Info Security


WEF Fears Cyber-Threats and Digital Fragmentation

Thu, 01/16/2020 - 10:14

Digital fragmentation and cyber-threats are among the top 10 biggest risks facing global businesses over the coming decade, according to the latest World Economic Forum (WEF) report.

The annual Global Risks Report is compiled from interviews with business leaders, academics and others from around the world.

This year there was a heavy focus on environmental concerns, but cyber-related risks also featured strongly, as they have done for years.

In total, 76% of respondents claimed that cyber-attacks disrupting operations and infrastructure would increase in 2020, while a similar number (75%) said the same about online data and financial theft.

Cyber-attacks were also placed in the top 10 risks table in terms of likelihood and impact over the coming decade, while data theft/fraud made it into just the former category.

Information infrastructure breakdown also made it into the top 10 most impactful risks for the coming decade, reflecting respondents’ concerns around the increasingly fragmented online world brought about by geopolitical rivalries and competing standards.

The WEF report pointed to fourth industrial revolution (4IR) technologies as bringing tremendous gains to society and the global economy, but also unintended cyber-risk, as the attack surface grows exponentially.

Quantum computing, 5G, cloud computing, AI and IoT were all highlighted as areas of concern, as was the lack of an effective and unified global cyber-governance framework.

Fragmentation of the digital world threatens to stifle the development of 4IR technologies and will add extra cost for businesses, it warned.

“Businesses are facing the challenge of implementing existing cybersecurity and 4IR standards (where they exist), while ensuring compliance with fragmented regulations on accountability, transparency, bias and privacy for developing — or simply applying — 4IR technologies,” the report continued.

“Because government and corporate leaders equally share the responsibility for promoting global cybersecurity and digital trust, cooperation between the public and private sectors is more vital than ever in areas such as information-sharing, collaboration with law enforcement agencies, and skill and capacity development.”

Renaud Deraison, CTO at Tenable, said the report’s findings made sense.

“As the world seeks continued growth and competitiveness in the global economy, we’re seeing many new projects take off, including building modern factories that are highly automated. This innovation can’t happen without a good grasp of the security and integrity of the digital components those factories rely on,” he argued.

“It’s not just about stopping bad actors from damaging these mission-critical services, as experienced in cities across the world, it's also about preventing them from getting a foothold in our environments to cause harm, be it physical, data theft or financial gain.”

Categories: Cyber Risk News

Dagenham Duo Jailed for Hacking Bank Accounts

Wed, 01/15/2020 - 16:53

Two Dagenham residents have been put behind bars after compromising more than 700 bank accounts and cell phone accounts to commit fraud in a six-year crime spree.

Nigerian-born Oluwaseun Ajayi, aged 39, and 49-year-old Inga Irbe hacked into bank accounts then applied for loans, credit cards, and additional bank accounts in the names of their victims. 

An investigation by the Metropolitan Police’s Central Specialist Crime—Cyber Crime Unit revealed that the duo also committed multiple instances of phone upgrade fraud by gaining unauthorized access to strangers' cell phone accounts and ordering £12,000 worth of new devices.

Police searches of the address shared by Irbe and Ajayi resulted in the seizure of numerous items, including multiple cell phones, SIM Cards, iPads, and a laptop. Correspondence and bank cards in other people’s names were also confiscated, along with £1,200 cash in £50 notes.

The pair, who both reside at Orchard Road, Dagenham, and who may be romantically involved, were found guilty of two counts of conspiracy to defraud and two counts of conspiracy to commit fraud by false representation between February 1, 2012, and May 14, 2018. Ajayi was further found guilty of failing to comply with a Section 49 RIPA notice requiring him to disclose his phone's PIN to police.

The guilty verdicts were reached by a jury at Croydon Crown Court on November 27. In the same court, on Friday, January 10, Ajayi was sentenced to five years and six months in prison, while Irbe was handed a community order of 12 months and ordered to complete 170 hours of unpaid work.

Detective Inspector Gary Myers said: "Ajayi and Irbe committed these offences in a manner that showed a lot of pre-planning and deception.

"However, they were not able to deceive officers, who carried out a thorough investigation which has brought these two criminals to justice.

"While cybercrime can often be complex and investigations take months, Met officers will not relent in pursuing those that hide behind their keyboards to steal other people's money and make their lives a misery."

Categories: Cyber Risk News

Hidden Hotel Room Cameras Spark Investigation

Wed, 01/15/2020 - 15:49

An investigation has been launched by the Wisconsin Department of Justice and local police after hidden cameras were found in a downtown Minneapolis, Minnesota, hotel room.

The creepy discovery was made by a group of high school students who were staying at the Hyatt Regency Minneapolis hotel on 7th Street while on an overnight field trip with their school's business club. The trip took place over the first weekend of December last year. 

Police confirmed that students found multiple cameras in the room but have not disclosed exactly how many devices were involved in the incident. 

After East High School DECA students informed the school of the discovery, the Madison school district placed an unidentified staff member who had accompanied the students on the field trip on an administrative leave as a precautionary measure. 

DECA is an international organization that aims to educate youngsters about jobs in marketing, finance, and hospitality. The organization runs events and competitions to encourage student interest in the business world. 

Wisconsin Department of Justice (DoJ) agents and Minneapolis police are investigating the incident, along with previous trips run by East DECA.

In an email sent to students' parents on December 16, interim principal of East High School Brendan Kearney wrote: "We are sorry to have to contact you in this way and can only imagine what you must be feeling. 

"We want you to know that East and (the Madison school district) will do whatever we can to protect and support both our current and former students."

Included in Kearney's missive was a message from DoJ agent Jesse Crowe, which confirmed that the agency’s Division of Criminal Investigation was leading an investigation into any events that occurred prior to the business club's December trip, including anything that occurred outside the state.

According to CBSN Minnesota, a search warrant was served on a home in Cottage Grove, Wisconsin, on December 12 in connection with the incident, but no arrests were made. Police later asked a judge to seal the contents of the warrant.

Former DECA trip participants have been provided with an email address to which they were invited to submit any relevant information regarding former events and excursions. 

The Madison school district intends to carry out its own investigation into the incident after the investigation by law enforcement concludes.

Categories: Cyber Risk News

UK Announces AI Warship Contracts

Wed, 01/15/2020 - 14:57

Britain's Ministry of Defense today announced contracts to create "revolutionary" warships that use artificial intelligence (AI) to make quicker decisions.

The Defense and Security Accelerator (DASA), part of the Ministry of Defense (MoD), said that an initial funding wave of £4m had been allocated to the project.

"The funding aims to revolutionize the way warships make decisions and process thousands of strands of intelligence and data by using Artificial Intelligence," said DASA.

The contracts are part of DASA’s Intelligent Ship—The Next Generation competition, which seeks to uncover inventive approaches for Human–AI and AI–AI teaming across a variety of defense platforms, such as warships, aircraft, and land vehicles. 

The competition was set up to source tech-based solutions that will prove effective in 2040 and beyond, with the possibility to completely change the way warships are built and how they operate. 

DASA, on behalf of the Defense Science and Technology Laboratory (Dstl), is looking at how future defense platforms can be designed and optimized to exploit current and future advances in automation, autonomy, machine learning, and artificial intelligence. 

Nine projects will share an initial £1m to develop technology and innovative solutions capable of overcoming the increasing information overload faced by Royal Navy crews. 

"Crews are already facing information overload with thousands of sources of data, intelligence, and information. By harnessing automation, autonomy, machine learning and artificial intelligence with the real-life skill and experience of our men and women, we can revolutionize the way future fleets are put together and operate to keep the UK safe," said Julia Tagg, technical lead from Dstl.

Despite being titled Intelligent Ship, a warship is just the prototype demonstrator for this competition. Effective technological solutions born from the project could be rolled out to the British Army and also the Royal Air Force.

"The astonishing pace at which global threats are evolving requires new approaches and fresh-thinking to the way we develop our ideas and technology. The funding will research pioneering projects into how A.I and automation can support our armed forces in their essential day-to-day work," said Defense Minister James Heappey.

Categories: Cyber Risk News

UK Consultancies Leak Data on Thousands of Workers

Wed, 01/15/2020 - 12:00

Thousands of UK business professionals have had their personal details exposed online via a leaky Amazon Web Services bucket, after researchers discovered files belonging to multiple consulting firms.

The misconfigured S3 resource is thought to have been left publicly viewable with no authentication by a London-based company known as CHS Consulting, according to vpnMentor.

However, as the firm has no website, the researchers have been unable to confirm ownership of the database, labelled “CHS.”

What they do know is that it contained files from the HR departments of multiple UK consulting firms including Eximius Consultants, Dynamic Partners and IQ Consulting. Most of the data is from 2014-15, although records go back to 2011.

It included passport scans, tax documents, criminal record information and background checks, HMRC-related paperwork, emails and private messages as well as a range of PII including names, email and home addresses, dates of birth and phone numbers.

“Had criminal hackers discovered this database, it would have been a goldmine for illicit activities and fraud, with potentially devastating results for those exposed,” argued vpnMentor.

“If you’re a UK-based consultant or consulting firm and are concerned about this breach, contact the CERT-UK to understand what steps are being taken to keep your data safe and ensure it has not been leaked.”

The researchers contacted the CERT-UK on December 10, a day after discovering the leak, and followed up with AWS a week later. The cloud giant took action a day later on December 19 to secure the database.

This is just the latest of several incidents in which large cloud databases containing highly sensitive personal information have been discovered by the research team.

Other companies found wanting include LightInTheBox, Yves Rocher and Autoclerk. In one incident, the names, phone numbers and financial information of approximately 20 million Ecuadoreans, virtually the entire population, were exposed online.

Categories: Cyber Risk News

Mobile Apps Sharing Personal Data Illegally, Consumer Group Claims

Wed, 01/15/2020 - 11:15

Several mobile apps such as Grindr, OKCupid and Tinder have been found to be leaking personal information to advertising tech companies in possible violation of European data privacy laws, an investigation by a Norwegian consumer group has discovered.

As stated in the Out of Control report, the Norwegian Consumer Council, a government-funded non-profit group, commissioned cybersecurity company Mnemonic to study 10 Android mobile apps. It said it found “serious privacy infringements” in its analysis of how online ad companies track and profile smartphone users, with the apps sending user data to at least 135 different third-party services involved in advertising or behavioral profiling.

“As it stands, the situation is completely out of control, harming consumers, societies, and businesses,” the report said. Most of the adtech companies that Mnemonic observed receiving personal data have a “questionable legal basis” for harvesting and using consumer data, the report continued.

“If these companies do not have a legally valid basis for processing personal data, the backbone of much of the adtech system may be systemically in breach of the GDPR.”

The Norwegian Consumer Council therefore urged data protection authorities to enforce the GDPR, and for advertisers and publishers to look toward alternative digital advertising methods that respect fundamental rights.

“The digital marketing and adtech industry has to make comprehensive changes in order to comply with European regulation, and to ensure that they respect consumers’ fundamental rights and freedoms.”

Jake Moore, cybersecurity specialist at ESET, said: “When you join a high profile site such as Grindr, you expect to have your data protected and dealt with sensitively. Sadly, data on people is a lucrative currency, and so it can be tempting to share when given the opportunity. I always recommend that people limit the amount of personal data shared on these sites due to the possibility that the data could be targeted with a cyber-attack.”

James McQuiggan, security awareness advocate at KnowBe4, added that it is difficult in today’s society with social media apps for people to actually read the privacy or end user agreements and to understand what is happening with their name, address, pictures, contacts and GPS location once the data is entered into or collected by an app.

“On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product,” he said. “Their information is collected and sold off to third party organizations for revenue for the social media app. Only in recent years are governments finally taking actions such as the GDPR in the UK and recently, the California Consumer Protection Act (CCPA).”

Categories: Cyber Risk News

Russian Phishers Hit Firm at Center of Trump Impeachment

Wed, 01/15/2020 - 10:40

An infamous Kremlin-backed hacking group has launched a coordinated phishing campaign aimed at Ukrainian firm Burisma Holdings, in what looks like an attempt to find internal information which could benefit Donald Trump.

Security vendor Area 1 claimed the attacks were carried out by the GRU-linked Fancy Bear (APT28) group responsible for stealing and releasing emails from the Democratic National Committee (DNC) which many believe gave Trump an advantage ahead of the 2016 Presidential election.

It’s no coincidence that the son of current Democratic Presidential hopeful Joe Biden sat on the board of Burisma Holdings. It was Trump’s decision to improperly pressure the Ukrainian President to investigate dealings at the firm that led to his impeachment by the House on charges of abuse of power and obstruction of Congress.

“Our report is not noteworthy because we identify the GRU launching a phishing campaign, nor is the targeting of a Ukrainian company particularly novel. It is significant because Burisma Holdings is publicly entangled in US foreign and domestic politics,” noted the report.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyber-attacks undertaken during the 2016 US elections.”

Specifically, the group used a lookalike domain to spoof the legitimate Burisma Holdings webmail login portal to access employee accounts. With this access they could read sensitive corporate emails and use accounts to launch further attacks.

To increase the chances of success, the attackers focused on subsidiaries of the company such as KUB-Gas and CUB Energy, and set up email sender authentication records using SPF and DKIM, Area 1 said.

The attacks are thought to have succeeded in tricking some Burisma employees into handing over their logins.
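The two details above, a lookalike domain and sender authentication records set up so that SPF and DKIM pass, are exactly what a mail gateway or SOC rule has to catch: an authentication pass only proves that a message really came from the domain named in its headers, not that the domain is the one the reader expects. The following is an added Python example, not code from Area 1 or from the original article; the protected domain examplecorp.com, the sample messages and the homoglyph table are constructed placeholders, and the two-label registrable-domain extraction is a simplification noted in the code.

```python
"""Flag sender domains that resemble a protected domain even when SPF/DKIM pass.

Added example; the protected domain and the messages below are constructed, not
taken from the article or from any vendor tooling.
"""
from typing import Dict, List, Tuple

# Characters and digraphs commonly swapped in to build look-alike names (constructed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (last two labels).

    Assumption for this example only: production code should consult the public
    suffix list so that names like corp.co.uk are split correctly.
    """
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(sender_domain: str, protected: List[str], max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    sender_reg = registrable(sender_domain)
    sender_sld = sender_reg.split(".")[0]
    for p in protected:
        p_reg = registrable(p)
        p_sld = p_reg.split(".")[0]
        if sender_reg == p_reg:
            return "legitimate", f"registrable domain is {p_reg}"
        if sender_sld == p_sld:
            return "lookalike", f"same name as {p_reg} under another TLD ({sender_reg})"
        if normalize(sender_sld) == normalize(p_sld):
            return "lookalike", f"homoglyph variant of {p_reg}"
        if len(p_sld) >= 5 and p_sld in sender_sld:
            return "lookalike", f"embeds the protected name {p_sld}"
        if len(p_sld) >= 6 and levenshtein(sender_sld, p_sld) <= max_distance:
            return "lookalike", f"within edit distance {max_distance} of {p_sld}"
    return "unrelated", "no protected domain resembles it"


# Constructed sample in the shape of Authentication-Results data: every message
# passes SPF and DKIM, because whoever registered each domain also published its records.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "hr@mail.examplecorp.com", "spf": "pass", "dkim": "pass"},
    {"from": "it-support@examp1ecorp.com", "spf": "pass", "dkim": "pass"},
    {"from": "noreply@examplecorp-login.com", "spf": "pass", "dkim": "pass"},
    {"from": "webmail@exampelcorp.net", "spf": "pass", "dkim": "pass"},
    {"from": "news@github.com", "spf": "pass", "dkim": "pass"},
]


def triage(messages: List[Dict[str, str]], protected: List[str]) -> List[Tuple[str, str]]:
    """Return (sender, reason) for every message whose domain is a lookalike.

    The SPF/DKIM fields are deliberately ignored: a pass only vouches for the
    domain in the header, so it can never clear a lookalike domain.
    """
    flagged = []
    for msg in messages:
        domain = msg["from"].rsplit("@", 1)[-1]
        verdict, reason = classify_sender(domain, protected)
        if verdict == "lookalike":
            flagged.append((msg["from"], reason))
    return flagged


if __name__ == "__main__":
    for sender, why in triage(SAMPLE_MESSAGES, ["examplecorp.com"]):
        print(f"ALERT {sender}: {why}")
```

Run against the constructed sample, three of the five senders are flagged despite all of them passing SPF and DKIM; the one legitimate subdomain sender and the unrelated domain are left alone. The checks are ordered from cheapest to most permissive, and the length guards on the substring and edit-distance rules keep short brand names from matching everything.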

Rosa Smothers, senior VP of cyber operations at KnowBe4, explained that phishing is the “go-to methodology” for Russian intelligence services seeking to infiltrate target networks.

“Like any fairly sophisticated and organised hacking campaign, they also ran multiple domains that were just similar enough to legitimate Burisma domains that they went unnoticed by users,” she added.

“At the end of the day, the story here is one of ongoing and escalating social engineering efforts by the Russians against their targets of interest — which is why we should expect and plan for such activities during our upcoming election cycle."

Categories: Cyber Risk News

Microsoft Patches Serious Crypto Flaw Found by NSA

Wed, 01/15/2020 - 09:40

Microsoft has kicked off the new decade with fixes for some 50 vulnerabilities, including one discovered by the NSA that could allow attackers to spoof digital certificates and bypass security measures.

This month’s Patch Tuesday focused on CVE-2020-0601, a flaw security experts praised the NSA for disclosing responsibly rather than weaponizing in attacks.

Affecting Windows 10 and Windows Server 2016 and 2019, the bug exists in the way the CryptoAPI DLL validates Elliptic Curve Cryptography (ECC) certificates.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” warned Microsoft. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

If successful, an attacker could then conduct man-in-the-middle attacks and decrypt confidential information, or run malware even in environments using app whitelisting.

“Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software,” argued Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

Todd Schell, senior product manager at Ivanti, urged admins to prioritize fixing the problem.

“The vulnerability is only rated as important, but there have been many examples of CVEs that were only rated as important being exploited in the wild,” he said. “Due to the nature of this vulnerability we would urge companies to treat this as a top priority this month and remediate quickly.”

A second flaw in Windows’ cryptographic services is rated with a lower CVSS score, but should also be prioritized, Schell claimed.

CVE-2020-0620 could allow attackers to overwrite or modify a protected file and elevate their privileges accordingly, although it first requires them to execute on a targeted system.

“Gaining execute rights on a system is a pretty low bar for most threat actors. Again, our guidance is to treat this as a priority 1 and address it in a timely manner,” said Schell.

This is the last Patch Tuesday that will include fixes for Windows 7 and Server 2008 systems, unless organizations have paid for extended support. If they have not, they will need to upgrade, or invest in virtual patching capabilities to mitigate the increased risk of attack.

“This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a ‘soft spot’ for a compromise,” warned Trustwave threat intelligence manager, Karl Sigler.

Categories: Cyber Risk News

App Leaks Thousands of Baby Photos and Videos Online

Tue, 01/14/2020 - 17:06

An app designed to record and share milestones in a child's development has leaked thousands of images and videos of babies online.

Bithouse Inc., the developer of the Peekaboo Moments app, failed to secure a 100 GB Elasticsearch database containing more than 70 million log files dating from March 2019. As a result, information including email addresses, geographic location data, detailed device data, and links to photos and videos has been exposed.

The breach was discovered by Dan Ehrlich, who operates Texas-based computer security consulting firm Twelve Security.

Ehrlich estimates that at least 800,000 email addresses are in the exposed data, which is stored on servers hosted by Singapore-based Alibaba Cloud.

"I've never seen a server so blatantly open," Ehrlich told Information Security Media Group. "Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."

Peekaboo Moments, which appears to be run by a company based in China, allows parents to record their baby's birth date and track the infant's length and weight. Now parents will be able to use it to record an unexpected milestone—their baby's first ever data breach.

The free app claims to take the security of users' data seriously and to offer users a "secured space" in which to record their child's precious moments. The company makes money by offering additional storage, with subscription plans starting at $8.99 per quarter.

On its Google Play app profile page, it states: "Data privacy and security come as our priority. Every Baby’s photos, audios & videos or diaries will be stored in secured space. Only families & friends can have access to baby’s moments at your control."

The length of time the Elasticsearch server has been unsecured or who may have accessed its contents are unclear. 

Information Security Media Group said that repeated efforts to contact Peekaboo Moments CEO Jason Liu—based in San Francisco, according to his LinkedIn profile—have drawn a blank. 

Attempts to contact the company and other Peekaboo employees have also proved unsuccessful.

According to Google Play, the Peekaboo Moments app has been downloaded 1 million times since launching in 2012.

Categories: Cyber Risk News

Play Store Still Peppered with Fleeceware Apps

Tue, 01/14/2020 - 15:56

Four months after fleeceware's initial exposure, Android users who purchase "subscriptions" to apps from the Google Play Store are still at risk of being ripped off.

Fleeceware hit the news in September 2019, when researchers at SophosLabs showed how some app publishers were using a sneaky business model to drastically overcharge Android users for basic services. 

On the Google Play Store, researchers found multiple instances of app publishers operating a system where users could be charged excessive amounts of money for apps if they didn’t cancel a “subscription” before the short free trial window closed.

New research published today by SophosLabs reveals that fleeceware has not been shorn from the store. 

"While the company did take down all the apps we had previously reported to them, fleeceware remains a big problem on Google Play," wrote researchers.

"Since our September post, we’ve seen many more Fleeceware apps appear on the official Android app store."

New fleeceware flagged by SophosLabs includes entertainment or utility apps, fortune-telling apps, instant messengers, video editors, and beauty apps. 

Some apps, offering basic services such as a reverse-image search, which Google does for free, charge over $200 for an annual subscription. 

Researchers said installations of these apps total nearly 600 million across fewer than 25 apps. Some of the individual apps on the store appear to have been installed on more than 100 million devices.

One popular keyboard app investigated by researchers allegedly transmits the full text of whatever its users type back to China. 

Clues to the fleeceware apps' financial chicanery can be found in customers' reviews.

"User reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected," wrote researchers. 

Some users claim to have been charged an annual subscription fee despite unsubscribing by a certain date as per the app's instructions. 

Researchers noted apps offering weekly and monthly subscription payment options in an attempt to make their product seem more budget friendly. 

"In one case, we found an app displaying subscription fees of €8.99 per week, or €23.99 per month, which works out annually to €467.48 (if you pay the weekly amount for 52 weeks) or €287.88 (if you pay the monthly amount for 12 months)," wrote researchers. 

Categories: Cyber Risk News

Texan Arrested for Cyber-stalking Realtors and Threatening Their Kids

Tue, 01/14/2020 - 15:38

A Texas man has been arrested on suspicion of sending perverse and threatening text messages to real estate agents across America.

Lubbock resident Andy Castillo allegedly used multiple phone numbers and an app to mask his identity when cyber-stalking as many as 100 realtors in up to 22 different states. 

The 56-year-old is accused of sending pornographic images to agents along with sexually explicit text messages soliciting sex. It is further alleged that Castillo attempted to solicit sex from some agents' children. 

Castillo is accused of downloading photographs of agents' kids from social media and sending the pictures to the agents, along with chilling descriptions of his desire to sexually assault their children.

All the real estate agents targeted in this particularly disturbing cyber-stalking case are women. 

Detective Joseph Scaramucci said Castillo "was searching the top 10 realtors in different cities" and "saving female realtors' photographs right off the internet with their contact information."

Castillo was arrested in his apartment last week and taken into custody by McLennan County Sheriff's Office (MCSO). Authorities seized two cellphones and an electronic tablet belonging to Castillo.

Deputies allege that just five minutes prior to his arrest, Castillo sent lewd and threatening messages to people in San Francisco and New Orleans.

McLennan County sheriff Parnell McNamara said the MCSO began investigating Castillo in late December 2019 after receiving complaints from seven Waco-based realtors about pornographic images and messages that they had received from unknown numbers.

The results of the investigation suggest Castillo sent sexually explicit and threatening messages to women in at least twenty cities in ten different states. However, McNamara said Castillo could have stalked hundreds of women in up to 22 states and that he is expecting further victims to come forward.

Currently, Castillo is accused of cyber-stalking agents throughout Texas, including in Amarillo, El Paso, Lubbock, San Antonio, and Waco. The Texan is facing a second-degree felony charge of criminal solicitation with intent to commit aggravated sexual assault of a child.

Police are investigating reports of similar cyber-stalking behavior that have been filed in Tucson, Arizona; Anaheim, Berkeley, Irvine, San Jose, and Santa Clara, California; Broward County and Daytona Beach, Florida; New Orleans, Louisiana; Reno, Nevada; Albany and Manhattan, New York; Belfort, South Carolina; Seattle, Washington; and Washington, D.C.

Categories: Cyber Risk News

Most Firms Still on Windows 7 as Support Deadline Arrives

Tue, 01/14/2020 - 12:30

Two-thirds of UK businesses and two-fifths of US firms are still running Windows 7, according to new research released on the day the operating system, and Windows Server 2008, reach their end-of-support deadline.

Organizations that fail to upgrade their operating systems or invest in costly extended support from Microsoft will no longer receive patches from the vendor, exposing themselves to unnecessary cyber risk, according to Kollective, which issued the research.

“It took many businesses up to three years to move from XP to Windows 7 and we can expect a similar timeline for the move to Windows 10. While a lot of companies have migrated the majority of their systems away from Windows 7, being “almost there” isn’t good enough,” argued Jon O’Connor, solution architect at Kollective.

“It only takes a handful of unsecured devices to launch a full-scale cyber-attack, so having even one or two Windows 7 PCs on your network could pose a serious risk. IT teams need to know for certain that every single device on their networks is off of Windows 7 — but the reality is that most simply don’t know.”

As if to emphasize the potential risks of staying on unsupported operating system versions, news emerged this week that Microsoft is shipping a fix today for a critical flaw in a core Windows component, which could have wide-ranging consequences if left unpatched. The bug is so bad that reports suggest Redmond has already secretly supplied the patch to high-value customers.

Carl Wearn, head of e-crime at Mimecast, urged organizations to ensure they have third-party security tools in place to help shield any exposure to threats.

“As organizations move their operations to the cloud, legacy support issues like this will likely become a thing of the past in the next 10 to 15 years, but as Windows 7 remains in use across many organisations at present, people should be aware of the increased vulnerability which this OS will now experience as it is no longer supported,” he continued.

“Ensuring good cyber hygiene and the use of fallback facilities, as well as ensuring the updating of a good antivirus solution, becomes even more critical to an organization if it continues to use an unsupported OS.”

Trend Micro argued that “virtual patching,” or intrusion prevention technology, can also help in these circumstances, by protecting unsupported and unpatched operating systems.

“Speaking to numerous businesses over recent weeks, a worryingly high number are prepared to adopt a wait-and-see policy following the end of Server 2008 support on 14 January 2020,” argued VP of sales, Ross Baker.

“This amounts to an extreme hedging of bets and something we would definitely not recommend.”

Some organizations may not be able to upgrade to new OS versions if they have compatibility issues with business-critical legacy applications, or, for example, if Windows has been embedded in OT systems by a manufacturer, added VP of security research, Rik Ferguson.

Categories: Cyber Risk News

Texas School District Loses $2.3m in Phishing Raid

Tue, 01/14/2020 - 10:50

A Texas school district has found out the hard way that phishing attacks remain a serious financial threat to organizations of all shapes and sizes, losing an estimated $2.3m in a recent scam.

Manor Independent School District took to Twitter to post official confirmation that the FBI is currently investigating the incident.

“This investigation is still ongoing and although there are strong leads in the case we are still encouraging anyone with information to contact Detective Lopez at the Manor Police Department,” it added.

According to reports, three separate fraudulent transactions took place in November last year following the phishing attack, although there are few other details to go on.

The news comes as school districts in the US battle against a growing threat from ransomware.

Data released by Armor in December 2019 revealed that 72 districts had been impacted during the year, affecting an estimated 1039 schools nationwide. Separate findings from Emsisoft released at the end of the year claimed as many as 1224 schools may have been affected.

Javvad Malik, security awareness advocate at KnowBe4, argued that employee error needs to be addressed more effectively by organizations at risk of phishing attacks.

“Cyber-criminals will attack organizations with the intention of getting the highest return on investment. Usually this translates into social engineering attacks, which are in essence cons against people to do things against the interest of the company,” he added.

“This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organizations should take time to invest in security awareness and training so that they can be better-prepared to identify and report any suspicious activity.”

Ed Macnair, CEO of Censornet, argued that in failing to mitigate the risk of phishing, the Texas school district also potentially exposed its 10,000 pupils to data theft.

“There is no doubt about the importance of training employees to recognize these modern phishing techniques. Unfortunately, emotions often take over from reason in these situations and no amount of training can account for this,” he added.

“Employee awareness therefore needs to be combined with a robust, multi-layered approach to email security. Traditional pattern matching technologies are useless against modern techniques and organizations need to combine algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves.”

Categories: Cyber Risk News

Aussie Bushfires Donation Site Hit by Magecart Thieves

Tue, 01/14/2020 - 09:42

A website set up to accept donations for victims of the devastating Australian bushfires has become a victim itself — of digital skimming code designed to harvest card details.

Security researchers at Malwarebytes took to Twitter to reveal the problems that hit the unnamed donations site, which was raising money for those affected by fires in Lake Conjola that have destroyed scores of homes.

In such Magecart-style attacks, hackers typically inject malicious JavaScript into payment pages to harvest card and personal data as it is entered by shoppers, or in this case, donors to a worthy cause. The data is then exfiltrated to an external domain under the attackers’ control.

It’s a tried-and-tested method for data theft that lands the attackers with a complete set of information for each victim, worth more on the dark web than individual components.

In this incident, the malicious script in question was identified as “ATMZOW” and the known bad domain it exfiltrated data to was spotted as vamberlo[.]com.

Replying to the post on Twitter, Troy Mursch of security firm Bad Packets claimed that the same malicious script had been identified targeting an additional 39 separate websites.

Deepak Patel, security evangelist at PerimeterX, argued that Magecart attackers have hit new lows with this latest raid.

“Given the lack of visibility into such client-side attacks, the website owners often find out about the data breach days or weeks after the code injection. This extended time allows skimmers to monetize the stolen cards to the fullest extent,” he explained.

“Any site that processes user PII and accepts payments should take steps to shore up their application security by tracking and monitoring first- and third-party code execution on their sites in real time.”
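As an added illustration of the first- and third-party code monitoring Patel recommends (example code written for this article, not Malwarebytes', PerimeterX's or the donation site's own), this Python script pulls the script references out of a checkout page and flags any host outside a first-party allowlist, treating the vamberlo[.]com domain reported above as known bad. The allowlist hostnames and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts the donation page is expected to load code from.
FIRST_PARTY = {"donate.example.org", "cdn.example.org"}
KNOWN_BAD = {"vamberlo.com"}   # exfiltration host named in the Malwarebytes finding
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Gathers external script src values and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):       # <script> text arrives here
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html, allowlist=FIRST_PARTY, known_bad=KNOWN_BAD):
    """Return (severity, reason, host) findings for the script code a payment page runs."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()   # "" for same-origin paths
        if host in known_bad:
            findings.append(("critical", "script loaded from known skimmer host", host))
        elif host and host not in allowlist:
            findings.append(("warning", "script loaded from unlisted third party", host))
    for body in collector.inline:
        for host in sorted({h.lower() for h in URL_HOST_RE.findall(body)}):
            if host in known_bad:
                findings.append(("critical", "inline script references known skimmer host", host))
            elif host not in allowlist:
                findings.append(("warning", "inline script references unlisted host", host))
    return findings


# Constructed sample page: first-party script, allowed CDN, an injected inline snippet
# pointing at the reported exfiltration host, and an unvetted third-party tag.
SAMPLE_PAGE = """<form id="donate"><input name="card"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script>var sink = "https://vamberlo.com/collect"; /* stand-in for injected code */</script>
<script src="https://static.unknown-cdn.net/tag.js"></script>"""

if __name__ == "__main__":
    for severity, reason, host in audit_checkout_page(SAMPLE_PAGE):
        print(f"[{severity}] {reason}: {host}")
```

Run against a copy of the live page on a schedule and diff the findings, so that a newly appearing host on the payment page surfaces within hours rather than the days or weeks Patel describes.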

RiskIQ last year claimed to have identified over two million Magecart detections in the wild — a sign of its growing popularity among black hat data thieves.

Categories: Cyber Risk News

US to Axe Drone Fleet Containing Chinese Tech

Mon, 01/13/2020 - 16:21

The US government is planning to ground a fleet of nearly 1,000 drones it fears could be compromised by the People's Republic of China (PRC).

As reported by the Financial Times yesterday, the Interior Department is halting the use of over 800 drones that contain parts developed in the PRC. 

The decision to ground the unmanned flying fleet was triggered by concerns that the Chinese parts could be utilized by the PRC government for the purpose of spying on the activities of the United States.

A total of 810 remotely controlled quadcopters were grounded in October 2019 pending an investigation into their security. Now officials have warned that the PRC government has the ability to access images captured by the drones together with their location data. 

The Times was informed of the plan to permanently ground the fleet by two individuals who had been party to a briefing on the subject. Documents obtained by the paper indicate that the proposal has met with objections from various agencies.   

“Unmanned aircraft systems are a unique tool that fit into this mission and allow us to make high-quality surface observations at a fraction of the price of manned aircraft operations,” an Interior Department staff member wrote in an email obtained by the Times.

The grounding has not yet been officially approved by Interior Secretary David Bernhardt. However, the Times' sources have said that it is likely that Bernhardt will take the drones out of service, reserving them for training purposes and providing assistance in emergency scenarios such as tackling wildfires. 

Drones are already used by the Interior Department as a cheaper and safer alternative to manned aircraft for tracking natural resources, mapping terrain, inspecting dams, and monitoring wildfires.

An all-American drone designed and manufactured completely in the United States is still years away from becoming a reality, according to the Times' official sources. 

Legislation banning the US government from using drones manufactured by countries deemed to be "non-cooperative" with America is currently being considered by Congress. The two pieces of legislation proposed are the American Drone Security Act in the Senate and the Drone Origin Security Enhancement Act in the House.

Categories: Cyber Risk News

#THIREurope: How Target Improved its Threat Hunting Capabilities

Mon, 01/13/2020 - 15:45

A threat hunting team can be better enabled when given the time and interest to focus on what it wants.

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, David Bianco, principal engineer, cybersecurity, and Cat Self, lead information security analyst, at Target, explained how the company's threat hunting team has evolved.

Bianco said that Target had the idea to develop the threat hunting team “into something more modern, as we had the same program for several years.” 

Looking at the existing program, the company asked what was working well and what was not working as well, and assessed what else could be accomplished. Self said that by working with level 2 and 1 analysts and engaging them on what they were frustrated by and what they would like to make changes on, they were able to determine three ways to improve the threat hunting efforts:

  • Program focus – change focus to align with what Target needed the program to do
  • Operational consistency – so they know how things are running
  • Hunt topic strategy – to gain a layer of strategy on top of hunting

“The program was created to find new incidents that had been missed,” Bianco added, saying that over time the focus of the program shifted and moved from finding incidents and ensuring visibility, to being a source of knowledge transfer between SOC analysts.

He said that human-scale detection cannot be relied upon, and the “number one goal was to tweak the focus from finding incidents to figuring out how to do better at automated detection.”

Self also said that an analyst would determine and research a topic as well as carry out associated work and writing, on top of the full-time job, and this was being done for one week in an eight-week cycle. “It was asking too much to do all the work,” she said.

Bianco said the concept was changed to include a mix of long-term projects and special requests, as well as asking the analysts what they wanted to hunt on.

They concluded by recommending a working strategy which includes hiring threat hunters, allowing them time to prepare and doing threat hunting effectively to find what is not known and not being exploited, and to avoid “hitting everyone everywhere.”

Categories: Cyber Risk News

TSA Desires "Cybersecurity by Design"

Mon, 01/13/2020 - 15:12

The United States Transport Security Administration (TSA) has publicly announced that it's on a "quest to merge cybersecurity and information technology."

Instead of cybersecurity being an add-on or afterthought, the TSA wants the industry to adopt a culture of "cybersecurity by design" when dreaming up and manufacturing security equipment.

The transport-focused sub-tier of the Department of Homeland Security has not taken on this mission alone, but rather says that it's acting with the support of America's airport facilities. 

The joint call for a new mindset from the security industry was announced in a special notice on January 7.

"The purpose of this special notice is to inform [the] industry of TSA's and airport facilities' quest to merge cybersecurity and information technology," wrote the TSA.

"This and future notifications will provide [the] industry with ongoing meeting overviews and actions that specifically address information security and security screening technologies."

Along with its desires for an integrated approach, the TSA listed 17 key requirements for the information security and security screening technologies industry, with the aim of ensuring all parties are working toward a common goal.

Demonstrable "cybersecurity by design" for security equipment topped a list that also called for password control that allows airport operators to change system-level passwords and the vetting of all maintenance personnel, both local and remote, via background checks. 

Systems must be updatable as vulnerabilities are discovered, and security assessment tools should run on devices to scan for them. In addition, systems must ensure the unique identification of people, activity, or equipment access and be able to audit, analyze, and monitor events.

To protect supply-chain integrity, a complete list of all software and hardware making up screening equipment will be required from vendors.

Vendors are also expected to protect screening algorithms from compromise with systems that issue alerts when accessed. Steps must also be taken to prevent unauthorized physical access—via USB ports, for example.

"Sharing these requirements with [the] industry and the public will: Increase security levels; raise the bar of cybersecurity across screening solutions; provide vendors an opportunity to demonstrate their cybersecurity credentials; and provide an aligned approach across the industry—making it easier for vendors to adapt to end user requirements," wrote the TSA.

Categories: Cyber Risk News

Seattle to Host Major New Cybersecurity Event

Mon, 01/13/2020 - 14:30

The verdant city of Seattle is to host a new three-day event dedicated to cybersecurity and the cloud.

CSA SECtember will feature in-depth training sessions, networking opportunities, and the chance to interact with a score of global experts. 

The event is the brainchild of global non-profit the Cloud Security Alliance (CSA), which is headquartered in Seattle. The organization is known around the world for its popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR).

The inaugural SECtember will go down at the Sheraton Grand Seattle hotel from September 14 to 17, 2020. 

"Seattle is well-established around the world as the center of cloud computing, and with the introduction of SECtember, it can be the focal point of cybersecurity, as well," said Jim Reavis, CEO and co-founder, Cloud Security Alliance.

A major focus of the event will be to educate the industry on key trends and issues affecting the cloud and cybersecurity industry. Close attention will also be paid to where and how cybersecurity and the cloud intersect.  

Reavis said: "In 2020, cloud computing is now the primary mode of computing around the world and is also the foundation for cybersecurity writ large and the means by which we secure all forms of computing, such as the Internet of Things."

According to Reavis, the CSA's new September spectacular is unlikely to be a one-off event. 

He said: "CSA is making a permanent commitment to bring this signature event to our home city on an annual basis, which is rapidly becoming a magnet for companies in the technology and cloud space."

Attendees of the first ever SECtember will be spoiled for choice when it comes to training opportunities. Courses already confirmed include the Certificate of Cloud Security Knowledge (CCSK) Foundation (1 day), CCSK Plus (2 days) along with CCSK Plus AWS and Azure, Cloud Governance & Compliance (1 day), Advanced Cloud Security Practitioner (2 days), and Certificate of Cloud Auditing Knowledge (2 days).

Though the event is primarily educational, the CSA has factored in a little playtime. 

"SECtember will bring together thought leaders from five continents to provide a global perspective on strategic cloud and cybersecurity issues and will provide state-of-the-art educational activities," said Reavis.

"While the topic of our conference is serious, we guarantee that the event will also be fun."

Categories: Cyber Risk News

#THIREurope: APT Groups Now Using Similar Tools in Espionage and Cybercrime Attacks

Mon, 01/13/2020 - 13:30

Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, Tom Hall, principal consultant for incident response and Mitch Clarke, incident response consultant UK&I, at Mandiant, talked about lessons learned from the APT41 detection last summer, and how tools are being used by different threat actors.

The speakers said that they believed that APT41 are “sponsored by the Chinese government” and not part of the state’s offensive operations, and the group have been seen conducting espionage operations during daytime working hours, and doing “cybercrime activities” in the evening. This includes targeting healthcare and telco companies for IP theft.

Clarke explained that the group “flip the infrastructure and use it for cybercrime and non-espionage tasks,” and this has involved stealing source code and certificates; in the day job they flip back to espionage and use those certificates to sign malware to run in their operations.

Hall explained that APT41 have used stolen certificates to sign tools and hide from incident responders and forensic investigators. “It is not a case of if it is signed you can trust it.”

However, in attacks conducted by the APT34 group, the Mandiant researchers said that another tool called “SEASHARPEE,” which comprises a loader and embedded payload, was used as a second-stage webshell.

Hall explained that SEASHARPEE has “anti-forensic capabilities and extended functionality dependent on the sample” and while they were first seen in APT34 intrusions in October 2015, the APT34 toolsets were leaked and reported in April 2019 and were reported as being used by the APT27 attackers in 2019.

Clarke said that the presence of this particular type of malware shows that attribution cannot be completely relied upon, as you need to keep an open mind for who or what is being used and for which activity.

“Just because it is signed, it doesn’t mean it is trusted,” Clarke said. “You can add malicious certificates into root stores and an invalid cert would be available in the store.”

Speaking to Infosecurity, and asked if they felt that groups were exchanging tools or selling them on dark markets, Clarke said that sharing was very rare among threat actors, but it was more likely that different actors were using a similar kit.

Categories: Cyber Risk News

St Louis Man Jailed for $12m Tax Refund Scam

Mon, 01/13/2020 - 12:00

A St Louis man has been sentenced to four years behind bars for his part in a major identity fraud campaign in which a group claimed over $12m in tax refunds.

Babatunde Olusegun Taiwo will spend 48 months in prison plus three years of supervised release and will pay restitution of $889,712, according to the Department of Justice (DoJ).

That amounts to the total the IRS paid out in tax refunds to Taiwo and his co-conspirators after they filed over 2000 fraudulent returns, the DoJ said.

They apparently used personally identifiable information (PII) obtained from a breach at a payroll company to file returns on behalf of hundreds of school district employees in Alabama and Mississippi.

In a bid to conceal the fraud, they stole and used “electronic filing identification numbers” from businesses that help their clients with tax returns. However, they directed the IRS to send refunds to their homes in St Louis, which is likely to have raised internal red flags.

“Today’s sentencing of Babatunde Taiwo highlights how seriously IRS Criminal Investigation and our law enforcement partners take the issue of identity theft,” said Thomas Holloman, special agent in charge of the Atlanta IRS Criminal Investigation field office.

“We will continue to pursue criminals who prey on innocent victims and we will continue to enforce our nation’s tax laws. Today’s sentencings should send a clear message to would-be criminals — you will be caught and you will be punished.”

Co-conspirator Kevin Williams has already been sentenced to 78 months behind bars for his role in the scheme, as well as voter fraud and re-entering the US after having been removed.

The IRS and the UK’s HMRC are frequently targeted by scammers impersonating legitimate taxpayers, and are often themselves spoofed in phishing emails sent to victims.

The “Dirty Dozen” list of tax scams circulated by the IRS last year highlighted the most popular tricks used by fraudsters, but the tax office warned that such “aggressive” schemes are constantly evolving.

Categories: Cyber Risk News
