Info Security


National Lottery Hacker Jailed for Nine Months

Mon, 01/13/2020 - 10:00

A cyber-criminal has been jailed for nine months for committing offences against the National Lottery.

Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offences under the Computer Misuse Act 1990 and one fraud charge.

The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records.

Daniel Thompson, 27, of Newcastle, and Idris Kayode Akinwunmi, 21, of Birmingham, were jailed for eight months and four months respectively for the attack in July 2018, having used an online application to bombard victims’ web domains with thousands of attempts to log in to customer accounts.

The NCA stated that Batson was responsible for using a widely available hacking tool – Sentry MBA – to create a file that launched the attack, telling others they could make quick cash by using the tool against Camelot (which runs the National Lottery) and also giving the username and password of one lottery player to Akinwunmi, who stole £13 from his account before sending Batson £5.

Batson was arrested in May 2017 and, whilst he first denied any involvement in the crime, police officers discovered conversations between him and others about hacking, buying and selling of username and password lists, configuration files and personal details. His computer also contained a conversation with Akinwunmi about stealing the £13, the NCA added.

NCA senior investigating officer Andrew Shorrock said: “Even the most basic forms of cybercrime can have a substantial impact on victims.

“No one should think cybercrime is victimless or that they can get away with it. The NCA will pursue and identify offenders and any conviction can be devastating to their futures.”

Categories: Cyber Risk News

Citrix Admins Urged to Act as PoC Exploits Surface

Mon, 01/13/2020 - 09:45

IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published.

The tech giant revealed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway back in mid-December last year.

If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available.

However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31.

That could give attackers enough time to compromise organizations which have not applied the relevant mitigations. PoCs have started to emerge on GitHub over the past few days which could allow attackers to gain full control over affected devices.

Troy Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend.

“Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781,” he added.

It’s believed that tens of thousands of systems could be at risk.

Tripwire researcher Craig Young claimed that 39,378 of the 58,620 IP addresses he detected likely to be NetScaler or ADC VPN portals did not have mitigations enabled.

“The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he added. “In total, there were 141 distinct domain names ending .gov plus another 351 distinct names containing .gov. in the domain.”

Categories: Cyber Risk News

Cyber-Attack Makes Pennsylvania Students Learn "Old School" Style

Fri, 01/10/2020 - 18:45

Students in the Pittsburg Unified School District of Pennsylvania were left without internet access on Monday as the result of a ransomware attack.

With schools' internet servers and email compromised, youngsters returning to classes after the winter break were forced to enrich their brains the old-fashioned way, through books and direct teaching. 

“We will be teaching and learning like ‘back in the day,’ without laptops and internet,” wrote Pittsburg Unified School District Superintendent Janet Schulze on social media on Monday night. 

“Our schools have access to student information and our phones are working.”

Alongside her message that students would be going back to "old school," Schulze said that a ransomware attack had disabled the district’s network systems during the festive break.

According to The Mercury News, the district took all the servers affected by the attack offline, along with any servers that may have potentially been compromised. 

No personal data is reported to have been accessed as a result of the incident, and normal teaching schedules were resumed on Tuesday. 

"At this time, we do not have any indication that personal data/information has been compromised," wrote Schulze. 

"We are continuing to investigate and work with a cybersecurity team and experts. Since the investigation is continuing, complete findings are not available, and it is still too early for us to provide further details."

It was reported on Tuesday that the district was working with two internet technology companies to find a remedy for the attack. Contact has also been established with attorneys who specialize in dealing with the fallout from ransomware attacks.

The latest ransomware attack is the second such incident to befall a Contra Costa County system since the new year began. On Friday, January 3, a similar attack on Contra Costa County Library System resulted in a network outage in which services at 26 branches were impacted.

Library services are yet to be restored, and visitors to the system’s website are being greeted with the message: "Our network is currently down, and patrons are unable to login at this time. We are investigating the issue and will establish service as soon as possible."

Categories: Cyber Risk News

Patients of Hacked US Surgical Company Hit with Ransom Demands

Fri, 01/10/2020 - 17:55

Patients of a hacked facial surgery company in Florida are being individually threatened by cyber-criminals, who are demanding money in return for not releasing stolen personal information to the public.

The Center for Facial Restoration, Inc. (TCFFR), located in Miramar, became the victim of a cyber-attack in November last year. 

In a statement published on the TCFFR website, plastic surgeon and company founder Dr. Richard Davis wrote: "On November 8, 2019, I received an anonymous communication from cyber criminals stating that my clinic’s server [was] breached."

"The hackers claimed to have 'the complete patient’s data' for TCFFR that 'can be publicly exposed or traded to third parties.'"

Along with the message that his business had been compromised, Davis received a demand for an undisclosed ransom. 

The ambitious cyber-criminals, not content with whatever money they may have been able to extort from the specialist rhinoplasty company, then began demanding ransoms from individual TCFFR patients. 

"They demanded a ransom negotiation, and as of November 29, 2019, about 15–20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met," wrote Davis.

Davis believes up to 3,500 former and current patients may have been affected by the cyber-attack. Compromised data may include driving licenses, passports, home addresses, email addresses, phone numbers, patient photographs, and credit card payment receipts. 

The incident was reported to the FBI's Cyber Crimes Center on November 12, and on November 14 Davis met with the Bureau to pass on detailed information regarding the attack and the ransom demands. 

Davis wrote: "The investigation is currently ongoing. The FBI requests that patients receiving ransom demands file an independent cybercrime complaint online at www.ic3.gov."

Since the attack, Davis has installed new hard drives, firewalls, and virus/malware detection software in hopes of preventing a similar incident from happening. 

"I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act," wrote Davis.

The doctor published a public notice concerning the incident as the company's data storage practices made it difficult to contact patients individually.

"Because we store PII as the scan of the patient’s intake demographic questionnaire, and not in an electronic demographic database, obtaining contact information in order to individually notify all 3,500 patients has been painstakingly slow and labor intensive, and access to the data has been hindered by ongoing IT service disruptions," wrote Davis.

Categories: Cyber Risk News

MAZE Relaunches "Name and Shame" Website

Fri, 01/10/2020 - 17:20

A threat group has once again taken to the internet to publish data stolen from alleged victims who refuse to cooperate with its ransom demands. 

In December 2019, the MAZE ransomware group published online a portion of the 120 GB of data they claimed to have stolen from Southwire, North America’s most prominent wire and cable manufacturer, after the company refused to pay a $6m ransom. 

The data was published on the http(colon)//mazenews(dot)top/ site, which was hosted at an ISP in Ireland. Southwire subsequently filed a lawsuit in the Northern District of Georgia, USA, on December 31 against the MAZE operators and won their case, and the site was taken down. 

But yesterday at around 5 p.m. ET the “mazenews” website was back up online, this time hosted out of Singapore via Alibaba. 

Using an ominous black backdrop and bright red text, the website lists the companies that have allegedly been compromised. In some instances, the total amount of data that has been exfiltrated is also displayed. 

On the site, MAZE states: "Represented here companies do not wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!"

Companies listed so far are Southwire, RBC, THEONE, Vernay, Bakerwotring, BILTON, greccoauto, Groupe Igrec, Mitch Co International, Einhell, CONTINENTALNH3, Groupe Europe Handling SAS, Auteuil Tour Eiffel, Fratelli Beretta, Randalegal, crossroadsnet, SAXBST, American tax advisory firm BST & Co, and laboratory testing facility MDL. The Florida city of Pensacola is also listed.  

Downloadable files, presented as proof that a compromise has taken place, are available for Einhell, Fratelli Beretta, Crossroadsnet, MDL, BST & Co, SAXBST, Auteuil Tour Eiffel, and Southwire. Under the "proofs" category for the other companies, MAZE has written only "coming soon." 

The ransomware group claims to have exfiltrated 3 GB of data from Fratelli Beretta, and 25 GB of data each from SAXBST and BST & Co. MAZE further claims that 10% of the 120 GB it allegedly stole from Southwire is "available for downloading." 

For some unstated reason, the threat group showed mercy on alleged victim Pensacola. 

"We are going to make a gift to City of Pensacola: we will not publish leaked private data, but we publish the list of leak data and hosts to proof, that we did it, we really hacked City of Pensacola," wrote MAZE.

The city's operational departments that MAZE claims to have compromised include the treasury, finance, risk management, executive, legal, housing, and human resources departments.

Categories: Cyber Risk News

US Pressures UK on Final Huawei Decision

Fri, 01/10/2020 - 12:01

The US made a last ditch bid to convince the British government to fall into line over Huawei this week, as newly introduced legislation proposed excluding allies from intelligence sharing agreements.

Secretary of state, Mike Pompeo, was expected to press his counterpart Dominic Raab at a meeting in Washington this week over the UK’s position on its 5G networks.

A final decision is expected to be taken by Boris Johnson’s new government later this month, but a government leak last April suggested the UK is happy to keep Huawei equipment in “non-core” parts of its networks.

That puts it at odds with a Trump administration that is trying to pressure allies into its harder-line opposition to the Shenzhen-based company, which it claims is a national security risk due to its ties to the Communist Party of China.

“The security and resilience of the UK’s telecoms networks is of paramount importance,” a Foreign Office spokesperson told Reuters. “The government continues to consider its position on high-risk vendors and a decision will be made in due course.”

Also this week, Republican senator Tom Cotton introduced a new bill that would prevent Washington from sharing intelligence with any countries which allow 5G technology from Huawei to operate “within their borders.”

The legislation is seen as an attempt to put more pressure on the Five Eyes intelligence sharing alliance which includes the US, Australia, New Zealand, Canada and the UK.

Donald Trump last year declared a National Emergency to prevent “foreign adversaries” from providing equipment for its critical 5G network infrastructure. An entity list prevented US firms from selling key components to Huawei and scores of other Chinese companies.

However, its efforts to convince allies around the world to do the same have been met with mixed results, especially as blacklisting Huawei would set their development of 5G back considerably, while Trump's “America First” rhetoric makes the US a less convincing ally.

Categories: Cyber Risk News

Facebook Improves Political Ad Transparency but Refuses Ban

Fri, 01/10/2020 - 11:00

Facebook has revealed new capabilities to improve transparency and user control over political ads, but repeated its refusal to ban such advertising outright.

In a blog post on Thursday, director of product management, Rob Leathern, said updates to the Ad Library would help users shine a light on political ads delivered via the social network.

Specifically, users will soon be able to limit the number of political and social issue ads they see on Facebook and Instagram by topic, and remove interests.

They will also be able to stop seeing ads based on advertisers’ “Custom Audiences” — lists they use to target advertising. Users can also see ads that an advertiser had chosen to exclude them from receiving.

This is important because campaigners have argued that political candidates use online advertising to target different groups of voters with often conflicting messages, with neither side aware they are being promised contradictory things.

Users will also be able to see the estimated target audience size for an ad, and Facebook has improved the search and filtering functionality in the Ad Library to help researchers and journalists.

However, Leathern doubled down on the social network’s refusal to join Twitter in banning political ads outright, or Google in limiting the targeting of these ads.

“Ultimately, we don’t think decisions about political ads should be made by private companies, which is why we are arguing for regulation that would apply across the industry. The Honest Ads Act is a good example — legislation that we endorse and many parts of which we’ve already implemented — and we are engaging with policy makers in the European Union and elsewhere to press the case for regulation too,” he continued.

“Frankly, we believe the sooner Facebook and other companies are subject to democratically accountable rules on this the better.”

Experts have warned that, left unregulated, online political advertising could slowly chip away at the legitimacy of election results, especially if ads are micro-targeted. Rights groups have argued that, although strict rules apply to regular advertisers around factual accuracy, politicians can lie on the network without repercussions.

Categories: Cyber Risk News

Dixons Carphone Receives Maximum Fine for Major Breach

Fri, 01/10/2020 - 10:01

A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.

Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after POS malware was installed on 5390 tills.

The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.

The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said ICO director of investigations, Steve Eckersley.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Eckersley claimed that the stolen data exposed customers to significant risk of follow-on identity fraud and financial theft, with almost 3300 of them contacting the ICO by March 2019 about the breach.

However, the retailer said it is considering an appeal.

“When we found the unauthorized access to data, we promptly launched an investigation, added extra security measures and contained the incident,” said CEO Alex Baldock in a statement.

“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

Another business in the group, Carphone Warehouse, was fined £400,000 by the ICO in 2018 for similar security issues.

Categories: Cyber Risk News

Amazon Ring Workers Fired After Watching Users' Videos

Thu, 01/09/2020 - 18:02

Four employees of Amazon's home security company Ring have been fired after being caught snooping at users' videos. 

The online retail giant admitted terminating individuals over unauthorized access in a letter dated January 6 that was addressed to US senators Ron Wyden, Edward Markey, Gary Peters, Chris Van Hollen, and Christopher Coons. 

In the letter, Amazon states: "Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data. Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. 

"In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual."

Amazon's letter was written in response to an earlier letter dated November 20 that was sent to the company by the aforementioned senators. In that letter, the senators asked Amazon to answer a long list of questions regarding the data and security practices of the Ring company and the security of its camera-bearing doorbell devices, which have been purchased in the millions.

One of the questions asked was "How many employees of Amazon and Ring have access to American users' camera data?" Amazon answered that R&D teams can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent.

"Aside from this," wrote Amazon, "a very limited number of employees (currently three) have the ability to access stored customer videos for the purpose of maintaining Ring’s AWS infrastructure."

The company said that Ring logs and monitors all access, adding that employees and contractors are warned that improper access to, or use of, confidential information or technology could result in termination.

The news puts a fly in the ointment of Ring's attempt to make users feel more secure by launching a "privacy dashboard" at the CES 2020 conference on Monday. The newly unveiled account control panel was designed to help users manage their access settings better and block intruders from viewing their video footage.

After a stream of headlines slamming the security of its video doorbell devices, this latest revelation could potentially push the Amazon-owned company one step closer to bringing down the curtain on its beleaguered devices.

Categories: Cyber Risk News

UK Banks Foiled by Travelex Ransomware Attack

Thu, 01/09/2020 - 16:52

The New Year's Eve cyber-attack on currency exchange bureau Travelex is disrupting services for UK bank customers. 

Travelex took all its systems offline as a precautionary measure after being hit by what it initially described as a "software virus" on December 31. On January 7, the company released a statement fingering the culprit as a type of ransomware known as Sodinokibi and also commonly referred to as REvil.

Although the malware has been contained, Travelex has so far been unable to resume normal operations, though the company has said that a number of internal systems are now back up and running normally. 

The ransomware attack is not only causing misery for Travelex and its customers but has also spawned a brouhaha for British banks that rely on the travel money giant.

RBS, Sainsbury's Bank, First Direct, Virgin Money, and Barclays are among more than a dozen banks that have said their online foreign currency services are down as a result of the incident. 

Requests for foreign currency are being handled in-branch by many of the banks affected. 

According to the BBC, threat actors behind the ransomware attack are attempting to extort $6m from Travelex by encrypting the company's data. 

Travelex said on Tuesday that it was not yet clear what data had been affected by the incident. 

"To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated," Travelex stated on January 7.

Until normal service is resumed, Travelex is doing business the old-fashioned way. The company’s chief executive, Tony D’Souza, said: "Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim."

With all the hullaballoo it seems that reporting the incident to the authorities may have slipped Travelex’s mind. Organizations are legally obliged to inform the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a data breach; however, the ICO said on Tuesday that it had not received a data breach report from Travelex.

Categories: Cyber Risk News

Accenture to Acquire Symantec's Cyber Security Services Business

Thu, 01/09/2020 - 16:05

Accenture Security is to acquire Symantec's Cyber Security Services business from Broadcom.

No financial terms were disclosed regarding the acquisition, which is expected to close in March 2020, subject to customary conditions.  

The impending Symantec deal is the latest in a long line of acquisitions by Accenture Security in the threat intelligence and cybersecurity fields. Already in Accenture's cyber-stable are Deja vu Security, iDefense, Maglan, Redcore, Arismore, and FusionX.

With this latest acquisition, Accenture Security has signaled its intention to become one of the main players on the managed security services stage.

“Cybersecurity has become one of the most critical business imperatives for all organizations regardless of industry or geographic location,” said Accenture’s CEO, Julie Sweet.

“With the addition of Symantec’s Cyber Security Services business, Accenture Security will offer one of the most comprehensive managed services for global businesses to detect and manage cybersecurity threats aimed at their companies.”

The cybersecurity services arm of Symantec operates from six operations centers set in Australia, India, Japan, Singapore, the UK, and the US. 

Included in Symantec’s portfolio of cybersecurity services are global threat monitoring and analysis through a network of security operation centers, real-time adversary and industry-specific threat intelligence, and incident response services. 

Once the acquisition is complete, Accenture hopes to be able to offer clients a more personalized cybersecurity service.

Kelly Bissell, senior managing director of Accenture Security, said: “Companies are facing an unprecedented volume of cyber threats that are highly sophisticated and targeted to their businesses, and they can no longer rely solely on generic solutions. This acquisition is a game-changer and will help Accenture provide flexibility rather than a ‘one size fits all’ approach to managed security services. 

“With Symantec’s Cyber Security Services business, we can now bring clients our combined expertise fine-tuned to their industry with tailored global threat intelligence powered by advanced analytics, automation and machine learning.”

Symantec’s Enterprise Security business, now a division of Broadcom, is headquartered in Mountain View, California, and its Cyber Security Services business includes more than 300 employees around the world who serve top-tier organizations across a diverse range of industries, including financial services, utilities, health, government, communications, media, technology, and retail.

Categories: Cyber Risk News

Interpol Reduces Cryptojacking Infections by 78%

Thu, 01/09/2020 - 12:01

Interpol is celebrating after a region-wide operation led to a drastic reduction in the number of routers in southeast Asia infected with cryptomining malware.

Operation Goldfish Alpha began in June 2019 after intelligence identified over 20,000 compromised routers in the ASEAN region, accounting for nearly a fifth (18%) of global infections.

Over the succeeding five months of the operation, law enforcers and CERT staff from Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam worked together with private sector organizations including Trend Micro.

Their mission: to locate the infected routers, alert the victims and patch the devices.

Their efforts led to a 78% reduction in the number of infected routers, with efforts continuing to identify and patch the remaining devices, Interpol said.

The policing organization hailed the support of the Cyber Defense Institute and Trend Micro in helping with information sharing and analysis, as well as providing crucial guidelines for patching infected routers and advice on preventing future infections.

“When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated,” said Interpol’s director of cybercrime, Craig Jones.

“By combining the expertise and data on cyber-threats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime.”

Trend Micro explained in a blog post that its guidance document detailed how to detect and remove the Coinhive JavaScript being used by hackers to mine for cryptocurrency on affected MikroTik routers.

The firm claimed cryptojacking was its most detected threat in the first half of 2019, in terms of file-based threat components.

“Unlike serious data breaches, phishing attacks, ransomware and banking Trojans, cryptojacking doesn’t have a major impact on the victim. They don’t lose sensitive personal data, there’s no risk of follow-on identity fraud and they’re not extorted for funds by being locked out of their PC,” it continued.

“However, it’s not without consequences: cryptomining malware can slow your home network to a crawl while running up serious energy bills. It may even bring your home computers to a premature end. Also, there’s always the risk with any kind of malware infection that hackers may switch tactics and use their footprint on your home machines to launch other attacks in the future.”

Categories: Cyber Risk News

Police to Implement Facial Recognition at Cardiff-Swansea Football Match

Thu, 01/09/2020 - 11:15

South Wales Police has announced that it will be deploying facial recognition technology at the upcoming Premier League football match between Cardiff City FC and Swansea City FC at Cardiff City Stadium this Sunday, 12 January.

In a statement, South Wales Police said: “We will be deploying our facial recognition technology at key areas ahead of the match to assist in identifying those who have been issued with banning orders and may attempt to attend the game.”

This comes after the same technology was used by the police when the two teams played each other earlier in the season, a move that, despite causing some controversy regarding privacy concerns, was found to be legally justified and proportionate by the High Court back in September 2019.

Assistant chief constable Andy Valentine said: “This is only the third time in more than two-and-a-half years that the technology has been utilized at a football match and is intended to prevent disorder that has in the past affected matches involving both clubs.

“We are deploying Automated Facial Recognition to prevent offences by identifying individuals who are wanted for questioning for football-related offences or who have been convicted of football-related criminality and are now subject to football banning orders that preclude them from attending.

Football banning orders are issued by the court to those who have misbehaved at a previous football game and hence this provides us with a clear rationale in our strategy to prevent any crime and disorder, he added.

“In line with our standard operating procedures, all those captured by the technology on the day, but not on the watch list, will have their data instantaneously deleted.”

However, the news has once again raised privacy concerns and critical comments from the likes of Big Brother Watch, Football Supporters’ Association Wales and North Wales Police and Crime Commissioner Arfon Jones, along with security experts.

Jake Moore, cybersecurity specialist at ESET, said: “Facial recognition software is still very much in its early stages of production and there are many instances of it making mistakes or false positives.

“Something needs to be done in such large gatherings of people but until such a system is in place that can be completely trusted in terms of security and its function, I think it could do more harm than good.”

In November 2019, the UK’s privacy watchdog raised “serious concerns” about police use of facial recognition technology, and called for the introduction of a statutory code of practice to govern when and how it should be deployed.

Categories: Cyber Risk News

TikTok Patches Critical Account Takeover Bugs

Thu, 01/09/2020 - 10:45

TikTok has been forced to patch several critical vulnerabilities which may have allowed hackers to hijack user accounts and steal personal data.

Check Point researchers discovered the flaws in the wildly popular social media platform, including one SMS link spoofing bug affecting a feature on the main TikTok site that lets users send a message to their phone to download the app.

This could allow attackers able to find out a victim’s phone number to send them a custom malicious link, enabling them to take over an account and delete videos, post content and make private videos public.

Check Point also discovered a cross-site scripting (XSS) vulnerability in an ads subdomain of the main TikTok site; specifically in a help center section. This could allow attackers to inject malicious JavaScript into the site to harvest personal user account info, the firm warned.

These bugs were amplified by the lack of an anti-cross-site request forgery (CSRF) mechanism, it added in a blog post.

“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface,” explained Check Point head of product vulnerability research, Oded Vanunu.

“Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”

TikTok patched the bugs in its latest version of the app, although security concerns about the company persist in Washington, thanks to its Chinese ownership.

Beijing-based ByteDance bought the app from US firm Musical.ly in 2017, but given its popularity in the States, lawmakers are becoming increasingly uneasy about the purchase.

Reports suggest that both the US Army and Navy have banned servicemen and women from using the app on government-issued devices.

In the meantime, the increasingly powerful Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk.

Categories: Cyber Risk News

Cyber-Attacks Hit UK Firms Once Per Minute in 2019

Thu, 01/09/2020 - 09:42

UK businesses were deluged with cyber-attacks in 2019, with the average firm hit by over half a million attempts to compromise systems, according to new stats from Beaming.

The Hastings-based business Internet Service Provider (ISP) extrapolated the findings from data on its own corporate customers across the country.

It calculated the average number of attacks aimed at a single business last year was 576,575, around 152% higher than the 281,094 recorded in 2018 and the highest since the ISP began analyzing this kind of data in 2016.

That means UK businesses were forced to repel 66 attacks per hour on average in 2019.

The firm identified 1.8 million unique IP addresses responsible for the attacks last year, just under a fifth (18%) of which were located in China. However, this is more an indication of the sheer number of potentially hijacked machines based in the country rather than the origin of the attackers.

There was a fairly big drop to second-placed Brazil (7%), which was followed by Taiwan (6%) and Russia (5%) in terms of originating IP addresses for attacks.

Attackers most commonly targeted network device admin tools and IoT endpoints like connected security cameras and building control systems, according to Beaming. These suffered 92,448 attacks in total last year, while 35,807 were targeted at file sharing applications.

Beaming managing director, Sonia Blizzard, described 2019 as the “worst year on record” for cyber-attacks against UK firms, claiming that most were “completely indiscriminate.”

“Most business leaders, particularly at the smaller end of the spectrum, still don't recognize the threat or incorrectly assume that their broadband router and antivirus systems will be sufficient to keep them safe,” she continued.

“With the number of companies falling victim to cybercrime increasing each year, it is clear that most need to do more to protect themselves. We advise businesses to put in place multiple layers of protection, use methods such as two-factor authentication, and to secure their data while it travels over the internet.”

Categories: Cyber Risk News

Apple Is Scanning Your Photos

Wed, 01/08/2020 - 17:43

Apple's senior director of global privacy has confirmed that the company scans photos uploaded to the iCloud for evidence of illegal activities such as child sexual abuse.

Jane Horvath made the admission while speaking at the Consumer Electronics Show (CES) 2020 conference in Las Vegas yesterday, according to The Telegraph.

While speaking at the tech conference, Horvath said that photographs that are backed up to Apple's online storage service are automatically screened for illicit content.

The company has been criticized by law enforcement agencies for allowing criminals to hide behind layers of protective encryption and for refusing to break into the phones of suspected wrongdoers.

Addressing this issue yesterday in Las Vegas, Horvath said that giving criminals nowhere to hide by scrapping encryption was "not the way we’re solving these issues" but added: "We are utilizing some technologies to help screen for child sexual abuse material."

Exactly what technologies Apple is using to screen their customers' digital photographs and how long they have been doing so was not specified.

On the company's website it states: "Apple is dedicated to protecting children throughout our ecosystem wherever our products are used, and we continue to support innovation in this space.

"As part of this commitment, Apple uses image matching technology to help find and report child exploitation. Much like spam filters in email, our systems use electronic signatures to find suspected child exploitation."

Companies including Facebook, Google, and Twitter check for images depicting the sexual abuse of minors with Microsoft’s PhotoDNA system. The system uses hashing technology to check images posted online against a database of previously identified photographs.

Paul Bischoff, privacy advocate at Comparitech.com, believes that Apple may be doing something similar. 

"Here's what I think is happening: Apple has access to a law enforcement database of child abuse photos. Apple hashes or encrypts those photos with each user's security key (password) to create unique signatures. If the signatures of any encrypted photos uploaded from an iPhone match the signatures from the database, then the photo is flagged and presumably reported to authorities. 

"This allows Apple to match photos uploaded to the cloud against the law enforcement database without ever breaking encryption or actually viewing the photos." 

If this is the system that Apple is using, then Bischoff warns it has a serious flaw. 

He said: "If a child abuse photo is cropped or edited, if it's converted to another type of image file, or if it's compressed, then the encrypted signatures won't match up."
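As an added illustration (not Apple's, Microsoft's or PhotoDNA's code) of why the exact-signature matching Bischoff describes breaks on re-encoding, and how a perceptual hash of the kind PhotoDNA-style systems rely on tolerates it: the "images" below are constructed 16x16 grayscale arrays, the simulated recompression is a uniform one-level brightness shift, and the match threshold is an assumed value.

```python
import hashlib

MATCH_THRESHOLD = 6  # assumed: largest Hamming distance still treated as a match

def make_gradient(width=16, height=16, vertical=False):
    """Constructed sample image: brightness ramps 0..255 along one axis."""
    if vertical:
        return [[(y * 255) // (height - 1) for _ in range(width)] for y in range(height)]
    return [[(x * 255) // (width - 1) for x in range(width)] for _ in range(height)]

def recompress(img, delta=1):
    """Stand-in for a lossy re-encode: every pixel shifts by one level (clamped)."""
    return [[min(255, max(0, p + delta)) for p in row] for row in img]

def to_bytes(img):
    return bytes(p for row in img for p in row)

def sha256_hex(img):
    """Exact signature: changing a single pixel changes the whole digest."""
    return hashlib.sha256(to_bytes(img)).hexdigest()

def average_hash(img, size=8):
    """64-bit perceptual hash (textbook 'aHash', not PhotoDNA): shrink to
    size x size by block averaging, set a bit per block brighter than the mean."""
    h, w = len(img), len(img[0])
    by, bx = h // size, w // size
    blocks = []
    for r in range(size):
        for c in range(size):
            cells = [img[y][x] for y in range(r * by, (r + 1) * by)
                     for x in range(c * bx, (c + 1) * bx)]
            blocks.append(sum(cells) / len(cells))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for b in blocks:
        bits = (bits << 1) | (1 if b >= mean else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def exact_match(candidate, reference):
    return sha256_hex(candidate) == sha256_hex(reference)

def perceptual_match(candidate, reference, threshold=MATCH_THRESHOLD):
    return hamming(average_hash(candidate), average_hash(reference)) <= threshold

if __name__ == "__main__":
    ref = make_gradient()                 # the "known" image in the database
    edited = recompress(ref)              # same picture after a lossy re-encode
    other = make_gradient(vertical=True)  # an unrelated picture
    print("exact match after re-encode:     ", exact_match(edited, ref))      # False
    print("perceptual match after re-encode:", perceptual_match(edited, ref))  # True
    print("perceptual match, unrelated:     ", perceptual_match(other, ref))   # False
```

A one-level shift flips every byte, so the SHA-256 digests never match, while the perceptual hash of the shifted image is identical to the original's and an unrelated image sits 32 bits away.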

Categories: Cyber Risk News

Las Vegas Suffers Cyber-Attack

Wed, 01/08/2020 - 16:49

The city of Las Vegas is licking its wounds after suffering a cyber-attack on its computer network.

It is not yet known whether any sensitive information was compromised in the incident, which took place in the early hours of Tuesday morning. 

City spokesperson David Riggleman said that it was likely that the threat actors gained access to the city's network via a malicious email. 

Riggleman said that the city's IT department moved fast to counter the invasion and stated that "the city is taking extensive steps to protect its systems."

City officials were notified after unusual activity occurred at around 4:30 a.m. on Tuesday, but by the evening the full extent of the damage wrought by the incident was yet to be confirmed. Riggleman said a clearer picture is likely to emerge over the next day or two.

According to Riggleman, the City of Lost Wages encounters an average of 279,000 attempts to breach its systems every month. 

He observed: "A lot of people out there . . . are trying to open that cyber door."

While Las Vegas works out who it was that managed to step over its digital threshold and what they got up to, city residents are likely to experience some disruption. 

Riggleman said that the city's emails may be affected by system analysts' ongoing investigation into the breach. He expected any disruption, however, to be "minimal."

If the breach turns out to be the latest in a string of ransomware attacks on US cities, then it is highly unlikely that Las Vegas will cough up the money. The city's mayor, Carolyn Goodman, went on record in July as sponsor of a resolution not to pay ransoms in the event of a cybersecurity breach. The resolution was approved by the US Conference of Mayors. 

Given the timing of the attack, some may wonder if it was launched by a vengeful Iran as retaliation for the recent killing of Iranian major general Qassem Suleimani. 

Following the announcement of Suleimani's death on January 2, the US Department of Homeland Security issued a warning for Americans to be on high alert for cyber-attacks coming from Iran.

Categories: Cyber Risk News

Nigerian Betting Company Denies Breach

Wed, 01/08/2020 - 15:53

Nigerian online betting company SureBet247 has told the public not to be deceived by "false" reports that the firm has suffered a serious data breach.

According to the website iAfrikan.com, over 32GB of SureBet247 data, spread across six databases, has been exposed online. The information affected by the alleged incident includes user profiles, betting slip logs, a list of SureBet247 staff email addresses, and data linked to the company's website surebet247.com.

The alleged breach came to light after an anonymous source found SureBet247 data online and tipped off Australian security researcher and haveibeenpwned founder Troy Hunt. 

"Within the databases there’s everything from user records to betting histories, the latter consuming more than 100M rows in one of the databases," said Hunt.

"I’m yet to total the user records, but multiple databases contained hundreds of thousands of user records each, so the number is substantial. Impacted data includes names, email addresses, dates of birth and betting records. It’s not yet clear whether passwords were also compromised, that’s something I’m hoping to clarify with them."

The anonymous source reached out to Hunt in December 2019 after an attempt to warn SureBet247 of a potential security issue was spurned. Hunt contacted iAfrikan after his own efforts to notify SureBet247 of the alleged breach elicited no response. 

When iAfrikan's Tefo Mohapi contacted the gambling company to warn them of the alleged breach, he received a suggestion to email technical support and the response that it was SureBet247's decision whether or not to notify their customers of a possible data breach. 

According to MyNaijaBlog.com, the director-general of Nigeria's National Information Technology Development Agency (NITDA) has requested that an investigation into the alleged breach be carried out by the Data Breach Investigation Workforce.

SureBet247 has publicly denied that any data breach has taken place. Earlier today, the company posted the following message on Twitter: "Dont be decieve [sic] by any false info. We weren’t breached on any data. Thanks."

SureBet247 was founded in 2011 and trades under the name ChessPlus International Limited.

According to Mohapi, other online sports betting operators may have been affected by the alleged security incident. The exposed databases indicate that BetAlfa, BetWay, BongoBongo, and TopBet may have been compromised. 

Categories: Cyber Risk News

Google Shifts to 90-Day Bug Disclosures by Default

Wed, 01/08/2020 - 12:00

Google has tweaked its Project Zero disclosure policy in a bid to drive more thorough patch development and improved adoption.

The new direction for 2020 centers around one major change: from January 1 this year the firm will implement a full 90-day disclosure policy regardless of when a vulnerability is fixed by a vendor. In the past, the relevant researchers could decide whether disclosure came at the end of the 90-day period or when a bug was fixed.

Although the rationale for the previous policy was to speed patch development by affected vendors, Google now also wants to focus on additional goals, according to Project Zero manager, Tim Willis.

With 97.7% of issues identified by Project Zero now fixed within the deadline, thoughts moved to improving the underlying principles of simplicity, fairness and consistency, he said.

With that in mind, Google not only wants to continue pursuing faster patch development but also to improve the thoroughness of patches.

“Too many times, we've seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” explained Willis. “One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”

Providing a full 90-day window means vendors will therefore have more time to perform root cause and variant analysis.

“We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits,” said Willis.

Google’s second goal for 2020 is to improve adoption of any patches that arise from Project Zero research.

“End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device,” argued Willis.

“To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.”

Once again, the 90-day time frame should provide more opportunity and incentive for vendors to encourage installation of their fixes by a larger user population.

Google is also betting that leveling the playing field with a mandatory 90-day window will encourage vendors to work more closely with its researchers on bigger problems.

“We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration,” Willis concluded.

Categories: Cyber Risk News

NGOs Demand Google Crackdown on Pre-Installed Apps

Wed, 01/08/2020 - 10:30

Global rights groups have joined forces to demand that Google tackles the problem of budget Android smartphones pre-installed with privacy infringing apps that users can’t remove.

Over 50 organizations, including the UK’s Privacy International, today asked the tech giant to stop manufacturers and other Android partners from delivering devices that could undermine user privacy and security.

They argued that because the apps come pre-installed, they can choose which permissions they want — sometimes using the device’s camera, microphone or location without the user's knowledge.

“The failure of Google to moderate the pre-installed app ecosystem has opened it up to a wild-west of exploitation, putting users’ privacy and security at risk,” argued Privacy International technology lead, Christopher Weatherhead. “Google must act now to deter bad actors who shovel malicious and exploitative apps on individuals’ devices.”

The rights groups called for changes so that users can permanently uninstall any apps on their phones, including related background services that run even if the apps themselves are disabled.

They also want pre-installed apps to stick to the same rules as Play Store apps, especially in relation to custom permissions, and to have some form of update mechanism.

When manufacturers or vendors break these rules, Google should refuse certification for privacy reasons, they added.

The initiative comes after research released last March by Universidad Carlos III de Madrid (UC3M), the IMDEA Networks Institute, the International Computer Science Institute (ICSI) at Berkeley and Stony Brook University of New York.

The first-of-its-kind study covered 82,000 pre-installed Android apps on more than 1,700 devices manufactured by 214 brands.

“As we demonstrated in this paper, this situation has become a peril to users’ privacy and even security due to an abuse of privilege or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors,” it concluded.

Categories: Cyber Risk News
