The CEO and co-founder of a billion-dollar cybersecurity company has moved its headquarters out of San Francisco because it's "not the city it was."
Forty-year-old Orion Hindawi helped to build up two successful companies in the San Francisco Bay Area where he was born. Now he is relocating the head office of Tanium, the endpoint security and systems management company he started with his father David in 2007, elsewhere.
Orion Hindawi relocated his family to Seattle's Laurelhurst neighborhood in June, and his successful Silicon Valley entrepreneur father followed suit. Now the CEO is switching Tanium's base from Emeryville, California, to a location in Bellevue, Washington.
Tanium, which made over $430m in revenue last year, is a privately held company that enjoys the backing of Andreessen Horowitz. At Hindawi's direction, the company's new HQ has been established on Kirkland's waterfront, a short drive from Seattle via the Evergreen Point Floating Bridge.
According to Geekwire.com, Hindawi considered other locations, including Austin, Denver, and Nashville, before plumping for Washington state.
At the end of November, Tanium signed a lease for nearly 7,000 square feet of office space on the 3000 Carillon Point building's fifth floor. Hindawi said that the company has plans to "expand pretty materially" in the Washington area and could be leasing around 50,000 square feet in the not-too-distant future.
Hindawi said tech-centric Silicon Valley offered little diversity and lacked the natural neighborhood feel of a more traditional mixed-use area.
“I like the community feeling here,” said Hindawi. “It’s nice to have a little variety.”
He added that there were "some asymmetries in the way that the Bay Area works that just didn’t really work well for us.”
California is suffering from "a real governance issue" according to Hindawi, who said that Tanium will likely sublet a portion of the 65,000 square feet of office space they have hung onto in Emeryville.
“San Francisco is not the city it was 20 years ago,” he said. "The center of gravity had shifted from the Bay Area up to Seattle."
The former head of the US Cybersecurity and Infrastructure Security Agency (CISA) has hinted that he may take legal action against a lawyer who called him "a moron."
Christopher Krebs was fired last month by President Donald Trump via the social networking site Twitter after CISA's Rumor Control blog published a piece that suggested fraud was highly unlikely to have occurred in the United States' 2020 presidential election.
Trump campaign lawyer Joe DiGenova said in an interview on Monday that Krebs “is a class A moron. He should be drawn and quartered. Taken out at dawn and shot."
DiGenova made the comments during an interview with radio talk show host Howie Carr. Carr's show airs on Newsmax.
Yesterday, on NBC's TODAY show, Krebs told host Savannah Guthrie that he viewed DiGenova's comments as "dangerous" and said that he may take legal action against the lawyer.
“It’s certainly more dangerous language, more dangerous behavior. And the way I look at it is that we are a nation of laws, and I plan to take advantage of those laws," Krebs told Guthrie.
"I’ve got an exceptional team of lawyers that win in court, and I think they’re probably going to be busy.”
Krebs said his legal team is currently looking at “available opportunities” to take action against DiGenova.
Since being fired from his role at CISA, Krebs has publicly expressed his belief that Trump's campaign spread misinformation about the security of the election.
During an interview for CBS’s 60 Minutes that aired on November 29, Krebs criticized Trump campaign attorney Rudy Giuliani for disseminating misinformation about the election, which Krebs claims was conducted securely.
Referring to a news conference Giuliani recently held at the Republican National Committee headquarters, Krebs said: “It was upsetting because what I saw was an apparent attempt to undermine confidence in the election, to confuse people, to scare people. It’s not me, it’s not just CISA. It’s the tens of thousands of election workers out there that had been working nonstop, 18-hour days, for months. They’re getting death threats for trying to carry out one of our core democratic institutions, an election."
Think tanks in the United States have been cautioned that they are being actively targeted by advanced persistent threat (APT) actors.
The warning was issued yesterday by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
CISA and the FBI advised America's think tanks to develop network defense procedures after observing APT actors performing "persistent continued cyber intrusions."
According to the warning, the malicious activity they detected was often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.
APT actors have used a variety of methods to gain initial access to their victims. Their tactics have included sending spear-phishing emails and exploiting third-party message services directed at both corporate and personal accounts.
Another malicious maneuver observed being utilized by APT actors was the exploitation of vulnerable web-facing devices and remote connection capabilities.
The FBI and CISA said the outbreak of COVID-19 had made it easier for APT actors to claim victims.
"Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic," warned the FBI and CISA.
"Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks."
CISA and FBI urged individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement mitigation strategies.
"All organizations, including think tanks, are targets to nation-states and cybercriminals, and by phishing the human, they view it as the more accessible way into the systems and infrastructure," commented James McQuiggan, security awareness advocate at KnowBe4.
"Organizations need to maintain a strong security awareness training program and update it frequently to keep employees updated on the latest attack patterns and phishing emails.
"This action makes for a more solid security culture and allows the organization to work towards being a more substantial asset for the security department.”
Security has slowly embraced adoption of the cloud, but native cloud security tools are still not good enough.
In a roundtable discussion exploring the cybersecurity threats faced by CISOs in enterprise and hybrid cloud environments, the subject of cloud security was outlined with regard to what is being done well, and what is being done badly.
Dr Ronald Layton, vice-president of converged security operations at Sallie Mae, said, in government, the use of cloud is prominent as a business case, but in the private sector “it makes business sense” as it can be customized for specific needs.
Joe Sullivan, chief security officer of CloudFlare, said security teams are often “dragged along when business leaders look at cost and opportunity and ability to focus on priorities of business and user experience” when it comes to the cloud. However, they do not look at infrastructure, and when security teams look at the cloud, they see risk.
“Go to any large security conference and talk to security leaders, and they will say they have not moved to the cloud as they are uncomfortable with cloud products and resistant to what their company is doing,” he said.
Sullivan added that he felt security had “come around in the last couple of years, but security teams need to get with the program and appreciate risks and be involved and not be dragged along.”
John Kindervag, field CTO for Palo Alto Networks, agreed, saying native cloud security was “never good enough” as it is based on the Linux Kernel. He said there is a common misunderstanding that we think we can secure the cloud by using in-cloud security.
Layton said, when it comes to cloud deployment, you have two options: step by step, or “big bang” where you go all in. “Either way, you need to follow the golden rules: secure your S3 buckets, use DLP, turn on multi-factor authentication, and use micro-segmentation and business process. It is all about getting this right, as right today and may not look like that in six months.”
Mary Gardner, vice-president and CISO at F5 Networks, argued that there is a need to think about automation when we move to the cloud, and to build controls in to prevent mistakes from happening in the first place. “Most breaches are human error, such as publishing a private key on a Github account and making it available, and the more automation we use the more we are ahead of curve,” she said.
Kindervag explained that if you work in IT or cybersecurity, technology “is there to be adopted.” He said technology is now in place that would have been very hard to roll out 20 years ago, as now you can “flip a switch as technology is automated and cloud-based.”
Layton commented that the move to using cloud services is “all about adaptation” and moving from point A to point B. “The complexity increased and you have got to be adaptive to these things,” he said.
Speaking during the online Web Summit 2020, Daniele Molteni, firewall product manager at Cloudflare, discussed the most common security threats for API traffic and outlined strategies for identifying vulnerabilities and defending critical infrastructure.
Molteni said that APIs are the lifeblood of modern internet-connected services but are also becoming increasingly challenging to secure for organizations.
“Over the last year, the growth of API traffic has been three-times faster than web traffic,” he explained. “There is a clear trend of more API traffic and the need to be more specific on protecting APIs” by investing in API security technology.
With regard to the common security risks that surround API traffic, Molteni cited threats that fall into three distinct groups.
These are: broken authentication and broken authorizations (group one), mass assignment, data exposure and injection attacks (group two), and abuse of resources and shadow APIs (group three).
Such security risks and threats are taking their toll on organizations too, he continued, adding that there are two main API security pain points affecting businesses right now.
The first is the “effect of API vulnerabilities on everyday operations,” which can result in software development velocity being reduced and frictions that hamper API adoption and growth.
The second revolves around the fact that common web security solutions are often not well-suited to securing API traffic, with high false positive rates, a lack of API-specific high value features and a lack of visibility of API traffic.
When it comes to addressing and mitigating API security risks and threats, Molteni said that there are two key principles for implementing a security strategy.
“The first is to manage access; access is one of the biggest things you need to control,” he explained. This should focus on controlling who makes requests and limiting the use of costly resources (backend, processing, serving, etc.).
“The second [principle] is scalability and efficiency when checking for vulnerabilities,” which involves having a strategy for narrowing-down and validating complex payloads when necessary.
In implementing these two principles, businesses should be able to put in place a ‘funnel-like,’ multi-layered incremental approach to removing the noise of API traffic – and “by removing the noise, you also remove what is actively malicious,” said Molteni.
However, he concluded with the advice that “there is no one-size-fits-all solution – and the security system you choose to implement depends on your infrastructure, data type and business goals.”
Cloud security company iboss has announced the appointment of Matt Hartley as its new chief revenue officer.
Hartley joins the firm from Forescout Technologies where he most recently served as vice-president and brings more than 15 years of experience in building and leading high performance and customer-focused go-to-market teams to the role.
He will be responsible for helping increase adoption of the company’s security offerings, specifically its SASE cloud network services and zero-trust access solution.
Commenting on his appointment, Hartley said: “COVID-19 has accelerated what iboss has known for years; that security needs to live in the cloud in order to effectively protect users no matter where they go.
“As cases of the virus spike around the world and remote work policies endure, iboss appeals to organizations large and small looking to seamlessly implement cutting-edge security solutions.”
Paul Martini, iboss co-founder and CEO, added: “COVID-19 has accelerated a shift to remote work and that shift has exposed vulnerabilities for organizations that haven’t yet embraced modern security solutions.
“This is in part due to the fact that every organization today relies on the latest cloud software and applications to effectively do their jobs. iboss proudly offers seamless cloud migration and leading security solutions to ensure safety and uninterrupted productivity regardless of user location. As a result, we’ve partnered with many of the world’s largest organizations that recognized the need for network security delivered through the cloud.”
The era of the mega-breach may be coming to an end as cyber-criminals eschew consumers’ personal data and focus on phishing and ransomware, according to the Identity Theft Resource Center (ITRC).
The US-based non-profit, which provides support to breach victims and regular updates on the scale of the challenge for businesses, made the remarks in its predictions for 2021.
It argued that cyber-criminals are relying less on stolen personal information and more on “poor consumer behaviors” such as password reuse to monetize attacks.
“Cyber-criminals are focusing on cyber-attacks that require logins and passwords to get access to corporate networks for ransomware or Business Email Compromise (BEC) scams. These attacks require less effort, are largely automated, the risk of getting caught is less, and the payouts are much higher than taking over an individual’s account,” it said.
“The average ransomware pay-outs for all businesses have grown from less than $10,000 in Q3 2018 to more than $178,000 per event by the end of Q2 2020. Large enterprises are making average ransomware payments of over $1m. BEC scams cost businesses more than $1.8bn in 2019.”
The ITRC is already seeing a drop-off in data breach activity as a result. In October it claimed that the number of reported breaches up to Q3 was 30% lower than the same period in 2019, with 60% fewer individual victims.
It claimed that 2020 is on track to record the lowest number of breaches in the US in five years.
However, that doesn’t mean consumers are off the hook. Apart from individual phishing attacks, the ITRC warned that pandemic-related identity crimes will continue well into 2021, as stolen identities are used to fraudulently claim unemployment benefit.
“The ITRC’s Aftermath survey data shows an increase in identity crime re-victimization (28% in 2019 versus 21% in 2018) occurring before the massive increase in fraud/scams and identity crimes in 2020,” it continued. “The post-pandemic analysis should show an even greater rise.”
Over half of publicly available Docker Hub container images contain at least one critical vulnerability, according to a major new study.
Cybersecurity startup Prevasio scanned all four million images hosted at Docker Hub, the world’s most popular repository service for Linux-based containers.
“Each image was executed in an isolated controlled environment,” it explained in a new report. “During the execution, Prevasio has analyzed each container’s behavior, scanned all of its files and also performed a full vulnerability assessment of its packages and software dependencies.”
In total, 51% of those images scanned contained one or more critical vulnerabilities.
Additionally, over 6000 were rated potentially harmful or malicious, although these only accounted for less than 1% of the total. Of these, the largest number (44%) were coin miners, followed by malicious npm packages (23%), hacking tools (20%) and Windows malware (6%).
The news should be concerning for a DevOps community that uses publicly available containers in large numbers to speed up the development cycle.
Earlier this year, a report from Sonatype found that a fifth (21%) of DevOps respondents who admitted suffering a breach related to their application development process said it was because of third-party components.
Earlier this year, Docker announced a partnership with Snyk which will integrate vulnerability scanning into the Docker workflow, although this would still leave the problem of malicious images.
Tim Mackey, principal security strategist at the Synopsys CyRC, argued that when they use third-party images from the Docker Hub, DevOps teams are implicitly stating that they trust the security practices of the author of that container image.
“Such implicit trust is risky from a security perspective, which is why many organizations are now creating hardened container images where the image hardening process is managed by a dedicated team skilled in operating system hardening, which is separate from the core development team,” he added.
“These hardened images are then pushed to an internal registry and policies are defined that only allow images originating from hardened images in that internal registry to execute in a production cluster.”
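The internal-registry policy Mackey describes depends on how the registry is identified in an image reference. The sketch below is an added example, not code from the article or from any admission controller; the registry name `registry.internal.example` and the sample references are constructed. It parses references the way Docker normalizes them and shows why a string-prefix check is not enough.

```python
"""Allow only images that come from an internal registry (added example)."""

DEFAULT_REGISTRY = "docker.io"                       # implied when no registry host is given
ALLOWED_REGISTRIES = {"registry.internal.example"}   # hypothetical internal registry


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first.lower(), rest
    else:
        registry, remainder = DEFAULT_REGISTRY, name
    # A tag is a colon in the last path component (a host port is already removed).
    if ":" in remainder.rsplit("/", 1)[-1]:
        repository, _, tag = remainder.rpartition(":")
    else:
        repository, tag = remainder, ""
    # Official Docker Hub images live under the implicit "library/" namespace.
    if registry == DEFAULT_REGISTRY and "/" not in repository:
        repository = "library/" + repository
    return registry, repository, tag, digest


def admit(ref, allowed=ALLOWED_REGISTRIES):
    """Return (allowed?, reason) by comparing the parsed registry host exactly."""
    registry, repository, _, _ = parse_image(ref)
    if registry in allowed:
        return True, f"{repository} comes from approved registry {registry}"
    return False, f"registry {registry} is not on the allowlist"


def naive_admit(ref, prefix="registry.internal.example"):
    """Weak variant for contrast: a prefix match accepts look-alike hosts."""
    return ref.startswith(prefix)


def evaluate(images):
    """Map each requested image to its admission decision."""
    return {ref: admit(ref) for ref in images}


# Constructed workload: images a deployment might request.
SAMPLE_IMAGES = [
    "registry.internal.example/base/python:3.9",
    "registry.internal.example.attacker.invalid/base/python:3.9",
    "nginx:1.19",
    "someuser/miner",
]

if __name__ == "__main__":
    for ref, (ok, reason) in evaluate(SAMPLE_IMAGES).items():
        print("ALLOW" if ok else "DENY ", ref, "-", reason)
```

The second sample reference passes `naive_admit` but is denied by `admit`, because its registry host merely starts with the internal name.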
Salesforce has entered into a definitive agreement to acquire Slack for around $27bn.
According to an announcement made yesterday, the deal will allow the combination of customer relationship management with enterprise communications and “create the operating system for the new way to work, uniquely enabling companies to grow and succeed in the all-digital world.”
The transaction is anticipated to close in the second quarter of Salesforce’s fiscal year 2022, subject to approval by the Slack stockholders, the receipt of required regulatory approvals and other customary closing conditions. The aim is to create the “most extensive open ecosystem of apps and workflows for business.”
The move will see Slack be deeply integrated into every Salesforce Cloud, acting as the new interface for Salesforce Customer 360. Slack will allow communications, collaboration and the ability to take action on customer information across Salesforce.
Upon the close of the transaction, Slack will become an operating unit of Salesforce and will continue to be led by CEO Stewart Butterfield. “Salesforce started the cloud revolution, and two decades later, we are still tapping into all the possibilities it offers to transform the way we work. The opportunity we see together is massive,” Butterfield said.
“As software plays a more and more critical role in the performance of every organization, we share a vision of reduced complexity, increased power and flexibility, and ultimately a greater degree of alignment and organizational agility. Personally, I believe this is the most strategic combination in the history of software, and I can’t wait to get going.”
Marc Benioff, chair and CEO, Salesforce, said: “Stewart and his team have built one of the most beloved platforms in enterprise software history, with an incredible ecosystem around it. This is a match made in heaven. Together, Salesforce and Slack will shape the future of enterprise software and transform the way everyone works in the all-digital, work-from-anywhere world. I’m thrilled to welcome Slack to the Salesforce Ohana once the transaction closes.”
Commenting, Stephen Kelly, chair of Tech Nation, said this acquisition reflects that, for software companies, the adage “grow fast or die slowly” applies more than ever.
“As organic growth of its CRM market leadership slows, acquisition has been a core engine for revenue growth and innovation,” Kelly said. “Salesforce has implemented multiple innovation acquisitions, as well as buying companies with customer bases in adjacent markets. The acquisition of Slack reflects all of these basic drives and is an increasingly strong offer as the coronavirus pandemic forces workers to adopt new forms of communication and collaboration software, putting this at the heart of daily life for office workers.”
Eric Christopher, co-founder and CEO of Zylo, said: “Salesforce’s acquisition of Slack brings together employees and customers in a single collaborative experience, which is exactly what’s driving the adoption of new SaaS applications. The challenge for companies now is to understand what they’ve invested in and whether those applications are being used to improve experience and effectiveness.
“They want to move from silos to integrated experiences and a central way to manage their growing portfolio of SaaS apps. Just as COVID-19 accelerated the adoption of SaaS for the digital workforce, this move will accelerate the move toward centralization of collaboration, experience and management. It will force the giants in both customer and employee engagement (Microsoft, Google, Amazon) to respond.”
The FBI has warned businesses that cyber-criminals are exploiting an email forwarding vulnerability on remote workers’ webmail clients to make BEC attacks more successful.
In a Private Industry Notification released last week but just made public, the Feds explained that auto-forwarding rules are commonly used in BEC scams once attackers have compromised an employee’s inbox.
This means emails with specifically chosen keywords like “bank” and “invoice” are automatically sent on to the attacker’s inbox. They can then monitor communications between that employee and other users, and delete certain emails to hide their activity.
Eventually the attacker steps in, pretending to be a legitimate contact such as a supplier, and sends a fake invoice or similar to be paid by the employee’s company.
The FBI warned that if IT administrators don’t sync staff web and desktop email clients, then auto-forwarding rules updated by an attacker will only appear in the former, meaning security teams have no idea that a scam may be taking place.
“While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email,” it continued.
“If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application.”
Even if a bank or law enforcement sounds the alarm, a victim organization may still miss the rule update unless they audit both applications, giving attackers even more time, the FBI added.
This oversight led to a $175,000 loss at a US medical equipment company in August 2020, it warned.
The alert urged administrators to ensure desktop and web email clients are running the same version to enable easy syncing and updates. It also advised them to prohibit automatic email forwarding to external addresses and to monitor for suspicious behavior such as last-minute changes in established email addresses.
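The audit the alert calls for can be sketched as follows. This is an added example, not code from the FBI notification or any mail product: the rule record layout, the `example.com` domain and the sample rules are constructed. It flags rules that forward to external addresses and marks those that exist only in the web client's rule set.

```python
"""Audit exported inbox rules for BEC-style auto-forwarding (added example)."""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}      # assumption: the organization's own domains
WATCH_KEYWORDS = {"bank", "invoice"}    # keywords named in the FBI notification


@dataclass(frozen=True)
class Rule:
    """Hypothetical export record; not a real product schema."""
    mailbox: str
    name: str
    keywords: tuple = ()
    forward_to: tuple = ()
    delete: bool = False


def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is neither an internal domain nor a subdomain."""
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def rule_key(rule):
    """Identity used to match the same rule across the two client exports."""
    return (rule.mailbox.lower(),
            frozenset(a.lower() for a in rule.forward_to),
            frozenset(k.lower() for k in rule.keywords),
            rule.delete)


def audit(web_rules, desktop_rules, internal=INTERNAL_DOMAINS):
    """Return findings for every rule, from either client, that forwards externally."""
    web_keys = {rule_key(r) for r in web_rules}
    desktop_keys = {rule_key(r) for r in desktop_rules}
    unique = {rule_key(r): r for r in list(desktop_rules) + list(web_rules)}
    findings = []
    for key, rule in unique.items():
        external = [a for a in rule.forward_to if is_external(a, internal)]
        if not external:
            continue
        reasons = ["external_forward"]
        if WATCH_KEYWORDS & {k.lower() for k in rule.keywords}:
            reasons.append("keyword_filter")
        if rule.delete:
            reasons.append("deletes_messages")
        if key in web_keys and key not in desktop_keys:
            reasons.append("web_only")   # invisible to desktop-only monitoring
        findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                         "targets": external, "reasons": reasons,
                         "severity": "high" if len(reasons) > 1 else "medium"})
    findings.sort(key=lambda f: (f["severity"] != "high", f["mailbox"]))
    return findings


# Constructed sample exports from the two clients.
NEWS = Rule("ap.clerk@example.com", "Newsletters", keywords=("newsletter",))
COPY = Rule("cfo@example.com", "Assistant copy", forward_to=("assistant@example.com",))
CRM = Rule("sales@example.com", "CRM copy", forward_to=("inbox@crm-vendor.invalid",))
SYNC = Rule("ap.clerk@example.com", "sync", keywords=("Bank", "Invoice"),
            forward_to=("collector@mail-relay.invalid",), delete=True)

WEB_RULES = [NEWS, COPY, CRM, SYNC]
DESKTOP_RULES = [NEWS, COPY, CRM]       # the "sync" rule never reached the desktop client

if __name__ == "__main__":
    for finding in audit(WEB_RULES, DESKTOP_RULES):
        print(finding)
```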
COVID-19 has meant 2020 has been a “year like no other” in regard to data protection and privacy issues, according to Jonathan Armstrong, partner at Cordery, speaking during the 2020 UK and EU Data Protection Review and Outlook for 2021 webinar hosted by Spirion.
He noted that the sudden shift to remote working that many organizations had to undergo as a result of lockdown restrictions back in March has raised a number of new concerns in this field. One of these is the growing use of new third parties, in particular startup companies and businesses that have changed their services in response to the pandemic. Therefore, undertaking due diligence of such companies, and assessing whether they could be trusted with data, has been a big issue this year for many organizations, according to Armstrong.
Another issue has been health checks for people entering an organization’s premises in light of the pandemic, which raised concerns over intrusiveness. “Some employers have got into difficulties with tracking health data onto an HR employment file,” said Armstrong, noting that the retailer H&M was fined 35.2m for collecting too much data on employees, with health checks being one aspect of that.
Additionally, monitoring remote staff productivity has led to new data privacy claims and investigations, “particularly with things like Office 365 where there is functionality out of the box to monitor employee productivity.” Armstrong added: “There are always challenges with this type of data, particularly when individuals perceive the organization is going to lose headcount and they may lose out.”
Armstrong also outlined important areas of litigation this year, one of which is increasing numbers of employees exercising data subject rights, such as requesting organizations to disclose the information they hold about them. This is particularly important as “the volumes of data can be more significant in a working from home environment.” He noted, for instance, that some organizations are routinely recording calls taking place on video conferencing platforms.
This move to remote working has also highlighted the lack of consistency between different jurisdictions in regard to the application of GDPR, in the view of Armstrong. While data protection authorities (DPAs) quickly issued advice about how organizations should handle this situation at the start of the crisis, a distinct lack of uniformity was observed.
With home working set to continue to play an important role for the foreseeable future, Armstrong set out advice for organizations to minimize the risks of data privacy problems occurring. These include recognition that consent will rarely be a solution when it comes to data collection, undertaking a data protection impact assessment (DPIA) and following the six GDPR principles.
Another major data privacy issue this year in a European context has been the UK’s ongoing negotiation with the EU to set out the full terms of its departure at the end of this year. Andre Bywater, partner at Cordery, explained that while data protection isn’t the main bone of contention in the negotiations, it currently remains unclear what the UK’s relationship with GDPR will be from next year. “GDPR has applied in the UK during the transition period, but once we leave the EU with or without a deal, it won’t technically apply,” he explained. It could be that the UK passes its own new data protection law that follows the GDPR, “but there may also be changes.”
A big aspect of the uncertainty is that the UK is currently awaiting an “adequacy decision” from the EU, in which its system is being assessed on how well it is able to protect privacy rights. If granted, data transfers from the EU to the UK can flow freely, but if not, this could cause numerous issues for organizations. Bywater commented: “I do not think we will get an adequacy decision within the next four weeks.” In this situation, “any data transfers from the EU to the UK will all have to use a particular mechanism” such as model clauses.
Summing up, Armstrong advised businesses to have a data transfer plan to be ready for such a scenario.
An American hacker has been sent to prison for carrying out a series of cyber and swatting attacks, including sending bogus threats of shootings and bombings to schools in the United Kingdom and the United States.
North Carolina resident Timothy Dalton Vaughn also called in a false report of an airplane hijacking involving a jetliner traveling from London to San Francisco.
The 22-year-old, known online by the handles “WantedbyFeds” and “Hacker_R_US,” was arrested in February 2019 by special agents with the FBI.
Authorities found that Vaughn had in his possession 200 sexually explicit images and videos depicting children, including at least one toddler.
Vaughn was a member of a worldwide collective of computer hackers and swatters who call themselves the “Apophis Squad.”
The squad caused disruptions by making threatening phone calls, sending false reports of violent school attacks via email, and launching distributed denial-of-service (DDoS) attacks on websites.
"Vaughn and others sent emails to at least 86 school districts threatening armed students and explosives," said the Department of Justice.
"The threatened attacks included the imminent detonation of a bomb made with ammonium nitrate and fuel oil, rocket-propelled grenade heads placed under school buses, and the placement of land mines on sports fields."
Squad members sometimes reported threats using "spoofed" email addresses to make it appear as though the reports had been sent by innocent parties, including the mayor of London.
Among the squad's victims was a Long Beach motorsport company whose website hoonigan.com was knocked offline for three days by a DDoS attack. The business received an email demanding a ransom of 1.5 Bitcoin (worth approximately $20,000) to cease the attack.
The Apophis Squad also hacked and defaced the website of a university in Colombia so that site visitors were greeted with the image of Adolf Hitler clutching a sign that read "YOU ARE HACKED."
In November 2019, Vaughn pleaded guilty to one count of conspiracy to convey threats to injure, convey false information concerning use of explosive device, and intentionally damage a computer; one count of computer hacking; and one count of possession of child sexual abuse material.
Yesterday, Judge Otis Wright sentenced Vaughn to prison terms of 95 months for the child sexual abuse material possession charge and 60 months for each of the other charges. The terms are to be served concurrently.
Louisiana's Cyber Crime Unit has arrested five men for allegedly committing internet crimes against children.
An announcement regarding the arrests was made yesterday by the Bayou State's attorney general, Jeff Landry.
"My team and our law enforcement partners continue to do more with less to keep our state’s children safe," said Landry.
"I am very proud of the work they do every day to bring child predators to justice, and I hope they get the resources necessary to do their jobs even more effectively during this time of increased online activity."
Jared Wilkinson, who was booked into the East Feliciana Parish Jail, was the youngest man to be arrested by the CCU. The 20-year-old resident of Jackson was charged with 50 counts of Pornography Involving Juveniles Under the Age of Thirteen (possession).
Denham Springs resident Pedro Moreno was charged with seven counts of Pornography Involving Juveniles Under the Age of Thirteen (possession).
The arrest of the 40-year-old was the result of a joint investigation with the Louisiana Bureau of Investigation, Homeland Security Investigations, Livingston Parish Sheriff's Office, and Jefferson Parish Sheriff's Office.
Mostafa Rasheed, also aged 40, was arrested and charged with 13 counts of Pornography Involving Juveniles Under the Age of Thirteen (possession) and four counts of Sexual Abuse of an Animal.
The Baton Rouge resident was booked into the East Baton Parish Prison on November 25 after a March 2020 tip from the National Center for Missing and Exploited Children triggered an investigation.
NCMEC reported that Facebook user Leon Al-Iraqi had uploaded a video depicting child sexual abuse material. The CCU executed a search warrant for the social media account and discovered multiple videos of children being raped and four videos showing the sexual abuse of animals.
WBRZ reported that authorities were able to trace the social media account back to Rasheed via an IP address.
Gregory Pratt, a 53-year-old resident of West Monroe, was arrested and charged with one count of Pornography Involving Juveniles Under the Age of Thirteen (possession).
Terrytown resident Charles Howell IV, aged 61, was also arrested and charged with one count of Pornography Involving Juveniles Under the Age of Thirteen (possession).
An American nonprofit mental health and behavioral health services provider has been notifying patients of a recent cyber-attack that exposed the protected health information (PHI) of more than 295,000 patients.
AspenPointe, which is based in Colorado Springs, Colorado, was successfully targeted by cyber-criminals in September 2020. The attack forced the healthcare provider to take its systems offline, causing several days of operational disruption.
"We recently discovered unauthorized access to our network occurred between September 12, 2020 and approximately September 22, 2020," said AspenPointe in a notification letter sent out to patients on November 19.
"We immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations to analyze the extent of any compromise of the information on our network."
The investigation, which concluded on November 10, found that cyber-criminals had been able to access patient data that included full names, dates of birth, driver's license numbers, bank account information, Social Security numbers, Medicaid ID numbers, dates of visitations, admissions dates, discharge dates, and/or diagnosis codes.
"To date, we are not aware of any reports of identity fraud or improper use of your information as a direct result of this incident," said AspenPointe.
The security breach was reported to Health and Human Services' Office for Civil Rights on November 19 as affecting 295,617 individuals. AspenPointe is offering 12 months of complimentary identity theft protection services and a $1m insurance reimbursement policy to those affected.
The healthcare provider said that following the attack, it has taken steps to improve its cybersecurity, including firewall changes, the implementation of additional endpoint protection, and increased monitoring. A password reset has also been performed.
AspenPointe manages 12 organizations that help thousands of people every year who are suffering from mental health problems, including depression and grief, and also supports individuals with substance misuse issues.
The healthcare provider also offers career services, assisting Colorado Springs residents to develop employment goals and teaching them how to search for and apply to jobs, write a resume, and make a good impression in a job interview.
Only 14% of consumers frequently utilize biometric authentication methods to log into a digital service, website or account, according to new research by Nomidio.
This is despite more than half (57%) of those surveyed stating that biometrics would make authentication quicker. Additionally, 54% and 53% thought it would make logins easier and more secure, respectively.
The biggest concern people had regarding the use of this authentication method was the risk of the biometric data falling into the hands of malicious actors, cited by a third of respondents. This was followed by 29% expressing concern that their behavioral data, showing where they had logged in, would be sold on by the identity provider.
Close to three-quarters (71%) said they would be put off biometric authentication if they were required to download multiple apps.
Ben Todd, head of worldwide sales at Nomidio, commented: “Consumers are switched on; the loss of biometric identifiers and the risk an identity provider might sell or mine behavioral data are very real.”
Philip Black, commercial director at Nomidio, added: “Biometric authentication is still emerging and if we want consumers and employees to make the step-up, we must deliver solutions that provide a ‘Netflix style’ user experience. If I can’t log-in because my biometric ID is tied to my phone and it’s lost, stolen or out of battery, I might just stick with a password.”
The use of biometrics to log into online services such as e-commerce accounts is likely to increase in the wake of the shift to digital services during COVID-19 and a resulting rise in online fraud. Recently, Amazon revealed it is trialling a new biometric scanner it hopes will streamline contactless payment security and physical access for consumers and businesses.
Legacy technology is not always as bad as it is commonly believed to be, according to a panel of CISO speakers.
Speaking during the Think Cybersecurity for Government conference, Bill McCluggage, managing director of Laganview Associates, said that legacy technology “is not all bad” and while all organizations have some sort of legacy technology and accrue not only tech debt but legacy issues, the positive side is that “it is stable and we understand it.”
He said that although legacy technology is reasonably well understood and protected behind layers, the challenges can lie in getting provider support, in not being able to adapt to the modern threat landscape, and in database issues. “What we create today will be legacy tomorrow; we have got it and have to live with it.”
Paul Jackson, head of public sector at Tanium, said the challenge across government is there is “no shortage of programs looking at digital transformation” and it is common for them to struggle with legacy technology. “I speak to hospitals and universities, and they tell you what [the network is] made up of, and they have not got a hand on what they have got. It is hard to protect and hard to transform.” He recommended “getting the basics right, as the sooner you get a handle on it, the better it is for your environment.”
Greg van der Gaast, CISO of Salford University, said legacy technology “tends to be a known quantity” as most environments have thousands of endpoints, but with legacy technology it is known about and behind layers of protection. “It is like the family jewels; you keep them safe and not hanging out of the window,” he said. “It was said that systems are legacy the minute they hit production, but that should not be the case.”
McCluggage agreed, saying with legacy technology we know that it is stable, and you know the ports of entry, but keeping it managed, with the right people, is a challenge. “Over the next year to 18 months we will have import duties run off backend legacy systems, and they will be the engines of the state,” he said.
Jackson made the point that a lot of attackers target vulnerabilities in the legacy estate, so users are advised to take a “holistic view.” Van der Gaast added that if you do not have awareness of your environment around legacy systems, you cannot be sure it is isolated: “if you create layers it requires awareness of these layers.”
Personal data is being sold on the dark web for as little as 50 cents (USD), an investigation by Kaspersky has found.
The study looked at the potential consequences of doxing, a practice in which a person shares information about another individual without their consent, with the aim of embarrassing them, hurting them or putting them in harm's way.
Kaspersky added that particularly determined abusers may even go as far as hacking into the target’s online accounts, a service that can be purchased on the dark web.
In their analysis of active offers on 10 international darknet forums and marketplaces, the researchers found very high demand for individuals’ private information. The cost of an ID is as little as 50 cents, and varies according to the type and detail of data on offer. They also found that personal financial information, such as credit card details and banking and e-payment service access, has remained just as much in demand as it was around a decade ago, with prices unchanged in recent years.
In the hands of malicious actors, this type of data can have severe consequences for the victims, potentially leading to extortion scams, phishing attacks, direct theft of money and social damage such as doxing.
In recent years, new types of data have gained prominence. These include personal medical records and selfies with personal ID documents, the latter of which can enable bad actors to assume a victim’s name or obtain services on the basis of their identity.
Dmitry Galov, security researcher at Kaspersky’s GReAT, commented: “In the past few years many areas of our lives have become digitized – and some of them, such as our health, for instance, are especially private. As we see by the increasing number of leaks, this leads to more risks for users. However, there are positive developments too – many organizations are taking extra steps to secure their users’ data. Social media platforms have made especially significant progress in this regard as it is much harder now to steal an account of a specific user.
“That said, I believe our research highlights how important it is to be aware that your data is in fact in demand and can be used for malicious purposes even if you do not especially have lots of money, do not voice controversial opinions and are generally not very active online.”
It is time for government to open up apprenticeship and hiring opportunities for cybersecurity, particularly in the public sector, to meet the needs of the UK industry.
Speaking on a panel as part of the Think Cybersecurity for Government conference, Chris Green, head of communications at (ISC)2, cited the recent Cyber Workforce Study’s finding of a reduced UK skills gap, which found that one in five companies had a staff shortage. “They have not had the staff on hand to deal with issues,” he said, stating that there will be an increased demand as we move into 2021 due to COVID-19 “and a lot has to be done to overcome that issue.”
He called for roles to be more accessible to more people, as we need to identify and train those people. Hiring has increased but “the impact of COVID-19 has accelerated digital transformation, and we can expect the gap to widen again as more and more companies transition to a digital environment.” Green said a lot of companies did not have the infrastructure or people in place to enable that move to a more online existence, and as a result, he expects to see an increase in the size of the skills shortage next year.
Asked by moderator David Bicknell how this issue can be overcome, Green said this can be achieved with government training opportunities, and to “make the route valuable” for those coming from the academic perspective. “Government can do more to qualify professional certifications, especially in cybersecurity,” he said.
Also on the panel was Saj Huq, director of LORCA, who said the cybersecurity field is developing so quickly “it is hard to remain agile and on top of what the changes are.” He claimed he was optimistic about the changes, and that statistics show cybersecurity is “going in the right direction” but he was nervous about maintaining that upswing. “What is clear is that cybersecurity is top of the policy agenda and we can make the right investments into the future,” he said.
Jessica Figueras, founder of Hither Ventures, said we should think about how we use people and skills in roles, and it is important to address the issue at many different levels “and clearly shortage is coming in first place.” She also called for government to increase its leadership role for innovation in order to better develop skills in the UK. Huq agreed, saying it needs to be clearer with regard to how to become a technology entrepreneur, while Green said the educational curriculum should be reviewed to make computer studies less about coding and more about cybersecurity skills.
“Introduce more cybersecurity stuff at the educational level and you increase the seed of interest of cybersecurity as a career,” he said. “We struggle to bring Generation Z in, who don’t view cybersecurity professionals as inspirational or critical to society, and that is down to a lack of exposure to the role cybersecurity plays.”
Huq said: “Continued investment in innovation is important as the field is changing, and we cannot afford to stand still and we need to invest. This is not just about public money, but it means the role of industry needs to evolve more broadly as security is treated as a bolt on and insurance policy.”
Vietnamese state-backed hackers have been observed deploying cryptocurrency mining malware to monetize the networks of victim organizations they’re also spying on, according to Microsoft.
However, from July to August 2020, the group deployed Monero coin miners in attacks targeting private and public sector organizations in France and Vietnam. Doing so may be part of a plan to generate extra revenue alongside such attacks, or an attempt to stay hidden, Microsoft claimed.
“The coin miners also allowed BISMUTH to hide its more nefarious activities behind threats that may be perceived to be less alarming because they’re ‘commodity’ malware,” it said in a blog post.
“If we learned anything from ‘commodity’ banking trojans that bring in human-operated ransomware, we know that common malware infections can be indicators of more sophisticated cyberattacks and should be treated with urgency and investigated and resolved comprehensively.”
Other tactics designed to “blend in” include the targeting of only one individual in an organization with spear-phishing; in some cases, the attackers even corresponded with their victims to encourage them to open the malicious attachment.
Another is the use of DLL side-loading via outdated applications including Microsoft Defender Antivirus.
“Blending in was important for BISMUTH because the group spent long periods of time performing discovery on compromised networks until they could access and move laterally to high-value targets like servers, where they installed various tools to further propagate or perform more actions,” noted Microsoft.
“At this point in the attack, the group relied heavily on evasive PowerShell scripts, making their activities even more covert.”
Organizations faced with this threat group should focus on reducing the attack surface via user education, disabling macros, tweaking email filters and other techniques; improving credential hygiene through MFA; and stopping attack sprawl with intrusion detection, firewalls and other tools.
French retail giant Carrefour and its banking arm have been fined over €3m ($3.7m) by the local data protection regulator for multiple breaches of the GDPR.
French regulator the Commission nationale de l’informatique et des libertés (CNIL) hit Carrefour France with a €2.25m fine and Carrefour Banque received an €800,000 penalty.
CNIL took into account the significant remedial action that had been taken by the firm to address its concerns.
However, the list of these concerns extended to nine key areas, according to compliance experts Cordery.
Information about data protection was too complicated and imprecise, and hidden in lengthy documents alongside other information. Key info on data retention was also missing.
Cookie use was unlawful, the policy for dealing with data subject requests was too restrictive, Carrefour didn’t meet time limits for responding to data subject requests and it transferred data without being fully transparent.
CNIL claimed that a data retention period of four years for customer data after the last purchase was excessive. Plus, it felt there was also insufficient information on data transfers outside the EU and the legal basis for processing on the carrefour.fr website.
“The data transfer element is especially interesting given the issues with the collapse of Privacy Shield and the increased focus on data transfer using Standard Contractual Clauses,” said Cordery.
“It seems that data protection regulators are also focussing on what organizations are saying on their websites about data transfers. Consider therefore reviewing your website to ensure that it meets GDPR transparency standards, especially to meet the required standard with information on data transfers.”
CNIL is one of Europe’s more active GDPR regulators. It was the first to issue a major fine following the introduction of the new legislation: hitting Google with a €50m ($60m) penalty for failing to notify users about how their data is used.