The Lazarus Group, a cybercrime gang with links to the North Korean government, has been targeting Bitcoin industry insiders in an effort to steal their credentials (and, presumably, their Bitcoin).
According to the Secureworks Counter Threat Unit (CTU), a targeted spearphishing email campaign aimed at employees of a London cryptocurrency company is making the rounds, purporting to discuss a job opening for a CFO. The supposed attached job listing in fact installs a remote access trojan (RAT), which allows the attackers to download more malware, take control of a victim’s device and steal data, including network credentials.
Lazarus, one hacking arm of the North Korean regime, is thought to be behind the WannaCry ransomware campaign, the $81 million Bangladesh central bank heist, as well as the infamous 2014 attack on Sony Pictures. Meanwhile, Recorded Future recently said that North Korean threat actors have begun amassing experience procuring cryptocurrency both legally and illegally, including, likely, recent intrusions into several Bitcoin exchanges in South Korea.
“North Korean threat actors have been conducting cyber-operations to generate funds for the Kim regime likely since at least 2015, but appear to have become interested in Bitcoin and cryptocurrency only over the past six months,” Recorded Future said.
The firm’s analysis discovered in May that users in North Korea had begun to mine Bitcoin. Before then, there had been virtually no traffic to Bitcoin-related sites or nodes, and no use of Bitcoin-specific ports or protocols. Beginning on May 17, that activity increased exponentially, from nothing to hundreds per day.
Given the fact that Bitcoin prices have continued to rise, North Korea’s interest in cryptocurrency is unsurprising. The virtual currency topped $17,500 to the dollar on Friday.
“Cyber-criminals are increasingly looking to monetize their efforts, and with the recent increase in Bitcoin valuation it’s not surprising that they’re after such targets, especially since phishing campaigns are increasingly able to bypass legacy email filters and gateways,” Eyal Benishti, founder and CEO of IRONSCALES, told Infosecurity via email.
More than nine in 10 Americans (94%) in a new survey have heard news stories about security breaches in the past 12 months, and most said they are worried about risks associated with activities as basic as use of public Wi-Fi hotspots and online shopping. However, a full 43% have not changed their online habits at all.
This suggests many Americans may not understand that they have a role in accountability when it comes to taking specific actions to safeguard their personal data, postulates a Tenable-commissioned survey by Harris Poll of more than 2,000 US adults. However, it also reflects a lack of realistic assessment as to the safety of their information. One-fifth (21%) said they aren’t sure if they have been impacted by security breaches in the past 12 months. Only 12% of Americans say their personal information has been stolen by hackers due to a security breach in the past 12 months.
“Given [that] the Equifax breach exposed sensitive data of as many as 143 million Americans, that number is statistically impossible,” the report pointed out. “Given the Yahoo! breach and countless others, this data suggests an alarming lack of understanding about the pervasiveness of recent breaches and the risks they pose to average Americans. It’s cyber illiteracy.”
Ironically, 37% of respondents said they think it’s likely their personal information will be stolen as a result of a security breach in the next six months. Additionally, it appears many Americans are worried about their personal information getting stolen as a result of some of the most common online activities. A full 63% are worried about their data getting stolen when connecting to public or unknown Wi-Fi hotspots, nearly three in five (58%) are worried about their personal information being stolen when online shopping, half (50%) are worried when banking online, and 35% are concerned when connecting with their friends/family through social media.
And yet, many Americans still have not taken some critical steps to protect their data. For example, only 25% have implemented two-factor authentication on their devices to protect their personal information in the past 12 months, even though security experts and major online services and technology companies like Facebook and Google strongly encourage it. Further, only a third (32%) have reduced their use of public Wi-Fi or unknown hotspots as a result of hearing about breaches.
Meanwhile, only 56% of Americans have used a password to lock their computer, and only 45% use a PIN to lock their mobile devices. Despite it being built into recent versions of the most popular mobile device in the country (iPhone), the use of biometrics is still not widespread, with only 19% of Americans reporting that they have implemented it on their devices in the past 12 months.
Many also don’t update their apps in a timely manner, with 14% of smartphone users waiting more than a week to update apps on their smartphones (or never doing it) after receiving a prompt. Meanwhile, 13% of computer users wait more than a week, including 3% and 5% who don’t update apps.
“The irony is that cyber poses an existential threat to our economy and to our very social fabric and safeguarding ourselves is therefore a shared responsibility,” the report noted. “Enterprises must lead the way by practicing fundamental hygiene and enforcing a basic standard of care for their customers’ data; but individuals must do their part, too—both as consumers and in many cases, as employees of those same enterprises—and that starts with cyber literacy.”
On the positive side, more than two in three Americans (68%) said they have avoided opening links/attachments from unsolicited emails or texts in the past 12 months. Roughly half of Americans (53%) say they have made their account passwords more complicated in the same time period, and 15% have used a password management tool.
When it comes to the value placed on critical data, there is major variance in perception across countries and industry sectors.
According to a study from Quocirca sponsored by Trustwave, shareholder data and patient data are the most valuable data types: Shareholder data is most highly valued by IT professionals at more than $1,700 per record, followed by patient records with a mean value of more than $1,500 and consumer data at just more than $1,000 per record.
The lowest-ranked is contractor data, at just less than $600 per record.
However, valuations change across geographies. US professionals value their personally identifiable information (PII) data more than twice as much as their UK counterparts: The average per capita value (PCV) of PII in the US is $1,820, versus $843 in the UK (and $1,025, $1,186 and $1,040 respectively in Canada, Australia and Japan).
Different levels of importance are placed on different data types too, such as PII, intellectual property (IP), payment card data and email: PII (47.4%) is given a higher priority than IP (27.6%), followed by payment-card data (18.4%) and then corporate email (6.6%).
Industry sector also influences the type of data that is given highest priority: Healthcare and hospitality sectors prioritize PII data, with an average score of 3.5 and 3.4 out of 4, while industrial and IT/communications companies rank IP as most important, at 3.0 and 2.9 out of 4.
Corporate security and risk professionals also massively overestimate the value of PII data for sale on the black market: Overall criminal resale values for PII on the black market are less than 5% of the value that enterprise security professionals estimate them to be worth. For a payment card record, security managers over-estimate by 60 times the actual criminal values of data for sale on the black market. For a single banking record, it is 2,000 times more.
“Today, data is one of the most valuable commodities possessed by any business,” said Ziv Mador, Trustwave vice president of security research. “Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to the best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cybersecurity investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018.”
All of this translates into differences in the level of vigilance applied to assessing and mitigating risk. Data risk vigilance (DRV), a measure of efforts to protect data, is highest among Canadian and US firms, and lowest amongst Australian businesses. The UK and Japan fall in the middle. In terms of sector, financial companies and IT/communications companies were the highest-scoring verticals when it comes to DRV, and hospitality and retail are the lowest.
Patient data is the most rigorously risk-assessed: Nearly 80% of organizations seeing patients as their prime data subject said they had carried out a comprehensive risk assessment, more than for any other data subject. In the UK, where healthcare is largely controlled by the government through the National Health Service (NHS), this rose to 90%. In the US, where regulation is tight through the Health Insurance Portability and Accountability Act (HIPAA), 85% have carried out a risk assessment.
Certain types of PII are much less assessed in terms of risk: Contractors’ and suppliers’ individual PII data is less rigorously assessed than other types of PII, such as patient data. A full 45% of companies holding contractors’ private data and 42% holding suppliers’ data failed to conduct comprehensive risk assessments of the data.
“Data is transforming businesses in the early 21st century in the same way electricity did at the start of the 20th,” said Bob Tarzey, senior security analyst at Quocirca and principal author of the study. “For nearly all businesses, their PII and IP are essential assets that are enticing targets for criminals; those storing payment card data are the most tempting target. Data subjects are becoming more aware of the value their data has to the businesses they deal with, and are less forgiving when things go wrong. However, even as one data breach is eclipsed by another in the eye of the press, the regulators will continue to investigate the most serious as they are invested with more powers and the clout to issue ever greater fines.”
Three men have pleaded guilty to building and operating the infamous Mirai botnet, which subsequently knocked over some of the world’s most popular websites late last year.
Paras Jha, 21, of Fanwood, New Jersey, Josiah White, 20, of Washington, Pennsylvania and Dalton Norman, 21, of Metairie, Louisiana admitted conspiracy to violate the Computer Fraud & Abuse Act.
They exploited vulnerabilities in IoT devices to conscript them into the botnet, comprising over 300,000 compromised endpoints, according to the Department of Justice.
This botnet was then used to launch DDoS attacks against various organizations. The three would apparently seek to extort money from their victims to call off the attacks or sell them DDoS mitigation services via Jha and White’s Protraf Solutions company.
However, they weren’t responsible for the attack on DNS firm Dyn which took out some of the biggest names on the web including Spotify, PayPal and Twitter, according to Reuters.
The DoJ explained:
“The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.”
Jha and Norman also pleaded guilty to violating the Computer Fraud & Abuse Act with a separate scheme in which they built a clickfraud botnet of 100,000 compromised devices including internet routers.
Finally, Jha pleaded guilty to a third charge related to a series of DDoS attacks on the networks of Rutgers University.
These took out a key portal used by staff, faculty and students for days at a time, disrupting assignments and assessments.
“The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cyber-criminals that can quickly weaponize technological developments to cause vast and varied types of harm,” said acting assistant attorney general John Cronan.
A former Barclays Bank employee has been sentenced to six years and four months behind bars for helping cyber-criminals launder millions of pounds of stolen funds.
Jinal Pethad, 29, from London, set up 105 fake bank accounts using false identity documents in a bid to trick the bank’s security processes, the National Crime Agency claimed.
He pleaded guilty this week to conspiring to launder money between 2014 and 2016 on behalf of Pavel Gincota and Ion Turcan.
The two, who were jailed in October, wanted to get rid of £2.5m stolen in scams using the infamous Dridex banking trojan.
Pethad was soon tracked down during the investigation into their activities, and after officers raided his Edgware home they apparently recovered over £4000 in cash, seven luxury watches and three mobile phones which had been used to communicate with Gincota.
In one of the exchanges between the two, Gincota apparently asked: “Can I bring 2 guys for open acc pls??? 1-german; 1-france; or 2-france; who u want? Let me know pls!”
“Jinal Pethad abused his position of trust at the bank to knowingly set up sham accounts for Gincota and Turcan, providing a vital service which enabled them to launder millions,” said Mark Cains of the NCA’s National Cybercrime Unit.
“Using his knowledge of the financial system, he made sure the stolen money was not blocked before entering these accounts, and provided the pair with reports to evidence his efforts and maintain the criminal relationship.”
The insider threat remains a major cybersecurity risk to organizations. Recent research from Crowd Research Partners found 90% of infosec professionals feel vulnerable to such attacks.
“We have worked with and supported the police with this investigation and welcome the outcome of the proceedings,” a Barclays spokesperson said. “Barclays has a zero tolerance to any unlawful activity and confirms Jinal Pethad was dismissed by the bank.”
NatWest has been left red-faced after initially appearing to brush off a noted security researcher who spotted its homepage was not HTTPS-encrypted.
The UK bank, owned by RBS, replied to a Twitter post by Troy Hunt: “I’m sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy?”
Hunt explained in a blog post that even though the lender’s homepage didn’t actually contain anything sensitive like an account log-in box, it could still be hijacked by hackers to redirect unsuspecting customers to a similar looking phishing site.
“It's served over HTTP so it's not an encrypted connection and can therefore be intercepted, the traffic read, modified or requests redirected to other locations,” he wrote.
“We're seeing ‘Not secure’ next to the address bar because I've typed something into the search box. This change began rolling out in Chrome in October and I would opine that ‘Not secure’ is not what you want to see on your bank.”
Hunt continued that hackers could easily modify the HTML to a similar looking but different domain — for example, from nwolb [dot] com to nuolb [dot] com.
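The risk Hunt describes is a homepage whose login link has been rewritten in transit to point at a lookalike host. The following link-integrity check is an added example, not code from the article or from Hunt's post; the trusted host list and both HTML samples are constructed for illustration, and it flags any outbound link whose host is within one character of a trusted domain, plus any first-party link still served over plain HTTP.

```python
"""Link-integrity audit for a page that may have been tampered with in transit.

Added example (not from the original article or from Troy Hunt's post).
TRUSTED_HOSTS and the two HTML documents below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of first-party hosts the homepage is expected to link to.
TRUSTED_HOSTS = {"nwolb.com", "www.nwolb.com", "natwest.com", "www.natwest.com"}


class LinkCollector(HTMLParser):
    """Collect href values from <a> elements and action values from <form>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def edit_distance(a, b):
    """Levenshtein distance between two host names (inputs are short)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Drop a leading 'www.' so nwolb.com and www.nwolb.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def audit_links(html, trusted=TRUSTED_HOSTS, max_distance=1):
    """Return a list of (href, reason) findings for suspicious links."""
    collector = LinkCollector()
    collector.feed(html)
    trusted_bare = {registrable(h) for h in trusted}
    findings = []
    for href in collector.links:
        parts = urlsplit(href)
        if not parts.netloc:
            continue  # relative link: same origin as the page itself
        host = registrable(parts.hostname or "")
        if host in trusted_bare:
            if parts.scheme == "http":
                findings.append((href, "first-party link served over plain HTTP"))
            continue
        for good in trusted_bare:
            if edit_distance(host, good) <= max_distance:
                findings.append((href, f"lookalike of trusted host {good}"))
                break
        else:
            findings.append((href, "link to host outside the allowlist"))
    return findings


# Constructed samples: the legitimate homepage and a copy modified in transit.
ORIGINAL_HTML = """
<html><body>
<a href="/personal/">Personal banking</a>
<a href="https://www.nwolb.com/default.aspx">Log in</a>
</body></html>
"""

TAMPERED_HTML = """
<html><body>
<a href="/personal/">Personal banking</a>
<a href="https://www.nuolb.com/default.aspx">Log in</a>
</body></html>
"""

if __name__ == "__main__":
    print("original:", audit_links(ORIGINAL_HTML))
    print("tampered:", audit_links(TAMPERED_HTML))
```

A check like this only has value when the fetch itself happens over HTTPS; over plain HTTP the auditor sees the same modified document the customer does.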
To add insult to injury, the bank then registered the nuolb domain following the interaction — missing the point completely that the homepage was still unprotected.
In fact, it issued this tweet:
“Hi there Troy, the website contains general information, rest assured when you are logging in that the website is secure. Please feel free to DM me if you have anymore queries around this.”
Fortunately, however, NatWest finally saw sense and the homepage for its personal banking customers is now protected with HTTPS.
Despite the tortuous process, Hunt praised the lender for its relatively quick response.
As of December, 67% of pages loaded by Firefox were HTTPS enabled, thanks to public initiatives such as Let’s Encrypt.
This Christmas Infosecurity has invited five top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Tracy Z. Maleeff, who will be taking the reins for the final day.
Tracy Maleeff is a cyber analyst in the Security Operations Center at GSK. Prior to joining the information security industry, Tracy worked as a librarian in academic, corporate, and private law firm libraries.
While a member of the Special Libraries Association, she received the Dow Jones Innovate Award, the Wolters Kluwer Law & Business Award for Innovations in Law Librarianship, and was named a Fellow. She has presented at many conferences, both for Library & Information Science as well as for Information Security (BSides, DEF CON's Recon Village, the Diana Initiative), on topics ranging from social media, networking, research strategies, and security awareness.
She received the Women in Security Leadership Award from the Information Systems Security Association and is very active in the Information Security community. Tracy holds a Master of Library and Information Science degree from the University of Pittsburgh, as well as undergraduate degrees from both Temple University (magna cum laude), and the Pennsylvania State University.
Tracy will be sharing her thoughts on the industry throughout the day with an introductory video, opinion article, Q&A with the real editor Eleanor Dallaway and a Twitter takeover!
When it comes to cloud data protection, there’s a significant disconnect between the perceived benefits vs. the reality of its cost and management.
According to a survey by Druva, 59% of respondents listed cost savings as the most anticipated benefit of moving to AWS, with simplicity and improved security as the second and third primary drivers. Yet, 49% of respondents who are considering a move cite cost as the No. 1 barrier.
Similarly, a full 54% of respondents are leveraging the cloud for data protection; however, 62% of respondents are concerned about incurring compounding data protection costs as a result of having multiple sites.
When it comes to confidence in the ability of the cloud to recover data, about 72% of respondents indicated a very strong level of cloud adoption interest based on their higher confidence levels in the ability to recover data from the cloud. On the other hand, more respondents—82%—felt confident in restoring data from on-premises systems.
“Although cloud migration has increased significantly in recent years, we still see a disconnect between perceptions of the cloud and its reality,” said Dave Packer, vice president of product and alliance marketing at Druva. “The misconception persists that the cloud is too expensive for storing data, and IT professionals fear rising costs as data grows and duplicates across the enterprise. However, organizations that have already leaned into transitioning to the cloud have realized that by fully embracing vendors providing truly cloud-native technology, both costs and scale can be optimized—and they have greater security and control over their data, regardless of where it resides.”
There have been at least 360,000 new malicious files detected every day in 2017—an 11.5% increase from the previous year.
According to Kaspersky Lab’s Number of the Year for 2017, a number of these new malicious files (processed by the company’s in-lab detection technologies) fall into the malware category (78%); however, viruses still account for 14% of daily detections. The remaining files are advertising software (8%).
This growth is having an effect at large: Kaspersky found that 29.4% of user computers encountered an online malware attack at least once over the course of the year; and 22% of user computers were subjected to advertising programs and their components.
Other interesting data points in the report include the fact that viruses significantly dropped in prevalence five to seven years ago, due to their complex development and low efficiency, Kaspersky said. However, a modicum of development still keeps chugging along as the 14% figure illustrates.
The reasons behind the growth are myriad: The explosive increase in ransomware attacks over the last couple of years is only set to continue, thanks to a growing criminal ecosystem behind this type of threat. Kaspersky said that bad actors are producing hundreds of new samples every day. Aside from that, 2017 also saw a spike in crypto-miners—a class of malware that cyber-criminals have started to use actively. Also, the increase in detections could be attributed to detection technologies getting better, and catching more.
The number of new malware files was calculated for the first time in 2011, when the total equaled only 70,000. Since then, it has grown five-fold. Also, after a slight decrease in 2015, the number of malicious files detected every day is growing for the second year in a row.
“In 2015, we witnessed a visible drop in daily detections and started thinking that new malware could be less important for criminals, who may have instead shifted their attention towards reusing old malware,” said Vyacheslav Zakorzhevsky, head of the anti-malware team at Kaspersky Lab. “However, over the last two years, the number of new malware we discovered has been growing, which is a sign that interest in creating new malicious code has been revived.”
A shadowy attacker has been seen attacking critical infrastructure in the Middle East with a malware called Triton, designed to manipulate industrial safety systems.
FireEye’s Mandiant division said that an incident that it investigated saw Triton targeting emergency shutdown capability for industrial processes, but that the threat actor is likely developing the capability to cause physical damage.
Triton, an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers, is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS), the firm explained. It follows in the footsteps of Stuxnet, which was used against Iranian nuclear facilities in 2010, and Industroyer which was likely deployed by Sandworm Team against Ukraine in 2016.
As for who’s behind it, “We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack,” researchers said in an analysis. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”
Mandiant said that in this incident, the attacker gained remote access to an SIS engineering workstation and deployed Triton to reprogram the SIS controllers; some of them entered a failed safe state triggered by validation checks, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation.
“Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences,” the firm said.
The attacker deployed Triton shortly after gaining access to the SIS system, indicating that the group had pre-built and tested the tool. That would require access to hardware and software that’s not widely available to the average cybercrime group.
The end game is unknown at this point. “The targeting of critical infrastructure to disrupt, degrade or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US and Israeli nation state actors,” said Mandiant. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”
It’s not just Uber: an astonishing half of IT security decision makers polled by CyberArk claimed their organization didn’t ‘fully’ inform customers when their personal details had been breached.
The security firm interviewed 1300 cybersecurity leaders to compile its latest study, The Business View of Security: Examining the Alignment Gap and Dangerous Disconnects.
A spokesperson confirmed to Infosecurity that no further details were available from the research on exactly what ‘fully’ means in this context.
However, the 50% figure is a stark reminder that many organizations are playing with fire in light of the forthcoming EU General Data Protection Regulation (GDPR), which will mandate 72-hour breach notifications.
The past 12 months have seen a slew of delayed and nebulous breach reports from big name firms that should know better, including Yahoo, Equifax and Uber.
In a now-infamous case, the ride-hailing company chose not to inform customers at all of a breach last year, instead electing to pay off the hackers to delete the data in a bid to hush up the incident.
UK banking regulator the Financial Conduct Authority (FCA) this week announced new rules forcing lenders to be more transparent about security incidents, after last week claiming there’s “currently a material under reporting of successful cyber-attacks in the financial sector.”
David Higgins, director of customer development EMEA at CyberArk, said it’s not uncommon for organizations to want to hide the extent of damage caused by cyber-attacks.
“This sort of behavior will have massive consequences in the coming year with enforcement of GDPR fines for lack of compliance,” he added. “What’s also surprising about this survey is the persistence of rampant poor security practices and lack of consistency across line of business and IT security leaders — despite strong awareness of risks and continued headline-generating cyber-attacks.”
These poor security practices included a third of respondents claiming they don’t have adequate understanding of security policies.
A similar number (31%) claimed they don’t use a privileged account security solution to store and manage privileged and/or administrative passwords.
Cybersecurity vendor Tenable is in trouble with its customers after removing features in its new product and deluging them with emails following an admin error.
The firm’s new Nessus Professional v7 scanning tool drops two features: an API that allowed users to run scans remotely, and multi-user support.
Several customers took to Twitter to voice their frustration at the move. One, @redsnapper88, had the following:
“Pretty disappointed with Tenable's decision to drop API support from Nessus Pro. Can anyone suggest a decent alternative that doesn't break the bank?”
Another, @FreedomCoder, was even more forthright:
“It is sad how @TenableSecurity has been systematically killing Nessus Professional update after update. Instead of adding feature, removing them in order to push users to their less useful more expensive solutions. No API WTF !!!!!”
To add insult to injury, users were overwhelmed with email spam for a couple of hours on Tuesday after they were added to a new Nessus Professional group support forum.
Noted security expert Brian Honan had this to say on Twitter:
“Wow, @TenableSecurity not a nice move to sign me up without my permission to your Tenable Community and then hit my mailbox with emails I don't want. Then to have to sign in to opt-out not good. Four letters for you to become aware of #GDPR”
In firefighting mode, the firm’s co-founder and CTO, Renaud Deraison, apologized for the email snafu, claiming the firm had inadvertently turned on notifications for users for every post on the forum.
“This triggered a cascade of emails for a subset of Nessus Professional customers for approximately two hours yesterday,” he explained.
“We are currently implementing system changes to ensure no new notifications will be sent to group members unless you update your own notification preferences. Also, customers will only be added to Collaboration Groups upon their consent. As an extra precaution, we have temporarily disabled the community site as we update the settings.”
He also tried to explain the reasoning behind the new feature set in Nessus Professional v7, claiming that users who want to scan remotely can do so in Tenable.io.
“It was never intended for use in a purely automated fashion, using the API to run scans remotely and extract the data into another system. In fact, the first version of Nessus didn’t even have any form of command line support,” he said.
“As a result, we never built any safeguards in the API preventing a script from misusing it and overloading the scanner. Ultimately we decided to let go of this API after having seen some misuse of this functionality which stretched the capabilities of the scanner.”
Deraison added that multi-user support was dropped because “it adds confusion and falls short of expectations since users can’t share results.”
He maintained that only 2% of customers actually use the remote scan API and just a “handful” of scanners have multiple users.
“We believe using our engineering resources to make the scanner more efficient, flexible and scalable rather than focus on corner use cases is the right strategy to providing you with the best experience,” he added.
Tens of millions of websites could be hacked each year, according to researchers in San Diego who have invented a new testing tool.
The team at UC San Diego’s Jacobs School of Engineering claimed that 1% of sites analyzed over an 18-month period by their new “Tripwire” tool were breached.
This was true of all sites irrespective of size or reach, meaning visitors to 10 of the top 1000 most visited websites on the internet could be at risk.
“No one is above this — companies or nation states — it’s going to happen; it’s just a question of when,” said Alex Snoeren, the paper’s senior author.
Although the researchers didn’t name the compromised sites they found, they did inform the relevant security teams.
“I was heartened that the big sites we interacted with took us seriously. Yet none of the websites chose to disclose to their customers the breach the researchers had uncovered,” said Snoeren. “The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure.”
The Tripwire project worked by using a bot to create accounts with each site, linked to a unique email address. The same password was used for the email and website account.
The team then waited to see if a third party used that password to access the email account, indicating the website account information had been leaked.
To ensure the security breach was a result of issues on the website and not the email side, the team set up a control group of 100,000 email accounts created with the same provider but not linked to any website accounts.
They found none of these email accounts were accessed by malicious third parties.
In total, 19 of 2300 website-linked email accounts were hacked including an unnamed US start-up with 45 million active users, the researchers claimed.
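The Tripwire method described in the preceding paragraphs is, in detection terms, a honey-account scheme: each site gets its own mailbox, the password is shared between site and mailbox, and a successful mailbox login from anyone but the researchers implicates the site. The code below is an added example, not the UC San Diego team's own tooling; the registration register, the research network range and the mailbox login log are all constructed.

```python
"""Honey-account leak detection modelled on the Tripwire study.

Added example, not code from the UC San Diego team. REGISTER, RESEARCH_NETS
and LOGIN_LOG are constructed samples; the addresses use RFC 5737 test ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed: the network the researchers themselves log in from.
RESEARCH_NETS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Registration:
    site: str       # website the honey account was created on; "" for control mailboxes
    mailbox: str    # unique email address used at registration
    password: str   # deliberately reused between the website and the mailbox


# Constructed register: two site-linked honey accounts and two control accounts
# (control mailboxes exist at the same provider but were never given to any site).
REGISTER = [
    Registration("shop.example", "tw-a81c@mail.example", "Kq7!v2pLx"),
    Registration("forum.example", "tw-93fe@mail.example", "Zr4#n8tWd"),
    Registration("", "ctrl-0001@mail.example", "Hp2$c6mQs"),
    Registration("", "ctrl-0002@mail.example", "Yt9%b3jRf"),
]

# Constructed mailbox login log: timestamp, mailbox, source IP, result.
LOGIN_LOG = """\
2017-06-03T02:14:07Z tw-a81c@mail.example 198.51.100.7 OK
2017-06-03T02:14:09Z tw-93fe@mail.example 198.51.100.7 OK
2017-06-03T02:14:11Z ctrl-0001@mail.example 198.51.100.7 OK
2017-06-19T23:41:52Z tw-93fe@mail.example 203.0.113.88 OK
2017-06-20T00:02:13Z tw-93fe@mail.example 203.0.113.88 OK
2017-06-21T11:05:40Z ctrl-0002@mail.example 203.0.113.5 FAIL
"""


def is_research_ip(ip):
    """True if the source address belongs to the researchers' own network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESEARCH_NETS)


def parse_log(text):
    """Yield (mailbox, ip) for successful logins only; failed attempts are ignored."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == "OK":
            yield fields[1], fields[2]


def detect_leaks(register, log_text):
    """Map each implicated site to the sorted list of foreign IPs that logged
    into its honey mailbox. Only site-linked mailboxes can implicate a site."""
    by_mailbox = {r.mailbox: r for r in register}
    hits = defaultdict(set)
    for mailbox, ip in parse_log(log_text):
        reg = by_mailbox.get(mailbox)
        if reg is None or reg.site == "" or is_research_ip(ip):
            continue
        hits[reg.site].add(ip)
    return {site: sorted(ips) for site, ips in hits.items()}


def control_group_clean(register, log_text):
    """True if no control mailbox saw a successful foreign login. When this is
    False, leaks cannot be attributed to the websites rather than the provider."""
    controls = {r.mailbox for r in register if r.site == ""}
    return not any(
        mailbox in controls and not is_research_ip(ip)
        for mailbox, ip in parse_log(log_text)
    )


if __name__ == "__main__":
    print("control group clean:", control_group_clean(REGISTER, LOGIN_LOG))
    print("sites with leaked credentials:", detect_leaks(REGISTER, LOGIN_LOG))
```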
Once they compromised the email accounts in question, the hackers usually didn’t hijack them to send spam but instead monitored email traffic — most likely looking for financial details.
The team advised users not to reuse passwords across multiple accounts, to minimize the amount of info handed over to websites and to use a password manager.
Earlier this week a huge database of 1.4 billion plain text breached credentials was uncovered by dark web analysts.
This Christmas Infosecurity has invited five top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Rik Ferguson, who will be taking the reins today!
Rik, vice-president security research at Trend Micro, is one of the leading experts in information security. He is also a special advisor to Europol EC3, and a project leader with the International Cyber Security Protection Alliance (ICSPA).
In April 2011 Rik was inducted into the Infosecurity Europe Hall of Fame. As a presenter at global industry events such as RSA, Mobile World Congress, Milken Institute, Virus Bulletin, RUSI and the e-Crime Congress, Rik addresses the challenges posed by emerging technology and online crime. He is frequently interviewed by the BBC, CNN, CNBC, Channel 4, Sky News and Al-Jazeera English and is quoted by national newspapers and trade publications throughout the world.
Rik is actively engaged in research into online threats and the underground economy. He also researches the wider implications of new developments in the information technology arena and their impact on security, both in the enterprise and for society as a whole, publishing papers, articles and videos and participating in thought-leadership initiatives. With almost 25 years of experience in information security, Rik has been with Trend Micro since 2007. Prior to assuming his current role he served as security & privacy infrastructure specialist at EDS, where he led the security design work for government projects related to justice and law enforcement, and as senior product engineer at McAfee, focused on network security, intrusion prevention, encryption and content filtering.
Rik will be sharing his thoughts on the industry throughout the day with an introductory video, opinion article, Q&A with the real editor Eleanor Dallaway and a Twitter takeover!
This Christmas season is shaping up to be AWESOME for electronics aficionados—largely thanks to Santa’s goody bag being filled with some of the most interesting connected toys and gadgets of all time.
I mean, who doesn’t want to get their young spawn some of the cool stuff on the shelves this holiday season? Think soccer balls that track your form when you kick them; a Star Wars First Order Stormtrooper Robot with AR and facial recognition features that will patrol an assigned area and alert you if there are any intruders; a mini-bowling ball you can steer with your face; or kid-friendly wearable fitness gadgets that encourage physical play and movement. This is, in other words, the awesomest Christmas season ever if you’re a kid (or a cool geek) with indulgent, relatively disposable income-spending parents/friends/whoevers that like you.
But... sigh. Time to throw a whole lotta humbug right over that irrational festive exuberance.
“Unsecured smart toys present serious risks to the children who play with them,” said Ryan Polk, Internet Society (ISOC) Policy Advisor. “You wouldn’t buy a toddler a toy that is a choking hazard. You wouldn’t buy a toy with lead paint. So you should make sure you buy smart toys that will keep children safe and respect their privacy.”
With holiday shopping season in full swing, the safety of connected gadgets and toys is in the full cybersecurity spotlight, as well they should be. Consider some recent events, as Polk pointed out: Hackers exposed the personal messages recorded to play through a smart teddy bear; strangers can send messages to nearby children by using a toy robot’s Bluetooth feature (I hear this is Roy Moore’s personal fave); and companies could be using a toy’s microphones not only for voice commands, but to also collect personal information to share with third parties.
The danger is especially piquant when it comes to connected toys for kids. Polk ominously framed the issue: “When your in-laws give your child a loud toy for the holidays, you know you are going to have to hear it for the next few months,” he said in a blog post. “But when that toy connects to the Internet, how can you be sure that you’re the only ones listening?”
Errrr…so much for spirit of the season, there, Ryan. Thanks for remotely executing coal into my stocking. Coal injection…heh heh. Geddit?
Fortunately, there are several things parents can do to be smart when buying toys this holiday season, according to ISOC:
- Read the reviews. Consumer organizations and others review connected devices and toys as part of their buying guides. Mozilla and Which? both released buying guides for smart toys this holiday season.
- Read the user agreement. User agreements should tell you what data a smart toy collects. They also should tell you who they share that data with. Will they send your child’s data to advertisers or other third parties?
- After you buy it, keep up with updates. Even if a smart toy is secure when you buy it, you have to keep up with updates to keep it secure. When buying a device, make sure it can be updated. Another factor to consider is how long the developer will support the device with updates.
- Ask yourself, does this need an Internet connection or Bluetooth functionality? If you cannot tell if a toy is safe and privacy respecting, it may be better to buy a similar toy without the Internet or Bluetooth functionality.
“Shopping smart doesn’t only keep you and the ones you love safer, but also helps send a clear message to toy companies,” Polk added. “Security and privacy are too important to be an afterthought. They must take a central role in designing any smart toy.”
Good advice. All I want for Christmas (besides a Star Wars Droid Inventor Kit, natch) is not to get hacked. Nor my kids to get hacked. Nor anyone, really, to get hacked (is Trump having a gold-plated virtual reality “alterno-facts” gadget that fetches news headlines made, I wonder?). So be aware, choose wisely and maybe we can all be cautiously festive about connected toys again.
UK private-school fee payments from parents have become one of the top targets for cyber-criminals, especially with invoices for next term being issued over the current weeks.
Cyber|Decider is warning that schools generally, and private school fee payments particularly, are currently popular with cyber-criminals because of the combination of them being large (generally £4,000-£10,000 per term), and the poor cybersecurity at many schools.
The scam typically begins with parents receiving an email giving them payment details for the school fees, perhaps saying these have changed. The hackers have surreptitiously gained access to the school’s email, usually through an undiscovered phishing attack, in order to divert the payments into their own accounts. They can also set up automatic mailbox rules so that responses from parents requesting confirmation of authenticity are diverted to the hackers and the school never sees them.
The hacker’s bank account is then emptied early in the next term, netting the criminals sometimes tens and often hundreds of thousands from a single school. From each single attack perspective, the amounts stolen are not high enough to warrant a full police investigation, so most fraudsters disappear without a trace and elude prosecution.
“In 2017 we saw schools generally become a big target for cyber-criminals,” said Neil Hare-Brown, CEO at Cyber|Decider. “Their security is often poor, and their fees administration largely undertaken out of their electronic mailbox which is often hosted online, making it easy to hijack.”
He added, “In addition, the parents with whom they communicate generally use webmail, and often from insecure systems. Families and schools are sharing lots of information about payments for fees, trips and everything else, so these mailboxes hold lots of important personal data such as bank and credit card details, passport images, medical and family information. Many schools have moved their email systems online and use payment gateways, but often they use systems that are insecure.”
Also, school staff and parents are easily deceived, and scams operated over the holiday period when schools are closed mean the alert won’t be raised quickly. This gives the criminals time to transfer funds with little chance of them being returned.
Clearly, when receiving payment requests from schools or anyone else by email, especially one changing the previous arrangements, parents should be very aware. They should telephone the school on its normal number, and double-check verbally with the school before making the payment.
Schools meanwhile should implement thorough and regular cybersecurity training for all staff, and avoid using generic mailbox accounts. They should also use a payment gateway for payments and a secure communications portal for use in communications with parents in all matters, including school fees. Also, two-step authentication should be implemented on all online systems in use by the school.
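The mailbox rules mentioned above, which quietly forward or bin parents’ replies, are among the most reliable indicators of a compromised fee-administration mailbox, and a school’s IT provider can audit them routinely. The Python below is an added example, not Cyber|Decider’s tooling: it assumes inbox rules have already been exported into a simple dictionary form (field names such as `forward_to`, `move_to_folder` and `subject_contains` are this example’s own), and flags rules that divert mail out of sight, scoring them higher when they are keyed on fee or payment wording. The sample rules are constructed.

```python
"""Inbox-rule audit for a fee-administration mailbox (added example, constructed rule format)."""
import re
from typing import Dict, Iterable, List, Tuple

# Words suggesting a rule is keyed on fee or payment correspondence (assumed list).
PAYMENT_TERMS = re.compile(r"\b(fee|fees|invoice|payment|bank|account|remittance)\b", re.IGNORECASE)

# Folders where diverted mail is unlikely to be noticed by the mailbox owner (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive",
                  "junk email", "conversation history"}


def audit_inbox_rule(rule: Dict, org_domains: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one exported rule: 'none', 'medium' or 'high'."""
    org = {d.lower() for d in org_domains}
    reasons: List[str] = []

    external = [a for a in rule.get("forward_to", []) if a.rsplit("@", 1)[-1].lower() not in org]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if rule.get("delete_message"):
        reasons.append("deletes matching messages")
    folder = rule.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{folder}'")

    if not reasons:
        return "none", []  # no diversion of mail away from the owner; not of interest here

    if rule.get("mark_as_read"):
        reasons.append("also marks matching messages as read")  # aggravating, not sufficient alone

    conditions = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", []))
    if PAYMENT_TERMS.search(conditions):
        reasons.append("condition matches payment-related words: " + conditions)
        return "high", reasons
    return "medium", reasons


def audit_mailbox(rules: Iterable[Dict], org_domains: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (rule name, severity, reasons) for every rule that diverts mail."""
    findings = []
    for rule in rules:
        severity, reasons = audit_inbox_rule(rule, org_domains)
        if severity != "none":
            findings.append((rule["name"], severity, reasons))
    return findings


# Constructed sample export from a bursar's mailbox at school.example.
SAMPLE_RULES = [
    {"name": "Fees redirect", "subject_contains": ["fees", "payment"],
     "forward_to": ["collector@mail-drop.example"], "delete_message": True},
    {"name": "Newsletters", "from_contains": ["news@vendor.example"],
     "move_to_folder": "Newsletters"},
    {"name": "Tidy", "subject_contains": ["confirm"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
]

if __name__ == "__main__":
    for name, severity, reasons in audit_mailbox(SAMPLE_RULES, {"school.example"}):
        print(f"[{severity.upper()}] {name}: " + "; ".join(reasons))
```

The “Newsletters” rule moves mail to an ordinary folder and is ignored; “Tidy” hides replies containing “confirm” in RSS Feeds and is worth a look; “Fees redirect” forwards fee mail off-domain and deletes the original, which is the pattern in the scam above. Running such an audit after any password reset, and alerting on newly created rules, complements the two-step authentication the article recommends.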
The European Commission has announced its first-ever bug bounty program, and is calling on hackers to find vulnerabilities in VLC, a popular open-source multimedia player loaded on every workstation at the Commission.
The program has kicked off with a three-week, invitation-only session, after which it will be open to the public. Rewards include a minimum of $2,000 for critical severity bugs, especially remote code execution.
High severity bugs such as code execution without user intervention, will start at $750. Medium severity bugs will start at a minimum of $300; these include code execution with user intervention, high-impact crashes and infinite loops. Low-severity bugs, like information leaks, crashes and the like, will pay out starting at $100.
Depending on the case, a bug’s severity can also be raised. Crashes in common formats such as AVI, MP4 and MKV, and in the decoders/packetizers for H264, HEVC and AAC, are more likely to be raised in severity and/or reward. Crashes that apply to all inputs receive the same treatment.
Also, “very important and clever bugs” could be rewarded with an extra payment in Bitcoin (up to 0.1 BTC).
The bounty is administered by HackerOne and has grown out of the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which was created in the wake of the Heartbleed open-source phenomenon to help EU institutions better protect their critical software.
Marek Przybyszewski and Pierre Damas, who work for what is essentially the IT department of the European Commission (known as the Open Source Strategy of the Directorate General for IT, or DIGIT), explained that DIGIT has been introducing free and open source software into its IT stack since at least the year 2000. Since then, it has become strategic in several areas: Linux is used on 80% of the servers in the Commission’s Data Centre and the Europa website runs on Drupal, to name a few.
“Where free and open-source software makes up key components, we cannot only rely on commercial backing and sponsoring, but also need to take into account if a project has the capacity to take care of security itself,” they said in a Q&A sent to Infosecurity. “Through the FOSSA project, we are supporting free and open source projects that make up a crucial element to the institutions and to modern economy and society at large.”
Julia Reda, a member of the European Parliament from Germany and the originator of the EU-FOSSA project, said that with the decision to elicit the help of outside researchers, VLC was chosen as a natural next step.
“It is important to understand that every day infrastructure we rely on for work, our private lives and our fundamental freedoms—the internet—depends on open-source to work,” she said. “Public institutions such as the EU have a responsibility to ensure the security and reliability of this infrastructure. That is why we are using a small part of the EU budget to finance security research into open source projects, improving security for both the European institutions themselves as well as for everyone using them.”
A ransomware named Spider has been crawling around the web, using decoy documents to lure victims in the Balkans into its lair with threats of “debt collection”.
According to Netskope Threat Research Labs, once infected, victims are given 96 hours to pay (that’s four days, for the mathematically challenged among us)—an unusually generous payment window for ransomware. The authors also take pains to calm their victims, assuring them that file recovery is “really easy,” even going so far as to provide a handy video showing just how the process works and a help section, which contains the links and references to the resources needed to make the payment.
“This ongoing campaign, identified on the 10th December, uses decoy Office documents which usually arrive as email attachments,” said Amit Malik, researcher for cloud security at Netskope Threat Research Labs, in an analysis. “These attachments are auto-synced to the enterprise cloud storage and collaborations apps.”
That Office document is written in the Bosnian language, indicating that the threat actors are specifically targeting the Bosnia and Herzegovina region. Once Spider ransomware encrypts the files, its warning message also provides language translation into its user interface—indicating that the malware could be tweaked for other regions.
No matter how empathetic the attackers may seem, Spider’s emergence shows that “ransomware continues to evolve and prevail as a top threat to all verticals in many organizations,” Malik said. “The addition of Spider ransomware as a new cob in the increasing ransomware web is a classic example. We continue to see an increase of decoy Office documents as an attack vector in spreading ransomware like GlobeImposter tied to several active and ongoing campaigns. As ransomware continues to evolve, administrators should educate employees about the impact of ransomware and ensure the protection of the organization’s data by making a regular backup of critical data.”
Macros are the main infection vector here, so to avoid getting caught in Spider’s silk, users should disable macros by default, and also be cautious of documents that contain only a message to enable macros to view the contents, especially unsigned macros and macros from untrusted sources.
UK banking regulator the Financial Conduct Authority (FCA) has unveiled sweeping new rules which will force high street lenders to be more transparent to customers about security incidents.
Published on Tuesday, the final rules are designed to make it easier for consumers to compare the service offered by banks, in a bid to drive greater competition in the market.
From August 18 next year, all UK banks offering personal and business current accounts will be forced to reveal how often they have had to report “major operational and security incidents.”
However, it’s unclear how much detail, if any, lenders will be forced to go into on each incident.
A “major” incident in this instance refers to one which prevents customers from using banking services.
The new reporting rules are required by forthcoming EU legislation, the Second Payment Services Directive (PSD2), which will feature “a matrix of quantitative and qualitative impact thresholds” taking account of things like the length of the incident and the size of the firm.
The FCA’s move comes after director of supervision, Megan Butler, claimed last week that there’s “currently a material under reporting of successful cyber-attacks in the financial sector.”
Of course, most major security incidents affecting customer data will also have to be reported under the GDPR from May 2018.
Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK&I, argued that banks are undergoing “a period of intense structural change.”
“With the number of threats continuing to increase exponentially, customer trust has never been so valuable or hard to come by and as such it has never been more important for banks to be open and honest about their security,” she added. “It is paramount that the industry does not overlook, or get complacent about, security or place it in the ‘too big to fix’ category, and instead takes a proactive approach.”
Microsoft has taken pity on system administrators with a relatively light patch update round this month, with 32 unique CVEs, none of which have been publicly disclosed or exploited.
December’s Patch Tuesday includes 20 critical fixes and 12 rated “important”, while 24 address remote code execution issues.
Most of the vulnerabilities addressed this month are found in IE and Edge and experts have urged firms to prioritize these.
“We recommend prioritizing patching user-facing workstations to address the 19 critical Internet Explorer and Edge updates released today by Microsoft, as they are listed as ‘Exploitation More Likely’. There are no known exploits as of yet, but this is an opportunity to remain ahead of any future exploits that may be released,” explained Qualys director of product management, Gill Langston.
“There is one Windows OS vulnerability that should be reviewed, and that is the fix for CVE-2017-11885, which is a Remote Code Execution using RPC on systems that have Routing and Remote Access service (RRAS) enabled. Make sure you are patching systems that are using RRAS, and ensure it is not enabled on systems that do not require it, as disabling RRAS will protect against the vulnerability. For that reason it is listed as Exploitation less likely, but should get your attention after patching the browsers.”
Elsewhere, an RCE vulnerability in Excel was flagged by Ivanti product management manager, Chris Goettl.
“CVE-2017-11935 is a vulnerability in how Microsoft Office handles objects in memory. An attacker could create a specially crafted file to perform actions in the context of the current user. This is a case where proper privilege management would mitigate the impact if exploited,” he explained.
“The attack could take the form of an email attachment, or of specially crafted content hosted on a website, and convince a user to open the specially crafted file to exploit the vulnerability. Depending on your source, open rates for phishing attempts are still around 30% and click rates around 12%, so a user-targeted exploit like this is perfect for an attacker to take advantage of.”
Adobe released just one patch this month: APSB17-42 is listed as a “Business Logic Error” and rated Priority 2.
Last week, Redmond issued two out-of-band fixes for critical flaws in its Malware Protection Engine.