Info Security


Hackers Target Instagram, Users Blame Russia

Tue, 08/14/2018 - 16:05

The Facebook-owned photo-sharing application Instagram has reportedly fallen victim to an attack, which appears to have originated in Russia, according to news from The Sun. Both Mashable and Reddit have reported a surge in the use of the word "hack" in tweets related to Instagram accounts. Additionally, Google Trends shows that a significant jump in searches for "Instagram hacked" occurred 7-11 August.

The volume of complaints on Twitter has grown into a social media meltdown, revealing widespread user frustration at the lack of response from Instagram.

One user tweeted, “your help center is so unhelpful. How am I supposed to gain access to my hacked account if all you want to do is send an email asking me to reset my password and that email has been changed to theirs???”

Flurry of tweets

One user advised Instagram users to immediately activate two-factor authentication. "I very much doubt 2FA was in use in the hacked accounts, so switching on 2FA will certainly prevent this type of attack,” said Andy Norton, director of threat intelligence at Lastline.

However, there have been anecdotal reports that some accounts were using the layered protection of 2FA.

“Although this is an excellent security control and should always be used, it's not foolproof and can be defeated if someone is either able to take control of the mobile phone number that receives the text message code or if they can trick the account holder into visiting a fake version of the real website that interacts with the real website and prompts the user to enter the two-factor code,” said Rob Shapland, principal cybersecurity consultant at Falanx Group.

While the hijacked accounts all appear to have had their contact details switched to Russian email addresses, which could point to a Russian hacking group, it remains possible that another group is pretending to be Russian.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion. Email addresses are easily spoofed, either to conceal identity or to encourage finger-pointing toward the wrong place," said Lee Munson, security researcher at


Mobile App-Based Fraud Jumps in Q2

Tue, 08/14/2018 - 10:45

RSA Security has said it recovered over five million compromised cards from underground marketplaces and other sources in the last quarter, a 60% increase on the previous three months.

The security vendor’s Quarterly Fraud Report for Q2 2018 also revealed that the threats facing consumers and brands have evolved slightly, with mobile playing a greater role.

While phishing emails, texts (smishing) and phone calls (vishing) remained the most prolific type of fraud attack in the period, accounting for 41% of the total, trojan malware and rogue apps swapped places.

Attacks involving financial malware dropped from 25% in the previous quarter to 16% in Q2, while the number of rogue mobile apps RSA detected jumped 13% to reach 9185: 28% of the total number of observed attacks.

These apps typically abuse consumer trust in brands by faking well-known apps to harvest information.

In addition, mobile app and mobile browser transactions comprised 71% of total fraud transactions, up 9% from Q1 2018. Fraudulent transactions via mobile channels increased 16% year-on-year.

RSA also revealed the growing popularity of new account fraud.

Just 0.4% of legitimate payment transactions were attempted from a new account and device. This is in stark contrast to the 27% of the total value of fraudulent payments made through new accounts and devices in the period.

RSA claimed fraudsters continue to use burner devices and fake accounts to try and circumvent fraud filters.

What’s more, 28% of fraud originates from a known or trusted account and device, suggesting these devices have been infected with financial malware designed to carry out account takeover attacks.

The figures come as new stats from Compare the Market out this week revealed UK cyber-enabled fraud losses soared past £2bn last year, with the amount stolen rising 38% over the period, from £600 per person to £833.


Fax Attack: Researchers Warn of New Vector for Hackers

Tue, 08/14/2018 - 10:01

Security researchers have exploited vulnerabilities in all-in-one printers by sending a malicious fax, enabling them to infiltrate corporate networks.

The vulnerabilities were discovered by Check Point in a common implementation of the fax protocol, using HP Officejet all-in-one printers. HP has since released a patch after working with the security firm, but the issue could persist on other machines.

Check Point claimed that the issue is critical given that faxes are still widely in use: a cursory internet search apparently yielded hundreds of millions of numbers.

The attack could enable hackers to infiltrate corporate networks or use the connected printer to remotely steal sensitive documents, mine Bitcoin or carry out other nefarious tasks.

“Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer,” the vendor claimed.

“We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.”

The research team disclosed two vulnerabilities found in the course of the work, both in the parsing of JPEG marker segments inside a received fax image: CVE-2018-5925, a buffer overflow while parsing COM (comment) markers, and CVE-2018-5924, a stack-based buffer overflow while parsing DHT (Huffman table) markers.

The researchers exploited the latter, the DHT overflow (CVE-2018-5924), in their actual attack because it was easier to turn into code execution. The NSA-derived EternalBlue exploit and DoublePulsar implant were then used to spread the payload automatically across the network reachable from the printer.
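As an added illustration (not HP's firmware and not Check Point's proof of concept, neither of which appears on this page), the following Python walks a JPEG header with every declared length checked against the real buffer before it is used, and validates DHT segments against the limits in ITU-T T.81: at most 256 Huffman codes per table, and a symbol list that must fit inside its segment. Which exact check HP's parser lacked is not stated here; the sample images, the helper names and the `JpegError` type are constructed for this example.

```python
"""Bounds-checked walk of JPEG marker segments with strict DHT validation.

Added illustration, not HP firmware or Check Point's PoC. It shows the
invariants from ITU-T T.81 a DHT parser must enforce before copying Huffman
table data into a fixed-size buffer.
"""
import struct

SOI, EOI, SOS, DHT, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFC4, 0xFFFE


class JpegError(ValueError):
    """Any structural violation; the caller must treat it as 'reject the image'."""


def parse_dht(payload: bytes):
    """Return [(table_class, table_id, counts, symbols)] for one DHT payload.

    T.81 B.2.4.2: each table is Tc/Th (1 byte), sixteen code-length counts
    L1..L16, then sum(Li) symbol bytes, and sum(Li) may not exceed 256.
    A parser that trusts sum(Li) when filling a 256-entry table overflows.
    """
    tables, pos = [], 0
    while pos < len(payload):
        if pos + 17 > len(payload):
            raise JpegError("DHT table header truncated")
        tc, th = payload[pos] >> 4, payload[pos] & 0x0F
        if tc > 1 or th > 3:
            raise JpegError(f"invalid DHT class/id {tc}/{th}")
        counts = list(payload[pos + 1:pos + 17])
        total = sum(counts)
        if total > 256:
            raise JpegError(f"DHT declares {total} codes, limit is 256")
        pos += 17
        if pos + total > len(payload):
            raise JpegError("DHT symbol list runs past the segment")
        tables.append((tc, th, counts, bytes(payload[pos:pos + total])))
        pos += total
    return tables


def walk_segments(data: bytes):
    """Yield (marker, payload) for every header segment before SOS/EOI.

    Standalone markers (RSTn, TEM, a second SOI) are not expected in the
    header section and are rejected rather than guessed at.
    """
    if len(data) < 4 or struct.unpack(">H", data[:2])[0] != SOI:
        raise JpegError("missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == EOI:
            return
        if (marker >> 8 != 0xFF or marker in (0xFF00, 0xFF01, 0xFFFF)
                or 0xFFD0 <= marker <= 0xFFD8):
            raise JpegError(f"unexpected marker 0x{marker:04X}")
        if pos + 4 > len(data):
            raise JpegError("segment length field truncated")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise JpegError("segment length below minimum")
        end = pos + 2 + length
        if end > len(data):
            raise JpegError("segment length exceeds file")
        yield marker, data[pos + 4:end]
        if marker == SOS:
            return  # entropy-coded scan follows; not parsed here
        pos = end
    raise JpegError("truncated before EOI")


def huffman_tables(data: bytes):
    """Collect all Huffman tables from a JPEG header, or raise JpegError."""
    tables = []
    for marker, payload in walk_segments(data):
        if marker == DHT:
            tables.extend(parse_dht(payload))
    return tables


def is_well_formed(data: bytes) -> bool:
    try:
        huffman_tables(data)
        return True
    except JpegError:
        return False


def segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment with a correct length field (test data only)."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed samples: the standard DC-luminance table (T.81 Table K.3), a DHT
# whose sixteen counts are all 0xFF (4080 symbols for a 256-slot table), and a
# segment whose length field claims 65535 bytes the file does not contain.
GOOD_DHT = bytes([0x00, 0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0]) + bytes(range(12))
GOOD_JPEG = struct.pack(">H", SOI) + segment(COM, b"ok") + segment(DHT, GOOD_DHT) + struct.pack(">H", EOI)
EVIL_DHT = bytes([0x00] + [0xFF] * 16) + bytes(4080)
EVIL_JPEG = struct.pack(">H", SOI) + segment(DHT, EVIL_DHT) + struct.pack(">H", EOI)
LYING_LENGTH = struct.pack(">H", SOI) + struct.pack(">HH", DHT, 0xFFFF) + GOOD_DHT

if __name__ == "__main__":
    for name, img in (("good", GOOD_JPEG), ("evil", EVIL_JPEG), ("lying", LYING_LENGTH)):
        print(name, "accepted" if is_well_formed(img) else "rejected")
```

The two rejected samples are the shapes a fuzzer finds first: a length field that points past the buffer, and per-table counts whose sum exceeds what the destination table can hold. A receiver should stop at the first `JpegError` and discard the whole fax rather than try to salvage the image.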

However, not everyone was convinced about the seriousness of the implications. ThinkMarble Red Team leader, Tom B, claimed that there are several barriers for malicious attackers.

“First of all, receiving a fax is essentially like receiving a telephone call — they are generally traceable. Furthermore, phone calls also cost money. Phoning millions of fax machines to find a vulnerable model is expensive, and this will dissuade the common cyber-criminal,” he explained.

“Even where cost and traceability are not an issue, faxes take a relatively long time to come through. Sending a malicious fax to millions of fax machines with the hope of finding a vulnerable model, would take a very long time.”

Even in a highly targeted attack the attacker would first need the model number of a machine and details of a working exploit to succeed.

“Once crafted, there would be no guarantees that the payload would not simply crash the device instead of executing the code,” he argued.

The best way to keep fax machines and printers secure is to ensure they’re regularly patched and updated, he concluded.


NHS Patient Data at Risk from Historic Breach: Report

Tue, 08/14/2018 - 09:09

A historic breach at a third-party supplier has put the data of countless NHS patients at risk, according to a new report.

An investigation by the Sunday Telegraph revealed a 2016 breach at online training business Embrace Learning exposed the email addresses and unencrypted passwords of 10,000 public sector healthcare workers.

The risk is that if these affected workers reused their Embrace Learning credentials for their NHS accounts, hackers could theoretically have used them to break into networks in search of lucrative patient data.

Some 19 NHS trusts and organizations including local councils were affected, none of which were aware of the breach when contacted by the paper.

A statement from the distance learning company confirmed the historic breach and claimed there had been “no successful attacks on our servers since new measures were implemented in 2016.” However, that doesn’t cover the possibility of other organizations being affected by the password theft.

“On reflection, our security measures at that time were clearly not sophisticated enough to prevent data being stolen,” it noted.

“The breach prompted immediate action. In consultation with our ISP UKFast, we significantly increased the level and sophistication of security and encryption. Since then we have taken further measures to protect data from increasingly sophisticated hacking attempts.”

The hope is that the affected trusts enforce regular password changes or require 2FA for log-ins. Of the two, 2FA is the more reliable mitigation: forced rotation only helps if a rotation happened after the 2016 theft, and current guidance (NIST SP 800-63B) advises against routine expiry in favour of screening passwords against known-breached sets.

Cumbria Partnership NHS Foundation Trust, which had passwords stolen from 200 employees, told the paper it has contacted each member of staff affected.

“As a trust we take data security very seriously and as such all staff are forced to change their passwords regularly therefore we are confident that our staff details remain safe,” it said. “We have robust policies and processes in place and regularly update our staff of the importance of all types of cybersecurity.”

Jamie Graves, CEO of ZoneFox, said the case highlights the complexity and cyber-risks involved in modern supply chains.

“Robust company-wide education programs are vital for safeguarding confidential data,” he added. “What's more, robust password managers are a must for anyone, not least our front-line NHS staff whose life-saving work inevitably entails access to sensitive patient data."


Variant of KeyPass Trojan Takes Manual Control

Mon, 08/13/2018 - 17:28

Multiple researchers have identified a dangerous new variant of KeyPass ransomware, featuring a manual-control functionality, and according to Kaspersky Lab, the modified version mainly targets developing countries.

“For now, the most targeted regions are mainly developing countries – the modification primarily targets Brazil (19.51%) and Vietnam (14.63%). As the malware continues to spread worldwide via fake installers that download the ransomware module, experts have noticed a distinguishing feature: it can be used for manual attacks,” a Kaspersky Lab spokesperson wrote.

When the Trojan starts on the victim’s computer it copies its executable to %LocalAppData% and launches that copy, which deletes the original. It then spawns multiple copies of its own process, “passing the encryption key and victim ID as command line arguments,” researchers wrote in a blog post.
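The behaviour just described is visible in process-creation telemetry without any file signature. The following is an added example (not Kaspersky's tooling) that runs a simple heuristic over constructed Sysmon-style event records: a binary under %LocalAppData% that launches several copies of itself with extra command-line arguments. The field names, the sample events, the paths and the threshold are this example's own assumptions.

```python
"""Heuristic for a binary in %LocalAppData% re-spawning itself with arguments.

Added example, not Kaspersky's tooling. Assumptions: records are Sysmon
event ID 1 fields already normalised to dicts; the sample telemetry below is
invented; the threshold of two children is a starting point, not a tuned value.
"""
import re
from collections import defaultdict

LOCAL_APPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


def extra_args(command_line: str) -> str:
    """Strip argv[0] (quoted or bare) and return whatever follows it."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        _, _, rest = cmd[1:].partition('"')
    else:
        _, _, rest = cmd.partition(" ")
    return rest.strip()


def self_spawn_alerts(events, min_children: int = 2):
    """Map image path -> child events for images that, running from
    %LocalAppData%, launched >= min_children copies of themselves with
    non-empty extra arguments (the key and victim ID in the KeyPass case).
    """
    by_parent = defaultdict(list)
    for ev in events:
        image, parent = ev["Image"], ev["ParentImage"]
        if image.lower() != parent.lower() or not LOCAL_APPDATA.search(image):
            continue
        if extra_args(ev["CommandLine"]):
            by_parent[(ev["ParentProcessId"], image)].append(ev)
    alerts = defaultdict(list)
    for (_, image), evs in by_parent.items():
        if len(evs) >= min_children:
            alerts[image].extend(evs)
    return dict(alerts)


# Constructed telemetry: paths, PIDs and argument values are invented.
DROP = r"C:\Users\alice\AppData\Local\svchost-update.exe"
UPDATER = r"C:\Users\alice\AppData\Local\SomeApp\Update.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    # dropper launches the copy it wrote to %LocalAppData% (parent differs: not counted)
    {"ProcessId": 4100, "ParentProcessId": 3300, "Image": DROP,
     "ParentImage": r"C:\Users\alice\Downloads\setup_pro.exe", "CommandLine": '"' + DROP + '"'},
    # the copy spawns three more copies, each carrying a key and an ID
    {"ProcessId": 4188, "ParentProcessId": 4100, "Image": DROP, "ParentImage": DROP,
     "CommandLine": '"' + DROP + '" 3f9a1c2e4b5d6f708192a3b4c5d6e7f8 A1B2C3'},
    {"ProcessId": 4192, "ParentProcessId": 4100, "Image": DROP, "ParentImage": DROP,
     "CommandLine": '"' + DROP + '" 3f9a1c2e4b5d6f708192a3b4c5d6e7f8 A1B2C3'},
    {"ProcessId": 4201, "ParentProcessId": 4100, "Image": DROP, "ParentImage": DROP,
     "CommandLine": '"' + DROP + '" 3f9a1c2e4b5d6f708192a3b4c5d6e7f8 A1B2C3'},
    # benign: a browser forking itself from Program Files (wrong location)
    {"ProcessId": 5000, "ParentProcessId": 4900, "Image": CHROME, "ParentImage": CHROME,
     "CommandLine": '"' + CHROME + '" --type=renderer'},
    # benign: a per-user updater relaunching itself once (below threshold)
    {"ProcessId": 5200, "ParentProcessId": 5100, "Image": UPDATER, "ParentImage": UPDATER,
     "CommandLine": '"' + UPDATER + '" --processStart app.exe'},
]

if __name__ == "__main__":
    for image, evs in self_spawn_alerts(EVENTS).items():
        print(f"ALERT {image}: {len(evs)} self-spawned children with arguments")
```

Per-user updaters that live in %LocalAppData% and relaunch themselves are the obvious false-positive class, which is why the rule keys on a parent spawning several argument-bearing copies rather than on a single self-launch; in production the threshold and an allow-list of known updaters would be tuned against the environment's own baseline.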

The encryption scheme is simple and, as reported, only the beginning of each file is encrypted: the developers chose AES-256 in cipher feedback (CFB) mode with an all-zero IV and the same 32-byte key for every file. Reusing one key and one IV across files has a practical consequence: in CFB the first block of keystream is E_K(IV), identical for every file, so anyone who knows the first 16 plaintext bytes of one encrypted file (a PDF or ZIP header will do) can read the first 16 bytes of all the others. Later blocks depend on each file’s own ciphertext and still require the key.

Source: Kaspersky Lab
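The following added example (not the ransomware's code and not Kaspersky's) shows the consequence of fixing the key and zeroing the IV across files. AES-256 is replaced by a SHA-256-based keyed function, which is legitimate here because CFB only ever calls the block cipher in its forward direction, so the keystream relationship is the same as with real AES; the file contents, the key, the `HEAD_LEN` encrypted-head length and all helper names are constructed for the example.

```python
"""Why a fixed key plus an all-zero IV in CFB mode leaks the head of every file.

Added illustration, not the ransomware's code and not Kaspersky's. AES-256 is
stood in for by a SHA-256 keyed function: CFB never uses the block cipher's
decryption direction, so the keystream argument is identical with real AES.
"""
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-256 encryption of one block (assumption stated above).
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        ks = block_encrypt(key, prev)
        c = bytes(p ^ k for p, k in zip(chunk, ks))  # zip truncates a final short chunk
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """P_i = C_i XOR E_K(C_{i-1}); the same forward direction as encryption."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        ks = block_encrypt(key, prev)
        out += bytes(c ^ k for c, k in zip(chunk, ks))
        prev = chunk
    return bytes(out)


def encrypt_head(key: bytes, data: bytes, head_len: int) -> bytes:
    """Encrypt only the first head_len bytes, as the report says the Trojan does
    (the exact length is not given on the page; it is a parameter here)."""
    return cfb_encrypt(key, bytes(BLOCK), data[:head_len]) + data[head_len:]


def first_block_keystream(known_ct: bytes, known_pt: bytes) -> bytes:
    """E_K(IV), recovered from one file whose first 16 plaintext bytes are known."""
    return bytes(c ^ p for c, p in zip(known_ct[:BLOCK], known_pt[:BLOCK]))


def peek_head(ct: bytes, ks: bytes) -> bytes:
    """First 16 plaintext bytes of any other file under the same key and IV."""
    return bytes(c ^ k for c, k in zip(ct[:BLOCK], ks))


# Constructed victim files: each starts with that format's genuine magic bytes,
# the remainder is made up. All are longer than two blocks.
FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>",
    "scan.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\x00\x00\x01\x00\x08\x06\x00\x00\x00\x1f\x15\xc4\x89",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00[Content_Types].xml",
}
KEY = hashlib.sha256(b"constructed 32-byte key").digest()  # one key for every file
HEAD_LEN = 32


def demo():
    """Encrypt every file with one key and a zero IV, then read the first block
    of all of them from a single known plaintext. Returns (recovered, guess):
    recovered[name] is the true first block; guess[name] is what reusing the
    same keystream on block 2 yields, which is wrong because block 2's
    keystream is E_K(C_1) and C_1 differs per file."""
    encrypted = {n: encrypt_head(KEY, d, HEAD_LEN) for n, d in FILES.items()}
    ks = first_block_keystream(encrypted["report.pdf"], FILES["report.pdf"])
    recovered = {n: peek_head(c, ks) for n, c in encrypted.items()}
    guess = {n: bytes(c ^ k for c, k in zip(ct[BLOCK:2 * BLOCK], ks))
             for n, ct in encrypted.items()}
    return recovered, guess


if __name__ == "__main__":
    recovered, _ = demo()
    for name, head in recovered.items():
        print(f"{name}: {head!r}")
```

In incident response this is what the weakness buys you: file-type identification and triage of encrypted files from their headers, nothing more. Recovering the rest of a file still needs the 32-byte key, which is why the choice of a fixed IV is a forensic convenience rather than a decryption route.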

MalwareHunterTeam said the variant, first noticed late in the evening of 8 August, had received 100 submissions to ID Ransomware (IDR) from more than 20 countries, adding that KeyPass “is spreading all over the world.”

Kaspersky Lab researchers took particular interest in the KeyPass Trojan’s ability to take manual control. Researchers wrote, “The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks."

“The capability to perform manual control is truly worrisome since it provides criminals behind the Trojan an opportunity to customize the malware. It might be an indication that the era of mass-scale extortions is gone and now we might be facing a growing trend of individually targeted ransomware attacks,” said Fedor Sinitsyn, security researcher, Kaspersky Lab.


More Than 10K Recorded Vulnerabilities in 2018

Mon, 08/13/2018 - 16:45

The number of recorded vulnerability disclosures continues to rise, with 10,644 published in the first half of 2018 according to Risk Based Security’s VulnDB team. That total is reportedly 3,279 more than the number listed in CVE/NVD, according to the 2018 Mid-Year VulnDB QuickView Report.

The numbers reflect only a 1% increase over the same period last year. Of those discovered in the first six months of 2018, 73% of vulnerabilities have a documented solution, while only 32.1% have public exploits; however, 50% of the vulnerabilities can be exploited remotely.

Of the vulnerabilities disclosed, 16.6% scored 9.0 or higher on the CVSSv2 scale. Nearly half (48.2%) were disclosed through coordinated disclosure, yet only 13.1% of those coordinated disclosures came through bug bounty programs.

“An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD, 44.2% have CVSSv2 scores between 9.0 and 10 (high to critical severity). While criteria other than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher-severity vulnerabilities that pose a risk to their assets,” said Carsten Eiram, chief research officer for Risk Based Security.

“We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government–funded organization’s continued underrepresentation of identifiable vulnerabilities,” said Brian Martin, VP of vulnerability intelligence for Risk Based Security.

“While some contend that the CVE/NVD solution is ‘good enough,’ the number of data breaches based on hacking points to a different conclusion. In today's hostile computing environment, with nonstop attacks from around the world, organizations using subpar vulnerability intelligence are taking on significant risk needlessly.”


Firms at Mercy of Smarter, Faster Cyber-Criminals

Mon, 08/13/2018 - 15:57

With more than 100,000 vulnerabilities published on the CVE list, organizations are struggling to keep pace with patching, leaving almost all firms vulnerable to attack, according to the new Threat Landscape Report released by Fortinet.

In today’s blog post, Fortinet researchers wrote that despite the vast number of known vulnerabilities, only 5.7% of those on the CVE list are being exploited in the wild, suggesting that trying to patch every vulnerability might be a fruitless endeavor for organizations.

Still, nearly all firms (96%) have experienced at least one severe exploit, and a quarter of companies were hit with crypto-mining malware. While the research did not find any new developments related to Apache Struts and Heartbleed during Q2, the report found that Microsoft was the number-one exploit target.

Also notable was the finding that criminals are now cryptojacking internet of things (IoT) home devices. Cyber-criminals have added IoT devices to their repertoires, often targeting home media devices for their computational horsepower: the devices are always on and connected, so attackers load mining malware onto them and let it run continuously.

“Cyber-adversaries are relentless. Increasingly, they are automating their tool sets and creating variations of known exploits. Of late, they are also more precise in their targeting, relying less on blanket attempts to find exploitable victims,” said Phil Quade, CISO, Fortinet in a press release.

Analysis of data on botnet trends revealed how cyber-criminals maximized impact, as was the case with Wicked, a new Mirai botnet variant, which added at least three exploits to its arsenal to target unpatched IoT devices.

Alongside the VPNFilter attacks on critical infrastructure, Q2 also saw a new Anubis variant from the BankBot family combining ransomware, keylogging, RAT functionality, SMS interception, screen locking and call forwarding.

Malware authors have moved beyond polymorphism as a means of evading detection, and the report found that they have developed more agile practices that make it easier for them to bypass anti-malware products.

“Organizations should leverage automated and integrated defenses to address the problems of speed and scale, utilize high-performance behavior-based detection, and rely on AI-informed threat intelligence insights to focus their efforts on patching vulnerabilities that matter,” Quade said.


IT Security Pros Lay Bare Election Hacking Fears

Mon, 08/13/2018 - 12:01

The vast majority of IT security professionals believe election infrastructure is at risk and that attackers will target voting data in transit, according to the latest stats from Venafi.

The security vendor polled over 400 cybersecurity pros in the US, UK and Australia about their views on the subject, ahead of key mid-term elections in the US in November. Intelligence on Russian state-sponsored interference in the 2016 presidential election found that hackers used encrypted tunnels to hide their attacks on vulnerabilities in election infrastructure.

IT security pros appear well-informed of the threats, with 93% claiming election infrastructure is at risk and 81% saying hackers will target key data as it is transmitted from local polling stations to centralized points. 

Part of the challenge of securing electoral infrastructure is that it tends to be spread out: over half of respondents pointed not only to encrypted comms channels but also the voting machines themselves and the systems that store voter registration data as being vulnerable.

Tellingly, just a handful claimed confidence in the ability of governments and local states to detect (2%) and block (3%) such attacks.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told Infosecurity that following the indictment of 12 Russian agents for the 2016 attacks, election hacking is no longer a theoretical threat.

“The intent of adversaries is to sow distrust in democracy and Western governments. A hack does not need to change an election directly; merely creating doubts about the integrity of our election infrastructure and processes achieves the goal,” he added.

“This research shows how IT professionals are keenly aware of these risks and all the ways that election hacking can be done: whether it’s going after the back-end systems that store the results, or editing the voter rolls before the big day. For example, a careful purging of the voter rolls could easily tip the balance one way or the other without an attacker actually changing a single vote.”

Bocek claimed a return to paper voting is too time-consuming and prone to error to be feasible.

“These are the actions our adversaries would love to see as it would show that we’ve lost confidence in technology and democracy,” he concluded.

“The real solution is ensuring that we have systems in place which allow us to actually trust the machines we’re using and run the voting process, and therefore the democratic process as a whole.”

Governments around the world must therefore focus on improving the security of encrypted machine-to-machine communications, the firm claimed.


Butlin’s Customers Face Anxious Holiday After Breach Alert

Mon, 08/13/2018 - 09:30

Tens of thousands of holidaymakers may be at a heightened risk from phishing attacks after Butlin’s admitted a data breach affecting customers’ personal information.  

The holiday camp owner published a notice late last week revealing that up to 34,000 booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers may have been breached.

Managing director, Dermot King, claimed that affected guests would be contacted by the end of Monday 13 August. Payment details and username/password combinations are safe and there has been no sign of fraudulent activity thus far on the stolen data, he added.

The firm blamed “a phishing attack via an unauthorized email” for the incident and said it had since “improved a number of our security processes.” However, it’s difficult to counter the threat posed by phishing emails as they rely fundamentally on tricking the employee rather than their machine.

That’s why 93% of breaches last year involved some form of phishing, according to Verizon.

McAfee chief scientist, Raj Samani, argued that not only will Butlin’s customers be at risk from follow-on phishing attacks using the stolen information to appear more convincing, but because the hackers have access to info on holiday arrival dates, their houses may be at risk from burglars.

“Recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to. If you use the same password across a number of apps and accounts you need to change it now,” he cautioned. “Introduce a password generator to ensure you have unique passwords across all accounts. And for holidaymakers’ home security, they should ensure they have a trusted neighbor keeping an eye on the property while away and alarms set.”

Unlike Reddit, Butlin’s reported the incident within the 72 hours GDPR allows for notifying the supervisory authority, and has proactively notified all affected customers, so it should escape the wrath of GDPR investigators.


UK Online Fraud Blasts Past £2bn

Mon, 08/13/2018 - 08:57

Cyber-enabled fraud losses have rocketed over the past 12 months with more than £2bn collectively stolen from the bank accounts of UK cardholders, according to Compare the Market.

The price comparison site’s poll of 2000 UK adults revealed that 9% had been defrauded over the past year, which roughly equates to 4.7 million people nationwide.

The figure is significantly less than the 5.5 million estimated to have lost money between May 2016 and May 2017. However, the amount stolen has risen 38% over the period, from £600 per person to £833.

The most common form of fraud was via online payments (28%), although 27% said they don’t know or can’t remember how they were defrauded.

Over half (56%) of respondents said they were also concerned about the security of card details saved in the browser. The autofill function is increasingly popular, with 31% of respondents saying they use it. However, last year it emerged that autofill can be abused to harvest saved details: a specially crafted phishing page can carry hidden form fields that the browser fills in silently alongside the visible ones.

Of potentially even greater concern is the stat that 44% of respondents interviewed by Compare the Market claimed they had to alert their bank about fraudulent activity, not the other way round.

Despite this, 79% said they haven’t changed bank or credit card provider after experiencing an online attack and are not considering changing. This may reflect the perception that fraud is inevitable irrespective of provider.

“It is reassuring to see that some behavior is changing as a result of fraud. People are more likely to check their bank and credit card accounts regularly, and to have different passwords and PINs for their various accounts, and most now won’t give out their bank details over the phone,” said Shakila Hashmi, head of money at Compare the Market.

“All of these measures need to be ramped up in order for people to lessen the chance of being hacked. However, if a provider has not spotted suspicious activity or has not dealt with a fraud to the best of their ability then it is vital that people vote with their feet and move to suppliers with a better client service rating.”

The figures contrast separate findings from FICO last month which claimed card-not-present (CNP) fraud losses in the UK had dropped 8% over the past year, despite rising 2% across Europe.


#DEFCON Government Attacks and Surveillance Continue to Increase

Sat, 08/11/2018 - 22:19

Presenting research on “a comprehensive list of Nation-State Big Brothers” at DEFCON, security researcher Eduardo Lzycki said that a growing number of governments are both censoring and shutting down online services and acquiring cyber-espionage and offensive tools.

Saying that the internet was something that “people gathered around as a common idea without a top down authority,” his research – done with colleague Rodrigo Colli – found that the “most active actor in cyber space is states doing things – attacking – and [conducting] attacks against other states and other groups.”

Drawing on sources spanning academia and NGOs, data leaks, censorship records and transparency reports, Lzycki said that 55% of the attacks examined carried some level of state-sponsored attribution, across 402 distinct APT groups and 19 countries with “a state sponsored threat.” Showing a map of the actors (not reproduced here), Lzycki said it was interesting to see how diffuse they were.

“When you look at the types of targets, it is interesting to notice that in 46 cases we had political targets: opposition parties, NGOs, and in the first place ahead of military and diplomatic targets was evidence that attacks were directed to political targets.”

The research further showed that 71 countries acquired offensive solutions, and Lzycki and Colli were able to identify the user or buyer in 41 cases, which they said was typically military and defense.

On censorship and government shutdowns of social media, Lzycki said they had found 40 countries with examples of censorship, and that in 74% of these (32 countries) a shutdown reached the national level.

He said that 54.9% of people live in countries which have been attacked, and 56.7% of users were subject to shutdowns. Also, 92.2% of countries have some sort of offensive capability.


#DEFCON L0pht Reunite to Find Security Unimproved

Sat, 08/11/2018 - 08:01

Security has come a long way since the L0pht warned that the internet could be taken down in fewer than 30 minutes, but it has “still got a long way to go.”

Reuniting six members of the L0pht hacker collective at the DEFCON conference in Las Vegas, moderator Elinor Mills asked Dildog, Space Rogue, Mudge, John Tan, Weldpond and Kingpin, who used the hacker names under which they testified to the US Senate 20 years ago and again on a return visit this year, whether they felt the original testimony had worked.

Weldpond, aka CA Veracode CTO Chris Wysopal, said that their appearance was a “visceral representation of what the adversary viewpoint was” and their appearance made hacking a reality to the government, but it also “conveyed the poor state of software security.”

Mudge, aka Cyber ITL director Peiter Zatko, said the greatest achievement was that two years later the testimony was leveraged to create Presidential Decision Directive 63 (PDD-63), “so if anyone got a scholarship, it was largely driven by that testimony.”

Asked by Mills how things have changed since then, Dildog, CA Veracode co-founder and chief scientist Christian Rioux, said that exploits have got harder to create “and the cost associated has sky rocketed,” while the profile of the attacker has changed and exploits are now turned around in months rather than weeks.

Mudge cited examples such as Windows 10 and Google Chrome as being “huge steps” about how hardened targets had become, while Weldpond said that the adversary is now more recognized as you “wouldn’t ask about governments [attacking] in 1998, but in 2018 it is in the news everyday.”

Kingpin, aka author, presenter and consultant Joe Grand, who was only 16 at the time of the testimony, said that bugs are now being named and there is a conveyor belt of media frenzy about vulnerabilities.

Asked if such a group could exist today, Kingpin said that we see hacker spaces now, and while L0pht were not completely private, they did have a physical location. Mudge cited the Chaos Computer Club and Google Project Zero as examples of hackers working together, and said: “Who doesn’t want to be a part of that? It exists in organizations and it is much better than it used to be.”

Concerning the well-cited comment about the internet being taken down in fewer than 30 minutes, Mudge said that the original Senate question was on why it had not been done, and the reason why it had not been done is because there “is no value in taking down all of the internet as you would take down all of the targets as well.”

Space Rogue, aka Cris Thomas, head of IBM’s X-Force Red, said that while IoT and electronic voting show how far technology has come, and we “are not dealing with the same doom and gloom, we have got a long way to go.”

Weldpond said that despite the advances there are still flaws and we still have problems, and this year’s Senate meeting showed how dependent we have become on the technical infrastructure. “No one is going to fix the foundations.”


#DEFCON Vote Hacking Village Refute NASS 'Unfair' Claims

Fri, 08/10/2018 - 23:26

DEFCON has hit back at criticisms levied at it by the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines.

In a statement released on 9th August, the NASS said that while it applauded “the goal of DEFCON attendees to find and report vulnerabilities in election systems" it felt it was important to point out that work has been done by states' own information technology teams, and also named the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities as being involved “to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.”

In particular, the NASS said that its main concern with the approach taken by DEFCON “is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security” and while delegates have access to voting machines, NASS said that many of these are no longer in use, and the environment does not "replicate accurate physical and cyber protections established by state and local governments before, and on Election Day." 

The NASS also said that it was concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack was also unrealistic. It said: “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.”

In response, a statement from the DEFCON Vote Hacking Village sent to Infosecurity claimed that the goal of the village is to present the most realistic election network possible, to further the education, discovery, and the free exchange of facts.

“Therefore, the Voting Village made a concerted effort to involve as many local election officials as possible,” it said.

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

In particular, it named the state of Ohio and Cook County, Illinois whose participation enabled the village “to incorporate several key elements of the voting process to replicate the election infrastructure.”

The village also disputed claims that the machines are old and out of use, as all but one are still in use.

“We did our public demonstrations with the decommissioned WinVote out of a sense of responsibility to not broadcast a guide to hacking an actively in-use machine to the public,” the statement said.

“We invite NASS and all election machine manufacturers to learn about the vulnerabilities we find this year, and we invite them to participate next year because as we know, cyber threats are constantly evolving and becoming more sophisticated.”

DEFCON’s Voting Machine Hacking Village is the latest village for the Las Vegas conference, following on from initiatives around IoT, lockpicking, and social engineering.

Categories: Cyber Risk News

#Defcon DHS Says Collaboration Needed for Secure Infrastructure and Elections

Fri, 08/10/2018 - 19:07
#Defcon DHS Says Collaboration Needed for Secure Infrastructure and Elections

Speaking at DefCon 26 in Las Vegas on the subject of “Securing our Nation's Election Infrastructure”, Jeanette Manfra, assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security, stressed the need for public and private sector collaboration.

She said that “instead of thinking of individual risk and your own part, try to think about enterprise and government as a whole.”

In terms of critical infrastructure, Manfra said that this is “purely voluntary in the private sector” and includes “everyone working for yourself or your company, and this includes academic institutions and the broader private and public partnership to work together to figure our critical infrastructure.”

She went on to talk about the concept of collective defense, saying that government is “one player in the community,” and with companies and citizens on the front line with government sectors “we have to share information and be transparent and build trust with individuals and entities that we have not done before.”

This was part of finding ways to cooperate on capabilities as “adversaries have taken advantage for a long time” and ways need to be found to reverse the fight.

Looking back at the 2016 election, Manfra said that prior to that, attackers had been trying to hack the election process “for decades”, and while it was very difficult to manipulate an election, those running elections are not the most resourced, so the challenge had to be on how to help them ensure their security and use best practices for when they deal with old technology and software.

Joking that she “yearns for the days when only the electricity went out,” Manfra said that adversaries “undermine the traditional concept of democracy, of intellectual property, of privacy, of business and if we don’t come together and figure out how collectively defend, they are going to turn the internet into a model that suits their concept.”

Categories: Cyber Risk News

New Security Awareness Practitioner Certification

Fri, 08/10/2018 - 15:45
New Security Awareness Practitioner Certification

Recognizing that the weak link in most security chains is human beings, the InfoSec Institute announced a new certification for security awareness practitioners. The Certified Security Awareness Practitioner (CSAP) boot camp is an intensive three-day course that prepares participants in building and managing their organization’s security awareness training program.

Information covered in the boot camp expands across seven domains of knowledge. Students will demonstrate a mastery of understanding in the need for enterprise security awareness training, the security awareness practitioner role and responsibilities, security awareness program planning, development and implementation, managing a security awareness program as a project and common challenges related to security awareness training.

With the goal of making end-user behavior more secure, CSAP will train participants to evaluate human risk and the current corporate culture as it relates to security. In addition, students will be able to assess the current security training programs within their organizations and recognize the areas of weakness that might be making them more vulnerable to attacks.

Critical to the success of any security awareness training program is top-level support, so the course also explores ways to gain buy-in from corporate leadership. Designed to ensure that candidates become experts at both developing and implementing successful enterprise security awareness training, students will be able to enforce security policies while engaging learners by using the best training platform for their company.

“The best security awareness programs go beyond routine phishing simulations and training campaigns to sustainably shift workforce security culture. With our new CSAP boot camp and certification we’ll arm program managers with the strategies, tactics and ideas to kick-start a strong security awareness program and reduce cyber-attack susceptibility,” said Jack Koziol, CEO and founder of InfoSec Institute, in a press release.

Registration for the boot camp includes a voucher for the 50-question multiple-choice exam. Students will need to pass the test with a 70% or better to earn the IACRB CSAP certification. Participants have four different options for completing the course, which include interactive, live-streamed instruction; public training boot camps hosted nationwide; customized team training at the client’s location and self-paced, computer-based instruction.

Categories: Cyber Risk News

Risk of Fraud in Mobile Point-of-Sale Device Flaw

Fri, 08/10/2018 - 13:34
Risk of Fraud in Mobile Point-of-Sale Device Flaw

At yesterday’s final day of Black Hat USA 2018, researchers from Positive Technologies demonstrated how attackers could exploit a flaw in mobile point-of-sale (mPOS) devices to charge fraudulent transactions and alter the amount charged during a transaction.

The flaw enabled attackers to execute man-in-the-middle transactions, send arbitrary code through Bluetooth or other mobile applications, and change payment values for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also found that the mPOS devices are vulnerable to remote code execution (RCE), which gave an attacker access to the whole operating system of the reader.

The researchers discovered the vulnerabilities in four market-leading mPOS devices – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.

The use of mPOS has grown in the last few years. While it is the endpoint of payment infrastructure, there is no barrier to entry for a device to begin accepting card payments. Thus, mPOS providers are attractive targets to criminals.

“These days it's hard to find a business that doesn't accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.

“Currently there are very few checks on merchants before they can start using an mPOS device and less-scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how," Galloway continued. "As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Even though more than half (58.5 percent) of debit and credit cards in the US are EMV enabled, only 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat, according to Positive Technologies.

“Anyone who is making a payment on an mPOS device should not make the transaction via magstripe but instead use chip and pin, chip and signature, or contactless,” Yunusov said.

“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority.”

Categories: Cyber Risk News

Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene

Fri, 08/10/2018 - 11:33
Lack of Hardened Benchmarks Leads to Poor Cyber Hygiene

The Center for Internet Security (CIS) refers to an organization's implementation of security controls as its “cyber hygiene,” but a new survey finds that nearly two-thirds of organizations are not practicing good cyber hygiene habits as they have no established benchmarks for implementing security controls.  

The new State of Cyber Hygiene Report by Tripwire surveyed 306 IT security professionals to learn if and how organizations are implementing security controls. Conducted in July 2018 in partnership with Dimensional Research, the survey found that almost two-thirds of organizations admitted that they do not use hardening benchmarks, such as CIS or Defense Information Systems Agency (DISA) guidelines, to establish a secure baseline.

“These industry standards are one way to leverage the broader community, which is important with the resource constraints that most organizations experience," said Tripwire’s Tim Erlin, vice president of product management and strategy, in a press release. "It's surprising that so many respondents aren’t using established frameworks to provide a baseline for measuring their security posture. It’s vital to get a clear picture of where you are so that you can plan a path forward."

Maintaining visibility of their environments is an ongoing challenge for many organizations, which makes it difficult for them to quickly address potential issues such as unauthorized devices. While attackers can launch a successful network attack in minutes, 57 percent of respondents said it takes them hours, weeks, months or longer to detect new devices connecting to their organization’s network.

Despite best practice recommendations, 40 percent of organizations fail to have a weekly cadence of scanning for vulnerabilities, and only half run the more comprehensive authenticated scans. Organizations are also slow when it comes to patches. Deploying a patch can take anywhere from one month to more than a year for 27 percent of organizations.

Additionally, 44 percent do not have a central location for collecting logs from all critical systems, even though 98 percent admit they should be more efficient at checking logs. One fourth of respondents (25 percent) confessed that they are not efficient at all and another 73 percent claimed to be fairly efficient but said that they could improve.

"When cyber-attacks make the news, it can be tempting to think a new shiny tool is needed to protect your environment against those threats, but that’s often not the case," Erlin said. "Many of the most impactful and widespread cybersecurity issues stem from a lack of getting the basics right. Cyber hygiene provides the foundational breadth necessary to manage risk in a changing landscape, and it should be the highest priority cybersecurity investment."

Categories: Cyber Risk News

Satellite Flaws Raise Aviation Fears

Fri, 08/10/2018 - 10:28
Satellite Flaws Raise Aviation Fears

Security researchers have revealed new vulnerabilities in satellite communication and on-board operating systems with potentially critical safety implications for the aviation and maritime industries.

IOActive’s Ruben Santamarta authored the first paper, launched at Black Hat yesterday, which is a follow-up to his 2014 research on satcom vulnerabilities.

It details how attackers could exploit the flaws to take control of satcom systems and earth stations on commercial aircraft such as Norwegian, Icelandair and Southwest and those used by the US military in conflict zones.

Although there was no risk to aircraft safety, the vulnerabilities could be exploited from the ground to attack crew and passenger devices and control satellite antenna positioning and communications, the report claimed.

The impact on the military, however, could be more destructive, if the enemy were able to use the flaws to disrupt or modify on-board satellite comms and/or pinpoint the location of military units.

A separate safety risk lies with satcom generated High Intensity Radiated Fields (HIRF), which the report claimed could be manipulated to launch a cyber-physical attack to “provoke malfunctions in critical navigation systems or even health damages to persons exposed to this kind of non-ionizing RF.”

The issues highlighted in the report have been addressed by the aviation industry, but experts said they should serve as a wake-up call.

“It’s not the first time this year that the security of satellite systems has been called into question, but the news that software vulnerabilities exist in the US national security infrastructure must jolt the global security industry into action," argued Paul Farrington, director of EMEA solutions architects at Veracode. "Security must be built into software from the outset, then it must be continuously, rigorously tested with preventative patching immediately undertaken on vulnerabilities."

The other report, set to be delivered on Sunday, details vulnerabilities in the popular WingOS operating system, which is used by countless airlines around the world to provide Wi-Fi to passengers, and also by hospitals, casinos and even the New York City subway.

The vulnerabilities could theoretically be exploited not only to compromise passenger devices but also to move to other more critical systems on board, according to report author Josep Rodriguez.

“Since the attacker now has code execution at the WingOS device, now the attacker can pivot and try to attack these other assets inside the internal network of the New York City subway or at the aircraft scenario,” he explained.

“Obviously, we don't know for sure what is beyond that, but what is clearly obvious is that this is technically possible and clearly this is also a really juicy entry point for attackers that might want to attack other assets in the internal network of that particular scenario.”

Categories: Cyber Risk News

Cops Claim Victory After Busting $1m Phone Fraud Ring

Fri, 08/10/2018 - 09:45
Cops Claim Victory After Busting $1m Phone Fraud Ring

Twelve defendants have been charged with offenses relating to a $1m smartphone fraud ring in which over 3300 customer accounts were illegally accessed.

The massive fraud campaign is said to date back to at least 2014. Members of the gang would hijack customer accounts using credentials either phished or bought on the dark web, or even fake ID in store.

They would then physically buy new devices or upgrades in-store, charging the majority of the cost back to the customer’s account. Some also opened new accounts using victims’ Social Security numbers. The devices were mainly sold for profit in the Bronx, according to the Department of Justice.

During the investigation, a Homeland Security Investigations (HSI) team searched a property in Mt Vernon, New York, where six of the 12 defendants were found along with 47 electronic devices. Investigators claimed two IP addresses associated with the property were used to access around 3300 smartphone customer accounts and fraudulently purchase at least 1294 devices.

The 11 computers also seized contained evidence of a 15-minute “how to” video on smartphone fraud, indicators they’d been used to visit dark web sites and numerous Google searches relating to fraud.

Each of the 12 has been charged with one count of conspiracy to commit wire fraud, and one count of aggravated identity theft, which could land them a sentence of over 20 years.

“Those arrested today were allegedly part of a fraud network operating in New York, the Dominican Republic and the Darknet. Their activities left a trail of unsuspecting victims across the United States and cost businesses significant losses,” said HSI special agent in charge, Angel Melendez.

“They traveled to 30 states to obtain cellphones that were later sold through fencing operations in the Bronx. Telecommunications fraud is a huge business and where there is a profit to be made by criminals, HSI’s longstanding El Dorado Task Force will follow the money to bring those perpetrators to justice.”

Categories: Cyber Risk News

Smart Cities at Risk from 'Panic Attacks'

Fri, 08/10/2018 - 09:04
Smart Cities at Risk from 'Panic Attacks'

Security researchers have warned of potentially catastrophic cyber “panic attacks” against smart city systems after revealing 17 new zero-day vulnerabilities.

Threatcare and IBM X-Force Red joined forces to test how resilient intelligent transportation systems, disaster management and the industrial Internet of Things (IoT) are to remote “supervillain-level” attacks.

They found 17 zero-days in systems from Libelium, Echelon and Battelle which included some basic issues such as default passwords, authentication bypass and SQL injections.

However, because these systems often perform crucial tasks there’s a real risk that a bad actor could cause mass panic by exploiting them.

Scenarios could include manipulation of water level sensors to report flooding in an area where there is none, or silencing sensors when there is a flood. Vulnerabilities could also be exploited to trigger radiation leak alarms, or alter traffic management systems to create gridlock in urban areas, the report claimed.

“After we found the vulnerabilities and developed exploits to test their viabilities in an attack scenario, our team found dozens (and, in some cases, hundreds) of each vendor’s devices exposed to remote access on the internet. All we did was use common search engines like Shodan or Censys, which are accessible to anyone using a computer,” IBM explained.

“We found a European country using vulnerable devices for radiation detection and a major US city using them for traffic monitoring. Upon discovering these vulnerabilities, our team promptly alerted the proper authorities and agencies of these risks.”

The three vendors studied in this survey were described as “responsive” when contacted about the issues and have since released updates to fix the vulnerabilities highlighted.

However, IBM urged more rigorous testing of smart city systems including application scanning and red team exercises. It also suggested IP address restrictions when connecting smart city systems, use of SIEM to spot suspicious traffic and safer password and API key practices.

Categories: Cyber Risk News