipating and preparing for these types of trends is therefore crucial to gaining an advantage over cyber-actors. In particular, he cited the need for the concept of “cyber-safety” to come to the fore, with a broader focus on the “life, kinetic and high risk events that can harm an organization or its customers,” rather than just traditional IT security.

Organizational resiliency should be another focus for cybersecurity leaders, in light of the greater range of potential disrupters and threats, ranging from geopolitical issues to natural disasters and new regulations, according to Bussa. An example of this has been seen with the huge shift to remote working during the COVID-19 pandemic, which cyber-criminals have quickly sought to take advantage of.

Bussa concluded by stating that while many events cannot be predicted, cybersecurity leaders can take steps now to ready their organizations for future trends. However, this requires a fundamental shift in the role CISOs play. “Think about how you shift your role as a cybersecurity leader away from someone who’s going to be viewed as the scapegoat when things go wrong towards being a trusted advisor and guide to the organization by embracing a longer-term view and better understanding of what the future may hold,” he said.

Cyber-fraud Prevention Company CEO Charged with Fraud

Fri, 09/18/2020 - 13:27

The CEO of a cyber-fraud prevention company has been arrested and charged with fraud.

Adam Rogas is accused of using fraudulent financial data to obtain over $123m in financing for Las Vegas–based tech company NS8 and pocketing $17.5m of the cash for himself. 

The 43-year-old Las Vegas resident was arrested yesterday in the District of Nevada, where he is expected to appear before a judge today. 

The accused is a co-founder of NS8 and served as its CEO, CFO, and a member of its board of directors. Rogas also had primary responsibility for the company’s fundraising activities.  

In a statement released yesterday, FBI Assistant Director William F. Sweeney Jr. said: “It seems ironic that the co-founder of a company designed to prevent online fraud would engage in fraudulent activity himself, but today that’s exactly what we allege Adam Rogas did."

A complaint unsealed today in Manhattan federal court alleges that Rogas provided NS8's finance department with bank statements that had been altered to show tens of millions of dollars in both customer revenue and bank balances that did not exist. 

"In the period from January 2019 through February 2020, between at least approximately 40% and 95% of the purported total assets on NS8’s balance sheet were fictitious," stated the United States Department of Justice yesterday. "In that same period, the bank statements that Rogas altered reflected over $40 million in fictitious revenue."

In the fall of 2019 and the spring of 2020, Rogas allegedly used this fictitious revenue in fundraising rounds through which NS8 issued Series A Preferred Shares and obtained approximately $123m in investor funds.

NS8 conducted a tender offer with the funds raised from investors. Rogas received $17.5m in proceeds from that offer, personally and through a company he controlled.

Rogas is further accused of supplying falsified bank records to auditors that conducted due diligence on behalf of potential investors. 

He is charged with one count of securities fraud, one count of fraud in the offer or sale of securities, and one count of wire fraud. If convicted, he could be sentenced to up to 45 years in prison.

#GartnerSEC: Ensuring Buy-In for Security Awareness

Fri, 09/18/2020 - 13:05

Ensure management adoption and employee engagement in your security awareness program by delivering suitable content in an understandable language.

Speaking at the Gartner Security and Risk Virtual Summit, senior director Brian Reed said that getting investment and support for a security awareness program “depends on persuasive justification, and negotiation skills.”

Asking why gaining support is so important, Reed said that COVID-19 lockdown “provided a unique example of how security can meet the needs of a crisis and an upheaval” and it would be a shame to “waste a crisis” so companies should use this as a security awareness teaching moment.

“The majority of the cost of security awareness is going to come in people and capital; the capital spend requires spending not just on a security awareness tool, but in delivering that content,” he said. “A lot of the organizational negotiation may center around how much training an organization needs, or what the time investment you may need from participants is.” Reed said this is worth considering, as well as what the rewards and consequences are.

“There is also the notion that it is always someone else’s problem and not necessarily mine,” he said, saying charts to determine roles and responsibilities can help resolve these issues from the beginning, as well as highlight skills and competencies that the organization has or is missing. He said typically people fall into one of three types:

  • People who will not do the right thing no matter what they are told
  • People who will do the right thing provided they are told what the right thing is
  • People who will do the right thing instinctively every time

Reed said the vast majority are in the middle section, and will do the right thing provided they are told what the right thing is and if they can be shown and empowered to do the right thing. The third group could also be identified as potential security champions, when other employees do not feel comfortable going to the security or IT teams.

When it comes to organizational buy-in, Reed said this is critical once you have your users on board “and you’re accurately setting expectations.” The main ways to get buy-in across the organization include respecting the user’s time and speaking in a language that both security and management understand, “as there is often a disconnect with the language being used at a business and technical level.”

Another factor is to utilize active listening techniques to demonstrate that you’ve heard the audience’s concerns, and you’re building the case for security awareness by addressing their concerns and actively pursuing resolutions.

He went on to explain that a program should be tailored for a specific country or culture, and that “seduction is a better tool than imposing security awareness programs out of fear,” as you want people to see that this can be an enabler for the business and not just another compliance training effort.

Reed concluded by saying we should “embrace and celebrate our organization’s history, and we must recognize what progress and transition looks like, and ultimately we should answer the questions of purpose and value and tie them to our security strategy.”

Categories: Cyber Risk News

#GartnerSEC: Combine Security and Customer Experience Online to Tackle Fraud

Fri, 09/18/2020 - 10:30

Creating trust on the internet requires the aligning of effective online fraud protection with good customer experience, according to Jonathan Care, senior director analyst at Gartner.

Speaking during the Gartner Security and Risk Virtual Summit, he observed that currently, many e-business fraud prevention teams are overly focused on loss prevention; indeed, 58% of Gartner clients have stated that fraud prevention blocks the goal of having a frictionless customer experience. Yet the two go hand-in-hand. Care said: “Many security failures and omissions can be traced to poorly designed UX.”

Trust often means something different to customers than it does for those in the cybersecurity sector, and if security measures impede user activities, it can prove a source of frustration, potentially leading to the loss of business. “Often this comes from a poorly designed security experience,” noted Care.

This includes upfront demands for sensitive security information and lack of device and channel crossover with regard to security requests. Care stated: “As a consumer, it shouldn’t matter to me if I am transacting via a web portal, a mobile app, or even interacting via the contact center.”

In addition, when online channels are targeted by hackers, this also causes “a reduction in engagement due to the loss of trust. We see a drop in traffic and therefore commerce revenue.”

It is therefore critical that online businesses find a model that combines safety with a seamless customer experience. Care believes there are three pillars to achieving this. Firstly, a commitment to prioritizing trust and safety to ensure the customer experience is slick, including with security measures like authentication.

The second is customizable customer flows, in which the risk associated with an individual customer at any point in time is assessed to determine the level of security required. This can be achieved by detecting soft signals through behavioral analytics and device measurement, and using them to decide whether additional authentication is needed. Care commented: “When the transaction risk is high and when the trust in the customer is low, then we need to bring in that identity proof.”

The third is the utilization of automated fraud solutions, which use analytics and machine learning to “govern a strongly defined rules base.” For example, this may include the option to redirect a customer to a manual, in-person interaction.
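The second and third pillars above can be read as one decision pipeline: soft signals feed a trust estimate and a transaction-risk estimate, and a small, explicit rules base maps the pair onto an action (allow, step up to identity proofing, or hand off to a manual check). The following Python sketch is an added illustration of that pipeline and is not Gartner's or Care's own code; the signal names, weights and thresholds are constructed assumptions, as are the three sample transactions.

```python
"""Risk-based step-up decision for a customer transaction.

Added example (not from the original article). Signal names, weights,
thresholds and sample transactions are constructed for illustration;
a production system would learn or tune them from its own fraud data.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"              # ask for identity proof / extra factor
    MANUAL_REVIEW = "manual_review"  # redirect to a manual, in-person check


@dataclass
class TransactionContext:
    """Soft signals gathered during the session (all constructed names)."""
    amount: float
    customer_tenure_days: int
    known_device: bool          # device fingerprint matches an enrolled device
    device_seen_in_fraud: bool  # device fingerprint linked to prior fraud
    ip_country: str
    home_country: str
    typing_cadence_z: float     # behavioural biometric: z-score vs. customer baseline
    session_age_seconds: int    # how long the session has existed before this action
    recent_failed_logins: int


def trust_score(ctx: TransactionContext) -> float:
    """Trust in the claimed identity, 0.0 (none) .. 1.0 (high)."""
    score = 0.5
    if ctx.known_device:
        score += 0.25
    if ctx.customer_tenure_days > 365:
        score += 0.15
    elif ctx.customer_tenure_days < 30:
        score -= 0.10
    if abs(ctx.typing_cadence_z) > 2.0:   # behaviour deviates from this customer's norm
        score -= 0.25
    if ctx.recent_failed_logins >= 3:
        score -= 0.20
    return max(0.0, min(1.0, score))


def transaction_risk(ctx: TransactionContext) -> float:
    """Risk of the transaction itself, 0.0 (benign) .. 1.0 (severe)."""
    risk = 0.0
    if ctx.amount >= 1000:
        risk += 0.40
    elif ctx.amount >= 200:
        risk += 0.20
    if ctx.ip_country != ctx.home_country:
        risk += 0.25
    if ctx.device_seen_in_fraud:
        risk += 0.50
    if ctx.session_age_seconds < 60:      # acting immediately after login
        risk += 0.10
    return min(1.0, risk)


def decide(ctx: TransactionContext) -> tuple[Action, list[str]]:
    """Rules base over (trust, risk). Returns the action and audit reasons."""
    trust, risk = trust_score(ctx), transaction_risk(ctx)
    reasons = [f"trust={trust:.2f}", f"risk={risk:.2f}"]
    if ctx.device_seen_in_fraud and risk >= 0.75:
        reasons.append("device linked to prior fraud with high transaction risk")
        return Action.MANUAL_REVIEW, reasons
    if risk >= 0.4 and trust < 0.6:
        reasons.append("high risk and low trust: identity proof required")
        return Action.STEP_UP, reasons
    reasons.append("within tolerance")
    return Action.ALLOW, reasons


# Constructed sample transactions.
RETURNING_LOW_VALUE = TransactionContext(45.0, 800, True, False, "GB", "GB", 0.3, 600, 0)
NEW_DEVICE_ABROAD = TransactionContext(1500.0, 400, False, False, "RO", "GB", 2.4, 30, 0)
FRAUD_DEVICE = TransactionContext(1200.0, 10, False, True, "GB", "GB", 0.1, 20, 4)

if __name__ == "__main__":
    for name, ctx in [("returning", RETURNING_LOW_VALUE),
                      ("new device abroad", NEW_DEVICE_ABROAD),
                      ("fraud device", FRAUD_DEVICE)]:
        action, why = decide(ctx)
        print(f"{name:18s} -> {action.value:14s} ({'; '.join(why)})")
```

The two scores are kept separate on purpose: a long-standing customer on an enrolled device (high trust) can move a large sum (high risk) without friction, while the same transfer from an unrecognised device abroad triggers identity proofing, which is the "high risk, low trust" case Care describes. The reasons list is what a fraud analyst or an auditor needs to see when a customer disputes a step-up.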

This requires a change in mindset, processes and technologies, according to Care. In terms of the technologies needed to underpin this approach, adoption of fraud detection systems that adapt to the user journey is vital, particularly those that incorporate machine learning methods such as identity graph evaluation and analytics.

This must be done incrementally, as systems should constantly evolve to meet the changing threat landscape, as well as retain flexibility to meet new customer preferences.

Care concluded: “For consumer-facing e-businesses, trust and safety must govern the user experience and not loss prevention.”

Categories: Cyber Risk News

Business Owners Targeted by HMRC #COVID19 Tax Relief Scam

Fri, 09/18/2020 - 09:35

UK business owners have been targeted by a new phishing scam that attempts to gain sensitive information, including payment details, by impersonating Her Majesty’s Revenue and Customs (HMRC), according to an investigation by accountancy firm Lanop Outsourcing.

In emails purporting to be from HMRC, recipients are told that their VAT deferral application has been rejected. This follows an initiative by the UK government to allow businesses to defer VAT payments due between March and June 2020 until March 31, 2021, in order to help struggling companies during the COVID-19 lockdown. At least 100 business owners have so far reported receiving this scam.

The message, which uses official HMRC branding and graphics, begins by saying “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: the claimant is in arrears.”

A fake document is also attached, which the email claims contains “more details and a full report on your application.” The email also supplies a one-use password to open the document and suggests the original application has been reshared.

The victim is then redirected to a false website and asked to enter sensitive information such as email, passwords and payment details, which are then harvested by the hacker.

This is the latest in a number of phishing scams associated with financial relief measures introduced by the UK government during the COVID-19 pandemic. Others have included an attempt to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) and the harvesting of data of UK workers who are expecting COVID-19 tax relief grants.

Commenting on the story, Steve Peake, UK systems engineer manager at Barracuda Networks, said: “This phishing attack is the latest in a series of HMRC-branded email scams, designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the COVID-19 outbreak, we have seen a real uptake in the number of COVID-19 related attacks targeting business owners and employees. In fact, we recently observed a 667% spike in coronavirus-related spear-phishing attacks from February compared to March, during the start of the UK’s lockdown. Thus, it was only a matter of time before hackers targeted the government’s VAT deferment scheme as a new route to obtaining the bank details of unsuspecting victims.

“Socially engineered service impersonation attacks using trusted brands is unfortunately a growing practice which can be a very successful method of attack, especially when combined with the current world situation. Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organizations lacking the layered security approach that modern day email security requires.”

Categories: Cyber Risk News

#GartnerSEC: Understand the Destination of Digital Transformation for Better Buy-In

Fri, 09/18/2020 - 09:30

Security and risk leaders need to know where their plans for digital transformation are going.

Speaking in the closing keynote of the Gartner Security and Risk Virtual Summit, distinguished VP analyst Mary Mesaglio said leaders are facing four current crises in health, climate, economic and social issues, and this can lead to “transformation fatigue” as leaders are asked to accelerate digital transformation during volatile times.

“So how do we deal with this notion of fatigue with this notion that we have to double down on acceleration? The first rule is to know what we want to change into. I work with a lot of executive teams and know what they want to transform into, but that is not enough to drive the change,” Mesaglio explained.

She said the issue is that the people who do the changing are the people you lead, and it is difficult to give them a clear and motivating endgame: “you’ll find the people lower down are not that clear.” Mesaglio highlighted five questions that can be asked to figure out what the transformation is, and why:

  • What are you transforming into and why?
  • Can you tell me that in under two minutes? This is a test of clarity: are you sure what the destination is and where you’re going?
  • Can you do it using no corporate speak? Use real language and not just buzzwords
  • Can you do it in a way that would be comprehensible and motivating to the front line – to those doing the changing?
  • Would your peers say it too? Not using the same words, but with the same coherence “as you don’t want transformation schizophrenia as it leads to bad things”

She added: “It’s a high bar, but it is necessary for any change you want.” Mesaglio said that, too often, corporate messages use pictures of young, beautiful people and the message doesn’t make sense, “this is why you need a real destination and real language.

“If you are undergoing fatigue and still need to digitally accelerate, the first rule is to know what you want to transform into; this is a non-trivial exercise regardless of whether you are a small or a large team,” she concluded. “Make sure you know that there is no corporate speak, as that is not going to save you, and once you know that, don’t assume a big problem needs a big solution.”

Categories: Cyber Risk News

Pure Storage to Acquire Portworx to Expand Multi-Cloud Data Services Offering

Fri, 09/18/2020 - 08:30

IT firm Pure Storage has entered into a definitive agreement to acquire Portworx, a Kubernetes data services platform. The deal, which is believed to be worth around $370m, is part of Pure Storage’s plan to expand into the market for multi-cloud data services to support Kubernetes and containers.

There has been substantial growth in the use of the cloud native stack to process data into value and insight in recent years, and currently 95% of new applications are developed in containers. It has also been predicted by Gartner that 85% of global businesses will be running containers in production, which is a huge rise from 35% in 2019. In order to keep up with the scaling up of multi-cloud deployments, organizations are likely to require storage services platforms to address challenges in data resiliency, mobility, security, backup and recovery.

Currently, Portworx is the Kubernetes Data Services Platform most used by Global 2000 companies to provide persistent storage, high availability, data protection, data security and cloud mobility for containers deployed in hybrid cloud architectures. Users include Carrefour, Comcast, GE Digital, Kroger, Lufthansa and T-Mobile.

Pure Storage now aims to combine this with its data platforms and Pure Service Orchestrator software to provide a more comprehensive offering to customers.

Charles Giancarlo, chairman and CEO at Pure Storage, commented: “As forward-thinking enterprises adopt cloud native strategies to advance their business, we are thrilled to have the Portworx team and their groundbreaking technology joining us at Pure to expand our success in delivering multi-cloud data services for Kubernetes. This acquisition marks a significant milestone in expanding our modern data experience to cover traditional and cloud native applications alike.”

Murli Thirumale, CEO at Portworx, added: “The traction and growth we see in our business daily shows that containers and Kubernetes are fundamental to the next-generation application architecture and thus competitiveness. We are excited for the accelerated growth and customer impact we will be able to achieve as a part of Pure.”

Categories: Cyber Risk News

US Indicts Two Over Cyber-Intrusion Campaign

Thu, 09/17/2020 - 17:51

The US has indicted two Iranians in connection with the theft of hundreds of terabytes of sensitive data from computers in America, Europe, and the Middle East. 

Hooman Heidarian, aged 30, and Mehdi Farhadi, 34, were allegedly involved in a slew of coordinated hacks perpetrated to make money or for political reasons. 

Data stolen in the attacks and later allegedly sold on the black market by the defendants included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research. 

The defendants are further accused of politically motivated hacking on behalf of Iran to steal information relating to dissidents, human rights activists, and opposition leaders. 

Heidarian, otherwise known as Neo, and Farhadi, also known as Mehdi Mahdavi and Mohammad Mehdi Farhadi Ramin, are both from Hamedan, believed to be one of Iran’s oldest cities. 

According to the ten-count indictment, since at least 2013, the defendants have been responsible for a coordinated campaign of cyber-intrusions into computer systems around the world. 

Among the campaign's victims are several American and foreign universities, a think tank in Washington, DC, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and governments and other entities they identified as rivals or adversaries to Iran. 

In addition to the alleged theft of highly sensitive data, the defendants are further accused of vandalizing websites. Using the pseudonym “Sejeal,” the defendants allegedly posted messages appearing to signal the demise of Iran’s internal opposition, foreign adversaries, and countries marked out as rivals to Iran, including Israel and Saudi Arabia.

Tools and tactics allegedly used by the defendants to gain and maintain unauthorized access to victim networks included vulnerability scanning tools, session hijacking, SQL injection, installation of malicious programs, and keyloggers.

The pair are further accused of developing a botnet tool, which facilitated the spread of malware, denial of service attacks, and spamming to victim networks. 

Each defendant is charged with conspiracy to commit fraud and related activity in connection with computers and access devices; unauthorized access to protected computers; unauthorized damage to protected computers; conspiracy to commit wire fraud; access device fraud; and aggravated identity theft.

Categories: Cyber Risk News

Fatality After Hospital Hacked

Thu, 09/17/2020 - 17:00

A woman in need of urgent medical treatment has died after a hospital under cyber-attack was unable to admit her. 

Attackers struck the Düsseldorf University Clinic (DUC) last Thursday, causing IT systems at the major hospital to fail. Because of the attack, a woman seeking emergency treatment at the hospital on Friday night died after she had to be transported to a hospital in another city for treatment.

Treatment of the deceased woman was delayed by an hour as she had to travel an additional 20 miles to a hospital in Wuppertal. 

The DUC said that computer forensic experts investigating the incident determined that threat actors had managed to exploit a vulnerability in "widely used commercial add-on software." The software that contained the weakness was not named by the hospital.

Following the attack, systems at the DUC gradually crashed, preventing the hospital from being able to access data. As a result, operations were postponed, and emergency patients were redirected to alternative healthcare providers. 

Hospital staff said that they believe data temporarily placed off limits as a result of the cyber-assault has not been irretrievably lost. A week on from the attack, the DUC's IT systems are slowly being restarted. 

In what may have been a deadly mistake by the attackers, it seems the real target of this cyber-crime may have been Heinrich Heine University, with which the DUC is affiliated.

News agency DPA reported that 30 servers at the hospital were encrypted last week and an extortion note was left on one of the servers, according to a report from North Rhine-Westphalia state's justice minister.

The note was addressed to the Heinrich Heine University and not the DUC. It asked for the university to make contact but did not mention a specific ransom demand. 

Düsseldorf police used the contact details given in the note to reach out to the attackers, informing them that their attack had impacted a hospital. The attackers subsequently provided a digital decryption key and made no attempt to extort money. 

Communication with the attackers has since broken down. An investigation has been launched that could see the perpetrators charged with negligent manslaughter.

Categories: Cyber Risk News

Stalkerware Banned from Google Play Store

Thu, 09/17/2020 - 16:23

Google has told app developers to remove stalkerware from its Play Store, meaning apps capable of tracking a user behind the scenes without that user's consent.

The tech giant yesterday issued an update to its Developer Program Policy requiring all apps that track users and send their data to another device to include an "adequate notice or consent" and show a "persistent notification" that the actions of the user are being tracked.

While an exception was made for apps used by parents to track their children, Google said that stalkerware was not to be used to track an adult without their consent. 

The update states: "Only policy compliant apps exclusively designed and marketed for parental (including family) monitoring or enterprise management may distribute on the Play Store with tracking and reporting features, provided they fully comply with the requirements described below."

App developers were told that they can no longer present their product as an aid to spying or a secret surveillance solution. Nor can they hide or cloak tracking behavior in an attempt to mislead users about an app's true functionality.

App developers have until October 1 to comply with the directives. 

Google has also said that, starting October 21, it will remove any apps "that engage in coordinated activity to mislead users."

Christoph Hebeisen, director of security intelligence research at Lookout, a California provider of mobile phishing solutions, welcomed Google's new approach to the stalkerware permitted in its app store.

“The use of mobile technology for surveillance in abusive relationships is a disturbing trend. Google's move to curb such apps on Play is a step in the right direction," said Hebeisen.

Lookout already considers any app that doesn't make it clear tracking is taking place to be malicious. Users receive alerts when surveillance-ware that is independent of the stated purpose of the app is deployed. 

Hebeisen said: "We consider such apps malicious if the app doesn't show a persistent notification, hides its icon, masquerades as something other than its true functionality or hides a part of its functionality. We apply this logic no matter if the app has been loaded from an official app store or sideloaded onto the device.”

Categories: Cyber Risk News