Info Security

#BHEU: How Google Aurora Attacks Changed the Consciousness of Cybersecurity

Wed, 12/05/2018 - 10:56

Opening the Black Hat Europe conference, founder Jeff Moss cited the 2010 attacks on Google as a point where attacks became more serious, as this enabled people in cybersecurity to “speak to a new audience.”

Looking back at 2018, Moss said that this year has felt like a new era with “new awareness.” Recalling the dot com boom and bust era, he explained that was when we put things on the internet and first began to realize the value of risk, and the rush to find security professionals “to protect before anything needed protecting.”

However, the attacks by China on Google in 2010 changed that, he claimed, saying that overnight it became acceptable to say that you had been hacked.

He added: “That enabled us to speak to a new audience, the media took us a bit more seriously and the world took us a bit more seriously, and that was really a 'before and after' event. I feel now that this is happening again on non-traditional topics.

“It feels like power and politics have entered our arena, it is not just law enforcement and organized crime, it feels like great powers are playing in our area and nation states with different agendas and different rules, are now playing in our backyard.”

Moss said that these are still our networks, but it now involves election meddling, fake news and propaganda, and social risks of giant social media platforms. These are not traditional issues for the industry to deal with “but we will be the ones being asked to fix it.”

He added that we are in a new era to provide advice and fix some of these issues, “and I think that is super exciting and super scary at the same time, but it is not like it was two years ago – there is an acceptance that we are in a new era.”

He concluded that while Google made it OK to talk about being attacked, election meddling in the US has made it OK to talk about cybersecurity and democracy, and also the harms of social media platforms.

Categories: Cyber Risk News

BEC Crime Gang Lines Up 50,000 Global Execs

Wed, 12/05/2018 - 10:26

Researchers have uncovered what appears to be a major BEC crime gang which used commercial lead-gen services to identify 50,000 executives to target.

Dubbed 'London Blue' in a new report from Agari, the group is Nigerian in origin, with collaborators in the UK, US and Western Europe. It first came to light after making the mistake of targeting the security vendor’s own CFO.

“London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules),” the report explained.

“London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world. Doing so gives it the attack volume of a mass spam campaign, but with the target-specific customization of spear-phishing attacks. By combining commercially available tools with criminal tactics, the attackers are able to deliver semi-customized attacks on companies of all sizes in countries located around the world.”

After compiling the list of 50,000 executives, 71% of whom are CFOs, members of the team then carry out additional research to fill in any missing details that will help personalize the scams.

Most targets were located in the US, with others in Spain, the UK, Finland, the Netherlands and Mexico.

Interestingly, the gang itself previously focused on credential phishing and Craigslist scams before being attracted by the potentially bigger pay-out associated with BEC.

According to the FBI, scammers have made over $12.5bn from BEC attacks since 2013.

Although these scams typically don't feature malware, and are therefore harder to spot with traditional tools, security controls can be implemented to spot spoofed domains and/or use machine learning to raise the alarm if an executive's writing style appears to change.
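A minimal sketch of the spoofed-domain control mentioned above, as an added example rather than code from Agari or the article. It flags sender domains within two edits of the organisation's own and executive display names on external addresses, and goes slightly beyond the text by also flagging a Reply-To that leaves the From domain; the domain, names and messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration: the protected organisation's mail
# domains and the display names of executives likely to be impersonated.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"dana whitfield", "luis ortega"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_flags(raw_message):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    flags = []
    if from_domain not in ORG_DOMAINS:
        # A near miss of our own domain (examp1e.com, exarnple.com, ...).
        if any(0 < edit_distance(from_domain, d) <= 2 for d in ORG_DOMAINS):
            flags.append("lookalike-domain")
        # An executive's name shown to the reader, on an outside address.
        if " ".join(name.lower().split()) in EXECUTIVES:
            flags.append("executive-display-name-external")
    # Replies steered to a different domain than the one shown in From.
    # Exact-domain forgery itself is the job of SPF/DKIM/DMARC checks.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages.
LOOKALIKE = (
    'From: "Dana Whitfield" <dana.whitfield@examp1e.com>\n'
    "To: ap@example.com\n"
    "Subject: Urgent wire today\n\n"
    "Are you at your desk?\n"
)
LEGITIMATE = (
    'From: "Luis Ortega" <luis.ortega@example.com>\n'
    "To: ap@example.com\n"
    "Subject: Q4 forecast\n\n"
    "Attached.\n"
)
REPLY_REDIRECT = (
    'From: "Dana Whitfield" <dana.whitfield@example.com>\n'
    "Reply-To: dana.whitfield@mail-relay.test\n"
    "To: ap@example.com\n"
    "Subject: Vendor payment\n\n"
    "Please confirm the new account details.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE),
                       ("legitimate", LEGITIMATE),
                       ("reply-redirect", REPLY_REDIRECT)]:
        print(label, bec_flags(raw))
```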

Categories: Cyber Risk News

IoT Backbone is Riddled with Security Issues

Wed, 12/05/2018 - 10:03

Two popular IoT communications protocols are riddled with vulnerabilities and systemic issues which are exposing countless global organizations to industrial espionage, targeted attacks and DoS, according to Trend Micro.

The security giant’s latest report, The Fragility of Industrial IoT’s Data Backbone, focuses on two of the most popular machine-to-machine protocols in use today: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

As security is not built into these protocols by default, they exposed 219 million messages globally in just the four months of the research period.

The report detailed how these security deficiencies leak credentials, sensitive information, and industry-related process data — which could be used to enable reconnaissance and industrial espionage.

Security problems with the design, implementation and deployment of devices using these protocols could allow attackers to remotely control endpoints, while hackers could also abuse functionality in the protocols to achieve persistent access to a target and move laterally across a network.

One flaw detailed in the report, CVE-2018-17614, was described as an out-of-bounds write that could allow an attacker to execute arbitrary code on vulnerable devices that implement an MQTT client.

Telemetry data passing over these protocols could also be “poisoned” to sabotage operations, the report warned.

There are also implications for consumers, given that MQTT is used by Facebook Messenger.

Another messaging service, Bizbox Alpha mobile, leaked 55,475 messages in four months, 18,000 of which were email messages.

Greg Young, vice-president of cybersecurity for Trend Micro, said the report should be cause for organizations to improve the security of their OT environments.

“These protocols weren’t designed with security in mind, but are found in an increasingly wide range of mission critical environments and use cases,” he added. “This represents a major cybersecurity risk. Hackers with even modest resources could exploit these design flaws and vulnerabilities to conduct reconnaissance, lateral movement, covert data theft and denial-of-service attacks.”

The report also warned that as MQTT and CoAP become more popular, hackers are likely to use them not only for DoS but as a channel for C&C and exfiltration.

Trend Micro urged security teams to remove unnecessary M2M services, check their data is not leaking through public IoT services, improve vulnerability management workflows and stay up-to-date with evolving industry standards.

Categories: Cyber Risk News

#NICEK12: Digital Detox for Cyber Awareness

Tue, 12/04/2018 - 15:36

In addition to sessions on cryptography and teaching kids how to code, the 2018 NICE K12 Cybersecurity Education Conference also focused on teaching young people how to protect their identities and develop good cyber-hygiene habits to help them stay safe online. 

To that end, former private detective Melissa J. Straub, now founder and director of educational services at High Impact Youth Training Solutions Inc., said that teaching young people about cybersecurity is critical. "It only takes one picture, one video or one comment to take down a child’s reputation."

“Kids are on technology, kids are using technology and they have become so reliant on technology. That’s not to say technology is bad. It can help kids change, grow and innovate, but it can also hurt kids,” Straub said.

That’s why students of all ages need to have educators and parents engaging them in conversations about the consequences of their online behavior. An effective way to do that is to encourage students to go through a digital detox. 

“When we are learning how to drive a car, we take a test, we practice, then we earn a license. Yet we are handing kids the keys to the Wild West without any training on how to secure their information,” Straub said. 

According to Straub, more than half (54%) of teens say life would be better without social media. Despite being touted as social networking, many social media sites have resulted in kids feeling more social isolation. As with most things in life, using technology should happen in moderation for young people. “There should be a balance of how much time kids are spending behind a screen, and if their behavior starts to change or their grades are changing, those are indicators of a problem,” Straub said.

The most significant impact technology is having on children is that they are engaging in, or are victims of, cyber-bullying. Add to that the fact that they are only one click away from violence or sexual content, and it’s easy to see why kids need to learn good cyber-hygiene.

Of equal concern to Straub is the threat of online predators. “It used to be you met someone in person, then found out the kind of person they are on social media. Now it is the other way around.”

When she talks with kids, though, they admit that they have computers in their rooms and their parents rarely – if ever – monitor what they are doing. Parents don’t know the apps kids are using, nor do they know the people their children are friends with online. 

In addition to teaching children that they don’t own their information and they do not control who sees it once it is online, Straub also warned, “Predators talk to kids in a gaming system and then pull them out into a private exchange,” which is why it’s important to engage kids in conversations about cybersecurity early and often and for parents to know what security and parental controls they should put in place. 

Categories: Cyber Risk News

Russian Ransomware Brokers Scam Victims

Tue, 12/04/2018 - 14:03

Security researchers have discovered cybersecurity scammers in Russia are generating hundreds of thousands of dollars in profits by falsely claiming to be able to unlock encrypted files.

Check Point explained that one ‘IT consultancy’ named Dr Shifro is promising customers it can help them recover from ransomware like Dharma/Crisis, for which there is no known decryption key.

In reality, the firm pays the ransomware author a fee and then passes the cost on to the customer at a 75%+ margin, acting more as a broker than an IT consultancy.

Dr Shifro has been around for over two-and-a-half years and has managed 300 ransomware ‘decryptions’ for its clients.

Typically it adds an extra $1000 fee on top of whatever the cyber-criminal is charging for a decryption key, meaning the firm has been able to drive profits of at least $300,000 over the past couple of years.

Researchers believe that, from the correspondence between Dr Shifro and the ransomware creators that they were able to obtain, the former also tries to negotiate a discount from the ransomware author to further increase its margins, a spokesperson told Infosecurity.

“The first point with services like Dr. Shifro’s is ‘if it sounds too good to be true, it probably is.’ While there are legitimate IT consultancies that can help recover systems and files from a ransomware attack, they will usually not make promises they cannot keep,” the security vendor warned.

“In fact, they will usually only offer to help where decryption keys are already publicly available online, and perform decryption services for those who may be unable to do so themselves. Anyone claiming otherwise should be approached with caution.”

Check Point warned that similar scams could emerge over the coming year as a new way of making money off the back of attacks.

Although there have been reports that cryptomining malware is growing in popularity at the expense of ransomware, a recent Europol report warned that the latter was still the top malware threat facing organizations, and would remain a major risk for years to come.

More targeted variants have started to emerge of late, which are harder for firms to defend against. Two Iranians were recently indicted by the US for masterminding the SamSam attacks over the past three years, causing losses estimated at $30m in North America and the UK.

Categories: Cyber Risk News

New Head of Security Business Announced at BT

Tue, 12/04/2018 - 12:23

Today, global telecommunications giant BT announced the appointment of Kevin Brown as managing director of BT Security.

Brown will succeed Mark Hughes, who is leaving BT at the end of the year. Brown will oversee the company’s physical and cybersecurity activity around the world.

Brown first joined BT in 2012, following a 20-year career in law enforcement. He has specialized in security throughout his time at BT, and in previous roles has led its global investigation and intelligence teams and driven the modernization of BT’s protection systems. In his previous role, Kevin led BT Security’s engagement with international governments, and managed its relationships with international law

BT has 3000 cybersecurity experts around the world protecting its operations across 180 countries as well as its customers’ networks. According to the firm, its global network of security operations centers protects BT against 125,000 cyber-attacks every month and provides cybersecurity solutions and services to consumers, governments and businesses.

“I’m thrilled to be leading BT’s security operations at a time when the need to protect households, business, governments and entire nation states from damaging cyber-attacks has never been greater,” Brown said.

“Our global network gives us a ringside view of the latest threats so we can anticipate and mitigate emerging attacks before they impact our business or our customers. Our expertise in securing BT’s global network is why organizations around the world trust us to protect their most critical assets. I’m really looking forward to continuing the rapid growth that BT Security has seen in recent years.”

BT also said that it plans to increase its cybersecurity headcount by 25% over the next five years “in order to develop the next generation of cybersecurity professionals and meets its growth ambition.”

Categories: Cyber Risk News

Researchers Find First Major Kubernetes Flaw

Tue, 12/04/2018 - 10:22

Security researchers have patched a critical security flaw in popular container orchestration tool Kubernetes which could allow third parties to remotely control targeted systems.

Organizations running previous versions were urgently requested to upgrade to Kubernetes v1.10.11, v1.11.5, and v1.12.3. The issue will also be addressed in the upcoming v1.13.0 release, according to Google staff software engineer, Jordan Liggitt.

“This vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” he explained.

CVE-2018-1002105 is a privilege escalation flaw allowing an attacker to gain full admin privileges on any computer node run in a Kubernetes cluster. As such, it’s been given a CVSS score of 9.8.
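To turn the fixed-release list above into an inventory check, the following added example (not code from the Kubernetes project or the article) compares API server version strings against v1.10.11, v1.11.5, v1.12.3 and v1.13.0. The cluster names and versions in the sample inventory are constructed, and treating vendor build suffixes as equivalent to the upstream release is an assumption.

```python
import re

# Fixed release per release line, as listed in the article for
# CVE-2018-1002105. Key: (major, minor); value: first fixed patch number.
FIXED_PATCH = {(1, 10): 11, (1, 11): 5, (1, 12): 3, (1, 13): 0}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.+))?$")
_PRERELEASE = re.compile(r"^(alpha|beta|rc)", re.IGNORECASE)


def parse_version(raw):
    """Split a gitVersion such as 'v1.11.3-rc.1' into
    ((major, minor), patch, is_prerelease)."""
    match = _VERSION.match(raw.strip())
    if match is None:
        raise ValueError(f"unrecognised Kubernetes version: {raw!r}")
    major, minor, patch, suffix = match.groups()
    prerelease = bool(suffix and _PRERELEASE.match(suffix))
    return (int(major), int(minor)), int(patch), prerelease


def needs_upgrade(raw):
    """True if this API server version predates the fixed release
    for its release line."""
    line, patch, prerelease = parse_version(raw)
    if line > max(FIXED_PATCH):
        return False  # release lines after v1.13 start from fixed code
    fixed = FIXED_PATCH.get(line)
    if fixed is None:
        return True   # older than v1.10: no fixed release listed for the line
    if patch == fixed and prerelease:
        # An alpha/beta/rc of the fixed version is not the listed release;
        # treat it conservatively as still needing the upgrade.
        return True
    # Assumption: other suffixes (vendor build tags) follow the upstream
    # patch level. Vendors may backport differently, so confirm against
    # the vendor's own advisory.
    return patch < fixed


def audit(api_servers):
    """Return the sorted names of clusters whose API server needs upgrading.

    api_servers maps a cluster name to the gitVersion its API server
    reports (for example, the server version shown by `kubectl version`).
    """
    return sorted(name for name, version in api_servers.items()
                  if needs_upgrade(version))


# Constructed inventory for illustration.
SAMPLE_API_SERVERS = {
    "build-ci": "v1.9.7",
    "payments": "v1.10.11",
    "staging": "v1.11.4",
    "edge": "v1.12.3-vendor.2",
    "lab": "v1.13.0-rc.1",
    "greenfield": "v1.13.0",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_API_SERVERS):
        print(f"{name}: upgrade required ({SAMPLE_API_SERVERS[name]})")
```

The version that matters is the API server's, since the flaw lies in how it proxies connections to backends; upgrading kubelets alone does not close it.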

“This is a big deal,” warned Red Hat cloud platforms lead, Ashesh Badani. “Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

All the firm’s Kubernetes-based products are affected: Red Hat OpenShift Container Platform, Red Hat OpenShift Online and Red Hat OpenShift Dedicated.

However, Badani used the opportunity to promote enterprise-grade open source products, which he claimed offer greater contextualized support for organizations in these situations.

This is the first major bug discovered in the popular container orchestration platform, and is likely to be exploited in the wild given the growing popularity of microservices among DevOps teams.

According to one firm, 44% of companies plan to replace some of their virtual machines (VMs) with containers, while the vast majority (71%) said they’ve already deployed containers on a VM.

Categories: Cyber Risk News

Quora Breach Hits 100 Million Users

Tue, 12/04/2018 - 09:40

Quora has become the latest big-name tech firm to suffer a major data breach, after revealing that personal information on 100 million users may have been compromised.

The question-and-answer website said it discovered unauthorized access by a malicious third party on Friday, and is currently investigating the exact cause of the incident in concert with a digital forensics firm and law enforcement.

The potentially compromised information includes account info such as names, email addresses and encrypted passwords, as well as data imported by users from linked networks.

Other data that may have been breached includes public content and actions — like questions, answers, comments and upvotes — and non-public content like answer requests, downvotes and direct messages.

“Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content,” the firm clarified.

“The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious.”

All affected users have been logged out, with a forced password reset for those who chose this as their authentication method.

SecureAuth chief security architect, Stephen Cox, suggested that stolen credentials may have been behind the breach.

“More focus needs to be put on advanced authentication techniques to improve organizations’ security posture in this threat landscape,” he added. “Far too many organizations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted basic techniques such as two-factor authentication.”

Although the personal data compromised in this incident appears to be fairly limited, and Quora had at least hashed passwords with a salt that varies for each user, the incident could still lead to a deluge of phishing attempts on users.

Categories: Cyber Risk News

#NICEK12: Hands-On Resources from the Field

Tue, 12/04/2018 - 03:09

In addition to the five conference tracks at the 2018 NICE K12 Cybersecurity Education Conference going on in San Antonio, Texas, attendees were also able to engage in hands-on learning at drop-in sessions during which exhibitors were able to share resources they have used with some success to help advance cybersecurity in the K-12 sector. 

In one session, two teachers from North Carolina showcased the progress they have made in educating kids about cybersecurity.

In their presentation, “Bytes for Breakfast - A Small Rural High School’s Answer to Getting Students Excited About Coding and Cybersecurity,” teachers Renee Himmelspach and Amanda Campbell from South Stokes High School in North Carolina said that the name of their club came from the fact that the group meets before school.

The Bytes for Breakfast club, which is in its first year, meets twice a month before the school day begins for students to explore coding using the two Raspberry Pis and iPad Pros that were donated to the group. The group also meets once a month after school for an extended period of time.

With as much enthusiasm as Himmelspach and Campbell displayed, Robert Black, CEO and founder of Start Engineering, showcased the Cybersecurity Career Guide, a book designed for classrooms, camps and other outreach programs to introduce students to the myriad career paths available in the field of cybersecurity. 

In partnering with Palo Alto Networks, Start Engineering was able to produce the 52-page, magazine-style book that includes a description of different job types, as well as the required education and the likely salary candidates would earn for each position.

Designed for middle and high school students, the publication was released in April and will be updated every two years as job descriptions and technology evolve.

Categories: Cyber Risk News

#NICEK12: Creating a Paradigm Shift in Cyber

Tue, 12/04/2018 - 02:44

At the 2018 NICE K12 Cybersecurity Education Conference in San Antonio, Texas, industry leaders spoke about promoting cyber awareness by educating kids so that they can in turn educate their parents and move the needle on protecting privacy in our interconnected world. 

In his presentation, “The Thief Is One Hundred Years Ahead of the Locksmith,” Ronald Malden, chief learning officer, Regal Business Opportunities Inc., offered a strategic plan for the national initiative of accelerating cybersecurity learning and skills development in a diverse user community.

Because criminals are able to remain one step ahead of whatever lock defenders invent, education is far more useful than inventing new defenses. 

“In this day and age, we have to educate the children if we are ever to achieve cyber awareness across a diverse workforce environment. In today’s current cyber environment, when I focus on general education, I’m actually focused on what we need to accomplish in K-12 in order to educate the entire society,” Malden said.  

So how do we become more cyber aware? According to Malden, approaching cyber in general education from a K-12 perspective includes both technical and nontechnical content because computing communication is occurring when you wake up and does not stop when you sleep. “We need to educate cyber knowledge across the life spectrum as well as teach it in small doses in diverse general education, which includes teaching cyber in physics, law and philosophy.”

To be successful in that endeavor, it’s important to target the audience messenger, or the trusted person, providing educators with an approach that tells them how to educate the population in general.

“Students should be graduating cyber certified so that they understand penetration detection, intrusion detection and what it means to be cyber aware so they are not the victim,” Malden said. “A cyber-hacker is looking for money. If you are no longer the low-hanging fruit, then you have less of a loss.”

The industry needs to develop a paradigm shift that delivers us from defensive to offensive education. To achieve that, Malden said we must address the education of all individuals and increase involvement in cyber education by integrating cyber domain concepts as organization ethos or curriculum in K-12 education.

Categories: Cyber Risk News

#NICEK12: Increasing Cyber Career Awareness

Mon, 12/03/2018 - 16:13

With a packed schedule of over 100 sessions across five tracks, the 2018 NICE K12 Cybersecurity Education Conference endeavored to deliver a wide array of strategies and tactics to enable educators and public schools to enhance their understanding of how to engage students in cybersecurity. 

The five tracks included increasing cybersecurity career awareness, infusing cybersecurity across the educational portfolio, integrating innovative cybersecurity educational approaches, designing cybersecurity academic and career pathways and promoting cyber awareness. 

In talking about innovative ways to introduce students to career paths they may not even know exist, Benjamin Galynker, director of content, Hats & Ladders, spoke about how to go “From Overwhelmed or Slacking to Ethical Hacking.” 

It’s no mystery why the skills gap continues to grow despite industry demand. “The problem we face is understanding how to raise young people’s awareness of career options that their parents might not know about,” Galynker said. 

When it comes to cybersecurity, most people think it’s not for them or more likely that it couldn’t be for them, which is why awareness matters. Society works best when young people pursue careers that they are confident will allow them to succeed in their futures, Galynker said.

There are some missing links, though, between awareness and "what should I do next," which is where educators and schools play a key role. Hats & Ladders is one way to make educators aware of the industry’s efforts to create platforms that will help engage students. 

The organization is intended to connect educators and mentors, industry partners, colleges and community programs to help students begin to understand the career opportunities available to them through online learning, as well as helping educators incorporate into their curriculum more hands-on DIY activities, field trips and observations, internships, apprenticeships and scholarships.

Part of the effort is to help educators understand the root sources. To that end, Hats & Ladders developed a free platform to fill in those missing links, taking students from curiosity to interest, engagement and motivation. 

Often, youth will rely on their own knowledge without realizing what they don’t know. They think they know what they want to do, but they don’t have a second or third choice, nor do they understand the career assets they might have and how they can use those assets to pivot into potential cybersecurity careers. 

“Youth don’t have a lot of career development counseling,” Galynker said. “[For] every 437 high school students, there is only one high school counselor, making parents the single largest influence on young people’s careers.”

Categories: Cyber Risk News

#NICEK12: Young Women Are Making Cyber Waves

Mon, 12/03/2018 - 15:19

In a pre-conference workshop, 2018 NICE K12 Cybersecurity Education Conference sponsor IBM offered #CyberDay4Girls, in which girls in 6th–9th grade met at Sam Houston High School to learn about protecting their online identity and the internet of things and to meet female role models studying and working in cybersecurity.

Part of the goal is shifting the perspective and teaching girls to be brave, not perfect, said Kyla Guru, a high school junior from Illinois and founder of Bits N’ Bytes Cybersecurity Education (BNBCE) in her keynote address.

Guru first thanked the audience for involving her in the dialogue about what she called our "state of cyber-insecurity." “What is the current state?” Guru asked. “An expected 1.8 million cybersecurity jobs that will be unfilled by 2022. In 2017, the education sector alone accounted for 13% of breaches, which amounts to the compromise of around 32 million records. In addition, we are expected to lose $8 million by 2022.”

Her goal is to make sure that we all understand the monetary loss that will happen because of cyber-attacks so that rather than lose that money, we can try to save that money for future generations to invest in saving the future.

“We are making waves,” Guru said, “and that calls for some sort of applause. We need some recognition for the progress we have made so that we can get excited about the work that still needs to be done.”

In explaining her vision, Guru explained why she came to create BNBCE. The idea came to her when thinking about the requirement that she and her fellow students had to sign the student science lab safety contract every year. After seven years, she had the contract memorized.  

“I know that after you get chemicals in your eyes, you have to wash your eyes out for 20 minutes at the wash station. Those have been made second nature because of the emphasis that teachers have put on it. So I started to think, ‘What if we could make something like this for cybersecurity?’ because that is the power of education.”

Recognizing that the digital internet is the new playground for young people, Guru said she realized that her peers didn’t have security as a second nature to them. “I set out to create a five-minute animated video for my former elementary school, but after I made the video, I realized that the problem couldn’t be solved by one video sent to one school down the street from my house. This mission was so much bigger than this one school.”

From there, Guru created the national nonprofit that started with youth. Why? “It is incredibly impressive and slightly concerning how much we use technology. Also, young people are going to build technology. Shouldn’t they know how to deal with and manage the situations that will come along with that technology?” she said.

In the past 24 months, the nonprofit has grown to include 26 partners. BNBCE has written 40 articles on its blog and hosted more than 35 workshops, amounting to an outreach that has connected with 15,722 students.

Categories: Cyber Risk News

#NICEK12: San Antonio Aims to Become Cyber City, USA

Mon, 12/03/2018 - 14:45

The 2018 NICE K12 Cybersecurity Education Conference kicked off this morning in San Antonio, Texas, with opening remarks from Ron Nirenberg, mayor of San Antonio.

The National Initiative for Cybersecurity Education (NICE) is part of the National Institute of Standards and Technology (NIST) and aims to deliver quality professional development focused on strategies that will inspire awareness about cybersecurity preparedness for young people while also inspiring them to explore the myriad careers within the industry. 

“I can’t think of a more important educational initiative,” said Nirenberg. “The city’s cyber roots go almost as far back as our military history. Today San Antonio is second only to Washington, D.C., in terms of cybersecurity assets.”

Over the past few years, the US Cyber Command has brought more than 1,000 new jobs to San Antonio, resulting in hundreds of millions of dollars of economic impact. In addition to the robust cybersecurity industry, the city boasts over a dozen colleges and universities with cybersecurity programs.

Advancements continue to be made. According to the mayor, in the last two months, San Antonio has had two very exciting announcements related to work in cyber. First, the University of Texas–San Antonio (UTSA) announced a significant investment in its AI and data science national security collaboration center. With a $33 million investment, UTSA will be expanding its downtown campus by developing a National Security Collaboration Center (NSCC) and a School of Data Science.

Second, Texas A&M was invited to join Facebook’s cybersecurity university program. Together, Facebook and Texas A&M–San Antonio have opened a $63 million science and technology building. 

The collective investments are an indication that “San Antonio leadership gets it. Cybersecurity is an extraordinary priority for us,” Nirenberg said.

“We know our community needs to continue to fund innovation and continue to invest in our future workforce, as we continue to build what we call Cyber City, USA. The work you are doing is critical for all.” 

Categories: Cyber Risk News

Reported Cybercrime Jumps 14% in England

Mon, 12/03/2018 - 11:10

There has been an increase in the volume of cybercrime incidents reported to English police of 14% over the past two financial years, according to a new report.

Think tank Parliament Street filed Freedom of Information (FOI) requests with the country’s police forces, asking for a breakdown of Computer Misuse Act crimes which involve hacking, smart devices and/or connected devices.

Although it received back a full set of answers from just 14 out of a possible 39 forces, the findings could be viewed as illustrative of broader trends.

The total number of cybercrimes over the two-year period was 2547, rising from 1193 in 2016/17 to 1354 in 2017/18.

Of those appraised, Cleveland Police reported the most cases in 2017/18 with 356, followed by West Midlands (329) and Nottinghamshire Police (246).

The latter two also reported the biggest increases from the previous year, of 19% and 21% respectively.

However, interestingly, London’s Metropolitan Police reported a drop in cybercrime cases, from just 77 in 2016/17 to 49 in 2017/18.

Anecdotally, unauthorized access of email and social media accounts to obtain and distribute personal photos figured strongly in cases. On the corporate side, the report also highlights ransomware as a common factor in cases.

“It’s clear that the tidal wave of cybercrime is draining the resources of police forces as well as businesses. Tackling this problem requires a concerted effort to recruit staff equipped with the latest cyber skills as well as extending education and training opportunities to existing employees,” argued Sheila Flavell, chair of the Institute of Coding.

“As part of this effort, it’s vital that industry works more closely with academic institutions, to develop specialist flexible courses, so that skills within workforces increase dramatically.”  

The report itself calls for mandatory cyber training for all new police recruits in line with nationally recognized standards; more help from tech and social media companies to train officers; and an increase in STEM-qualified officers.

“As well as working closely with universities and training colleges, industry organizations should also offer placement years and consultancy to ensure that police forces are fully equipped to deal with this threat,” it advised.

The tech sector is stepping up to a certain extent: last week Cisco announced it would be providing free access to its Cisco Networking Academy to help train 120,000 officers.

Categories: Cyber Risk News

Kaspersky Lab's US Ban Appeal Thrown Out

Mon, 12/03/2018 - 10:22

Eugene Kaspersky has vowed that his firm will continue its mission to protect global organizations after a US court threw out its appeal to have a ban on federal use of its products overturned.

On Friday, the US Court of Appeals for the District of Columbia Circuit upheld a district court ruling that the September 2017 Binding Operational Directive (BOD 17-01) and the Congressional National Defense Authorization Act (NDAA) do not violate the constitution.

Kaspersky Lab had argued in court that they violate the Fifth Amendment by interfering with due process.

Russian intelligence is said to have used Kaspersky Lab products to spy on top secret US government programs, but the firm has always denied any collusion.

Kaspersky himself was sanguine about the outcome.

“The DC Circuit Court’s decision is disappointing, but the events of the past year that culminated in this decision were almost expected, and not just by our company, but by the cybersecurity industry in general,” he wrote in a blog post.

“We’re sure that the issues involved in our litigation go far beyond technical aspects of US constitutional law; they include real-world problems concerning everyone: a progression of protectionism and balkanization in a world of understated cyber-rivalry and highly sophisticated international cyber threats.”

The Moscow-headquartered firm had launched a Global Transparency Initiative in an attempt to restore trust with customers. This includes three new Transparency Centers in the US, APAC and Europe, where trusted partners can access reviews of the company’s code, software updates, threat detection rules and more.

The first such center was recently opened in Switzerland.

“We’re addressing customers’ concerns by ensuring that our own operations are transparent and trustworthy with a respected firm auditing our engineering practices and secure development processes,” explained Kaspersky.

“We constantly aim to be a part of the solution as the cyber threat landscape evolves. Regardless of whether we decide to pursue further legal action in response to today’s decision from the DC Circuit Court, we’ll remain committed to providing the best cybersecurity solutions for our customers globally and saving the world from cyber threats.”

Categories: Cyber Risk News

Sotheby’s Site Infected with Magecart for Over a Year

Mon, 12/03/2018 - 09:40

Sotheby’s has become the latest big-name brand to have its website infected with digital skimming code.

The venerable British auction house revealed on Friday that its New York-based e-commerce marketplace Sotheby’s Home, known formerly as Viyet, was affected.

According to the statement, on October 10 the firm discovered and “promptly removed” malicious code inserted onto the site by a malicious third party. However, it had been there since “at least” March 2017, meaning countless customers could have been affected over the 19-month period.

In fact, it could be even longer. Sotheby’s admitted: “we cannot be certain as to when the website was first victimized by this attack.”

“The code was designed to target the data you entered into the payment information form on the Sotheby’s Home website,” it added. “This information would include your name, address, email address and payment card number, expiration date, and CVV code.”

The incident would seem to indicate that the group behind this scheme infected the site directly, in a similar way to skimming attacks on British Airways and Newegg sites, rather than via a third-party supplier, as happened to Ticketmaster.

Given that it has taken nearly two months for the auctioneer to come clean about the incident, it could be in trouble with European GDPR regulators if any EU citizens’ data has been swiped — although that’s unlikely given the site is designed for only US customers.

However, it could be too late for many of those affected. RiskIQ claimed recently that British Airways and Newegg customers’ credit card details went up for sale on the dark web little more than a week after they were skimmed from the respective sites.

Several groups are thought to be actively using the code around the world, with recent revelations that one is even attempting to sabotage the activities of another in order to maximize its profits.

Categories: Cyber Risk News

Marriott Starwood Hack: Data of 500 Million Hotel Guests 'Compromised'

Fri, 11/30/2018 - 12:42

Hotel chain Marriott has confirmed widespread reports of a significant data breach with the sensitive details of 500 million customers possibly compromised.

In an online statement, the company said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.”

The statement explained that the information copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

“Marriott deeply regrets this incident happened,” the company added. “From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.” 

Javvad Malik, security advocate at AlienVault, said: “This seems like a particularly big breach, not just because of the number of records taken, but also the details that were contained within. It appears as if detection capabilities were not adequate, taking several weeks to notice the breach and extraction of records. It is good that the credit card database was encrypted, but if, according to the company, the attackers were able to take the decryption key, then it was of no use. The digital equivalent of leaving the key for the front door under the mat.”

Jake Moore, cybersecurity expert at ESET UK, advised victims of the breach to keep a watchful eye on where their data may end up.

“Be alert to the idea that hackers may well target you for the final few pieces of information that they couldn’t get hold of, perhaps in follow-up phishing emails, in an attempt to take over your identity in the coming days – if they haven’t done so already in the past,” he said. “This is particularly something to be mindful of if you visited one of the affected hotels on business and may not necessarily remember which hotels you visited.”

Categories: Cyber Risk News

Undervalued Assets Put Business at Risk

Fri, 11/30/2018 - 12:06

New research from the Ponemon Institute, in partnership with DocAuthority, found that IT security departments are underestimating the value of business documents by hundreds of thousands of dollars.

In a newly published report, the Ponemon Institute found that despite being responsible for their management and protection, IT security departments are undervaluing a range of business assets, from research and development to financial reports. In contrast, they are over-prioritizing less-sensitive data related to personally identifiable information (PII).

The study found that IT security departments predicted that it would cost a business $306,545 to reconstruct an R&D document, while the R&D department estimated the reconstruction cost at $704,619, more than double what the IT security department estimated.  

Additionally, IT security departments estimated the impact of a financial report being leaked at $131,570, compared to the $303,182 that the finance department believes it would incur from a security incident.

“The recent Ponemon report about data value illustrates the importance of understanding the relationships between organizations and third parties and the value of the information being shared. Only by doing so can organizations fully understand risk and properly prioritize effort and control,” said Matan Or-El, CEO of Panorays.

When IT security departments undervalue these assets, they also underestimate the safeguards that should be put in place in order to protect the business assets, thereby increasing the security risk.

The report also found that when organizations underinvest in protecting the more critical data, the result is money wasted on protecting meaningless data or the mishandling of access rights for employees.

“Typically, the security and protection of business data is considered to be the responsibility of the IT security department. Yet it’s clear from this research that IT security does not have the vitally important context required to understand the true value of that data and, in turn, create an effective strategy for defending it,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a press release. “Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole.”

Categories: Cyber Risk News

Request for Gift Card Purchases in Phishing Emails

Fri, 11/30/2018 - 11:44

Hackers are deep in the spirit of exploiting the holidays for financial gain, which is why it’s unsurprising that yet another new type of spear phishing attack has emerged, in which attackers are posing as CEOs to trick office managers, executive assistants and receptionists into sending them gift cards, according to email security researchers at Barracuda Networks.

Since early October, the researchers have reportedly seen an uptick in these types of attacks. Unlike other phishing campaigns that include attachments, these emails do not have malicious links or files included. What also seems to be working effectively is that they are often sent from trusted email domains.

As a result, traditional email filters often do not recognize them as threats. Additionally, the attackers capitalize on the urgency of the holidays and pose the request as a company surprise to discourage the victim from confirming the legitimacy of the request.

Using the social engineering tactics of CEO impersonation, requests for secrecy, researching relevant details and implied urgency, the attackers are specifically and intentionally exploiting people’s good cheer during the holidays.

In another example, an email message sent “from my Sprint Wireless 4G LTE Smartphone” asks the recipient to pick up gift cards to be distributed to staff but requests that she keep the transaction confidential.

“In all of these attacks, the emails were sent from free personal email services with a relatively high reputation. In addition, they do not contain any type of malicious payload, such as links or attachments,” wrote Barracuda’s Asaf Cidon, VP of content security services.

“Instead the emails rely solely on social engineering and impersonation to trick their targets. These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals.”
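Because these messages carry no link or attachment, detection has to combine the sender and wording cues the researchers describe. The following is an added sketch, not Barracuda's detection logic or code from the report; the executive roster, company domain, free-mail list, keyword patterns, threshold and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative assumptions (not from the article): roster, domains, keywords.
EXECUTIVES = {"dana whitfield"}          # hypothetical CEO display name
CORP_DOMAIN = "example.com"              # hypothetical company domain
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "aol.com"}
CUES = {
    "gift_card": re.compile(r"\bgift\s*cards?\b", re.I),
    "secrecy": re.compile(r"\b(confidential|surprise|keep (this|it) quiet)\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|asap|right away|today)\b", re.I),
}
URL = re.compile(r"https?://|www\.", re.I)

def score_message(raw):
    """Return the list of cues that fire for one RFC 5322 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    parts = list(msg.walk())
    body = "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")
    reasons = []
    # Display name claims an executive while the address is outside the company.
    if name.strip().lower() in EXECUTIVES and domain != CORP_DOMAIN:
        reasons.append("exec_name_external_sender")
    if domain in FREE_MAIL:
        reasons.append("free_mail_sender")
    text = msg.get("Subject", "") + "\n" + body
    reasons += [label for label, rx in CUES.items() if rx.search(text)]
    # No payload is only meaningful alongside the social-engineering cues.
    if not URL.search(body) and not any(p.get_filename() for p in parts):
        reasons.append("no_links_or_attachments")
    return reasons

def is_suspect(raw, threshold=4):
    """Flag for review when a gift card request co-occurs with enough cues."""
    reasons = score_message(raw)
    return "gift_card" in reasons and len(reasons) >= threshold

# Constructed sample messages (not taken from the Barracuda report).
SCAM = """\
From: "Dana Whitfield" <dana.whitfield.ceo@gmail.com>
To: office.manager@example.com
Subject: Quick favor

I need you to pick up 10 gift cards for the staff today.
Keep it confidential, it is a surprise. Sent from my smartphone.
"""
NEWSLETTER = """\
From: "HR Team" <hr@example.com>
To: all@example.com
Subject: Holiday raffle

Raffle winners receive gift cards: https://intranet.example.com/raffle
"""
```

A flagged message is a candidate for out-of-band confirmation with the named executive rather than automatic blocking, since each cue on its own also appears in legitimate mail.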

Categories: Cyber Risk News