Cybersecurity continues to be a top concern for financial institutions globally, but CISOs are split on their top priorities for securing their organizations against cyber-attacks.
According to the Financial Services Information Sharing and Analysis Center (FS-ISAC) 2018 CISO Cybersecurity Trends report, 35% of CISOs surveyed said that employee training is a top priority for improving security posture in the financial sector (respondents were all FS-ISAC members). Infrastructure upgrades and network defense were prioritized by 25% of CISOs, and breach prevention was the main thrust for 17%.
Notably, while cybersecurity used to be handled in the server room, it is now a boardroom topic. The study found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis. In the era of increasing security threats and vulnerabilities, CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defenses is a top priority.
The report also found that CISOs reporting into a technical function like CIO tended to prioritize infrastructure upgrades, network defense and breach prevention. On the other hand, CISOs reporting into a non-technical function like COO or general counsel prioritized employee training. The majority of CISOs still don’t report to the CEO (only 8%).
In the report, FS-ISAC encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an "at the ready" risk posture and that cyber-practices are transparent to board members. CISOs should also have expanded reporting responsibilities or dual-reporting responsibilities within the corporate structure to ensure critical information flows freely. Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making, the group pointed out.
The report also included a list of best practices for security. Dovetailing with the priorities of the respondents, the group recommends training for employees, regardless of reporting structure, because employees serve as the first line of defense. This should include awareness about downloading and executing unknown applications on company assets and in accordance with corporate policies and relevant regulations, as well as training employees on how to report suspicious emails and attachments.
“Cybersecurity preparedness starts with proper training of employees,” said Kathie Miley, COO of Cybrary, via email. “We all know that cyber education is critical for today’s businesses, but it is particularly imperative for the financial sector. The bottom line is that employees must be held responsible and accountable for cybersecurity training and they need to understand the basics of cyber hygiene – it’s not just the job of the CISO or IT security teams anymore.”
She added, “Continuous learning should become a nonnegotiable requirement in every organization, at every level. We need to let staff learn and become part of the solution. Specifically, cybersecurity training programs within organizations should be distinct to their role; identify critical assets and expose employees to the impact of vulnerabilities on the organization, their job and their customers or stakeholders.”
Credit reporting agency Equifax is bringing in a ringer to help clean up from the massive data breach that affected nearly every adult American last year.
The company has named Jamil Farshchi as its CISO. Farshchi is perhaps best known for being the person who took up the reins as CISO at The Home Depot in March 2015, just months after Home Depot itself discovered an enormous point-of-sale (PoS) breach, which resulted in 56 million customers’ credit card information being compromised.
Farshchi managed to steer the home improvement and DIY giant back into customer confidence, and he’s expected to do the same for Atlanta-based Equifax. He will assume “company-wide leadership of work already underway to transform the company's information security program and collaborate with the industry to share best practices on information security,” the company said.
He fills the open position left by Susan Mauldin, who abruptly retired in disgrace from the company after the breach was disclosed in late 2017.
"Jamil has a reputation for helping enterprises rebuild and fortify information security programs,” said Equifax interim CEO Paulino do Rego Barros Jr. “His expertise in risk intelligence and cybersecurity combined with his intimate knowledge of industry best practices will allow us to design and deploy a best-in-class, global security strategy to reestablish ourselves as a trusted leader."
He has his work cut out for him: The Equifax breach dwarfs Home Depot’s, consisting of 143 million compromised records. Criminals made off with names, Social Security numbers, dates of birth and physical addresses. Credit-reporting companies also have information on credit accounts, including the type of account, when it was opened, the limit, and the balance and payment history, and information on consumers' address history and debt. In all, the breach touched 45% of the entire US population, which translates to most of the adults in the nation.
Prior to his role at The Home Depot, Farshchi was the first global CISO at Time Warner and has held positions at Visa, Los Alamos National Laboratory, Sitel Corporation, Nextwave Broadband and NASA. He holds a master's degree from the University of Pennsylvania’s Wharton Business School and a bachelor's degree in Business Administration from the University of Oklahoma.
"Equifax is a company with tremendous potential, and I am confident that we will transform our security program into one of the most advanced and recognized globally," said Farshchi. "I am grateful for this new challenge and am looking forward to enabling the business with new insights, a fresh perspective, and a multi-dimensional way of thinking about global data stewardship and information security."
For CISOs in the US and UK, relentless, internet-scale threat campaigns and the sense that security teams are ill-equipped to stop them are near-universal pain points.
To better understand security leaders’ prevailing attitude toward the digital threat landscape, RiskIQ surveyed 1,691 CISOs from multiple verticals, including enterprise, consulting, government and education. The results show that with rapidly escalating digital threats now well documented and acknowledged, 89.1% of all information security leaders are concerned about the rise of digital threats. The top three concerns are phishing and malware attacks on employees and customers; brand impersonation, abuse, and reputational damage; and information breaches.
Interestingly, the issue giving CISOs the most anxiety isn’t actually the threats themselves, but a troubling shortage of staff and viable technology that can help stem the tide. As cybercriminals take advantage of vulnerabilities and lax security oversight across a business’s web, social and mobile assets, 67% of respondents claimed not to have sufficient staff to handle the daily barrage of cyber-alerts they receive.
This sentiment aligns with findings in the IDG Connect: 2017 State of Digital Defense Research Report, published in October 2017, which showed that 68% of IT organizations have no more than modest confidence in their ability to manage digital threats, despite a majority significantly increasing their near-term digital defense investments.
This likely accounts for why 37% of firms have engaged a managed security provider to help monitor and manage cyber-threats.
“A lack of experienced staff to monitor and protect organizations from threat campaigns such as malvertising, phishing, and state-sponsored attacks will only get worse as businesses continue to expand their digital footprints in the pursuit of growing their business,” the firm said in its report.
Unsurprisingly, 60% of respondents expect digital threats to surge as their organizations increase online engagement with customers.
The Business Email Compromise (BEC) epidemic shows no signs of abating, after Proofpoint revealed a 17% increase in attacks last year.
The security vendor analyzed over 160 billion emails sent to more than 2400 companies spanning 150 countries to compile its 2017 Email Fraud Threat Report.
It revealed that by the fourth quarter, nearly 89% of all organizations were targeted by at least one attack — a major jump from the 75% targeted in Q4 2016.
Proofpoint claimed that attacks are typically low in volume but expanding within organizations to target more people across more units, and spoofing more identities.
The average number targeted in each organization was 13.
Most attacks are designed with wire transfer fraud in mind, with almost a third of emails containing the word “payment” in the subject line. Scams also coincided with the US tax deadline in Q1.
“To sound legitimate, the attackers manipulate the tone of their email copy. They take on different personalities, including ‘the authoritarian’ who uses a direct and urgent approach, or ‘the conversationalist’ who builds a dialogue before asking for the request,” Proofpoint explained.
“We also saw an increase in the number of ‘fake email chain’ messages, where the attacker will create a false email history to give a realistic experience and appear more credible. By Q4, more than 11% of all email fraud attacks included a variation of this tactic.”
The good news is that government agencies in the US and UK are implementing DMARC to help reduce email fraud. However, Proofpoint warned that fraudsters also use display name spoofing and lookalike domain spoofing to bypass fraud filters, meaning a multi-layered response is essential to mitigate risk.
In May 2017, the FBI issued a notice claiming that BEC scams had cost businesses an estimated $5bn over the previous three years, with losses rising 2370% from January 2015 to December 2016 alone.
European SMBs were forced to pay out nearly $100m to regain access to locked computers, as ransomware continued to cause major disruption across the region last year, according to Datto.
The data protection firm spoke to 150 managed service providers (MSPs) serving over one million SMBs across Europe to compile its State of the Channel Ransomware Report.
It revealed that nearly 5% of SMBs fell victim to ransomware last year, paying out $98m between Q2 2016 and Q2 2017. However, on top of this, 78% of MSPs said their clients also reported "business-threatening" downtime.
Even major enterprises like Maersk and FedEx have been caught out by ransomware, both reporting related operational losses of $300m after the NotPetya attacks.
“The impact of ransomware can be threefold. The combined cost of the ransom, downtime and any reputation damage suffered can have a potentially business-threatening effect on an SMB, so there needs to be a greater understanding around it,” argued Datto SVP Mark Banfield.
“This can be helped by encouraging victims to report attacks, providing authorities with real-life data that can be used to improve general awareness, prevention, detection and prosecution of perpetrators.”
Over a fifth (22%) of MSPs claimed multiple attacks were launched against clients in a single day. Most (99%) believe the frequency of attacks targeted at SMBs will increase over the next two years.
Some 18% of the 21% of SMBs that paid up did not receive the decryption key – which should serve as a reminder of the dangers of acquiescing. Less than a third (33%) of attacks were reported to the authorities.
Despite the continued dangers, awareness seems to be lacking among the SMB community.
Although 91% of MSPs said they are “highly concerned” about the business threat of ransomware, only 35% of SMBs said they felt the same.
MSPs cited a lack of cybersecurity training (45%) as the number one cause of successful ransomware attacks, closely followed by phishing emails (42%), which in any case can only work if the user is duped into clicking.
Trend Micro claimed to have detected over 82 million ransomware threats in the first half of 2017 alone.
However, some researchers have claimed that cyber-criminals are increasingly looking for even easier ways to make money, such as via crypto-mining malware.
A war of words has broken out between a little-known Italian crypto-currency exchange and the development team of the Nano currency over a suspected theft of around $170m.
Bitgrail posted a note on Friday claiming that it had temporarily suspended withdrawals and deposits and contacted police after noticing unauthorized withdrawals from the firm’s digital wallet to the tune of 17m Nano, a digital currency formerly known as RaiBlocks.
Reports then emerged that Bitgrail founder Francesco Firano had asked the Nano development team to fork the currency in order to restore the stolen funds.
The team responded angrily in a blog post in which it said it was preparing evidence including blockchain entries, chat logs and screenshots for the police.
“In our conversation yesterday (which you can find attached here, this link has been edited to redact a private email.), Firano informed us of missing funds from BitGrail’s wallet. An option suggested by Firano was to modify the ledger in order to cover his losses – which is not possible, nor is it a direction we would ever pursue,” they said.
“We now have sufficient reason to believe that Firano has been misleading the Nano Core Team and the community regarding the solvency of the BitGrail exchange for a significant period of time.”
Rumors had broken out that Bitgrail may be trying to scam its users after a decision to update its terms of service, effectively ending support for non-European users.
Firano has now responded in a new statement claiming he has filed a complaint for aggravated defamation against the Nano developers for their comments.
He also claimed that the bugs exploited by the hackers were not attributable to Bitgrail software, and that the firm was readying a recovery plan.
High-Tech Bridge CEO Ilia Kolochenko claimed it was too early to tell who was in the right.
“I would not blame anyone prior to a rigorous technical investigation. Many blockchain start-ups simply neglect and carelessly disregard the fundamentals of cybersecurity,” he argued.
“Their negligence cannot help but attract cyber-gangs who can steal their crown jewels with almost absolute impunity. Money laundering with digital coins is also pretty simple. I think 2018 will mark more notorious cases of similar incidents.”
Just in time for Valentine’s Day, the Necurs botnet has mounted a massive spam campaign focused on dating lures.
The uptick started in mid-January 2018 and continues as time draws near for Valentine’s Day on February 14, according to IBM X-Force.
The campaign delivers short email blurbs from supposed Russian women living in the US. While typical spam email is notorious for bad spelling and grammar, these samples are rather well worded, IBM X-Force found. Many of the messages indicated that the recipient had a profile on Facebook or on Badoo, which is a Russian dating-focused social network. Badoo is the third-most popular dating app in Russia but is available internationally.
The Necurs botnet is notorious for its massive spam campaigns and is believed to control more than 6 million zombie bots. This latest romance-themed effort has been responsible for more than 230 million spam messages in the last two weeks, with average volumes in excess of 30 million emails per day. The spammers constantly shuffle the resources they leverage in campaigns, so the originating IPs logged in one campaign are unlikely to reappear in the next, which helps them evade blacklists and blocking.
Each spam email comes from a disposable email address carrying the alleged writer’s name; it then asks the recipient to contact the writer using another email address with another person’s name on it.
“Romance scams and spam featuring messages from supposed interested women is an old ploy. Such emails usually feature nothing more than some basic text and are not very likely to lure many people in,” X-Force researchers said. “However, when it comes to spam, mass volume makes for a numbers game, and fraudsters only need a small percentage of recipients to reply. Those behind this campaign will likely lure their victims to share revealing photos and extort them, ask for money to come visit, or end up infecting them with malware.”
Necurs is most known for its ties to malware gangs that spread banking Trojans, like Dridex and TrickBot, as well as ransomware, like Locky, Scarab and Jaff. But IBM X-Force said that its operators dabble in distributing spam for other fraud endeavors as well. In 2017 for instance, Necurs was sending mass amounts of “pump and dump” stock scams designed to make recipients believe a penny stock was about to rise in value. Once enough people buy the stock and it actually rises in value, the scammers sell off their shares, at which point they make a profit. The penny stock then drops back to its real market value, and those who bought it can easily be left with nothing but losses.
“Preying on seasonal trends is probably the top characteristic of email spam. The first quarter of the year typically plagues email recipients with tax season spam and romance scams that start arriving in January, leading up to Valentine’s Day,” researchers said, adding that users can protect themselves by remaining wary of unsolicited email.
Managed security services providers (MSSPs) are wasting enormous resources processing useless security alerts, research has revealed.
Advanced Threat Analytics (ATA) found that the problem impacts staffing, operational business models and security effectiveness. Additionally, the survey found that incident responders often cope with this problem by either reducing the sensitivity of security equipment or ignoring alerts altogether.
ATA polled nearly 50 MSSPs to evaluate the state of incident response within their security operations centers (SOCs). Nearly 45% of respondents investigate 10 or more alerts each day (22% investigate between 10 and 20 alerts each day, 11% investigate 20-40 daily, and 11% investigate 50 or more).
This is time-consuming: 64% state that, on average, it takes 10 minutes or more to investigate each alert; 33% say it takes between 10 and 20 minutes to investigate each alert, 20% say it takes between 20 and 30 minutes, and 11% state it takes 30 minutes or more.
Unfortunately, a full 44% of respondents report a 50% or higher false-positive rate: About a fifth (22%) experience a 50-75% false-positive rate, while the rest report a rate of 75-99%.
“This research shows that MSSPs are still on the receiving end of an oppressive number of daily security alerts, forcing many analysts and incident responders to spend hours – in some cases, more than five – each day investigating them, many of which turn out to be false-positives,” said Alin Srivastava, president, ATA. “Devoting so much time to benign alerts severely compromises security effectiveness, as analysts are distracted from acting on actual threats and incidents.”
Staff inefficiency isn’t the only outcome associated with alert overload. It’s also forcing SOCs to compromise in other critical areas as well. When asked what they do if their SOC has too many alerts for analysts to process, respondents said they tune specific alerting features or thresholds to reduce alert volume (67%); ignore certain categories of alerts (38%); turn off high-volume alerting features (27%); and hire more analysts (24%).
“Many MSSPs are expanding their teams in an effort to keep up with alert volume, which isn’t a sustainable model, while others change operational processes, like turning off security features or ignoring certain alerts, which greatly increases the risk that legitimate security events will go undetected,” continued Srivastava. “The most effective way for MSSPs to break free from alert tyranny is to invest in technology that decreases the number of incidents generated rather than in traditional SIEM [security information and event management] and incident orchestration solutions, which only reduce the time it takes to investigate each one.”
When survey respondents were asked what they felt was the main responsibility of their job, 70% said analyzing and remediating security threats; 20% said limiting the number of alerts sent to clients for review; 5% said investigating as many alerts as possible; and the remaining 5% said reducing the time it takes to investigate a security alert.
An aggressive Bitcoin-stealing phishing campaign mounted by the international cybercrime group Lazarus and using sophisticated, brand-new malware has been uncovered.
McAfee Advanced Threat Research (ATR) analysts discovered the campaign, dubbed HaoBao. It resumes Lazarus’ previous phishing email efforts, which used lures aimed at employee recruitment and targeted US defense contractors, the energy sector and financial institutions, including cryptocurrency exchanges. The objective was to gain access to the target’s environment and obtain key military program insight or steal money. Those efforts ceased in October 2017 but are ramping up again; and this time, the targeted emails are aimed at Bitcoin users and global financial organizations.
In mid-January, McAfee discovered a malicious document masquerading as a job recruitment ad for a “Business Development Executive” for a large, multinational bank located in Hong Kong. The document was distributed via a Dropbox account. When recipients open the malicious documents attached to the emails, they are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the recipients' system via a Visual Basic macro.
The malware scans for Bitcoin activity and then establishes a secondary implant for long-term data gathering. The interesting thing is that the implants have never before been seen, and indicate a newly sophisticated level of attack.
“This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017,” explained McAfee analyst Ryan Sherstobitoff in an analysis. “McAfee ATR analysis finds the dropped implants…have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence.”
He added that there’s no indication that Lazarus won’t continue its efforts.
“Despite a short pause in similar operations, the Lazarus group targets cryptocurrency and financial organizations,” said Sherstobitoff. “Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.”
IBM has finally released patches to mitigate the notorious Spectre and Meltdown vulnerabilities on its Power server line, whilst adding protection from a new flaw affecting its Notes collaboration platform.
Spectre and Meltdown were first made public at the very start of the year, sending system administrators into a patching frenzy — a process complicated by the fact that several fixes subsequently caused new problems for some systems.
IBM seems to have taken its time over the new fixes, which address vulnerabilities that, it said, “make use of speculative execution to perform side-channel information disclosure attacks.”
“The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks but differ in the way that speculative execution is exploited,” an advisory published on Saturday noted.
“These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but they could allow a party that has access to the system to access unauthorized data.”
IBM said Power customers must install patches to system firmware and operating systems — with the former a pre-requisite for the latter to be effective.
Firmware patches for Power7, Power7+, Power8 and Power9 are available via FixCentral, as are IBM i operating system patches.
AIX OS patches are available from a separate website, while Linux OS patches are available through partners Red Hat, SUSE and Canonical.
IBM has also been forced to issue an interim fix for CVE-2017-1711, a vulnerability given a CVSS base score of 5.3, which the server giant interprets as “High Impact/Medium Probability of Occurrence.”
It noted that: “IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a Windows DLL in the temp directory.”
The issue affects IBM Notes 8.5.x and 9.0.x versions.
Over 4000 websites including several belonging to UK and US government agencies were found over the weekend to be running hidden crypto-mining malware.
Security researcher Scott Helme first investigated the website of the Information Commissioner’s Office (ICO) after a tip-off that AV filters were raising red flags.
“At first the obvious thought is that the ICO were compromised so I immediately started digging into this after firing off a few emails to contact people who may be able to help me with disclosure. I quickly realised though that this script, whilst present on the ICO website, was not being hosted by the ICO, it was included by a third-party library they loaded,” he explained.
“If you want to load a crypto miner on 1,000 websites you don't attack 1,000 websites, you attack the one website that they all load content from. In this case it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”
Some of the sites affected by CoinHive included United States Courts, the General Medical Council, the UK’s Student Loans Company, NHS Inform and many others.
Helme argued that mitigating the attack only requires a small code change to how the Browsealoud script is loaded.
“What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page,” he explained.
“To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute.”
The good news is the attack took place on Sunday morning and Texthelp has been quick to recognise the issue and take its service temporarily offline to fix it.
Crypto-mining is an increasingly popular way for cyber-criminals to make money; in fact, many are turning away from ransomware to focus on the new tactic, according to Cisco Talos.
IBM claimed to have seen a six-fold increase in crypto-mining malware attacks between January and August 2017.
Visitors to the official website of the Winter Olympics were left high and dry over the weekend after a cyber-attack made it unavailable for around 12 hours.
The incident happened shortly before the opening ceremony on Friday, with the issue only resolved by 8am the next day local time.
Reports suggest Wi-Fi connectivity and televisions in the media center also went down ahead of the ceremony.
Pyeongchang 2018 spokesperson Sung Baik-you confirmed the incident was a cyber-attack and that the cause was known.
“They know what happened and this is a usual thing during the Olympic Games. We are not going to reveal the source,” he told reporters.
“We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with.”
Given North Korea’s recent warming of ties with the South, all eyes are on Russia, whose Olympic committee and nearly 200 athletes were banned from the games back in December after being found guilty of widespread state-sponsored doping at the Sochi games.
The Kremlin-linked Fancy Bear group has already been spotted ramping up its information warfare efforts, aimed at discrediting the games.
The website outage isn’t the only cyber-attack causing problems for event organizers.
“The new document contained the same metadata properties as those related to Operation GoldDragon and sought to gain persistence on systems owned by organizations involved with the Winter Games,” said McAfee senior analyst Ryan Sherstobitoff.
“It is clear attacks are ongoing and are likely to continue throughout the duration of the games; what is yet to be determined is if actors are working simply to gain disruption or if their motives are greater. McAfee analysts are continuing to monitor the situation.”
Financially motivated cybercriminals always go for low-hanging fruit. That means leveraging existing attack tools rather than developing new ones, using the same attack on as many victims as possible and targeting mass amounts of devices. Research shows that in the last few months, those “fruits” have started to include assets that are generally more difficult to patch: servers.
According to Skybox Security’s inaugural Vulnerability and Threat Trends Report, during 2017, the vast majority of exploits affected server-side applications (76%), up 17 points since 2016. At the same time, the number of known vulnerabilities doubled.
That’s savvy, because for enterprises, dealing with server-side vulnerabilities is always more difficult: the higher-value assets require more consideration than simply whether a patch is available.
“As more functions rely on servers than on clients, organizations need to have the means to understand these server-side vulnerabilities in the context of the asset criticality, the surrounding topology and security controls and the exploit activity in the wild,” said Skybox Security CTO Ron Davidson. “Only then can they accurately decide the optimal patching priority and schedule.”
The increase in server-side exploits corresponds with the continued decline in the use of exploit kits relying on client-side vulnerabilities, which accounted for only a quarter of exploits in the wild in 2017. This is due in part to the demise of major exploit kit players like Angler, Neutrino and Nuclear, with no comparable front-runner rising to replace them.
“This does not mean, however, [that] exploit kits are gone,” said Marina Kidron, senior security analyst and group leader of the Skybox Research Lab. “If there’s one thing we know about cybercriminals, it’s that they’re constantly changing tactics, and so the next ‘exploit kit giant’ is very likely in development as we speak. We also suspect that some kits have gone private and are used exclusively by their developers in hopes of prolonging their viability.”
Instances of newly published sample exploit code have also increased, with the monthly average jumping 60% in 2017. With minimal adjustments, or none at all, attackers can turn these samples into fully functioning exploits for their own use. This was the case with the NSA EternalBlue exploit leaked by The Shadow Brokers and used in the WannaCry and NotPetya attacks, among others. Such leaks are putting advanced attack tools in the hands of lower-skilled cyberattackers, enhancing the capabilities of an already well-outfitted threat landscape, the firm noted.
“Organizations need to stay up to speed with not only active exploits in the wild,” said Kidron, “but also factor in vulnerabilities with available exploit code to their prioritization processes. While the latter set doesn’t represent an imminent threat, they can make the jump to active exploitation very quickly – security teams need actionable intelligence at the ready when they do.”
The report also shows that in 2017 there was a 120% increase in new vulnerabilities specific to operational technology (OT), compared to the previous year (OT includes monitoring and control devices common in critical infrastructure organizations such as energy producers, utilities and manufacturers, among others). This spike is particularly concerning as many organizations have poor or nonexistent visibility of the OT network, especially when it comes to vulnerabilities as active scanning is generally prohibited.
“OT is too often in the dark, and that means security management isn’t getting the full picture of cyber-risk in their organization,” said Kidron. “Even when patchable vulnerabilities are identified, OT engineers are understandably hesitant to install the update, as it could disrupt services, cause equipment damage or even risk life and limb. Organizations with OT networks need to have strategies in place not just for OT vulnerability assessment and patching prioritization but also to unify such processes with those in the IT network to truly understand and manage risk.”
Overall, new vulnerabilities cataloged by MITRE’s National Vulnerability Database doubled in 2017. The jump was largely due to organizational improvements at MITRE and increased security research by vendors and third parties, including vendor-sponsored bug bounty programs, Skybox Security found. The result is more than 14,000 newly assigned common vulnerabilities and exposures (CVEs).
“In 2017, if you were still relying on traditional prioritization methods like CVSS scores only, your laundry list just got longer,” said Davidson. “In the year ahead, we may well see an even higher figure. Organizations have got to take a drastically different approach to vulnerability management.”
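The prioritization the Skybox quotes argue for, written out as an added example (not Skybox's own scoring model): CVSS is one input, and exploit activity in the wild, published sample exploit code, asset criticality, exposure and the OT patching dilemma adjust the queue. The weights, asset names and placeholder CVE ids are constructed for illustration.

```python
"""Context-aware patch prioritization (added example, not Skybox's scoring).

Ranks vulnerabilities the way the quotes above argue for: CVSS alone is only
one input; exploit activity in the wild, available sample exploit code,
asset criticality and network exposure move items up or down the list.
Weights and sample records are constructed for illustration.
"""
from dataclasses import dataclass

# Exploit state as the text distinguishes it: nothing public, sample exploit
# code published (can "make the jump" quickly), or active exploitation.
EXPLOIT_WEIGHT = {"none": 0.0, "poc": 2.0, "active": 4.0}
# Reachability from an attacker's position: isolated OT segment, internal
# network, or internet-facing.
EXPOSURE_WEIGHT = {"isolated": 0.5, "internal": 1.0, "internet": 1.5}


@dataclass(frozen=True)
class Finding:
    cve: str             # placeholder ids below, not real CVE numbers
    asset: str
    cvss: float          # base score 0-10
    exploit: str         # "none" | "poc" | "active"
    exposure: str        # "isolated" | "internal" | "internet"
    criticality: int     # 1 (low) .. 5 (crown jewel)
    ot: bool = False     # OT device: patching may disrupt or damage equipment


def priority(f: Finding) -> float:
    """Higher is more urgent. CVSS is scaled by exposure, then exploit state
    and asset criticality are added, so a moderate CVSS with an active exploit
    on a critical, internet-facing host outranks an unexploited 9.8."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    score += EXPLOIT_WEIGHT[f.exploit]
    score += f.criticality * 0.8
    return round(score, 2)


def recommended_action(f: Finding) -> str:
    """Turn the score into a queue decision. OT devices with any exploit get
    compensating controls first, because an update can take a process down
    (the hesitation the OT quote describes)."""
    p = priority(f)
    if f.ot and f.exploit != "none":
        return "isolate/segment now, schedule patch in maintenance window"
    if p >= 14:
        return "patch within 72h"
    if p >= 10:
        return "patch this cycle"
    return "backlog, re-evaluate when exploit status changes"


def rank(findings):
    """Most urgent first."""
    return sorted(findings, key=priority, reverse=True)


SAMPLE = [  # constructed records; CVE ids are placeholders
    Finding("CVE-XXXX-0001", "web-gw-1", 7.5, "active", "internet", 5),
    Finding("CVE-XXXX-0002", "build-srv", 9.8, "none", "internal", 2),
    Finding("CVE-XXXX-0003", "plc-line-4", 8.1, "poc", "isolated", 5, ot=True),
    Finding("CVE-XXXX-0004", "dev-laptop", 5.3, "poc", "internal", 1),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.2f} {f.cve} {f.asset:10} {recommended_action(f)}")
```

Note that the 9.8 on the internal build server drops below the actively exploited 7.5 on the gateway, which is the point Davidson and Kidron make against CVSS-only lists.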
The dental hygiene-focused cryptocurrency known as Dentacoin has widened its availability with partnerships with Arklign Laboratories and PCP Dental Recruitment.
Arklign, a full-service dental laboratory based in San Jose, California, fabricates dental restorations and allows patients to track their services via the Arklign Case Relationship Management (aCRM) online patient portal. The deal is Dentacoin’s first in North America.
Meanwhile, PCP Dental Recruitment works with the NHS and with mixed and private practices in the UK to help the practices find dental nurses, hygienists/therapists, dentists, dental receptionists and practice managers. This expansion takes the blockchain to new areas of the dental ecosystem.
Dentacoin was pioneered as a custom currency to be used as a loyalty program concept. Patients can earn rewards (in the form of Dentacoin) for writing reviews of their mouth-care providers. All participants on the company’s Trusted Review Platform are rewarded for their contribution regardless of whether it’s positive or negative. The resulting Dentacoins can then be used to pay for future dental treatments or procedures or can simply be used to house stored value.
In future, PCP Dental Recruitment said that it will also consider accepting payments in Dentacoin for its professional recruitment services.
So far, 14 dental clinics have started accepting payments in Dentacoin, and the number of dentists and dental practices registered on the Trusted Review Platform is over 900, according to Dentacoin. Meanwhile, more than 700 new active users are signing up every week.
The business model showcases potential new uses of cryptocurrency. As the company explained in its press materials:
Think about the last time you visited your dentist. What was that experience like for you? Did you go home and tell your spouse about your experience? What about your co-workers? Did it even cross your mind that you should tell someone about your visit to the dentist? If you are like most people, the answer to that question is probably no. When it comes to talking about our experiences in the health industry, people are more likely to complain or praise a doctor or nurse, but not very much attention is given to the dental industry in terms of feedback or otherwise. Dentacoin wants to shed some light on the dental industry and help the industry become more robust and patient-focused so that people will rant and rave about their experiences.
It added, “While the cost of healthcare and dental care continues to rise, Dentacoin wants to help cut the costs associated with seeing a dentist and bridge the gap for people who need access to better dental care around the world.”
Millions of smart TVs can be controlled by hackers exploiting a vulnerability in the Roku smart-TV platform, allowing them to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content or kick the TV off the Wi-Fi network.
According to Consumer Reports, the remote takeover flaw affects Samsung and TCL televisions, the Roku Ultra set-top streaming device and other brands that use the Roku platform, including Hisense, Hitachi, Insignia, Philips, RCA and Sharp.
“We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening,” Consumer Reports said. “To a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.”
The good news is that the problem does not allow a hacker to spy on the user or steal information.
The Roku vulnerability involves the application programming interface, or API. “Roku devices have a totally unsecured remote-control API enabled by default,” said Eason Goodale, lead engineer at Consumer Reports security partner Disconnect. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”
To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same Wi-Fi network as the television and then visit a site or download a mobile app with malicious code. Phishing emails or mobile malvertising could achieve this.
Roku pushed back on the idea that this is a vulnerability. “There is no security risk to our customers’ accounts or the Roku platform with the use of this API,” a Roku spokesperson said, noting that the External Control feature can be turned off in the settings. However, Consumer Reports noted that this will also disable control of the device through Roku’s own app, limiting functionality.
The Samsung vulnerability meanwhile can be exploited only if the user has installed a TV remote-control app on their mobile device. From there, visiting a malicious webpage using that device (again, this could be achieved by malicious, social-engineering emails) would execute the code.
“Samsung smart TVs attempt to ensure that only authorized applications can control the television,” Goodale said. “Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.”
Samsung, which said it’s evaluating the issue, told Consumer Reports: “We appreciate Consumer Reports’ alerting us to their potential concern.” The company said that a patch “will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible.”
The advocacy group uncovered the vulnerabilities via testing based on its Digital Standard, which was developed in partnership with cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security and other digital rights.
“The Digital Standard can be used to evaluate many products that collect data and connect to the internet,” says Maria Rerecich, who oversees electronics testing at Consumer Reports. “But smart TVs were a natural place to start.”
Further evaluation showed an additional problem: Smart TVs across the board also collect a raft of information on users, creating potential privacy concerns. For one, they identify every show a user watched, using automatic content recognition, or ACR. The viewing information can be combined with demographics data and used for targeted advertising.
The impact is widespread: 82 million smart TVs are in US consumer hands today, and they represent the lion’s share of new television purchases. According to market research firm IHS Markit, 69% of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018.
“These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners,” Rerecich said. She added that in a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51% were at least somewhat worried about the privacy implications of smart TVs, and 62% were at least somewhat worried about the sets’ security practices.
Sony responded to the criticism: “If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.”
Consumer Reports noted that consumers can indeed limit data collection, but in order to do that, they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for.
Over two-thirds (69%) of global consumers say they’d boycott any company they believe does not take data protection seriously, with many resorting to submitting false details in a bid to safeguard their personal info (PII), according to RSA Security.
The security vendor polled over 7500 adults in the US, UK, France, Germany and Italy to compile its Data Privacy and Security Report.
Surprisingly, it found that 41% of consumers are actively submitting erroneous personal data with companies when signing up for products and services because they have little faith in that information being kept safe or not being used for intrusive marketing.
A further 78% said they try to limit the amount of personal data they share.
The findings send a clear message to firms: data security is not only coming under growing scrutiny from regulators, but it could also be a competitive differentiator.
Nearly two-thirds (62%) of consumers said they’d blame the company first in the event of a data breach, before the hacker.
Some 90% of global respondents said they were concerned about their personal data being lost, manipulated or stolen, while 82% of UK consumers said they’d boycott a company that repeatedly demonstrated having no regard for customer data.
However, on the flip side, 50% of consumers polled said they’d be more likely to shop with a company that could prove it takes data protection seriously, while 26% said they’d gladly trade their data for improved customer service.
It remains to be seen whether forthcoming EU privacy regulations will help stem the tide of data breach incidents that have so undermined consumer confidence in businesses.
RSA Security EMEA field CTO, Rashmi Knowles, believes the regulation will at least start to change the behavior of businesses.
“The fact is it isn’t just the cost of the fine, there are much wider ramifications that will hit the business. Customers will have to be notified, which will impact trust and encourage churn. It could have a serious impact on share price and as we can see through the Yahoo sale, it could even hurt valuations and M&As,” she told Infosecurity.
“It has also been suggested that the authorities could remove a company’s ability to process data entirely if they are repeatedly in violation with GDPR. For example, if you are a US cloud provider you may be told that you are not allowed to store EU citizen data. So in practice, the fines will be the least of their worries if a business does actually become a victim of a breach or fails to comply.”
Apple has sought to play down fears over the security of its operating system after a portion of iOS source code was leaked on GitHub this week, claiming it’s from several years ago.
News outlets were awash with speculation on the potential implications of the leak, which apparently focused around the iBoot process that runs on a device as it’s booting up.
It was suggested that the code could give hackers invaluable insight, helping them find new vulnerabilities and ways to jailbreak devices.
Although Apple issued a swift DMCA takedown notice to GitHub, confirming that the code in question was its own and not open source, it’s likely to have been replicated elsewhere by now.
As for risk exposure, the vast majority of iOS users are now running newer versions of the operating system, according to official figures.
Apple has also sought to quell any potential concerns with a statement, claiming the code itself was old and that its multi-layered approach to security should mitigate any residual risk:
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
However, the once impenetrable operating system has certainly been found to be fallible in recent years.
In November Apple released a number of patches including a fix for the infamous KRACK attack, which targets the WPA2 protocol, as well as others discovered by researchers on the latest versions of iOS.
A Zscaler report from 2016 claimed that iOS devices are leaking more metadata, PII and location data on average than Android devices.
A database containing the voter records of over 19.5 million Californians was exposed to the public internet before being locked down and held for ransom by cyber-criminals, just months after a similar incident, according to reports.
The information involved is apparently not defined as PII by the state, although it did contain names, addresses, dates-of-birth, political affiliation and other voter details — enough to craft convincing follow-up phishing attempts.
The data in question was being stored by newspaper the Sacramento Bee, which had obtained it legally for reporting purposes.
However, the MongoDB database it was stored in was left crucially exposed for a fortnight after a vendor performed routine maintenance and the firewall did not come back online.
That was all it took: cyber-criminals spotted the error and stepped in to encrypt the data, demanding a payment in Bitcoin to unlock it.
The Bee subsequently decided to delete the encrypted data rather than pay the ransom, although it’s unclear whether the black hats made a back-up copy.
A separate database containing the names, home addresses, email addresses and phone numbers of 52,873 Sacramento Bee subscribers was compromised in the same way.
A statement from the secretary of state’s office published by the newspaper had the following:
“It is important to emphasize that no confidential information — such as social security numbers, driver’s license numbers, state ID numbers, or voter signatures — is ever provided in response to a request for the state voter file. Those with access to the voter file have a responsibility to take the necessary measures to protect voter data, wherever and however it is used, and to report any compromises to the Secretary of State’s office and law enforcement in a timely manner.”
This is the second time a database of Californian voters has been held ransom. Security firm Kromtech reported a similar incident back in December, although on that occasion hackers stole the database, leaving a ransom note in its place. It’s still unknown who the database belonged to.
“Unfortunately, businesses and organizations continue to disregard basic security rules when it comes to cloud repositories with a public-facing interface,” argued Kromtech’s Bob Diachenko.
“Misconfigured MongoDBs and AWS S3 buckets are among the most reported cases of data leaks for the last year and 2018 seems to be another challenging year for companies struggling to keep their data safe but forgetting about simple cyber-hygiene rules.”
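The failure described above (maintenance finished, firewall never restored, database reachable without access control) is the kind of thing a maintenance runbook should verify before sign-off. The check below is an added example, not code from the Sacramento Bee, its vendor or MongoDB; it assumes the inputs are the mongod.conf text and the output of `iptables -S INPUT`, and both sample states are constructed.

```python
"""Post-maintenance exposure check for a MongoDB host (added example).

Models the failure described above: maintenance ends, the host firewall never
comes back, and mongod is listening on every interface without access control.
Inputs are the mongod.conf text and `iptables -S INPUT` output; both samples
below are constructed, not taken from any real system.
"""
import shlex

MONGO_PORT = 27017


def parse_mongod_conf(text: str) -> dict:
    """Parse the 'section:' / '  key: value' subset of mongod.conf (YAML).
    Kept minimal so the example runs without PyYAML (assumption: no deeper
    nesting); use a real YAML parser in production."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def config_findings(conf: dict) -> list:
    """Flag the two settings that turn a reachable mongod into an open database."""
    out = []
    bind = conf.get("net", {}).get("bindIp", "127.0.0.1")  # mongod default
    if any(ip.strip() in ("0.0.0.0", "::", "*") for ip in bind.split(",")):
        out.append("net.bindIp listens on all interfaces")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        out.append("security.authorization is not enabled")
    return out


def port_open_to_internet(rules: str, port: int = MONGO_PORT) -> bool:
    """First-match walk of `iptables -S INPUT`. A rule decides only if it
    matches the port for any source (0.0.0.0/0); source-restricted rules
    neither block nor allow arbitrary internet hosts. Otherwise the chain
    policy decides. Simplified: no conntrack/state modules are modelled."""
    policy_accept = True
    for line in rules.splitlines():
        t = shlex.split(line)
        if t[:2] == ["-P", "INPUT"]:
            policy_accept = t[2] == "ACCEPT"
        elif t[:2] == ["-A", "INPUT"] and "--dport" in t:
            if t[t.index("--dport") + 1] != str(port):
                continue
            src = t[t.index("-s") + 1] if "-s" in t else "0.0.0.0/0"
            if src in ("0.0.0.0/0", "0/0"):
                return t[t.index("-j") + 1] == "ACCEPT"
    return policy_accept


def exposure_report(conf_text: str, rules: str) -> dict:
    """Exposed means: listening on all interfaces AND reachable from anywhere."""
    findings = config_findings(parse_mongod_conf(conf_text))
    reachable = port_open_to_internet(rules)
    if reachable:
        findings.append(f"tcp/{MONGO_PORT} reachable from any source")
    listens_everywhere = any("bindIp" in f for f in findings)
    return {"exposed": reachable and listens_everywhere, "findings": findings}


# Constructed: state after a maintenance window in which the firewall was
# never re-enabled (empty chain, default ACCEPT) and auth was never set up.
AFTER_MAINTENANCE_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
AFTER_MAINTENANCE_RULES = "-P INPUT ACCEPT\n"
# Constructed: the state the runbook should verify before sign-off.
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.20.0.5\n"
                 "security:\n  authorization: enabled\n")
HARDENED_RULES = ("-P INPUT DROP\n"
                  "-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 27017 -j ACCEPT\n")

if __name__ == "__main__":
    print(exposure_report(AFTER_MAINTENANCE_CONF, AFTER_MAINTENANCE_RULES))
    print(exposure_report(HARDENED_CONF, HARDENED_RULES))
```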
Conventional wisdom says that if something isn’t connected to the outside, it can’t be hacked. But research shows that Faraday rooms and air-gapped computers that are disconnected from the internet will not deter sophisticated cyber-attackers.
Air-gapped computers used for an organization’s most highly sensitive data might also be secluded in a hermetically sealed Faraday room or enclosure, which prevents electromagnetic signals from leaking out and being picked up remotely by eavesdropping adversaries. Yet research from Cyber @ Ben-Gurion University (BGU) of the Negev has demonstrated how attackers can bypass Faraday enclosures and air gaps to leak data from even the most highly secured computers.
The Odini method, named after the escape artist Harry Houdini, exploits the magnetic field generated by a computer’s central processing unit (CPU) to circumvent even the most securely equipped room.
In another documented cyberattack, dubbed Magneto, researchers used malware on an air-gapped computer to transfer data such as keystrokes and passwords to a nearby smartphone via its magnetic sensor. Attackers can intercept this leaked data even when a smartphone is sealed in a Faraday bag or set on airplane mode to prevent incoming and outgoing communications.
“While Faraday rooms may successfully block electromagnetic signals that emanate from computers, low-frequency magnetic radiation disseminates through the air, penetrating metal shields within the rooms,” explained Mordechai Guri, the head of research and development of Cyber @ BGU. “That’s why a compass still works inside of a Faraday room. Attackers can use this covert magnetic channel to intercept sensitive data from virtually any desktop PCs, servers, laptops, embedded systems and other devices.”
Jumping air gaps is not unheard of; in 2016, a stealthy data stealer run from a thumb drive was discovered, which leaves no trace on a compromised computer.
When it comes to cryptocurrency preferences among criminals, Litecoin is surprisingly the second-most dominant coin on the dark web, after Bitcoin.
Recorded Future analyzed 150 of the most prominent message boards, marketplaces and illicit services and found that, alongside Bitcoin, Litecoin is the second-most accepted cryptocurrency, followed by Dash.
“In mid-2016, Recorded Future noticed members of the cybercriminal underground discussing their growing dissatisfaction with Bitcoin as a payment vehicle, regardless of their geographical distribution, spoken language or niche business,” said the company, in an analysis. “Upon initial assessment of underground chatter, it appeared Dash was slated to become the next major dark web currency. However, after further research, this was proven false.”
Despite stated support of and references to Dash as the up-and-coming cryptocurrency, a poll conducted among several hundred members of a popular criminal forum revealed that there is no unified agreement on which currency should be adopted next. Yet a third (30%) of all vendors who implemented alternative payment methods are willing to accept Litecoin. Dash is closely trailing Litecoin with 20% of the market. Unexpectedly, Bitcoin Cash was the third-most common cryptocurrency with 13% of vendors trusting it as a payment method.
Recorded Future explained why Bitcoin has fallen out of favor: larger payment fees, brought on by the skyrocketing popularity of Bitcoin among household users, speculators and institutional investors around the world since mid-2017. That has placed an enormous load on the blockchain network, and commission fees have increased tenfold, sometimes costing as much as 30% to 40% of the payment amounts.
“As we described in our previous blog, the underground economy is dependent on smaller transactions in its day-to-day operations, with the cost of the average product or service beginning between $50 and $300,” Recorded Future said. “With the addition of exuberant transaction fees, the price of such products and services suddenly inflates tremendously.”
Some criminals have complained that Bitcoin is just too slow to use. Most “vendors” have adopted a rule requiring three confirmations before treating transactions as complete, because of the opportunity for fraud.
As one active member on criminal discussion boards explained:
What’s happening at the moment is incomprehensible. Despite that I’ve used the recommended commission fees, my transactions have remained pending for the past three days, and my work has been paralyzed. Dear vendors, please implement alternative payment options; otherwise, I will miss out on this Christmas season.
Litecoin is the second-oldest cryptocurrency after Bitcoin. It was introduced in 2011 and was intended to be a superior version of BTC. Litecoin’s core technology is almost identical to Bitcoin’s, but improved, allowing it to conduct transactions faster, resulting in significantly lower commission fees and a larger number of coins being mined.