Info Security


Nevada Tops the List of Worst States for Cyberbullying

Mon, 11/20/2017 - 18:26

Nevada tops the list of the worst US states for cyberbullying.

Research by Website Builder Expert investigated the extent of online bullying across the 50 states by cross-referencing data for the percentage of hostile comments, the percentage of people who have claimed online harassment, and whether or not each state has legislation in place to protect citizens against cyberbullying.

Individual rankings from these factors were then combined to expose the states with the biggest cyberbullying problem and where victims suffer the most due to loose or ineffective laws for punishing perpetrators.

Nevada was revealed as the state with the most toxic online bullies, where claims of online harassment or violent threats are some of the highest in the country. Interestingly, Nevada does have a law against cyberbullying, but the high level of malicious online behavior seen in the state suggests that this does little to dissuade people from posting aggressive content.

In fact, the study found that five of the ten worst states in the ranking—which includes Florida, Illinois and New York—already legislate against cyberbullying, further proving the inefficacy of current legislation.

Surprisingly, California, often perceived as more liberal and tech-tolerant, ranked in the top 10 worst states for cyberbullying, performing poorly for the volume of online abuse claims (sixth), despite cyberbullying being classified as a criminal misdemeanor.

Vermont and Maryland were revealed as two of the worst offenders for not adequately protecting their citizens, with little to no legal protection for victims. Vermont had the highest rate of hostile comments across the study, yet no cyberbullying law to penalize online offenders. Similarly, Maryland had the highest percentage of online harassment claimants but no legislation to help them get justice.

“The insurgence of ‘keyboard warriors’ and internet trolls shows just how badly the current legislature around digital behaviors is failing,” said Alex English, lead researcher at Website Builder Expert. “Unfortunately, in this digital age, it is easier than ever to post inflammatory comments online and seemingly, get away with it. We are in desperate need of new laws which bridge the gap between the real and virtual world.”

Categories: Cyber Risk News

DDoS Attacks Nearly Double Since January

Mon, 11/20/2017 - 18:13

Organizations experienced an average of 237 DDoS attack attempts per month during the third quarter (equivalent to eight DDoS attack attempts every day), which represents a 35% increase in monthly attempts compared to the previous quarter, and a 91% increase in monthly attack attempts compared to Q1.

That’s according to the latest DDoS Trends and Analysis report from Corero Network Security. The attack rate, measured from DDoS attack attempts against Corero customers, is being spurred along by the growing availability of DDoS-for-hire services and the proliferation of unsecured internet of things (IoT) devices.

For example, the Reaper botnet is known to have already infected thousands of devices, and is believed to be particularly dangerous due to its ability to utilize known security flaws in the code of those insecure machines. Like a computer worm, it hacks into IoT devices and then hunts for new devices to infect in order to spread itself further.

“The growing availability of DDoS-for-hire services is causing an explosion of attacks, and puts anyone and everyone into the crosshairs,” said Ashley Stephenson, CEO at Corero. “These services have lowered the barriers to entry in terms of both technical competence and price, allowing anyone to systematically attack and attempt to take down a company for less than $100. Alongside this trend is an attacker arms race to infect vulnerable devices, effectively thwarting other attackers from commandeering the device. Cyber-criminals try to harness more and more internet-connected devices to build ever larger botnets. The potential scale and power of IoT botnets has the ability to create internet chaos and dire results for target victims.”

In addition to the frequency of attacks, the Corero data reveals that hackers are using sophisticated, quick-fire, multi-vector attacks against an organization’s security. A fifth of the DDoS attack attempts recorded by Corero during Q2 2017 used multiple attack vectors. These attacks utilize several techniques in the hope that one, or the combination of a few, can penetrate the target network’s security defenses.

Stephenson added, “Despite the industry fascination with large-scale, internet-crippling DDoS attacks, the reality is that they don’t represent the biggest threat posed by DDoS attacks today. Cyber-criminals have evolved their techniques from simple volumetric attacks to sophisticated multi-vector DDoS attacks. Often lasting just a few minutes, these quick-fire attacks evade security teams and can sometimes be accompanied by malware and other data exfiltration threats. We believe they are often used in conjunction with other cyber-attacks, and organizations that miss them do so at their peril.”

Corero also observed a return of ransom denial of service, or RDoS, in the third quarter. A widespread wave of ransom DDoS threats from hacker group Phantom Squad started in September, targeting companies throughout the US, Europe and Asia. The extortion campaign spanned a variety of industries—from banking and financial institutions, to hosting providers, online gaming services and SaaS organizations—and threatened to launch attacks unless a Bitcoin payment was made.

“Ransom is one of the oldest tricks in the cyber-criminal’s book, and with cryptocurrency, is an anonymous way for them to turn a profit,” said Stephenson. “As IoT botnets continue to rise, we may soon see hackers put on more dramatic RDoS displays to demonstrate the strength of their cyber firepower, so that their future demands for ransom will have to be taken more seriously. Paying the ransom is rarely the best defense, as it just encourages these demands to spread like wildfire. It is proven that with proper protection in place to automatically eliminate the DDoS threat, organizations will be in a much stronger position.”

Categories: Cyber Risk News

GitHub Rolls Out Security Alerts for Developers

Mon, 11/20/2017 - 11:27

Popular software development platform GitHub made it easier last week for users to spot security issues with their code, by including a new vulnerability alerts feature.

The launch comes after an update last month that allows developers to track the projects their code depends on via a “dependency graph”, currently supported for JavaScript and Ruby.

“Today, for the over 75% of GitHub projects that have dependencies, we’re helping you do more than see those important projects,” announced GitHub director of product, Miju Han, in a blog post. “With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.”

The alerts will work whether the project is public or private, although for the latter, users will need to opt in via repository settings or by allowing access in the dependency graph section of their repository’s Insights tab.

Following that, administrators will receive the security alerts by default, and can add other members of the team if desired.

Vulnerabilities that have been assigned a CVE number will be included, although Han pointed out that not all bugs do — even publicly disclosed ones.

“When we notify you about a potential vulnerability, we’ll highlight any dependencies that we recommend updating. If a known safe version exists, we’ll select one using machine learning and publicly available data, and include it in our suggestion”, she explained.

Security alerts currently work for Ruby and JavaScript projects, with Python support coming next year.

Back in September, malware was found in PyPI — the official repository for the popular programming language — and subsequently made its way into multiple software packages. This kind of supply chain attack is becoming increasingly popular and takes advantage of the fact that many developers fail to include security early on enough in the application life-cycle.

Categories: Cyber Risk News

Mayor Urged to Halt “Intrusive” Met Facial Recognition Trials

Mon, 11/20/2017 - 10:51

The Greater London Authority (GLA) has expressed “significant concerns” about the use of facial recognition technology by the Metropolitan Police, calling on the London mayor to push for greater transparency and engagement.

GLA Oversight Committee chair, Len Duvall, wrote a lengthy letter to mayor Sadiq Khan last week around the handling of personal data.

In it, he complained that there had been little, if any, consultation with the public or relevant stakeholders before the Met used facial recognition tools during trials at events including the Notting Hill Carnival.

He wrote:

“We agree with the UK Biometrics Commissioner that the Met ‘must carry out a proper evaluation and publish the results’. You, as Mayor, and [Mayor’s Office for Policing and Crime] MOPAC, through its oversight role, need to push the Met to improve its engagement and transparency on issues such as facial recognition. This is a hugely controversial topic and it is extremely disappointing that trials have been conducted at the Notting Hill Carnival with so little public engagement. Simply putting out press releases is not enough: the Met must engage with the public and with stakeholders in a much more meaningful way before going any further.”

Part of the problem is that the Met is conducting its trials in the absence of a legal framework, argued Duvall — who called on Khan to lobby the government to publish its long-delayed biometrics strategy.

He said there’s a strong case for the trials to be halted until such a framework is developed, either nationally or by the MOPAC.

“The concept of policing by consent is potentially at risk if the Met deploys such intrusive technology without proper debate and in the absence of any clear legal guideline,” he said.

He also argued that the GLA should make it easier for the public to find out how long their personal data is retained for, because different bodies — including TfL and the Met — hold data for different periods of time.

Duvall warned that the biggest threat to Londoners’ data comes from internal risks.

“It is vital that appropriate training is in place across the GLA Group, and that staff carry out this training regularly to minimize the risk of an accidental data breach occurring”, he concluded.

The GLA includes the mayor and a group of 25 officials elected to hold the executive to account.

Categories: Cyber Risk News

US Army Exposes Terabytes of Surveillance Data

Mon, 11/20/2017 - 10:11

Major privacy concerns have been raised after researchers discovered terabytes worth of data scraped from the internet by the Pentagon on what appear to be law-abiding citizens around the world.

The data was found by UpGuard’s Chris Vickery, who discovered it exposed to the public internet as the result of yet another Amazon S3 database misconfiguration, back in early September.

In just one of the three buckets discovered, there are 1.8 billion internet posts dating back eight years, including content scraped from news sites, comment sections, web forums and social media sites like Facebook.

It relates to both American citizens and those from other countries, and is linked to CENTCOM (US Central Command) and PACOM (US Pacific Command).

The data trove appears to have been managed by “VendorX” as part of a project known as “Outpost”, designed to monitor “high risk youth in unstable regions of the world.” There are also links here to the army’s “Coral Reef” program which helps the government better understand online connections between persons of interest.

“Taken together, this disparate collection of data appears to constitute an ingestion engine for the bulk collection of internet posts - organizing a mass quantity of data into a searchable form,” wrote UpGuard’s Dan O’Sullivan.

“Given the enormous size of these data stores, a cursory search reveals a number of foreign-sourced posts that either appear entirely benign, with no apparent ties to areas of concern for US intelligence agencies, or ones that originate from American citizens, including a vast quantity of Facebook and Twitter posts, some stating political opinions. Among the details collected are the web addresses of targeted posts, as well as other background details on the authors which provide further confirmation of their origins from American citizens.”

The findings are concerning because the government is legally prohibited from using the US military as a tool for law enforcement, except in cases of national emergency.

They also show the US army’s poor cybersecurity posture: PACOM and CENTCOM apparently have CSTAR risk scores of just 409 and 542.

“A simple permission settings change would have meant the difference between these data repositories being revealed to the wider internet, or remaining secure,” concluded O’Sullivan.

Categories: Cyber Risk News

Skip Black Friday for a Safer Shopping Day: Gray Saturday

Fri, 11/17/2017 - 22:42

Annual sales on Black Friday and Cyber Monday offer incredible savings opportunities for consumers, but according to Kaspersky Lab these are also peak days for financial phishing attacks. Kaspersky Lab’s annual review of phishing attacks during the holiday sales season found that consumers are significantly safer on Gray Saturday, when the number of such attacks can decrease by as much as 33%, despite it being a top shopping day.

With US consumers expected to spend an average of $967.13 during the holiday season this year, cyber-criminals will be looking for ways to divert some of that money into their own wallets. Impersonating a retail brand through phishing attacks is one way that cyber-criminals can effectively target consumers during the holiday shopping season. Traditionally distributed by email, phishing attacks can also lure consumers through web links, ad banners, social media and more. These attacks aim to persuade people to provide their personal financial data, such as bank account information, credit card details or account passwords, under the assumption that they are dealing with the actual, reputable brand.

The day after Black Friday represents a rare moment of respite from cyber-criminals in an increasingly busy holiday shopping season. Kaspersky Lab research found evidence of a dip in financial phishing attacks on Gray Saturday in both 2015 and 2016. In 2016, there was a decline of 33% in the number of attacks mimicking popular online retail and payment brands on this day (from around 770,000 to 510,000 detections), despite it being the second biggest shopping day of the holiday season.

The change in the number of phishing attacks using names of popular retail, banking and payment brands during Black Friday week in 2015 and 2016 (data from all Kaspersky Lab security components—heuristic, offline and cloud detections)

“The rise in people using online payments, banking and shopping means that financial phishing attacks are now consistently high all year round, but the holiday season makes it so much easier to hide in the noise,” said Nadezhda Demidova, lead web-content analyst, Kaspersky Lab. “At this time of year, marketing and advertising levels go through the roof, and with consumers increasingly making their transactions on mobile devices—often while out and about and in a hurry—almost everyone is more exposed and has less time to think and check. On Gray Saturday, we have seen the number of phishing attacks drop significantly. Weekends generally see lower numbers of attacks and fewer people online, but on this big shopping day that’s an extra advantage. We expect this trend from 2016 to continue in 2017, so if you plan on shopping online these holidays, choose the day wisely.”

Categories: Cyber Risk News

Poor Security Habits Plague Large Enterprises

Fri, 11/17/2017 - 22:22

Despite being ripe targets for cybercriminals, most large enterprises lack control over employee data access and follow weak password practices. 

According to Preempt’s survey of 200 management-level professionals at organizations with 1,000 employees, employees have more access than they should. A quarter (25%) of employees have tried to access data at work that they weren’t supposed to. Of those 25%, nearly 60% were successful at accessing that data.

“The prevalence of successful attempts to access off-limits data and resources is startling and should be a major concern for IT security teams,” the firm said in the report. “The data exposed can put a company and its employees at significant risk of damage to business operations and reputations. Businesses should be able to better assess employee risk factors which can change over the course of their employment. For IT security these results point to a growing need for being able to better understand how to assess trust and risk of employees.”

A large majority of workers also have poor security habits. One out of every three employees admits to having bent the rules or found a security workaround in order to get something done for work—with more than 10% of respondents having done so regularly or on multiple occasions.

In addition, nearly 41% of employees use the same password for both personal and work accounts, and 20% of employees are aware that their passwords were compromised in a breach. Even so, 56% claim they only changed their passwords for the account that was breached.

Meanwhile, more than a third of employees had no clue if their username or password was exposed in a public breach or not.

“This shows that many people either don’t care or don’t know how to find out if their username and passwords were compromised in a breach,” the report said. “If an employee is using the same password for personal and business accounts and it was exposed in a breach, the organization is at risk. The password is listed in a database known to hackers and could be used in a breach attempt. The 'weak' password puts the enterprise at risk until it is changed.”

Despite the bad behavior, when asked how they rate their personal IT security health awareness and maintenance compared to the rest of their colleagues, 41% rated themselves in the top 25% of their organization, and half rated themselves as in the 25-75% range. Only 9% admitted they were below average, in the bottom 25% of their organization.

“The results of the survey clearly show that employees don’t completely understand their work habits and decisions put their organization (and themselves) at risk,” Preempt said. “Having overconfidence can lead to greater risks. When employees don’t understand that their behaviors and habits are risky, they aren’t likely to change them. This leaves the burden on IT security to pick up the slack. Gaining a better understanding of identity, behavior, and risk, can help IT be more proactive at preventing threats, enforcing policies, securing access and finding areas to reduce risk.”

Categories: Cyber Risk News

100% of Businesses Have Faced a Mobile Cyberattack

Fri, 11/17/2017 - 22:19

Mobile cyberattacks are hitting nearly every company, whether it’s mobile remote access trojans, data mining trojans, mobile adware or premium dialers.

According to Check Point’s survey of 850 organizations internationally, 100% of all businesses surveyed had experienced a mobile malware attack. The average number of mobile malware attacks experienced per company stands at 54, and 89% of enterprises also experienced at least one man-in-the-middle attack over a Wi-Fi network.

Enterprise mobility is susceptible to attack on both major mobile platforms, Android and iOS, and three-quarters (75%) of the organizations surveyed had at least one jailbroken iOS device or rooted Android device connected to their corporate networks, with the average number of rooted or jailbroken devices being 35 per company.

Threats to mobile users are capable of compromising any device and accessing sensitive data at any time. These threats impact every type of business from financial services to government to manufacturing.

“The financial value and frequency of attacks on mobile devices exceeded that for PCs in 2017, which helps explain the findings of the report,” said Michael Shaulov, head of products for mobile and cloud security at Check Point. “Mobile devices are essentially the new ‘backdoor’ for cyber-criminals.”

Categories: Cyber Risk News

Aussie Broadcaster Left Two Years of Back-ups Exposed

Fri, 11/17/2017 - 11:54

Australian broadcaster ABC has become the latest in a long line of companies to publicly expose highly sensitive corporate data because of misconfigured Amazon cloud databases.

Kromtech Security Center found at least two unsecured S3 buckets linked to ABC Commercial, containing 1800 daily MySQL backups dating back two years.

Also publicly exposed were several thousand emails, alongside logins and hashed passwords for ABC Commercial users.

The security firm also claimed it had access to “secret access key and login details for another repository, with advance video content”, as well as requests for licensed content sent by producers from across the globe to use ABC’s content and pay royalties.

“The publicly accessible Amazon S3 buckets were indexed by Censys (a public search engine that enables researchers to ask questions about the hosts and networks that compose the Internet) and identified during a regular security audit of misconfigured S3 environments on November 14,” explained Kromtech’s Bob Diachenko.

“It is unclear who else may have had access to ABC’s data or content. A majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial’s MySQL database.”

The incident should be seen as yet another cautionary tale for firms using Amazon S3. Kromtech and other security firms have discovered a large number of organizations from across the globe making the same mistakes.
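One way to check a bucket for the kind of permission setting that exposed the ABC Commercial backups and the CENTCOM/PACOM data, as an added example (not code from Kromtech, UpGuard or this site): it evaluates the two places an S3 grant lives, the bucket ACL and the bucket policy, and flags anything that opens the bucket to everyone. The ACL and policy documents are constructed samples shaped like boto3's get_bucket_acl and get_bucket_policy responses, and the bucket name passed to audit_live_bucket is a placeholder you supply.

```python
"""Flag S3 bucket ACL grants and policy statements that expose a bucket publicly.

Added example; the ACL/policy documents below are constructed samples.
"""
import json

# Grantee URIs AWS uses in S3 ACLs for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that grant access to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return (Sid, has_condition) for Allow statements with a wildcard principal.

    A wildcard statement that carries a Condition is still reported: conditions
    such as aws:SecureTransport restrict how, not who, so review them by hand.
    """
    if isinstance(policy, str):  # get_bucket_policy returns the document as JSON text
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def is_publicly_exposed(acl, policy):
    """Overall verdict: any public ACL grant or any wildcard Allow statement."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# Constructed sample ACL: owner plus a READ grant to AllUsers, which is enough
# for anyone to list and fetch every object (daily database backups included).
EXPOSED_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy in the common "public read" shape.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed private baseline: owner-only ACL and a policy with no statements.
PRIVATE_ACL = {"Owner": {"ID": "0123456789abcdef"},
               "Grants": [EXPOSED_ACL["Grants"][0]]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def audit_live_bucket(bucket_name):
    """Run the same checks against a real bucket (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline samples above run without it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    try:
        policy = s3.get_bucket_policy(Bucket=bucket_name)["Policy"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = EMPTY_POLICY  # no policy attached is the safe case here
    return public_acl_grants(acl), public_policy_statements(policy)


if __name__ == "__main__":
    for name, acl, policy in [("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                              ("private", PRIVATE_ACL, EMPTY_POLICY)]:
        verdict = "PUBLIC" if is_publicly_exposed(acl, policy) else "private"
        print(name, verdict, public_acl_grants(acl), public_policy_statements(policy))
```

Turning on S3 Block Public Access for the account closes both paths at once; the functions above are for finding buckets where it was never enabled.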

In fact, just last week Kromtech Security Center discovered US ride-hailing service Fasten had accidentally exposed details on one million customers for 48 hours.

Other organizations recently found wanting include Verizon, Time Warner, WWE, Dow Jones, the US Department of Defense and Tarte Cosmetics.

The latter was particularly dangerous, as cybercrime group CRU3LTY managed to get hold of the personal information on two million customers that was exposed through a database misconfiguration.

The group is said to have left a ransom note of 0.2 Bitcoins ($1193) to regain access to the data.

Categories: Cyber Risk News

Fake Black Friday Apps Set to Cause Consumer Chaos

Fri, 11/17/2017 - 11:11

Security experts have discovered over 32,000 malicious 'Black Friday' themed apps spoofing the branding of the top five US online retailers in an attempt to harvest lucrative customer data and spread malware.

RiskIQ technology analyzed two billion daily HTTP requests, 20 million mobile apps and 300 million domain records to compile its Black Friday E-commerce Blacklist report.

It revealed that one in 25 Black Friday apps are fake, with at least 15 malicious Black Friday apps for each of the top five American e-commerce brands. The brands were anonymized in the report but a spokesperson confirmed to Infosecurity that they have a global reach.

With UK consumers alone set to spend £10bn this year during the Black Friday period next week, it’s no surprise that cyber-criminals have jumped on the busy time to drive revenue of their own.

The apps are said to trick shoppers into entering credit card information or Facebook and Gmail log-in details, or even to download information-stealing malware and ransomware.

RiskIQ claimed the malicious applications can even be found on official marketplaces such as Google Play and the Apple App Store.

The top-five e-commerce brands studied in the report have had more than 1450 Black Friday-related URLs blacklisted because they are linked to spam, malware, or phishing campaigns, according to RiskIQ.

The news comes in the same week experts warned retailers to be prepared for a spike in attempts to hide fraudulent transactions during the busy shopping period.

ThreatMetrix claimed there would be at least 50 million fraud attempts next week, with scammers looking to use identity data harvested from the steady stream of recent major breaches.

Domain Tools has also been warning UK consumers about potential scams ahead, with a third (29%) planning to shop during the Cyber Monday sales bonanza following Black Friday.

In a recent survey it revealed that one in five UK consumers had been caught out by an online scam.

Among the brands it claimed were most likely to be spoofed are Amazon (87%), Argos (46%) and Tesco (35%).

Categories: Cyber Risk News

UK Faces Most Fraudulent Christmas Ever, Barclays Warns

Fri, 11/17/2017 - 10:17

Record levels of cybercrime coupled with the growth of festive e-commerce will result in the most fraudulent Christmas ever for online shoppers, according to new data from Barclays.

The banking giant has warned of a ‘perfect storm’ for seasonal online theft as consumers gear up to start spending ahead of the big day, with scams becoming increasingly sophisticated.

Barclays said more than a quarter of online scams happen over the Christmas period and estimated that festive fraud will cost victims a total of £1.63bn (an average of £893 per individual hit). It will impact retailers too; online shops could be losing out on up to £72m worth of lost revenue.

What’s more, UK shoppers are failing to protect their data and stay safe online, with 38% of online consumers surveyed by Barclays admitting they either don’t know, or aren’t sure, how to identify a secure website when shopping online. Further, of those who had previously fallen victim to online fraud, less than a quarter said they checked for the padlock authentication symbol in the address bar on the payment page or that the web address started with ‘https’.

“While families across the UK are preparing to enjoy the festive season, criminals are getting ready to pounce on anyone who lets their guard down,” said Samantha White, who leads Barclays’ work to keep customers safe from fraudsters. “Buying your gifts online may be more convenient, but with Christmas 2017 set to be the most fraudulent on record, online shoppers must be more vigilant than ever.”

Speaking to Infosecurity, Steve Durbin, managing director, Information Security Forum, advised consumers to “stop and think” before they press the button when shopping online, and advocated the following tips to try and be safer this holiday season:

  • Never use a debit card – this opens up your entire bank account and you could end up losing the lot; it may take several weeks for your bank to investigate the case and refund the money
  • Make sure you’ve updated your security software before you start making your purchases and make sure both your firewall and anti-virus programs are working
  • Avoid clicking on emails from companies you have never heard of offering great deals, don’t follow their links and don’t download attachments unless you are 100% certain that they’re genuine. This is a well-used path for malware
  • Consider changing your passwords – identity thieves may steal user IDs and passwords from one website and use them to log into other sites
  • Regularly review your transactions – if you do notice suspicious transactions when reviewing your account statements or online activity, immediately call the number on the back of your card

“Finally, if you receive an email from your bank warning of unusual card activity never click on the email link,” he added. “Visit your bank’s website directly by typing in the URL and using the messaging system offered on the bank’s website.”

Categories: Cyber Risk News

Cash Converters Hit by Suspected Data Breach

Fri, 11/17/2017 - 10:07

UK pawnbroker Cash Converters believes customer data may be in the hands of a malicious third party after a suspected breach of its old website.

The firm, which also issues payday loans, has sent an email informing customers of the incident and forced a reset of their passwords. It has apparently informed the relevant authorities in the UK and Australia, where it also operates.

“The current webshop site was independently and thoroughly security tested as part of its development process,” the firm reportedly said in its email. “We have no reason to believe it has any vulnerability, however additional testing is being completed to get assurance of this.”

User names, passwords and addresses may have been stolen as part of the breach, which affected account holders on the firm’s old “webshop”, retired in September.

However, one report from Australia quoting the company says it has:

“Received an email threat from a third party claiming to have gained unauthorized access to customer data within a Cash Converters’ United Kingdom website (‘Webshop’). The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment.”

Javvad Malik, security advocate at AlienVault, argued the incident highlights the importance of advanced threat detection capabilities that can spot attack attempts early on.

“The problem with this scenario is that without having reliable logs, the victim doesn’t know if the criminals actually have the data they are claiming to possess — or indeed if they will stick to their word and not release it in the event of receiving payment”, he added.

James Romer, EMEA chief security architect at SecureAuth, warned that with password reuse rife, the incident could have wider repercussions for affected users.

“Given how frequently users repurpose passwords and email addresses for other services this could have wider repercussions. Any organization relying only on passwords and usernames as an authentication protocol is being fundamentally irresponsible,” he added.

“Even two-factor authentication isn’t sufficient as malware and basic phishing attacks can readily be used to extract the one-time-passwords from users and/or devices. Modern security depends on adaptive measures that keep hackers guessing.”

Categories: Cyber Risk News

Zeus Spawn 'Terdot' is a Banking Trojan with a Twist

Thu, 11/16/2017 - 18:47

A Zeus spinoff called Terdot, a banker trojan with espionage capabilities, has emerged as a highly customized man-in-the-middle (MITM) proxy, able to steal browsing information such as login credentials and stored credit-card information.

According to an investigation by Bitdefender, the malware can notably inject HTML code into visited web pages to carry out MITM attacks. On the espionage front, this lets Terdot eavesdrop on and modify traffic on most social media and email platforms.

Bitdefender researchers said that samples show the trojan targeting users of various web services such as Yahoo Mail and Gmail. Interestingly, the malware is specifically instructed not to gather any data from Russia’s largest social media platform.

Terdot could evolve in the future: It has automatic update capabilities that allow it to download and execute any type of file when requested by its operator, so it can be updated with new capabilities at any time.

“Financial institutions should be concerned as this trojan is likely to be instrumental in attacks that result in customers' money loss by compromising transactions, or by stealing accounts and credit-card information,” said Bitdefender researchers, in an analysis. “Financial institutions can prepare by proactively monitoring user accounts for suspicious activity, especially when transactions do not match the customer’s regular usage habits. Additionally, targeted banks should proactively inform their customers about potential attacks and advise them to use security solutions that can intercept the threat.”

Terdot takes its cues from the infamous banking trojan Zeus, whose source code was leaked back in 2011.

Manoj Asnani, VP of product and design at Balbix, said that enterprises may have trouble defending against the malware.

“Terdot uses two attack vectors to exploit users—phishing and man-in-the-middle,” he said via email. “Enterprises that have deployed breach prediction systems that comprehensively cover all attack vectors are able to defend against Terdot more effectively. But, it should be noted that most of today’s detection solutions are single attack vector focused. A multi-vector system is needed in this case—and would have proactively flagged users that are at risk of phishing, in addition to compromised or spoofed certificates.”


Sneaky Multi-Stage Android Malware Spreads Banking Trojans in Google Play

Thu, 11/16/2017 - 18:44

Another set of malicious mobile apps has made it into the official Google Play app store; the apps are notable for their multi-stage architecture and the encryption they use to stay under the radar.

Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, which use a delayed onset of malicious activity to masquerade as legitimate—there are no immediate red flags for the user to look for, in other words. After being downloaded and installed, these apps do not request any suspicious permissions and they even mimic the activity the user expects them to exhibit.

In the background though, they execute a second-stage payload that contains a hardcoded URL, from which it downloads a third-stage payload without the victim’s knowledge.

After a pre-defined delay of approximately five minutes, the user is prompted to install the third-stage downloaded app, which purports to be well-known software like Adobe Flash Player—or, something “legitimate-sounding yet completely fictional,” ESET researchers explained, such as “Android Update” or “Adobe Update”.

In any case, this app’s purpose is to obtain all the permissions that the final payload needs for its malicious actions. After that, it then decrypts and executes the fourth and final payload—typically a mobile banking trojan, which presents the user with fake login forms to steal credentials or credit-card details.

ESET discovered eight apps in the family on Google Play (Google has removed them). In terms of propagation, one of the malicious apps downloads its final payload via a URL shortener, which ESET found had been used almost 3,000 times, with the vast majority of hits coming from the Netherlands.

“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does,” researchers said. “Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps and run a quality security solution on their mobile devices.”


Bad Bots and Poor App Security Plague Vertical Markets

Thu, 11/16/2017 - 18:24

A proliferation of bot-driven web traffic is having a significant impact on organizations' application security—even as nearly half (45%) of them have experienced a data breach in the last year.

According to a Ponemon Institute survey of 600 CISOs and other security leaders across retail, healthcare, and financial services on six continents, bots conduct more than half (52%) of all internet traffic flow. For some organizations, bots represent more than 75% of their total traffic. This is a significant finding considering one-in-three (33%) organizations cannot distinguish between ‘good' bots and ‘bad' ones.

The report also found that 68% are not confident they can keep corporate information safe, and that they often leave sensitive data under-protected. Poor practices abound: Some 60% of organizations both share and consume data via APIs for instance—including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet, 52% don't inspect the data that is being transferred back and forth via their APIs, and 51% don't perform any security audits or analyze API vulnerabilities prior to integration. 

This affects some verticals more than others: While 72% of financial services organizations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.

"It's alarming that executives at organizations with sensitive data from millions of consumers collectively don't feel confident in their security," said Carl Herberger, vice president of security solutions at Radware, which sponsored the report. "They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines."

Application security is a particular concern: Half (49%) of the respondents currently use continuous delivery for application services, and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.

The report also found vertical-specific issues. For instance, bots are the backbone of online retail today, being used for price aggregation sites, electronic couponing, chatbots in customer service and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots. However, they often can’t identify bad-bot traffic, and attackers are taking advantage of this: Web scraping bot attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo and buying out inventory to resell goods through unauthorized channels at markup.

Retailers also face two distinct but highly damaging threats during the holidays: Outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.

Healthcare has a similar bot problem: 42% of traffic is from bots in this segment, but only 20% of IT security execs were certain they could identify the "bad" ones. And, the report found that patient healthcare data is at risk. Just 27% of healthcare respondents have confidence they could safeguard patients' medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organization's security and its ability to mitigate today's leading threats, but some 62% of healthcare respondents have little or no confidence in their organization's ability to rapidly adopt security patches and updates without compromising operations.

Further, more than half (55%) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the Dark Web for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.


Beijing Delays Bug Reports While Hackers Exploit Flaws — Report

Thu, 11/16/2017 - 13:01

The Chinese government delays publication of critical vulnerabilities if they are being actively used in attacks by its own state-backed hackers, a new paper from Recorded Future has claimed.

The report compared the treatment of 300 CVEs by the US National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD).

As per the analyst’s recent report, the CNNVD largely beats the NVD to publishing details of vulnerabilities: taking just 13 days from the initial disclosure versus 33 days in the US.

Further, the CNNVD captures 90% of all vulnerabilities within 18 days, while the NVD takes 92 days because it relies on voluntary submissions from vendors.

However, in those cases where the CNNVD lags, Recorded Future claimed it is because the government’s Ministry of State Security (MSS) wants to keep them quiet while Chinese APT groups do their work.

The report claimed the CNNVD — which “appears to be separate from the MSS in name only” — was first to publish flaws being actively used by Chinese government hackers in just 3% of the cases studied.

Recorded Future claimed:

“The probability that NVD would beat CNNVD to publication for this proportion of CVEs is incredibly small — less than .00001%. We believe CNNVD publication was likely delayed by the MSS because Chinese APT groups were actively exploiting those vulnerabilities.”

The report details more evidence: CVE-2017-0199 was actively being exploited by a Chinese APT group during a publication lag of 57 days after the NVD let organizations know about the threat.

Further, info on a pre-installed backdoor that sent large amounts of user data to servers in China was held back for an astonishing 236 days.

The report also revealed that in general, high threat bugs were “consistently published” anywhere from 21 to 156 days later than low-threat flaws.

Recorded Future advised firms not to rely on a single source of data for vulnerability reporting, claiming “CNNVD is typically faster to publication than NVD, but NVD usually contains better content, references, and remediation information”.
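As an added illustration of the lag metrics the report relies on (this is not Recorded Future's code or data), a small Python helper that takes a set of CVEs with their initial-disclosure date and each database's publication date, then reports per-source median lag, the day by which a source has covered 90% of the CVEs, and how often each source publishes first; the CVE ids and dates are constructed placeholders, with one entry mirroring the 57-day CNNVD lag behind NVD described above.

```python
"""Compare publication lag of the same CVEs across two vulnerability databases.

Hypothetical helper, not Recorded Future's code: each CVE carries its
initial-disclosure date and, per source, the date that source published it.
"""
import math
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class CveTimeline:
    cve_id: str
    disclosed: date                        # first public disclosure
    published: Dict[str, Optional[date]]   # source -> publish date (None = not yet published)


def lag_days(t: CveTimeline, source: str) -> Optional[int]:
    """Days from disclosure to this source's publication; None if unpublished."""
    pub = t.published.get(source)
    return None if pub is None else (pub - t.disclosed).days


def first_to_publish(t: CveTimeline) -> Optional[str]:
    """Source that published earliest; None if nobody has, or on an exact tie."""
    dated = sorted((d, s) for s, d in t.published.items() if d is not None)
    if not dated or (len(dated) > 1 and dated[0][0] == dated[1][0]):
        return None
    return dated[0][1]


def coverage_day(timelines: List[CveTimeline], source: str,
                 fraction: float = 0.9) -> Optional[int]:
    """Smallest lag (days) within which `source` has published `fraction` of the CVEs.
    Unpublished CVEs count against the source; None if the threshold is never reached."""
    lags = sorted(l for l in (lag_days(t, source) for t in timelines) if l is not None)
    needed = math.ceil(fraction * len(timelines) - 1e-9)  # guard against float rounding
    return lags[needed - 1] if len(lags) >= needed else None


def median_lag(timelines: List[CveTimeline], source: str) -> Optional[float]:
    """Median disclosure-to-publication lag over the CVEs this source has published."""
    lags = [l for l in (lag_days(t, source) for t in timelines) if l is not None]
    return median(lags) if lags else None


def first_share(timelines: List[CveTimeline], source: str) -> float:
    """Fraction of CVEs where `source` beat every other source to publication."""
    return sum(first_to_publish(t) == source for t in timelines) / len(timelines)


# Constructed sample: placeholder CVE ids and dates, not real records.
D = date
SAMPLE = [
    CveTimeline("CVE-0000-0001", D(2017, 1, 1), {"NVD": D(2017, 2, 3),  "CNNVD": D(2017, 1, 14)}),
    CveTimeline("CVE-0000-0002", D(2017, 2, 1), {"NVD": D(2017, 2, 10), "CNNVD": D(2017, 2, 19)}),
    # CNNVD publishes 57 days after NVD, as in the article's example
    CveTimeline("CVE-0000-0003", D(2017, 3, 1), {"NVD": D(2017, 3, 5),  "CNNVD": D(2017, 5, 1)}),
    CveTimeline("CVE-0000-0004", D(2017, 4, 1), {"NVD": D(2017, 4, 20), "CNNVD": D(2017, 4, 6)}),
    CveTimeline("CVE-0000-0005", D(2017, 5, 1), {"NVD": None,           "CNNVD": D(2017, 5, 10)}),
]

if __name__ == "__main__":
    for src in ("NVD", "CNNVD"):
        print(src, "median lag:", median_lag(SAMPLE, src), "days;",
              "90% covered by day:", coverage_day(SAMPLE, src), ";",
              "first to publish:", f"{first_share(SAMPLE, src):.0%}")
```

Because an unpublished CVE counts against a source in `coverage_day`, a database that simply never lists an entry cannot look faster than one that lists it late.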


Cyber Discovery Program Aims to Encourage More Teens into Industry

Thu, 11/16/2017 - 11:44

The UK government has launched its latest bid to address chronic information security skill shortages with a new training program aimed at young people in school years 10-13.

Delivered by SANS Institute, BT, Cyber Security Challenge UK and FutureLearn, Cyber Discovery is a free extra-curricular program designed to find the stars of the future aged roughly 14-18 years old.

If they pass the initial online assessment — open until early January — participants will be taught via gamified learning activities created by industry experts.

Those who show aptitude will be able to access further teaching from experts and attend a three-day regional camp.

The curriculum itself covers digital forensics, cryptography, defending against web attacks, programming and ethics — with the emphasis throughout on providing a clear route into the industry.

The course includes online and face-to-face teaching alongside real-world technical challenges for students to pit their wits against.

Also on offer are extra-curricular clubs guided by an adult in which students can chat, collaborate and share ideas.

Culture secretary, Karen Bradley, explained the initiative is part of the government’s £1.9bn investment in cybersecurity.

“This government is committed to improving the skills of the next generation and encouraging the best young minds into cybersecurity,” she added in a statement. “Cyber Discovery will help inspire the digital talent of tomorrow and give thousands of young people the opportunity to develop cutting-edge cybersecurity skills and fast-track future careers.”

Debbie Tunstall, head of education at Cyber Security Challenge UK, argued that the industry is still in its infancy, meaning that few youngsters are aware of the major opportunities for employment that currently exist.

“With a critical skills gap looming and the cybercrime threat growing, we need to educate about cybersecurity while individuals are still young; piquing their interest in future cyber-careers and as a result, filling the pipeline of talent,” she added.

“The Challenge has years of experience in dealing with people in this age group and providing fun and educational face-to-face events and we’re delighted to bring our expertise to this innovative program.”

Like much of the rest of the world, the UK is facing a cybersecurity skills “cliff edge” as older practitioners retire without enough replacements entering the industry, according to the Center for Cyber Safety and Education.

Its latest Global Information Security Workforce Study (GISWS) revealed that 66% of UK organizations don’t have enough cybersecurity staff, with nearly half (47%) claiming the reason is a dearth of qualified applicants.


Suspended .UK Domains Double in a Year

Thu, 11/16/2017 - 10:25

The volume of .uk domains suspended by Nominet over the past year because of criminal activity has doubled, according to the registry.

The Oxford-based non-profit claimed the number of domains switched off over the 12 months to October 2017 stood at 16,632.

Although it’s a massive increase on the 8049 domains suspended over the previous year, the figure today still only equates to 0.14% of the more than 12 million .uk domains currently registered.

“A key part of our role in running the .uk internet infrastructure is to ensure that .uk is a difficult space for criminals to operate in,” argued Nominet CEO, Russell Haworth.

“The upward trend in suspended domains confirms that increasingly criminals seek opportunities online, but also shows how our cooperation with the law enforcement community and our expertise in network analytics helps tackle this problem thanks to the established processes and cybersecurity tools we have in place.”

To that end, the registry now collaborates with 10 police and other organizations and over the past year received requests from seven: DEFRA – Veterinary Medicines Directorate; Metropolitan Police – Fraud and Linked Crime Online (FALCON); the National Crime Agency (NCA); Medicines and Healthcare Products Regulatory Agency (MHRA); Trading Standards; National Fraud Intelligence Bureau (NFIB); and the Police Intellectual Property Crime Unit (PIPCU).

A Nominet spokesperson confirmed to Infosecurity that the biggest reason for domain suspensions was IP infringement, handled by the PIPCU. It submitted over 13,500 requests to Nominet, nearly double last year.

However, the spike in suspensions was also down to the increasing popularity of phishing, with 2781 requests coming from the NFIB. 

Over 108,000 phishing domains were being used in the first half of 2017, according to the Anti-Phishing Working Group (APWG).

However, the group’s latest report for 1H 2017 claimed: “UK (.uk) is one of the largest ccTLDs, but had a lower volume of phishing than would be expected.”

This time last year, Nominet also reported a doubling of suspended .uk domains, from 3889 to 8049.


Forever 21 Confirms Data Breach

Wed, 11/15/2017 - 20:34

Fashion retailer Forever 21 has confirmed there has been unauthorized access to data from payment cards used at some of its stores.

The company is notifying its customers that it recently received a report from a third party about the breach, which affected card transactions from March to October 2017. It was quick, however, to offer reassurances:

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point-of-sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company said in a statement.

Far from being reassuring, the apparent piecemeal approach to security gives some pause.

"Surprised and disappointed to hear this as it sounds like they weren’t (fully) PCI compliant. That is the first issue that they should disclose and whomever performed the audit should be held accountable. This continued poor hygiene needs to end,” Mike Kail, CTO at CYBRIC, said via email.

The LA-based retailer, which operates more than 815 stores in 57 countries, didn’t reveal just how many stores are affected (or where they’re located), citing an “ongoing investigation.” It said that once it had better clarity on the scope of the situation that it would update the public.

“Because a number of stores did not receive an encryption upgrade to their point of sale devices, hackers had the opening they needed to access payment card information,” said Adam Levin, chairman and founder at CyberScout, via email. “This is yet another cautionary tale that POS systems can become Points of Sabotage, when businesses fail to implement proper security measures. As we approach the busy holiday shopping season, retailers are prime targets for hack attacks and should make sure they practice safe cyber hygiene like encrypting data, regular penetration testing and monitoring of systems and employee training on proper privacy and security protocols. Holiday shoppers should not have to worry that their favorite pair of shoes or handbag comes with an unexpected and damaging price tag—their stolen data."


Q3 Sees a Whopping 400M Malware Infections

Wed, 11/15/2017 - 18:52

There were nearly 400 million malware incidents around the world in the third quarter, permeating throughout every nation-state on the planet.

According to Comodo Threat Research Labs’ Q3 2017 global report, even the tiny island nation of Kiribati in the South Pacific has malware—a state of affairs that has propelled malware occurrences in Q3 to total roughly four times the number in Q2 (97 million).

The top five countries for malware infections in the quarter were Russia, the US, Poland, the UK, and Germany; and while malware is present everywhere, the top 20 countries accounted for over 80% of detections.

The report also uncovered that trojans, that Swiss Army knife of malware that can be used for any type of follow-on attack including ransomware, are the top malware threats, totaling 13.7 million. Trojans are followed by viruses (5.4 million), worms (2.8 million), backdoors (553,000) and packed malware (284,000).

In terms of regional trends, Comodo found that viruses and worms tend to afflict poorer nations with a prevalence of older, unlicensed, unpatched or pirated software; as a result, South America, Africa, Southeast Europe, and Southeast Asia had a high proportion of these types of infections.

Meanwhile, North Korea had a high number of backdoors. Comodo detections within North Korean network space showed fewer exposed vulnerabilities but a high number of targeted attacks.

The report also found that there’s been a rise in large-scale, global email-based phishing attacks, related to the Locky ransomware trojan. Comodo detected the phishing campaigns from August to September 2017, and found that they were launched primarily from the IP addresses of infected “zombie computers,” owned by telecom companies and ISPs. Of the enterprise customers attacked, only the ones with a “default deny” security posture were truly safe.

“This attack was unique in its combination of sophistication and size, backed by a botnet spread across more than 11,000 IP addresses in 133 countries in just the first stage of the attack,” said Fatih Orhan, head of the Comodo Threat Intelligence Lab (CTIL). “Also, the malware was designed to avoid detection by sandboxing and artificial intelligence technologies common in many endpoint protection systems.”
