A brand-new, and massive, internet of things (IoT) botnet is poised to bring down the internet. Maybe. Probably.
According to Check Point’s research team, this new baddie, ominously dubbed “Reaper,” is recruiting IoT devices such as IP wireless cameras and DVRs at a far faster rate than the Mirai botnet did in 2016—and it already is estimated to have infected multiple devices in more than a million organizations globally.
The analysts don’t know the intentions of the threat actors behind it, but “with previous botnet DDoS attacks causing widespread, large-scale disruption, it’s likely that an attack is being prepared,” they said.
Any DDoS attack launched from Reaper could be far more devastating than last year's attack on Dyn, the anniversary of which is coming up. In that attack, large portions of the internet were knocked offline. A move from Reaper, on the other hand, could threaten the public IP infrastructure in toto.
"The end of the world may not be nigh but the internet appears to be at severe risk of compromise,” said Lee Munson, security researcher at Comparitech.com, via email. “As information security experts have been warning forever, it seems, a number of internet-connected fridges, kettles and lightbulbs, along with the ever-vulnerable batch of routers and cameras, have all been marked for takeover by a new botnet. That this should be devastating if it comes to pass is hardly a surprise, given how many manufacturers of IoT devices care little for security before selling their shiny new products.”
Any DDoS attack would be “the likes of which have not been seen before,” he said.
But wait, there’s more: It also appears that Reaper is still merely a baby botnet. It continues to grow in the shadows without, as yet, carrying out any attacks. Its authors instead seem consumed with adding as many devices to its ranks as possible.
After first being picked up via Check Point’s global Intrusion Prevention System (IPS) in the last few days of September, activity has snowballed, with the malware evolving “on a daily basis” to exploit vulnerabilities in additional devices from vendors including GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others, the researchers said.
Check Point said in an analysis that it has also become apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves—thus gaining the ability to propagate exponentially. In its own analysis, Qihoo 360 Netlab put a finer point on it: It said that it observed, over the course of a single day, more than two million infected devices waiting to be processed in the C&C servers' queue.
As of this week, approximately 60% of the corporate networks which are part of Check Point’s ThreatCloud global network are expected to be infected.
Interestingly, while some technical aspects initially led researchers to suspect a possible connection to Mirai, the botnet behind the Dyn attack, it turns out that this is an entirely new and more sophisticated campaign.
“The biggest difference between the two is that Mirai tried to connect to devices via telnet, utilising default or weak passwords to take control of devices,” said Tristan Liverpool, director of systems engineering at F5 Networks, via email. “In contrast, the Reaper botnet is looking to use exploits on unpatched devices, to take control of them and add them to the command and control (C&C) platform. This means that it can continue to grow and be harnessed for all kinds of criminal activities.”
As for mitigation, changing default passwords alone is not sufficient to protect against this botnet, since it exploits firmware vulnerabilities rather than weak credentials.
“To stop the propagation of this botnet, all companies and consumers should ensure all their devices are running the latest firmware versions, which will have security patches included,” Liverpool said.
In the meantime, “everyone needs to prepare for the worst, as it is still unknown whether the motive of the perpetrators is chaos, financial gain or to target specific states or brands,” he added. “For organizations to protect themselves, they must identify which information is critical and needs to be available anytime, anywhere. In summary, security can be built around these key areas and a contingency plan must be developed.”
Munson added that the IoT ecosystem must be put on notice. “It is vital that manufacturers do their part in securing the devices of tomorrow before they are allowed to destroy or severely disrupt the internet world they will ultimately be joining,” he said.
The UK’s Office for National Statistics (ONS) has released its crime in England and Wales statistical bulletin, noting a preponderance of cyber-related fraud within its year-long analysis timeframe.
In the year ending June 2017, there were 3.3 million incidents of fraud in England and Wales, according to the Crime Survey for England and Wales (CSEW). The most common type of fraud reported was bank and credit-card fraud, with more than 2.5 million incidents in the period.
Of these, more than half (1.9 million incidents or 57%) were cyber-related, according to the bulletin.
“This level of recorded fraud figures is astounding, and bad news for consumers who often bear the brunt of many direct costs and pains—especially in account takeover and new account fraud,” said Ryan Wilk, vice president at NuData Security. “The increasing volume of attacks globally has also been attributed to more fraudsters willing to commit the crime, more data available on the black market and more financial institutions and merchants that are vulnerable to attacks. It’s incumbent upon companies to secure their customers’ trust by keeping their accounts safe from hackers without hurting their customer experience. They can’t afford to hear their customers say, ‘My account got hacked again.’”
The CSEW also said that of the roughly 1.6 million adults who experienced a computer misuse crime, about two-thirds (67%) were related to computer viruses and malware. The rest involved personal data breaches and various hacking incidents.
“To detect out of character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that they can’t deceive,” Wilk said. “Solutions based on consumer behavior and interactional signals are leading the way to provide more safety for consumers, and less fraud in the marketplace.”
More than half (59%) of Americans think fraud is an inevitable part of shopping online, according to new research from Paysafe—and most are willing to cope with more strenuous security to combat it.
The Lost in Transaction report, based on a survey of 300 businesses and 3,038 general consumers in September 2017 in the UK, Canada and the US, contradicts the widely-held belief that consumers value convenience and experience over security when shopping online. About 58% of consumers in the survey said they are willing to accept any security measures needed to eradicate fraud, while nearly three quarters (71%) said they’re open to the introduction of more secure payment processes, such as two-factor authentication.
In fact, only 12% of American consumers abandon online shopping carts because payment security takes too long. The most significant driver of abandoned carts is hidden transaction fees and delivery charges, cited by 37% of consumers.
Business assumptions do not line up with this attitude: only 39% of US businesses believe their customers would favor tighter security, and two-thirds (67%) think longer verification processes increase their risk of losing customers.
One further key issue highlighted by the report is the trade-off merchants face when balancing risk and revenue generation. Sixty-seven percent of businesses surveyed want to increase customer sign-ups and transaction volumes by reducing risk thresholds for ID verification. But 76% also want to produce more effective verification measures to reduce fraudulent transactions, a potential conflict with their revenue ambitions.
These conflicting views exist even though transactional fraud is a top priority in the boardroom, according to three quarters of businesses (73%). In addition, 47% of merchants say that over 5% of their transactions are fraudulent. In this context, eight out of 10 businesses expect to increase spending on fraud prevention in the next 12 to 24 months, typically by at least 11%.
“For years, consumers have had to overcome the apprehension that businesses know too much about them—from shoe sizes to food preferences,” said Todd Linden, CEO of Paysafe Payment Processing, North America. “But as the payment world evolves, it is this knowledge that will make individuals more secure. The evolution of big data will make payments smarter and easier and help to redress the balance between security and convenience. Big data will be the ultimate key to tightening up security at POS, online and in brick and mortar environments.”
Another way in which businesses intend to tackle fraud is by reducing their dependence on traditional payment methods. 45% of American businesses would like to see a decline in payment by check, with debit cards and credit cards not far behind. The susceptibility of these payment methods to fraud is a significant factor, with credit cards being ranked as the most vulnerable to fraud by 65% of respondents, followed by checks (47%) and then debit cards (40%). This is an area where consumer and business views align—nearly a third of consumers have experienced credit-card fraud in the last year, with almost one in four receiving no reimbursement.
In tandem with that, nearly a third of businesses said they are likely to introduce voice-activated systems like Alexa within two years, while nearly one in five favor some form of biometric payment and a quarter are looking to introduce cryptocurrencies. This is on top of the 23% who are planning to introduce mobile wallets. Consumer behavior is also helping to drive these changes, with nearly a third (31%) adopting mobile wallets; one in four having used biometric and voice activated systems and 14% already using cryptocurrencies for payments.
The FBI has requested that US victims of DDoS attacks share the details of the experience, regardless of the scale of attack or financial impact to the organization.
According to its statement, victims will be asked to share descriptions of losses incurred through the attack, as well as the traffic protocol and IP addresses used by the attack and “any extortion/threats pertaining to the DDoS attack.”
The alert noted that DDoS “for hire” services, also known as booters or stressers, are considered a crime if they are used against a website without the owner’s permission.
“These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency,” the alert said.
“Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic.”
The FBI has requested that DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident.
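The alert asks victims for the traffic protocol and the IP addresses used, together with the time window and the losses incurred. As an added example (not part of the FBI alert or of this article), here is a small Python script that turns a flow export into exactly those fields and flags reflection traffic by its UDP source port, which is the kind of evidence a field office or a service provider can act on. The flow format, the field names and the sample records are constructed; the addresses come from the RFC 5737 documentation ranges, so none of them belongs to a real attacker or victim.

```python
"""Summarize flow records from a suspected DDoS into the fields the FBI
alert asks victims to report: time window, target, protocols, source IPs
and volume. The input format and the sample below are constructed for
this example; real exporters (NetFlow/IPFIX, cloud flow logs) differ."""
import json
from collections import Counter
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample flow export (timestamp, src, sport, dst, dport, proto, bytes, pkts).
# All addresses are from RFC 5737 documentation ranges; nothing here is a real attacker.
SAMPLE_FLOWS = """\
2017-10-20T14:03:11Z,203.0.113.5,53,198.51.100.10,40112,UDP,1460000,1000
2017-10-20T14:03:11Z,203.0.113.6,53,198.51.100.10,40113,UDP,1460000,1000
2017-10-20T14:03:12Z,203.0.113.7,123,198.51.100.10,40114,UDP,468000,1000
2017-10-20T14:03:12Z,192.0.2.44,51522,198.51.100.10,443,TCP,120000,2000
2017-10-20T14:03:13Z,192.0.2.45,51523,198.51.100.10,443,TCP,120000,2000
2017-10-20T14:03:14Z,203.0.113.5,53,198.51.100.10,40115,UDP,1460000,1000
2017-10-20T14:03:20Z,192.0.2.99,44321,198.51.100.10,443,TCP,6000,4
"""

# UDP source ports typical of reflection/amplification floods. A victim sees the
# reflector's address here, not the attacker's, which matters when reporting IPs.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV-style export into typed records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": str(ip_address(src)),  # raises on malformed addresses
            "sport": int(sport),
            "dst": str(ip_address(dst)),
            "dport": int(dport),
            "proto": proto.upper(),
            "bytes": int(nbytes),
            "pkts": int(pkts),
        })
    return flows


def summarize_attack(flows: List[dict], top_n: int = 5) -> Dict:
    """Aggregate flows into the fields requested in the alert."""
    by_proto: Counter = Counter()
    by_src: Counter = Counter()
    reflection: Counter = Counter()
    for f in flows:
        by_proto[f["proto"]] += f["bytes"]
        by_src[f["src"]] += f["bytes"]
        if f["proto"] == "UDP" and f["sport"] in REFLECTION_PORTS:
            reflection[REFLECTION_PORTS[f["sport"]]] += f["bytes"]
    total = sum(by_proto.values())
    start = min(f["ts"] for f in flows)
    end = max(f["ts"] for f in flows)
    return {
        "window_utc": (start.isoformat(), end.isoformat()),
        "target": Counter(f["dst"] for f in flows).most_common(1)[0][0],
        "total_bytes": total,
        # share of bytes per protocol, largest first
        "protocols": {p: round(100 * b / total, 1) for p, b in by_proto.most_common()},
        "top_sources": [ip for ip, _ in by_src.most_common(top_n)],
        "distinct_sources": len(by_src),
        # bytes attributable to each reflection service (spoofed-source attacks)
        "reflection_services": dict(reflection),
    }


def report(text: str = SAMPLE_FLOWS) -> Dict:
    """Convenience wrapper: parse and summarize in one call."""
    return summarize_attack(parse_flows(text))


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

The reflection check is the caveat worth keeping in mind when handing over source addresses: in a DNS or NTP amplification flood the IPs in the flow data are open resolvers and time servers, not the machines that sent the spoofed requests, so the report should say which sources are reflectors rather than presenting them as the attacker.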
In May, the FBI was asked by the Federal Communications Commission to investigate a DDoS on its website, which was rumored to be linked to the satirical news program "Last Week Tonight", after host John Oliver encouraged viewers to flood the page with visits and comments after an article on net neutrality.
Kirill Kasavchenko, principal security technologist, EMEA at Arbor Networks, told Infosecurity: "It is good to see that the FBI is encouraging DDoS victims to preserve and share collected evidence in available formats. The collected evidence in most cases is enough to make a firm judgment on whether the incident was a result of an internal problem with hardware or software, a result of an external problem, e.g. a service provider outage, or a real DDoS attack. In the latter case, providing this evidence not only allows law enforcement agencies to understand attack profiles and provide recommendations about improving defenses, but also, to some extent, it allows authorities to trace back infrastructure used by threat actors."
“We fully support recommendations to never pay demanded ransoms and we have always been advocating against paying extortionists. Once a victim pays, there are absolutely no guarantees they will not be threatened again; however, it is very likely that the ransom will be invested in attacking infrastructure and new capabilities that at the end of the day will target a broader range of victims with new threats.”
In a letter to then FBI acting director Andrew McCabe, five senators asked that the FBI “prioritize this matter and investigate the source of this attack” as “any cyberattack on a federal network is very serious”, closing with “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC's rulemaking proceedings”.
A new CBI report into emerging technologies has revealed that artificial intelligence (AI), blockchain and the Internet of Things (IoT) will become mainstream business components over the next five years.
In Disrupting the Future, the CBI outlines how firms and the government must pave the way for the adoption of cutting-edge technologies, whilst also highlighting the barriers that must be overcome to do so.
With regard to AI, half of businesses believed this technology would soon fundamentally transform their sector. However, only a third of organizations said their company had the skills and capabilities needed to adopt AI technologies. As a result, the CBI today called on the government to establish a joint commission to examine the impact of AI on people and jobs, with plans for action that will raise productivity, spread prosperity and create new economic growth.
Further, the CBI claimed that the principal concern for businesses looking to adopt the IoT is the security and privacy of devices, urging the government to pass the Data Protection Bill so companies have ample time to prepare for the General Data Protection Regulation, which sets a clear framework for safeguarding the data generated by IoT devices.
Lastly, with blockchain technologies gaining popularity and continuing to span different sectors, there is a need for regulatory co-ordination at both domestic and international level to avoid fragmentation and encourage industry collaboration, the CBI said. Therefore, regulators must work closely with the different industry consortia and the Financial Conduct Authority (FCA) to share best practice and learnings.
“Much is made of new technologies and how they will impact companies in 10 or 20 years, but these are no longer ideas on the fringes and are shifting rapidly into the business mainstream,” said Josh Hardie, CBI deputy director-general. “The UK must lead the way in adopting these technologies but we must also prepare for their impacts.”
Businesses that invest and innovate tend to grow quicker and get the best out of their workforce, he added, but while these technologies are in action now, regulatory hurdles, security concerns and the issue of finding people with the right skills mean that many firms are slow to adopt.
“It’s up to business, government and employee groups to make sure the UK economy leads from the front.”
Matt Hancock MP welcomed the report from the CBI.
“Alongside our independent review into Artificial Intelligence last week, our ambitions are aligned on the need to embrace the opportunities of the digital revolution,” he explained. “In our manifesto, we committed to establishing a data use and ethics body which would work with industry to answer some of the vital questions on the impact of big data and artificial intelligence, and so create the right conditions for digital businesses to thrive.”
Most CISOs feel that IT security is hindering productivity and innovation across the enterprise.
Research from Bromium, based on a survey of 500 CISOs from large enterprises in the US (200), UK (200) and Germany (100), has found that most security teams utilize a ‘prohibition approach’—i.e. restricting user access to websites and applications.
In fact, 88% of enterprises prohibit users from using websites and applications due to security concerns; and 94% have invested in web proxy services to restrict what users can and can’t access.
Unfortunately, these restrictions negatively impact user experience, according to respondents: About three-quarters (74%) of CISOs said users have expressed frustration that security is preventing them from doing their job, and 81% said that users see security as a hurdle to innovation.
The findings also indicate that security could impact customer relationships and brand identity, as CISOs report that they get complaints at least twice a week that work has been held up by over-zealous security tools. Across the respondents, IT help desks are spending an average of 572 hours a year responding to user requests and complaints regarding access to websites.
All this frustration is creating an uneasy relationship between IT, security and the user. About three-quarters (77%) of CISOs said they feel stuck in a catch-22, caught between letting people work freely and keeping the enterprise safe. A further 71% said that they are being made to feel like the bad guys, because they have to say ‘no’ to users requesting access to restricted content.
“At a time when competition is fierce, the risk of falling behind and being less productive is as big a risk to an enterprise as cyber-attacks,” said Ian Pratt, president and co-founder of Bromium. “Security has to enable innovation by design, not act as a barrier to progress. Sadly, traditional approaches to security are leading to frustrated users, unhappy CISOs and strained relationships between workers and IT departments—all of which stifles business development, innovation and growth.”
When it comes to software vulnerability (CVE) disclosure, the US lags China on turnaround time.
Recorded Future, which had previously uncovered unexpectedly large gaps between public disclosure of a vulnerability and its inclusion in the US National Vulnerability Database (NVD), found that on any given day, there’s more current information about software vulnerabilities on China’s National Vulnerability Database (CNNVD) than on NVD. On average, the gap between first disclosure of an issue and its availability on CNNVD is around 13 days. On NVD, the average delay is 33 days.
To arrive at the findings, Recorded Future examined how many days after initial web disclosure NVD and CNNVD waited to report the 17,940 vulnerabilities first publicly disclosed and then incorporated by both systems between September 13, 2015 and September 13, 2017 (initial web disclosure includes any mention of the vulnerability on the web).
Because averages can be dominated by a small set of vulnerabilities with long delays, Recorded Future looked at the data based on percentiles as well. Within six days of initial disclosure, 75% of all vulnerabilities published on the web are covered in CNNVD. The US NVD takes 20 days. Further, CNNVD captures 90% of all vulnerabilities within 18 days. The NVD takes 92.
There are two classes of vulnerability disclosure: Coordinated and uncoordinated. In some cases, a vendor clearly coordinates the announcement of the vulnerability, and it is simultaneously publicly disclosed and reported in NVD. In these cases, CNNVD trails NVD by a median of one day. When the vendor doesn’t tightly coordinate with NVD, it takes NVD 38 days to report on 75% of published vulnerabilities and 125 days to cover 90%. For CNNVD in these cases it takes seven days to report on 75% and 23 days to report on 90%.
As for the reason for the delays, Recorded Future explained that NVD waits for voluntary submissions of information; it reports and analyzes vulnerabilities only after they are published in MITRE’s CVE Dictionary, which relies on voluntary submissions from the vendors and CVE Numbering Authorities (CNAs) associated with the vulnerabilities. If the CVE is not published in the CVE Dictionary, it is neither included in NVD nor available to companies relying on NVD for vulnerability awareness.
China on the other hand has prioritized timely disclosure by using extensive sources of vulnerability information across the web rather than relying on voluntary industry submissions—it reports all available vulnerabilities.
“The end result is that there is no US government ‘comprehensive cybersecurity vulnerability database,’” explained the firm. “Black-hat hackers who monitor the CNNVD could benefit from its more complete collection as they are looking for new exploits to target. US security teams should have access to a similar resource.”
A full quarter (25%) of email claiming to be from federal agencies is either fraudulent or otherwise unauthenticated, analysis has revealed.
In the wake of the US Department of Homeland Security mandating a move to DMARC for email security, Agari has been conducting research into federal adoption rates across 1,300 domains and the volume of fraudulent email for more than 400 federal customers.
When fully implemented, DMARC (short for Domain-based Message Authentication, Reporting & Conformance) virtually eliminates deceptive emails that impersonate an agency domain. The DHS said that agencies will have 90 days to move to the lowest level of the scheme (monitoring, or p=none, which only reports on messages that fail authentication) and one year to implement the highest level (p=reject, which instructs receiving mail servers to refuse messages that fail authentication).
However, Agari said that so far, only 9% of domains have implemented the authentication standard with a policy that blocks inauthentic emails, and nearly 82% of federal domains lack DMARC entirely.
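To make the three levels concrete, here is an added example, not code from the original article or from Agari or DHS, that classifies DMARC TXT records into the buckets such a survey uses: no record, monitoring only, quarantine, reject, or a malformed record. The domain names and records are constructed; a real survey would fetch the TXT record at _dmarc.<domain> over DNS. It also handles one caveat the article does not mention: a p=reject record with pct=0 applies the policy to none of the mail, so it is counted as monitoring here.

```python
"""Classify DMARC records by enforcement level. Record syntax follows
RFC 7489 (tag=value pairs separated by ';', first tag must be v=DMARC1).
The sample records below are constructed and stand in for DNS lookups."""
from typing import Dict, Optional, Tuple

# Constructed sample: domain -> TXT record published at _dmarc.<domain>
# (None means no record exists). None of these are real agency domains.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov",
    "agency-c.example.gov": None,
    "agency-d.example.gov": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "agency-e.example.gov": "v=DMARC1; p=reject; pct=0",  # reject on paper, applied to 0% of mail
    "agency-f.example.gov": "v=spf1 include:_spf.example.gov -all",  # SPF syntax, not a DMARC record
}

LEVELS = ("missing", "invalid", "monitor", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tags. Returns {} when the
    record is not a DMARC record (first tag must be v=DMARC1)."""
    first = record.split(";", 1)[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1":
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}  # malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> str:
    """Map a record (or its absence) to one of LEVELS."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # no usable p= tag
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    except ValueError:
        pct = 100
    if policy == "none" or pct == 0:
        return "monitor"  # an enforcement policy applied to 0% of mail enforces nothing
    return policy


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, Tuple[int, float]]:
    """Count domains per level and return (count, percent) for each."""
    counts = {level: 0 for level in LEVELS}
    for rec in records.values():
        counts[classify(rec)] += 1
    total = len(records)
    return {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}


def blocking_share(records: Dict[str, Optional[str]]) -> float:
    """Percent of domains whose policy actually diverts or rejects failing mail."""
    blocking = sum(1 for rec in records.values() if classify(rec) in ("quarantine", "reject"))
    return round(100 * blocking / len(records), 1)


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
    print("blocking:", blocking_share(SAMPLE_RECORDS), "%")
```

The pct check is the practical point: a domain can look fully deployed in a naive survey that only reads the p= tag while still delivering every spoofed message, so any adoption figure should be computed on the effective policy.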
Among the 400 government domains protected by Agari, cyber-criminals targeted 90% of them with deceptive emails that appear to come from a federal agency between April and October 2017. Of the 336.4 million emails appearing to be sent from these domains during that period, 85.6 million (25.4%) were fraudulent or otherwise failed authentication.
DMARC has been shown to make good on its goals: In one use case cited by Agari, DMARC prevented delivery of more than 100 million fraudulent email messages in 24 hours.
“DMARC has proven incredibly effective at combating phishing across billions of emails daily,” said Patrick Peterson, founder and executive chairman of Agari. “This DHS directive is an important step to protect our government, businesses and citizenry from cybercrime.”
Security and privacy products are the leading category in software products sold online, accounting for over 30% of online sales.
According to statistics from the H1 2017 benchmark report on Digital Commerce Trends in Software & Online Services Sales from 2Checkout (formerly Avangate), subscription-based software solutions, downloadable or as a service, maintain a strong upward trend.
Mark James, security specialist at ESET, told Infosecurity that a few factors will keep driving online sales of security products up. Ransomware is a scary thought for a lot of people, not just businesses: in a business it is often perceived as someone else’s problem to resolve (the tech team’s), but consumers understand that some things simply cannot be replaced.
“What at one time was perceived as a fairly safe haven for memories and private information, the home network is now a very low hanging fruit for opportunistic ransomware, and as security companies and law enforcement get better at shutting down servers and networks then the likelihood of you getting decryption keys gets less and less,” he said.
“People are understanding now that options are out there that will enable them to drastically reduce their chance of being infected and enable them to recover if they do end up a victim. Put that alongside the huge high profile data breaches we see daily, we have to protect against others using our credentials.”
The news of an increase comes after yesterday’s PwC Global State of Information Security Survey, which revealed that UK businesses have reduced cybersecurity budgets by more than a third, from £6.2m last year to £3.9m this year.
Tyler Reguly, manager of security research and development at Tripwire, said: “The interesting thing here is the contrast created between these two reports that should scare a lot of people. While individuals are investing in security and privacy products, likely spurred on by the ever-increasing news of breaches and data loss, enterprises are reining in their spending. We’re at a point where consumers feel that their data is in a more precarious state than ever before yet the companies entrusted with this data are doing less to protect it.”
Professor Giovanni Vigna, Co-founder and CTO of Lastline, said that reducing investments in cybersecurity is dangerous as security threats continuously evolve, and need to be matched by innovative approaches that can address the latest attack techniques.
Tim Helming, director of product management at DomainTools, added: “The fact that cybersecurity budgets have been slashed in the UK is somewhat baffling. All of the indications suggest that cybercrime of all forms is likely to grow in magnitude and severity in the coming years, so to make the decision to reduce a security department’s capacity to respond appropriately to these increased threats seems counterproductive.”
The European Commission has reiterated its opposition to calls made by member states including the UK to undermine encryption via backdoors, with new proposals designed instead to encourage sharing of decryption expertise across the region.
In an update designed to reassure citizens that the EU executive is taking terrorism seriously, it detailed the following new strategy:
“Support law enforcement and judicial authorities when they encounter encryption in criminal investigations, without weakening encryption at a more general level or affecting a large or indiscriminate number of people: The Commission is today proposing technical support measures, a new toolbox of techniques, and training, and proposes setting up a network of points of expertise.”
Specifically, the initiative will see: more support given to help Europol advance its decryption capability; the creation of a “network of centres of encryption expertise”; extra training for law enforcement; a “toolbox for legal and technical instruments”; an “observatory for legal and technical developments”; and structured dialog with industry and civil society organisations.
It’s an unusual step given that it’s unlikely any police are able to crack the strong encryption present on devices like the iPhone and services including WhatsApp, iMessage and Telegram. It’s even less likely that law enforcers in one country would be prepared to share their encryption-cracking expertise with others.
There’s also no mention here of reports in March that the European Commission was planning to offer comms providers “three or four options” to force them to make available the communications of suspects to police.
One option would be to allow police to hack suspects’ devices directly. Such a plan is apparently being readied by the German government.
This is in stark contrast, of course, to the UK, which has granted its authorities some of the most sweeping surveillance powers in the world. UK police and intelligence services can conduct bulk hacking covering large swathes of the population, even without suspicion of wrongdoing.
Privacy International is currently challenging these “bulk/thematic hacking” powers.
“What we’re doing today is trying to move beyond a sometimes slightly sterile debate of backdoors versus no backdoors, to address some of the concrete practical challenges that law enforcement faces,” EU security commissioner, Julian King claimed in a press conference.
“For example, when they seize a device, how do they get the information and exploit the information that might be encrypted on that device?”
Domino’s Australia is blaming a former supplier for a potential leak of customer information which ended up being used in spam emails.
The company said it has contacted the Australian Information Commissioner and confirmed that its own systems are secure.
A note from group CEO, Don Meij, had the following:
“Over the course of the last couple of weeks a number of our customers have reported that they have received unsolicited (or ‘spam’) emails from unknown third parties. Customers are being directly addressed by their first name and are being asked to confirm the suburb that they live in.
"This is the type of information that is contained in an online rating system managed by a former supplier, which suggests this may have been the source of the information. We are continuing to investigate this.”
The firm explained that the information potentially leaked by this third party did not include financial information but most likely did feature: Domino’s store name, customer order name and customer email address.
It’s most likely that the scammers are looking to harvest more information via phishing emails to sell online or use to commit identity fraud.
Domino’s urged users not to click on links or open attachments in such unsolicited emails, to delete without replying and to ensure anti-malware protection is up to date.
“Fraudsters can readily correlate their location, email addresses and names with other information that’s either already publicly available or available from previous breaches, for phishing attacks etc. to support viable identity theft for credit accounts, personal loans, etc,” NuData Security director, Lisa Baergen, warned.
“This is why advanced, integrated multi-layered authentication solutions incorporating passive behavioral biometrics are being increasingly adopted by top banks and payment processors, major merchants, and others.”
Cybercrime in the UK appears to have dropped in recent months, with 1.9 million incidents of online fraud and 1.6 million incidents of 'computer misuse' recorded by the Office of National Statistics for the year ending June 2017.
The statistics bureau claimed that over half (57%) of the reported fraud during the period was cyber-related.
Overall, “bank and credit account fraud” was the most common type, accounting for 2.5 million incidents or 75% of total fraud.
This was followed by “consumer and retail fraud” including online shopping or IT helpdesk scams, accounting for 0.7 million incidents or 22% of the total.
When it comes to computer misuse, 1.1 million incidents (67%) were malware related and a third (0.5 million) were related to unauthorized access to personal information.
The stats can be seen in context of the last major update from the ONS for the year ending September 2016, when it revealed 1.97 million cybercrime incidents and just over 1.9 million online fraud incidents.
However, there were the usual caveats. Although fraud and computer misuse estimates have been incorporated within headline ONS estimates since the year ending September 2016, they are based on so-called 'Experimental Statistics'.
This means the stats are still in a testing phase and are not yet fully developed, meaning there could be inaccuracies.
The ONS also had this to say:
“There are concerns about the quality of recording – crimes may not be recorded consistently across police forces and so the true level of recorded crime may be understated.”
That said, the fall in cybercrime was welcomed by industry experts.
“To continue to drive down cases of cybercrime and its wider effects, businesses can’t rely on government initiatives alone,” argued SailPoint CEO Mark McClain.
“Companies must take proactive steps to mitigate threats by developing a user-focused defense strategy focused on managing user identities and protecting personally identifiable information. This approach will ensure there is complete visibility across entire systems, making it easier to locate potential vulnerabilities and protect from the debilitating effects of data breaches and leaks.”
Organizations want non-security functions like IT operations, risk management and compliance to get more involved in cybersecurity, research has revealed.
A Tripwire survey of 315 IT security professionals at companies with over 100 employees conducted by Dimensional Research found that respondents were unanimous in believing that soft skills are important when hiring for their security teams.
The three most important soft-skill attributes cited were: Analytical thinker (selected by 65%); good communicator (60%); and troubleshooter (59%). Tied for fourth place were “strong integrity and ethical behavior” and “ability to work under pressure,” both selected by 58% of participants.
“The cybersecurity industry should not overlook the soft skills that are needed to build a strong security program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “The reality is that today’s security pros need to go beyond technical expertise. Security practitioners need to be good communicators who can connect cybersecurity issues to business priorities, rally the rest of the organization to get involved, solve tough problems and handle sensitive issues with integrity.”
Respondents were also asked if the need for soft skills has changed over the last two years, and 72% said the need had increased. A fifth (21%) said that soft skills are actually more important than technical skills when hiring staff—a notable statistic in light of the fact that 17% said they expect to hire people without security-specific expertise over the next two years.
In addition, nearly all respondents (98%) believe non-security functions need to be more involved in cybersecurity in the future. Of those, 74% said IT operations needs to be more involved, 60% said risk management, 53% said compliance and 45% said legal needs to be brought into the fold. Other mentions included human resources (32%) and marketing (11%).
“With security-related regulations like GDPR on the rise, it’s unsurprising that respondents expect their legal and compliance teams to get more involved in cybersecurity,” said Erlin. “It’s become increasingly apparent that security is a shared responsibility, even for those without any technical cybersecurity experience. Employees from other functions can partner with their security teams to help them look at issues from different perspectives, help further the broader organization’s understanding of cybersecurity, and help enforce best security practices across the organization.”
British intelligence agency Government Communications Headquarters (GCHQ) may have been collecting mass amounts of social-media data on millions of UK residents for decades—and sharing it with foreign intelligence and other law enforcement agencies.
Privacy International (PI), a privacy watchdog, claims to have documents that show that the spy agency collected and continues to access social-media information from private companies’ databases. It also has mounted litigation to expose the practice, challenging the right of the UK government to have such access.
PI said that it has obtained letters that confirm that “inappropriate and uncontrolled/uncontrollable sharing with industry third parties” is ongoing, without any proper oversight. It also alleges that government contractors have system access rights which could allow them to enter an agency’s system, extract data and then cover their tracks.
“It remains unclear exactly what aspects of our communications they hold and what other types of information the government agencies are collecting, beyond the broad unspecific categories previously identified, such as ‘biographical details’, ‘commercial and financial activities’, ‘communications’, ‘travel data’, and ‘legally privileged communications’,” PI added.
"This is the first time on record we know bulk personal data sets contain social media data and sensitive medical records," Millie Graham Wood, a solicitor at PI, told the International Business Times. "To know they have large-scale social media data on an untargeted basis is pretty shocking. We don't know how long it's been going on for, or whether it's shared with foreign governments, industry and other departments like HMRC [Revenue and Customs]. If you think about how sensitive social media data are, it's so dangerous if there is no oversight."
PI also said that the Investigatory Powers Commissioner was unaware of the collection activities until PI brought it to light in the lawsuit, and that it has sought immediate inspection.
"We have just started our audit process and will continue to do a series of inspections on whether [intelligence agencies'] practices are lawful or not," an IPCO spokesperson told the IBT.
As for the validity of the accusations, Lee Munson, security researcher at Comparitech.com, said that they seem feasible.
"If GCHQ has collected a massive amount of information on every man, woman and child in the United Kingdom I do not think anyone can really be surprised,” he said, via email. “After all, we have known for many years that former Home Secretary, and now Prime Minister, Theresa May was keen for the security services to have access to as much data as possible, via the Investigatory Powers Act 2016.”
That act, aka the “Snoopers Charter”, has been highly controversial. It requires service providers to store the browsing history of the entire populace—as well as their emails, phone call and text records—for a year. These can then be handed over to the authorities for analysis at will. It also gives the government broad powers to read communications and listen in on calls without requiring suspicion of criminal activity, and it authorizes bulk personal datasets, allowing agencies to acquire mass databases held by public or private sector bodies that could contain highly personal details on things like religion, ethnic origin, sexuality, political leanings and health problems.
“The fact that the legislation explicitly mentions bulk communications data acquisition would, I suspect, make any collection of social media, financial or health data at this time quite legal, even without any kind of court warrant being required,” Munson added. “Of course, the legality of any such bulk data swipes prior to 2016 are questionable, as is the collection of information from private databases, if true, but the fact remains that GCHQ almost certainly has far more information at its fingertips than many people realize.”
Social networking sites, especially, are a goldmine.
“The moral of this story is for people to think twice about the information they share willingly with their actual or virtual friends online because, one day, whether or not they have something to hide will be irrelevant as they will have voluntarily given up all of their privacy rights anyway,” Munson said.
This is of course not the first time a government has been found collecting social media data and other information on its citizens. Famously, Edward Snowden revealed the extent to which the NSA surreptitiously gathered information on US citizens.
Contrary to security best practices, most employees are seeking out, and finding, information that is irrelevant to their jobs.
According to a global survey of more than 900 IT security professionals from One Identity, 92% of respondents reported that they have caught their employees attempting to access information they don’t need for their day-to-day work—and nearly one in four (23%) admitted this behavior happens frequently.
This is also a case of physician, heal thyself: Nearly two in three (66%) IT security professionals admit they have specifically sought out or accessed company information they didn’t need. IT security executives are the guiltiest by level: 71% of executives admit to seeking out extraneous information, compared to 56% of non-manager-level IT security team members. Additionally, 45% of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17% of non-manager team members.
It all adds up to a major “snooping” problem among today’s workforce.
The survey, conducted by Dimensional Research, found that the transgressions among IT pros include the abuse of elevated rights attributed to the IT security role. These are used to access a range of sensitive information, but company performance information especially is a hot commodity: More than one in three (36%) of IT pros admit to looking for or accessing sensitive information about their company’s performance beyond what their jobs require.
“While insider threats tend to be non-malicious in intent, our research depicts a widespread, intrusive meddling from employees when it comes to information that falls outside their responsibility—and it could be that meddling that ends up putting their employers in hot water,” said John Milburn, president and general manager of One Identity.
The survey also found that the smaller the company, the bigger the snoop: 38% of IT security professionals at companies with 500-2,000 employees admit to looking for or accessing sensitive performance data, versus 29% of professionals at companies with more than 5,000 employees.
Also, workers in technology companies are the most likely to go on a sensitive information hunt: About 44% of respondents working for technology companies admit to searching for sensitive company performance information, compared to 36% in financial services, 31% in manufacturing and just 21% in healthcare.
“Without proper governance of access permissions and rights, organizations give employees free rein to move about the enterprise and access sensitive information like financial performance data, confidential customer documentation or a CEO’s personal files,” Milburn added. “If that information winds up in the wrong hands, corporate data loss, customer data exposure or compliance violations are possible risks that could result in irreversible damage to the business’s reputation or financial standing.”
Nearly a third (30%) of UK business leaders have never heard of the GDPR, although those that are aware of the new regulation seem to be progressing well on compliance, according to new research from the Institute of Directors (IoD).
The study of nearly 900 IoD members also revealed that 40% didn’t know if the GDPR would affect their business, which is concerning considering the new data protection law will touch almost every public and private sector organization in Europe and beyond.
Half of those surveyed said they haven’t yet discussed GDPR compliance arrangements with partners or vendors with whom they share data; a potentially serious oversight in light of the fact that third parties are often an organization’s weakest link when it comes to data protection.
However, of those that understand the regulation, two-thirds (66%) said they are either “very” or “somewhat” confident they fully understand how it will affect the running of their business.
Plus, 86% claimed they are “very” or “somewhat” confident of being fully compliant by the May 25 2018 deadline.
IoD head of external affairs, Jamie Kerr, claimed firms have clearly not got the message on GDPR compliance despite the potentially huge cost of non-compliance: fines of up to £17m or 4% of global annual turnover, whichever is higher.
He urged the government and ICO to step up outreach efforts and simplify the message on how to comply.
“It is crucial everyone understands just how big this regulatory change will be for business leaders over the next few months,” he added.
“GDPR also comes hot on the heels of a number of big regulatory shifts for business over the past few years. We should also not forget the potential of extensive preparations that will be needed as we depart from the EU. Taken altogether, it’s not the easiest time to do business in the UK.”
Phil Becket, managing director of IT forensics firm Alvarez & Marsal, argued that being able to prepare for and detect cyber-attacks will be key to staying compliant with the GDPR.
“Complacency is no longer an excuse for firms; they need to know what they’re doing with consumer data, or face the consequences. Hackers are persistent and creative, and more often than not they are able to get into systems with ease – just look at the recent breaches seen in the news,” he added.
“Combined with stricter rules and harsher punishments for lax security, firms need to be on the front foot and ignorance is certainly not the right approach.”
Researchers have found a serious vulnerability in a commonly used cryptographic library, compromising the security of potentially millions of RSA encryption keys used to protect a wide range of laptops, smart cards and embedded devices.
'ROCA' (Return of Coppersmith’s Attack) was revealed this week by researchers from the Czech Republic, UK and Italy.
The newly discovered vulnerability (CVE-2017-15361) was found in the implementation of RSA keypair generation in a cryptographic library used in chips produced by Infineon Technologies, featuring the Trusted Platform Module (TPM) microcontroller.
Unfortunately, it’s in a wide range of products dating back as far as 2012.
A detailed note explaining the attack had the following:
“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does NOT depend on a weak or a faulty random number generator – all RSA keys generated by a vulnerable chip are impacted. The attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys.”
The bug makes it possible for attackers to use a targeted public RSA key to compute the private part of that key, known as a 'practical factorization attack'.
With the private key, they could decrypt sensitive messages, impersonate the legitimate key owner, forge signatures and other related attacks.
The good news is that, thanks to the eight-month disclosure period agreed with German chipmaker Infineon, many vendors including Fujitsu, Google, Microsoft, HP and Lenovo have had time to release updates and guidelines for mitigation.
However, the vulnerable keys are embedded in a wide range of products, from electronic citizen documents to authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.
Around 760,000 vulnerable keys have been found so far but the researchers warned that “up to two to three magnitudes more” could be at risk.
The researchers urged organizations to first test to see if they are affected and then contact the affected vendor for help, applying a patch if there’s one available.
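The advisory above says testing comes first. The following is an added example, not the researchers' published checker, showing the idea behind the fingerprint described in their paper: primes from the affected generator have the form k*M + (65537^a mod M), where M is the product of the first 39 primes, so the modulus N = p*q reduced modulo each of those small primes always falls inside the multiplicative subgroup generated by 65537. A modulus produced by an ordinary generator fails at least one of the 39 residue checks with overwhelming probability. The toy key generator here only reproduces that prime shape so the check has something to flag; it performs no factorization. The prime list, the seed and the "clean" modulus built from two Mersenne primes are constructed for the demonstration.

```python
"""Added example (not the ROCA researchers' checker): fingerprint an RSA modulus
for the residue structure of keys from the affected generator."""
import random

PUBLIC_EXPONENT = 65537  # generator constant behind the affected prime shape


def first_primes(count):
    """Return the first `count` primes; the fingerprint uses the first 39 (2..167)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


FINGERPRINT_PRIMES = first_primes(39)


def generated_subgroup(g, p):
    """Residues {g^k mod p}: the multiplicative subgroup of Z_p^* generated by g."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return seen


SUBGROUPS = {p: generated_subgroup(PUBLIC_EXPONENT % p, p) for p in FINGERPRINT_PRIMES}


def roca_fingerprint(n):
    """True when n mod p lies in the 65537-generated subgroup for every small p.
    Only the public modulus is needed, which is why the check can be run over a
    whole key inventory (TLS, PGP, smart-card certificates) without any secrets."""
    return all(n % p in SUBGROUPS[p] for p in FINGERPRINT_PRIMES)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with `rounds` random bases (enough for a demonstration)."""
    if n < 2:
        return False
    for p in FINGERPRINT_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def structured_prime(bits, m, rng):
    """Toy prime with the affected shape k*M + 65537^a mod M (demo only)."""
    k_bits = bits - m.bit_length()
    while True:
        a = rng.getrandbits(64)
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        candidate = k * m + pow(PUBLIC_EXPONENT, a, m)
        if is_probable_prime(candidate, rng):
            return candidate


def toy_vulnerable_modulus(bits=1024, seed=2017):
    """Deterministic demo modulus built from two structured primes (constructed)."""
    rng = random.Random(seed)
    m = 1
    for p in FINGERPRINT_PRIMES:
        m *= p
    p = structured_prime(bits // 2, m, rng)
    q = structured_prime(bits // 2, m, rng)
    return p * q


if __name__ == "__main__":
    demo = toy_vulnerable_modulus()
    print("structured demo modulus flagged:", roca_fingerprint(demo))
    # Product of two Mersenne primes: a modulus with no such structure (constructed).
    clean = (2**31 - 1) * (2**61 - 1)
    print("unstructured modulus flagged:", roca_fingerprint(clean))
```

In practice the modulus is read out of the certificate or public key file and passed to roca_fingerprint; a match means the key must be replaced with one generated elsewhere, since patching the firmware does not repair keys that already exist.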
UK organizations are unprepared for cyber-attacks, lack visibility into threats and aren’t doing enough to collaborate internally and externally, according to PwC.
The professional services giant’s Global State of Information Security Survey 2018 polled 560 executives from UK companies and public sector organizations of all sizes.
Over a quarter (28%) claimed they didn’t know how many attacks their organization had suffered over the past year while a third (33%) said they didn’t know how the attacks had occurred.
What’s more, 17% admitted to not running any kind of preparatory cyber-drills and less than half (49%) conduct vital pen tests.
Bharat Mistry, principal security strategist at Trend Micro, was surprised at this lack of preparedness.
“The last thing you want when you have a breach is for staff to be reading the breach response handbook and trying to figure out who should do what. In fact, I would say if you haven’t tested your breach response plan, then it’s not worth the paper it’s written on,” he told Infosecurity.
“With the looming deadline of GDPR and the consequential fines for breaches of personal data it’s now more imperative than ever to make sure that you not only have a plan but it’s tested and effective to ensure compliance."
The bad news doesn’t end there. Less than half (44%) collaborate with peers in the industry compared to 58% globally, and not many more (53%) form cross-organizational teams featuring finance, legal, risk, HR and IT execs to regularly discuss and strategize over security issues.
“Cybersecurity needs to be viewed as a ‘team sport’ rather than just an issue for the IT team,” said partner Richard Horne. “To be most effective, everyone in an organization should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.”
Perhaps unsurprisingly given the above, there is a general lack of interest in cybersecurity at board level. Just 34% said board members actively participate in strategy, versus 44% worldwide.
UK organizations are also holding back on insurance: only 44% said they had a policy in place compared to 58% globally.
Yet firms are experiencing serious repercussions. UK organizations faced 19 hours of downtime from security incidents during the reporting period, 21% had internal records lost or damaged, 20% had employee records compromised and 23% saw customer records stolen.
The latter in particular bodes badly for GDPR compliance.
Targeting employees is the most common way of attacking a UK firm, up from 20% to 27% in this report, while mobile device breaches (29%) were top globally.
On the plus side, the average security budget for UK organizations last year was £3.9m. What’s more, 64% of respondents said they had an overall security strategy in place and over half (53%) agreed that spending is based exclusively on risk.
A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components.
In its 2017 State of Software Security Report the firm reviewed application security testing data from scans of its base of 1400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks.
A cause of the problem, in part, is that fewer than 28% of companies carry out regular analysis to see which components are built into their applications, Veracode claimed.
“The universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit,” said Chris Wysopal, CTO, CA Veracode.
There have been plenty of examples of high-profile Java app breaches caused by vulnerabilities in open source or commercial components in the last year, one such being the ‘Struts-Shock’ flaw affecting the Apache Struts 2 web application framework.
“Development teams aren’t going to stop using components – nor should they, but when an exploit becomes available, time is of the essence,” Wysopal added. However, as evidenced in the report, the most severe flaws require significant time to fix (only 22% of very high severity flaws were patched in 30 days or less), with most attackers leveraging vulnerabilities within days of discovery.
“We’ve now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify.”
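The report's point is that most companies never inventory which components their applications pull in, so they cannot tell when a disclosed flaw applies to them. The following is an added example, not CA Veracode's scanner or any real advisory feed: it reads the dependency list out of a Maven pom.xml and compares each coordinate against an advisory list with version ranges. The pom.xml fragment, the advisory identifiers (placeholders) and the affected version ranges are all constructed for the demonstration; a real inventory check would load advisories from a vulnerability feed and resolve transitive dependencies, which a bare pom.xml does not list.

```python
"""Added example (not Veracode's tooling): minimal component inventory check
over a Maven pom.xml against a constructed advisory list."""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml; the coordinates and versions are illustrative only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.20</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>safe-lib</artifactId>
      <version>3.1.4</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories with PLACEHOLDER ids and made-up ranges [introduced, fixed).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.struts",
     "artifact": "struts2-core", "introduced": "2.3.5", "fixed": "2.3.32"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.example",
     "artifact": "safe-lib", "introduced": "1.0", "fixed": "2.0"},
]


def parse_version(version):
    """'2.5.10-rc1' -> (2, 5, 10): compare numerically, never as strings
    (string order would rank '2.3.9' above '2.3.20')."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)  # keep the leading digits, drop qualifiers
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def list_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every declared dependency."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        deps.append((dep.findtext("m:groupId", namespaces=POM_NS),
                     dep.findtext("m:artifactId", namespaces=POM_NS),
                     dep.findtext("m:version", namespaces=POM_NS)))
    return deps


def find_vulnerable(deps, advisories):
    """Match each dependency against the advisory ranges.
    A dependency whose version is inherited (no <version>) cannot be judged
    from this file alone and is flagged for manual review rather than ignored."""
    hits = []
    for group, artifact, version in deps:
        if version is None:
            hits.append((group, artifact, None, "unresolved-version"))
            continue
        current = parse_version(version)
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (group, artifact):
                continue
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                hits.append((group, artifact, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(list_dependencies(SAMPLE_POM), ADVISORIES):
        print("affected component:", hit)
```

Run against a real tree, the same loop would be fed by the build tool's resolved dependency graph (so that components pulled in indirectly are covered) and the advisory list would be refreshed on every run; the time-to-fix figures quoted above only improve if this runs continuously rather than once a release.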
Google has implemented additional cyber-protections for users that are at particularly high risk of targeted online attacks, such as campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.
The Advanced Protection Program is a continually updated suite of services that focuses on three core defenses:
Phishing: Advanced Protection requires the use of security keys (small USB or wireless devices) to sign into an account. They use public-key cryptography and digital signatures to prove to Google that it’s really the account holders. Anyone trying to log in who doesn’t have the security key is automatically blocked, even if the person has the password.
Accidental Sharing: Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to Gmail and Drive to specific apps. For now, these will only be Google apps, but Google expects to expand these in the future, it said.
Fraudulent Account Access: Another common way hackers try to access accounts is by impersonating the account holder and pretending they have been locked out. For Advanced Protection users, extra steps will be put in place to prevent this during the account recovery process, including additional reviews and requests for more details about why the person has lost access to his or her account.
“We've been testing Advanced Protection for the last several weeks and learning from people like Andrew Ford Lyons, a technologist at Internews, an international nonprofit organization that has supported the development of thousands of media outlets worldwide,” said Dario Salice, Advanced Protection product manager at Google, in a blog.
“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries," said Lyons. "For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”
Anyone with a personal Google Account who is using Chrome (other browsers will be added) can enroll in Advanced Protection.
Charl Van Der Walt, chief security strategy officer at SecureData, applauded the move but did have a caveat: A significant number of successful breaches are still achieved via a compromised desktop, mostly via a malicious document attachment—and these new controls will do little to change this.
“Instead, [high-risk] users should think hard about the platforms they use to access email and how they open attachments,” he said via email. “Simple, limited-use platforms like a Chromebook or a tablet are generally safer to work from, but using a Yubikey with a tablet can be tricky, especially on iOS devices. This seems a pity, and looks to be a trade-off.”
He also brought up the data privacy disconnect that exists between the US and other parts of the world.
“Something else to consider is that although preventing unauthorized remote access to email is part of the equation, there needs to be jurisdictional consideration also,” he added. “Google itself might have access to email and contact data, and that given Google is a US company, the US government may be able to obtain access. This, however, is a ‘political’ consideration rather than a technical one.”