Info Security


Over 2000 WordPress Sites Hit by Malicious Redirects

2 hours 7 min ago

Thousands of WordPress sites have been infected with malicious JavaScript in an attempt to promote scam websites, according to Sucuri.

The number of infections spiked last week, with hackers exploiting vulnerabilities in various plugins, including Simple Fields and the CP Contact Form with PayPal, the security vendor explained in a blog post.

After exploitation, the hackers are able to inject JavaScript which begins a series of redirects to a fraudulent “survey-for-gifts” website, where users are tricked into handing over personal info and unwittingly installing malware.

Among the domains registered as part of the campaign are gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com and admarketresearch[.]xyz.

“Unfortunately for website owners, this malicious JavaScript payload is capable of making further modifications to existing WordPress theme files via the /wp-admin/theme-editor.php file. This allows them to inject additional malware, such as PHP backdoors and hacktools, into other theme files so they can continue to maintain unauthorized access to the infected website,” Sucuri explained.

“We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes, as part of WordPress security hardening and security best practices.”

The attackers have also been observed abusing /wp-admin/ features to create fake plugin directories containing more malware: for example, using the /wp-admin/includes/plugin-install.php file to upload a zip-compressed fake plugin and unzip it into /wp-content/plugins/.

The two most common fake plugin directories spotted by Sucuri are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.

The firm has seen over 2000 infected sites thus far compromised in this campaign.

WordPress is by far the most frequently hacked website platform. It accounted for 90% of compromised websites spotted by Sucuri in 2018, up from 83% in 2018. Magento (4.6%) and Joomla (4.3%) were a distant second and third.
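As an added defender-side check (example code written for this page, not from Sucuri or Infosecurity), the script below looks for the two fake plugin files named above and parses wp-config.php for DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, the WordPress constants that disable the dashboard theme/plugin editor and in-dashboard plugin uploads respectively. The sample site tree it builds is constructed for the demonstration and contains placeholder files, not real malware.

```python
import os
import re
import tempfile

# Fake plugin files named in the Sucuri report above (relative to the WordPress root).
KNOWN_FAKE_PLUGIN_FILES = [
    "wp-content/plugins/supersociall/supersociall.php",
    "wp-content/plugins/blockspluginn/blockspluginn.php",
]

# wp-config.php constants: DISALLOW_FILE_EDIT removes the theme/plugin editor
# (the theme-editor.php route used by the campaign); DISALLOW_FILE_MODS also blocks
# plugin/theme installs and updates from the dashboard (plugin-install.php route).
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DISALLOW_FILE_(?:EDIT|MODS))['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)


def find_fake_plugins(wp_root):
    """Return the known fake plugin files that actually exist under wp_root."""
    return [p for p in KNOWN_FAKE_PLUGIN_FILES if os.path.isfile(os.path.join(wp_root, p))]


def hardening_status(wp_root):
    """Report which of the two constants wp-config.php sets to true (missing config => all False)."""
    status = {c: False for c in HARDENING_CONSTANTS}
    cfg = os.path.join(wp_root, "wp-config.php")
    if not os.path.isfile(cfg):
        return status
    with open(cfg, encoding="utf-8", errors="replace") as fh:
        for m in _DEFINE_RE.finditer(fh.read()):
            status[m.group(1).upper()] = m.group(2).lower() == "true"
    return status


def audit(wp_root):
    """Combine both checks into a list of findings; an empty list means nothing was flagged."""
    findings = [f"known fake plugin present: {p}" for p in find_fake_plugins(wp_root)]
    status = hardening_status(wp_root)
    # DISALLOW_FILE_MODS implies the editor is disabled too, so either constant satisfies this.
    if not (status["DISALLOW_FILE_EDIT"] or status["DISALLOW_FILE_MODS"]):
        findings.append("dashboard file editor enabled: set DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS")
    if not status["DISALLOW_FILE_MODS"]:
        findings.append("plugin upload via wp-admin enabled: consider DISALLOW_FILE_MODS")
    return findings


def build_sample_site(hardened, with_fake_plugin):
    """Construct a throwaway WordPress-like directory tree for the demo (not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    cfg = "<?php\n"
    if hardened:
        cfg += "define('DISALLOW_FILE_MODS', true);\n"
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(cfg)
    if with_fake_plugin:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "supersociall")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "supersociall.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed placeholder file, not the real payload\n")
    return root


if __name__ == "__main__":
    # Run the audit against an unhardened site carrying a fake plugin and against a clean, hardened one.
    infected = build_sample_site(hardened=False, with_fake_plugin=True)
    print("infected sample:", audit(infected))
    clean = build_sample_site(hardened=True, with_fake_plugin=False)
    print("hardened sample:", audit(clean))
```

Point `audit()` at a real document root to use the same checks outside the demo.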

Categories: Cyber Risk News

Data on 30,000 Cannabis Users Exposed in Cloud Leak

2 hours 52 min ago

Tens of thousands of cannabis users in the US have had their personal information leaked by a misconfigured cloud bucket, according to researchers.

Over 85,000 files including more than 30,000 records with sensitive personally identifiable information (PII) were exposed when software firm THSuite apparently left an Amazon Web Services (AWS) S3 bucket unsecured.

THSuite provides software that helps cannabis dispensaries collect the large volumes of sensitive user info they need to comply with state laws.

At least three clients were affected in the privacy snafu: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.

Exposed PII included names, home and email addresses, dates of birth, phone numbers, medical ID numbers and much more, according to vpnMentor.

As such, the leak affected both medical cannabis users and those who bought the plant for recreational purposes.

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” the researchers argued.

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.”

The revelations may also harm recreational users, especially if their employer prohibits cannabis use, they continued. The database apparently included scanned copies of government and employee IDs.

From a cybercrime perspective, the data trove would also offer a potentially lucrative opportunity for hackers to craft convincing phishing emails, texts and calls, and launch follow-on identity fraud attempts.

The researchers found the exposed database via a simple scan on December 24 last year. After contacting its owners on December 26 the problem was finally mitigated on January 14 2020.

Cloud misconfigurations like this remain a major source of cyber-related risk for organizations around the world. vpnMentor alone has found millions of user records leaked by the likes of cosmetics giant Yves Rocher, Best Western Hotels and Canadian telco Freedom Mobile.

Categories: Cyber Risk News

UN Wants US Probe into Bezos-Saudi Phone Hack

3 hours 37 min ago

The United Nations has called for a US-led investigation into the alleged hacking of Jeff Bezos’s mobile phone by the crown prince of Saudi Arabia, Mohammed bin Salman.

The bombshell allegations, which broke on Wednesday, suggest that spyware was deployed via an MP4 file sent from a WhatsApp account belonging to the prince. The two had apparently met and exchanged phone numbers a month before the alleged attack on May 1 2018.

According to the analysis by UN special rapporteurs Agnes Callamard and David Kaye, “massive and unprecedented” exfiltration of data followed the initial spyware deployment, with data egress from the device jumping suddenly by 29,156% to 126 MB and then continuing undetected for months after.

“The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials,” the UN analysis continued.

“This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.”

The NSO Group has “unequivocally” denied the claims.

It’s claimed that the Saudis targeted the world’s richest man Bezos because of his ownership of the Washington Post, whose columnist Jamal Khashoggi wrote in highly critical terms of the crown prince. He is believed to have been assassinated on a visit to the Saudi embassy in Turkey on October 2 2018.

In November 2018 and February 2019, the crown prince’s WhatsApp account is also said to have sent messages revealing details of Bezos’s affair, months before it became public knowledge.

“The information we have received suggests the possible involvement of the crown prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia,” argued the special rapporteurs.

“The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the crown prince in efforts to target perceived opponents.”

The case also highlights the devastating impact of legitimate cross-border spyware sales from private companies to authoritarian governments, the UN argued.

“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse,” it said.

“It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.”

It will be some cause for concern for Bezos and his personal security team that the attack went undetected for so long.

“For high value targets, the best protection is to compartmentalize how apps are used. For example, they might use WhatsApp or Signal for communicating with external contacts, and Teams for communicating with internals,” argued F-Secure principal researcher, Jarno Niemelä.

“It makes sense to separate use by device; I recommend communicating with external contacts on a different device from the one you use for handling critical matters such as two-factor authentication apps. It is also important to review application permissions regularly to deny access to apps that have fallen out of use.”

Categories: Cyber Risk News

US Journalist Denounced for Alleged Involvement with Brazilian Criminal Organization

Wed, 01/22/2020 - 17:07

Brazilian prosecutors have denounced American journalist Glenn Greenwald for his alleged involvement with a cybercrime organization that hacked cell phones to commit bank fraud.

Greenwald is best known for a series of reports published from June 2013 by The Guardian newspaper that detailed the global surveillance programs of the United Kingdom and the United States. The reports were based on classified documents disclosed by Edward Snowden and whistle-blowing events involving WikiLeaks.

In a criminal complaint filed by federal prosecutors in Brazil on Tuesday, Greenwald is accused of being involved with a criminal organization that hacked mobile devices and committed bank fraud and money laundering. 

According to the complaint, the organization is behind a number of hacks perpetrated last year in which cell phones belonging to public officials and prosecutors were compromised. Among the officials whose devices were hacked was the Brazilian minister of justice and public security, Sérgio Moro.

Seven individuals are named and denounced in the complaint, including computer programmer Gustavo Henrique Elias Santos and his wife, Suelen Oliveira, who allegedly recruited people to participate in a series of scams.

Greenwald was named as an auxiliary to the criminal organization’s activities after a recording of a conversation between the journalist and the organization’s alleged hacker Luiz Molição emerged. The recording was found on a MacBook seized by Brazilian police from the house of Walter Delgatti Netto, who prosecutors allege was one of the organization’s leaders. 

In the audio, Molição confirms that a phone hack is ongoing. He then asks Greenwald for guidance on the possibility of "downloading" the content of other people's Telegram accounts before the journalist publishes certain articles on his website, The Intercept.

Prosecutors allege that Greenwald then advised Molição to cover the criminal gang's tracks by deleting archives of material that they had sent to the journalist. Deleting the material could hinder a police investigation and possibly reduce the criminal liability of the individuals behind the hack. 

The complaint states that the criminal organization carried out 126 telephone, telematic, or computer interceptions and 176 invasions of third-party computer devices. An investigation into whether the hacks resulted in financial profits is ongoing, and the possibility of future judicial proceedings has not yet been ruled out.

The Intercept and Greenwald both released statements on Tuesday labeling the federal prosecutor’s allegations as an attack on Brazil’s free press "in line with recent abuses by the government of far-right President Jair Bolsonaro."

Categories: Cyber Risk News

Fake Smart Factory Captures Real Cyber-threats

Wed, 01/22/2020 - 15:40

A fake industrial prototyping company created by cybersecurity researchers has become the target of real-life cyber-attackers. 

Researchers at Trend Micro established the faux firm and maintained it for a six-month period in 2019 to learn about the threats facing companies that use Operational Technology. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.

The fake concern consisted of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines that ran the factory. Among these machines were several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations, and a file server.

The honeypot went live on May 6, with a fake client base composed of large anonymous organizations from critical industries. By July 24, a threat actor had entered the fake company's system and downloaded a cryptocurrency miner. Researchers observed the attacker returning regularly to relaunch their miner.

By August, researchers had observed multiple incidences of compromise, with one threat actor performing reconnaissance activities and another causing system shutdowns. Ransomware attacks using Crysis and a Phobos variant were carried out against the fake company in September and October, respectively. 

Greg Young, vice president of cybersecurity for Trend Micro, said the research indicated that industrial companies are primarily vulnerable to bog-standard cyber-threats.

He said: "Too often, discussion of cyber threats to ICS has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely."

Young warned owners of small smart factories against the dangers of thinking that their company's size makes them somehow immune to the threat of cyber-attack.

He said: "Owners of smaller factories and industrial plants should not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line."

Smart factory owners can reduce the risk posed by malicious threat actors by minimizing the number of ports they leave open and also by strictly enforcing access control policies.

Categories: Cyber Risk News

Facebook Crime Rises 19% as UK Tries to Police Social Media

Wed, 01/22/2020 - 14:53

The UK government is planning to police social media by issuing sites with a new code of conduct.

Social media firms will be required by law to protect children from viewing any content deemed to be "detrimental to their physical or mental health or wellbeing," according to a report published yesterday in The Daily Telegraph.

Failure to act in line with the government-backed code could result in fines and penalties that could potentially lose an offending company billions of pounds in revenue.  The current code of conduct was created in 2017 and updated in April 2019.

News of the stricter code comes as statistics obtained from the British police reveal an alarming increase in the number of reported crimes linked to Facebook. 

Data obtained from 20 different UK police forces under a Freedom of Information (FOI) request indicates that in the financial year 2019–20, the number of Facebook-related crimes reported to the police was 32,451. When compared to the same period in 2017–18, this total shows an increase in crime of 19%.

Official figures from the police list the total number of crimes with a connection to Facebook as 55,643. Data shared under the FOI request revealed that Leicestershire Police received the highest number of reports of Facebook-linked crimes. In total, the English Midlands force said it had recorded 10,405 such incidents, of which 408 involved victims categorized as "vulnerable."

Lancashire Constabulary reported the second-highest number of crimes linked to the social media giant. The North West England force said it had recorded 8,829 Facebook-connected crimes, of which 718 were harassment, 179 were sexual offences, 1,007 involved offensive messages, and 1,497 were classified as malicious communication.  

Greater Manchester Police reported 8,230 Facebook-linked crimes, many of which involved "engaging in sexual activity with a child."

The FOI request was put out by the Parliament Street think tank. Figures obtained by the think tank via an FOI request for offenses that mentioned Instagram or Facebook in the crime notes found that Instagram had been used by pedophiles, stalkers, burglars, and drug dealers to commit 15,143 crimes since 2017. The total number of cases associated with both sites since 2017 is 70,786.

Categories: Cyber Risk News

Apple Dropped iCloud Encryption Plans After FBI Complaint: Report

Wed, 01/22/2020 - 12:35

Apple dropped plans to offer end-to-end encrypted cloud back-ups to its global customer base after the FBI complained, a new report has claimed.

Citing six sources “familiar with the matter,” Reuters claimed that Apple changed its mind over the plans for iCloud two years ago after the Feds argued in private it would seriously hinder investigations.

The revelations put a new spin on the often combative relationship between the law enforcement agency and one of the world’s biggest tech companies.

The two famously clashed in 2016 when Apple refused to engineer backdoors in its products that would enable officers to unlock the phone of a gunman responsible for a mass shooting in San Bernardino.

Since then, FBI boss Christopher Wray, attorney general William Barr and, most recently, Donald Trump have all taken Apple and the wider tech community to task for failing to budge on end-to-end encryption.

Silicon Valley argues that it’s impossible to provide law enforcers with access to encrypted data in a way which wouldn’t undermine security for hundreds of millions of law-abiding customers around the world.

They are backed by world-leading encryption experts, while on the other side, lawmakers and enforcers have offered no solutions of their own to the problem.

Apple’s decision not to encrypt iCloud back-ups means it can provide officers with access to targets’ accounts. According to the report, full device backups and other iCloud content were handed over to the US authorities in 1568 cases in the first half of 2019, covering around 6000 accounts.

Apple is also said to have handed the Feds the iCloud backups of the Pensacola shooter, whose case sparked another round of calls for encryption backdoors from Trump and others.

It’s not 100% clear whether Apple dropped its encryption plan because of the FBI complaint, or whether it was down to more mundane usability issues. Android users are said to be able to back up to the cloud without Google being able to access their accounts.

Categories: Cyber Risk News

Microsoft Exposes 250 Million Call Center Records in Privacy Snafu

Wed, 01/22/2020 - 11:00

Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.

Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.

Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech.

Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.

This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.

“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff.

“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”

However, Microsoft was praised for acting swiftly to lock down the exposed servers.

After being informed by Diachenko on December 29, the firm had secured all data by December 31.

Microsoft is just the latest in a long line of companies that have exposed sensitive consumer data through cloud misconfigurations.

These include Choice Hotels, Honda North America, Adobe and Dow Jones.

Sometimes the leaks come from suspected cyber-criminals. Back in December, over one billion email and password combos were exposed via an unsecured Elasticsearch database, with many collected from a previous 2017 breach.

Categories: Cyber Risk News

Campaigners Threaten ICO with Legal Action for AdTech Failings

Wed, 01/22/2020 - 10:30

Campaigners are threatening to take the Information Commissioner’s Office (ICO) to court for failing to enforce data protection laws in tackling what they see as widespread illegality in the adtech industry.

The Open Rights Group (ORG) responded to an update from the ICO last Friday detailing what action has been taken since the latter’s June 2019 report raised serious concerns about real-time bidding (RTB).

RTB is the process where website publishers auction space on their pages to advertisers in near real-time. However, that process often involves the advertiser seeing detailed information about the individual web user they want to reach, including their browsing history and perceived interests.

The ICO duly raised multiple concerns in its report claiming: the methods of obtaining informed consent from data subjects are often insufficient; privacy notices lack clarity; and that the scale of data profiling and sharing is “disproportionate, intrusive and unfair.”

It also argued that the widespread use of contractual agreements to protect how bid request data is shared, secured and deleted is inappropriate given the scale of the supply chain and type of data shared.

However, in an update last week, the ICO seemed to hold back from enforcing GDPR and other relevant laws, choosing instead to focus on positive steps taken by Google and the Internet Advertising Bureau (IAB) to act on its concerns.

That’s not good enough for the ORG’s executive director, Jim Killock, who filed an initial complaint with the ICO regarding RTB practices 16 months ago.

"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance,” he argued.

"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.”

Killock and co-complainant Michael Veale, a lecturer in digital rights and regulation at UCL, are now considering whether to take legal action against the regulator for failing to act, or individual companies for breaking the law.

“When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy,” argued Veale. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

However, the ICO’s primary impulse has always been to educate rather than punish the industry, so it’s likely that harsher enforcement measures will eventually come for those in the adtech ecosystem that fail to change their ways.

“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” argued ICO executive director for technology and innovation, Simon McDougall.

“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilize its wider powers.”

Categories: Cyber Risk News

KnowBe4 Donates $250,000 to Stetson University College of Law

Wed, 01/22/2020 - 09:24

Security awareness training provider KnowBe4 has donated $250,000 to Stetson University College of Law, Florida’s first law school.

The donation includes:

  • Creation of the KnowBe4 Cybersecurity Law Scholarship Fund, which will provide $5000 merit-based scholarships for the next five years;
  • Creation of the KnowBe4 Cybersecurity Law Program Fund to support the establishment and growth of the cybersecurity law program at Stetson Law;
  • A subscription to KnowBe4’s diamond-level new-school security training platform to enhance security and data protection awareness among Stetson’s staff, faculty and students.

“We see this donation as a great opportunity to contribute to and build our community,” said Stu Sjouwerman, CEO of KnowBe4. “It’s also an opportunity to help fulfill the need to educate and train more cybersecurity talent. We’re excited to work with Stetson University College of Law to help develop an entire collegiate program that’s focused on cybersecurity in the Tampa Bay area.”

The agreement includes the creation of other initiatives, such as a weekend course on the topics of cybersecurity and data privacy for Stetson Law students, speaking events, student-led research, student organizations, internship opportunities for law students and providing general support for business law initiatives at Stetson Law with cyber-law course offerings and other resources related to cybersecurity law.

“We strive to be at the forefront of all that we do at Stetson Law – whether it is educating students in emerging areas of law or ensuring our faculty and staff are highly trained in new technology – so this collaboration with KnowBe4 is a fantastic opportunity to advance both our mission and theirs,” added Michèle Alexandre, dean of Stetson University College of Law.

Categories: Cyber Risk News

Surge in Ships Seeking Cybersecurity Classification

Tue, 01/21/2020 - 17:24

A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification. 

Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its "Cyber Managed" notation. The notation is based on BV's rule NR659 on cybersecurity for the classification of marine units, which was co-developed with marine security experts.

To be awarded a "Cyber Managed" class notation, ships must show that the design, construction, commissioning, and maintenance of their onboard computer-based systems are in line with existing cybersecurity best practices and standards, such as IMO MSC-FAL.1/Circ.3, NIST and BIMCO.

A BV spokesperson said: "Cyber Managed works because it is based on a security risk assessment developed from an initial mapping of onboard systems that results in a practical set of requirements.

"The initial risk analysis and mapping exercise can be performed either during the newbuilding phase or at any time during the lifecycle of the vessel. As such, the notation is applicable to both new and existing ships."

As part of the risk assessment process, all the ship's onboard handbook and onshore security policies are reviewed by BV. Vessels are then surveyed to ensure that the documentation they supplied accurately reflects the condition of the hardware installed. 

The notation doesn't require new equipment to be fitted to the ship, but rather it works by mitigating risk through protecting remote access and network connections. This can often be achieved through software updates. 

According to BV, shipowners in Greece have been pioneers in applying the notation, which is now gaining traction across the entire maritime ecosystem with other shipowners, ship managers, charterers, insurers, and offshore operators. By the end of January 2020, BV predicts that more than 100 ships will be operating under the "Cyber Managed" notation.

"We see that shipowners are willing to invest in ensuring they are addressing cyber-risks, and their charterers are increasingly interested as well," said Paillette Palaiologou, vice president for the Hellenic Black Sea & Adriatic Zone, Bureau Veritas. 

"We are seeing interest from insurers as well—and that this notation can be expected to be a factor in the response of underwriters’ assessment of risk."

Categories: Cyber Risk News

US Cybersecurity Firm Founder Admits Funding DDoS Attacks

Tue, 01/21/2020 - 16:28

An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016. 

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can't handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted. 

"In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business," wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston's guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey. 

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be "the new industry standard in DDoS mitigation" and is currently online using an invalid certificate. 

Preston was featured in the 2016 KrebsOnSecurity story "DDoS Mitigation Firm Has History of Hijacks," which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn't own in a bid to protect clients from DDoS attacks. 

Preston will reappear before the court on May 7 for sentencing.

Categories: Cyber Risk News

Scottish Police Deploy Tech That Extracts Data from Locked Smartphones

Tue, 01/21/2020 - 15:44

Police Scotland has announced plans to establish "cyber kiosks" that will allow officers to scan locked smart devices for evidence. 

The 41 new kiosks will be located in police stations across local policing divisions, where they will be operated by over 400 specially trained officers.

Each kiosk is essentially a desktop computer capable of performing data extraction, transfer, and analysis. The extraction devices are manufactured by Israeli company Cellebrite and are used around the world to retrieve data from cell phones, drones, and other types of digital technology.

Police Scotland said the Cellebrite devices will speed up their workflow and get smartphones that are found not to contain any information pertinent to an investigation back into their owners' hands more quickly. 

"The technology allows specially trained officers to triage mobile devices to determine if they contain information that may be of value to a police investigation or incident. This will allow lines of inquiry to be progressed at a much earlier stage and devices that are not relevant to an investigation to be returned quicker," said Police Scotland.

Scottish police purchased the Cellebrite devices two years ago; however, legal concerns over how the technology may impact the public's right to privacy have delayed their deployment. 

The Scottish Human Rights Commission and Privacy International have each said that the legal powers under which Police Scotland will operate the new technology are "not sufficiently clear, foreseeable or accessible."

Privacy International has expressed concerns over "the failure of Police Scotland to carry out impact assessments" in relation to the new technology.

Deputy Chief Constable Malcolm Graham has said that the technology will only be used by the police where there is a "legal basis and where it is necessary, justified and proportionate" to an incident or crime under investigation.

Graham said: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.

"Current limitations however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimize the intrusion on people’s lives and provide a better service to the public."

Categories: Cyber Risk News

Hong Kong Looks to GDPR as it Strengthens Privacy Laws

Tue, 01/21/2020 - 11:35

Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.

Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.

The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.

The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.

The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.

It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.

The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).

Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.

“The government’s current proposal is too narrow, and LegCo now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at Human Rights Watch (HRW).

“Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong.”

HRW also wants to see the definition of personal data under the ordinance broadened, and a distinction to be made between general personal data and sensitive data, with the latter subject to stricter conditions.

It also argued for stronger rights for data subjects over how their data is used: for example, mandating firms to obtain explicit consent before using personal data, and empowering individuals to have data erased if they choose.

Such elements are all key parts of the GDPR. Various parts of the EU regulation can also be found in the new California privacy law, CCPA.

Categories: Cyber Risk News

UK Gov Database Leak Exposes 28 Million Children

Tue, 01/21/2020 - 10:55

The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.

Known as the Learning Record Service, the database stores information on students in England, Wales and Northern Ireland choosing to take post-14 qualifications like GCSEs.

However, according to a report in The Sunday Times, a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.

The third party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GB Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed the privacy watchdog, the ICO.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson told the paper.

The children’s commissioner for England, Anne Longfield, reportedly said she was “very shocked to learn that data has been handed over in this way.”

Although the information used by the betting firms appears to have been limited, given it covers a huge number of children, the incident could well lead to a significant GDPR investigation by the ICO.

“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.

“In all of this, the responsibility sits squarely with the Department for Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight.”

Categories: Cyber Risk News

Zero-Day IE Bug is Being Exploited in the Wild

Tue, 01/21/2020 - 10:06

Both Microsoft and the US government are warning computer users of a critical remote code execution (RCE) vulnerability in Internet Explorer, which is currently being exploited in the wild.

The zero-day bug, CVE-2020-0674, exists in the way the scripting engine handles objects in memory in IE, according to a Microsoft advisory updated over the weekend.

Attackers could send phishing emails to victims, tricking them into visiting a specially crafted website designed to exploit the flaw through IE, Redmond claimed.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” it continued.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability affects IE versions 9, 10 and 11 running on all Windows desktop and server versions, including the no-longer supported Windows 7 and Server 2008.

Despite admitting that the flaw is being exploited in “limited targeted attacks,” Microsoft has yet to release an emergency patch. Instead, it detailed a set of temporary mitigations which revolve around restricting access to JScript.dll, the library that implements the legacy JScript scripting engine used by IE.
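For administrators who applied the interim workaround, a quick way to confirm it is actually in place on a given machine is to inspect the ACL on the affected library. The following PowerShell check is an added example, not code from the Infosecurity article, Microsoft or Mimecast. It assumes, from the author's reading of Microsoft's advisory, that the workaround restricts jscript.dll by adding an Everyone:Deny access control entry; the mitigation and undo commands reproduced in the comments are from memory of that advisory and should be compared against it before use.

```powershell
# Added example (not from the Infosecurity article, Microsoft, or Mimecast).
# Assumption: Microsoft's temporary workaround for CVE-2020-0674 restricts
# access to jscript.dll by adding an Everyone:Deny ACE; this script only
# checks whether such an ACE is present and changes nothing.
#
# Workaround as recalled from the advisory (run elevated; on 64-bit Windows
# repeat for the SysWOW64 copy); verify against the advisory itself:
#   takeown /f %windir%\system32\jscript.dll
#   cacls %windir%\system32\jscript.dll /E /P everyone:N
# Undo once the patch is installed:
#   cacls %windir%\system32\jscript.dll /E /R everyone

function Test-JScriptRestricted {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return $null                      # library not present on this system
    }

    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch [System.UnauthorizedAccessException] {
        # A blanket Everyone:Deny also blocks READ_CONTROL for non-owners, so an
        # unreadable ACL is itself a strong sign the workaround is applied.
        return 'unreadable'
    }

    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.IdentityReference.Value -eq 'Everyone' -or
         $_.IdentityReference.Value -eq 'S-1-1-0')   # well-known SID for Everyone
    }
    return [bool]$deny
}

# Both 64-bit and 32-bit copies matter on 64-bit Windows, because 32-bit IE
# loads the SysWOW64 engine.
$paths = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\SysWOW64\jscript.dll"
}

foreach ($p in $paths) {
    $state = Test-JScriptRestricted -Path $p
    if ($null -eq $state) {
        Write-Output "$p : not present"
    } elseif ($state -eq 'unreadable') {
        Write-Output "$p : ACL not readable (deny ACE likely present; rerun as the file owner or elevated)"
    } elseif ($state) {
        Write-Output "$p : access restricted - workaround applied"
    } else {
        Write-Output "$p : NOT restricted - still exposed until the patch is applied"
    }
}
```

Run it elevated on each machine where the workaround was rolled out; the output is a per-file status only, and the script never modifies the ACL, so it is safe to run from an inventory or compliance job and to rerun after the patch once the deny entry has been removed.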

Carl Wearn, head of e-crime at Mimecast, advised organizations to enforce the use of alternative browsers until the issue is fixed.

“In addition to the threat from this zero-day vulnerability, I would also be wary of using IE at present due to the current resurgence in the use of exploit kits specifically designed to exploit IE vulnerabilities,” he added.

“Ransomware threat actors in particular are currently utilizing exploit kits such as Fallout and Spelevo. While posing no threat to other browsers these exploit kits will likely compromise any Windows machine utilizing Internet Explorer if it visits a compromised website.”

IE versions still have a combined global market share of over 5%, according to the latest figures from December 2019.

Categories: Cyber Risk News

US Could Appoint a Cybersecurity Leader for Each State

Mon, 01/20/2020 - 17:50

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," reads the bill. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

The bill, which has attracted bipartisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by Senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: "This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

Categories: Cyber Risk News

Possessing Ransomware Could Become Illegal in Maryland

Mon, 01/20/2020 - 16:29

Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware. 

A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court. 

The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000. 

The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.

Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders.”

Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."

In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest city, was hit by a ransomware attack that is estimated to have cost around $18m. 

Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.

There's no denying that ransomware is causing problems in the United States. In 2019 alone, this particular strain of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn. 

According to a ransomware report by cybersecurity firm Emsisoft, "the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."

Categories: Cyber Risk News

Mitsubishi Electric Discloses Information Leak

Mon, 01/20/2020 - 15:29

Japanese company Mitsubishi Electric has today disclosed an information leak that occurred over six months ago. 

The century-old electronics and electrical equipment manufacturing firm announced the breach by issuing a brief statement on its website.

An official internal investigation was launched after suspicious activity was observed taking place on June 28, 2019. The company said that upon noting the unusual behavior on the network, measures were immediately taken to restrict external access. 

According to reports, hackers accessed servers and computers at Mitsubishi headquarters and other offices belonging to the company in a large-scale cyber-attack. 

Mitsubishi said: "We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside."

Mitsubishi announced the breach today after it was reported by two newspapers, the Asahi Shimbun and Nikkei. A theory put forward by both local papers is that the attack was initiated by a cyber-espionage group with links to the People's Republic of China. 

While Nikkei reported that hackers swiped 200 MB of information from Mitsubishi, the manufacturer claims that its investigation of the incident uncovered no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused. 

In a statement no doubt intended to reassure Mitsubishi's corporate parents, the company wrote: "As a result of an internal investigation, it has been confirmed that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners has not been leaked." 

When announcing the incident, Mitsubishi didn't explain why it had waited so long after discovering the breach to go public with the news. However, the inclusion of the comment "to date, no damage or impact related to this matter has been confirmed" could imply that the company chose to hold back information until it had a clear idea of what the effects of the breach might be.

Japan's chief cabinet secretary Yoshihide Suga said the government had been informed of the cybersecurity breach and that there was no leak of information related to defense equipment or to the electric power sector.

Categories: Cyber Risk News

€114m in Fines Imposed by Euro Authorities Under GDPR

Mon, 01/20/2020 - 13:01

Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.

Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25, 2018.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. Earlier this year, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Categories: Cyber Risk News