Info Security


NGOs Demand Google Crackdown on Pre-Installed Apps

Wed, 01/08/2020 - 10:30

Global rights groups have joined forces to demand that Google tackles the problem of budget Android smartphones pre-installed with privacy infringing apps that users can’t remove.

Over 50 organizations, including the UK’s Privacy International, today asked the tech giant to stop manufacturers and other Android partners from delivering devices that could undermine user privacy and security.

They argued that because the apps come pre-installed, they can be granted whichever permissions their makers choose — sometimes using the device’s camera, microphone or location without the user's knowledge.

“The failure of Google to moderate the pre-installed app ecosystem has opened it up to a wild-west of exploitation, putting users’ privacy and security at risk,” argued Privacy International technology lead, Christopher Weatherhead. “Google must act now to deter bad actors who shovel malicious and exploitative apps on individuals’ devices.”

The rights groups called for changes so that users can permanently uninstall any apps on their phones, including related background services that run even if the apps themselves are disabled.

They also want pre-installed apps to stick to the same rules as Play Store apps, especially in relation to custom permissions, and to have some form of update mechanism.

When manufacturers or vendors break these rules, Google should refuse certification for privacy reasons, they added.

The initiative comes after research released last March by Universidad Carlos III de Madrid (UC3M), the IMDEA Networks Institute, the International Computer Science Institute (ICSI) at Berkeley and Stony Brook University of New York.

The first-of-its-kind study covered 82,000 pre-installed Android apps on more than 1700 devices manufactured by 214 brands.

“As we demonstrated in this paper, this situation has become a peril to users’ privacy and even security due to an abuse of privilege or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors,” the study concluded.


UK Man Jailed for Using RAT to Spy on Women

Wed, 01/08/2020 - 09:50

A Merseyside man has been jailed for two years after using a notorious Remote Access Trojan (RAT) to spy on women via their webcams.

Scott Cowley, 27, of St Helens, was sentenced at Liverpool Crown Court this week after pleading guilty to offences under the UK’s Computer Misuse Act and Sexual Offences Act.

He’s said to have used the Imminent Monitor RAT (IM-RAT) to remotely spy on his victims. According to local reports, arresting officers found three folders on his laptop named after each of his victims. They apparently contained images and videos of the women undressing and of one of them having sex.

Officers from the North West Regional Organised Crime Unit (NWROCU) had little problem in tracking him down as he reportedly used a PayPal account linked to his real name and email address to purchase the malware.

NWROCU’s detective sergeant Steve Frame welcomed the sentencing on Monday.

“This conviction demonstrates that despite the high-tech nature of the Cyber Crime, offenders have no place to hide. We take all reports of cybercrime seriously and are absolutely committed to tackling and undermining this evolving threat,” he added in a statement.

“If you have been the victim of a similar crime, or suspect somebody is involved in committing this type of crime please call 101 and report it to your local police force.”

Cowley was arrested as part of a global crackdown on the RAT at the end of November 2019 led by the Australian Federal Police (AFP) and coordinated internationally by Europol.

Some 13 of the RAT’s “most prolific users” were arrested and 430 devices seized, according to Europol. In the UK alone, 21 search warrants led to the arrest of nine individuals including Cowley, and the recovery of 100 items.

The operation began in June 2019 when warrants were issued to search an alleged employee and developer of the IM-RAT.

The malware is thought to have been used in 124 countries and sold to more than 14,500 buyers, generating huge demand thanks to its ease-of-use and relatively low selling price of just $25.


Utah Company and Its Former CEO Settle with FTC Over Alleged Security Failures

Tue, 01/07/2020 - 17:53

The US Federal Trade Commission has reached a settlement with a Utah company and its former CEO over allegations that shoddy security practices led to the personal information of over a million customers being illegally accessed in multiple hacks.

InfoTrax Systems, L.C. and its founder and former CEO Mark Rawlins allegedly failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of the company’s business clients. 

As a result of the alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. 

Sensitive personal information accessed by the hacker included consumers' Social Security numbers, full names, addresses, email addresses, telephone numbers, usernames, passwords, and payment account numbers with expiration dates and CVVs, according to the FTC’s complaint. None of the consumer data stored had been encrypted.

It is further alleged that the presence of the intruder inside the company's system from May 5, 2014, to March 7, 2016, was only discovered because InfoTrax began receiving alerts that one of its servers had reached maximum capacity. 

In its complaint, the FTC wrote: "The only reason Respondents received any alerts is because an intruder had created a data archive file that had grown so large that the disk ran out of space. Only then did Respondents begin to take steps to remove the intruder from InfoTrax’s network."

More hacks occurred on March 14 and 29, 2016, when a threat actor gained access to the company's network, infecting it with malware that harvested payment card and other billing data. 

Under the terms of the settlement, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. 

In addition, the company and Rawlins are required to obtain third-party assessments of their company’s information security programs every two years.

Utah State University computer science graduate Rawlins founded MLM services provider InfoTrax Systems in 1998. Clients of the company include doTerra, Xango, and LifeVantage.


Richard Branson Gets Animated Over Online Scams

Tue, 01/07/2020 - 16:53

Sir Richard Branson is so hacked off with cyber-criminals ripping off his name and image that he has released an animated guide to spotting online scams. 

The video features two extremely pink cartoon renderings of the Virgin founder who work together to highlight a variety of scamming tactics over a soundtrack that conjures the most daring of James Bond's espionage escapades.  

Fake Branson tries to tempt you into investing in get-rich-quick scams or giving your personal information away to a stranger, while genuine Branson tells you that he and his team would never do that. 

By the end of the brief video, the fake Branson is revealed to be a robot, whose head then explodes. 

All the fraudulent endorsements and scams mentioned in the video are real tactics that have been used against Branson and his business empire. One such tactic is to send direct messages to people who have posted on Virgin's social media feeds.

Animated Richard points out: "Scammers are contacting people who post on our social feeds. Even if it’s a verified account, know that I never direct message anyone, nor does my team. I never endorse any get-rich-quick schemes—this is a sure-fire way to lose your investment."

To step up the fight against scammers, Virgin has opened its own reporting portal at virgin.com/online-scams and urges anyone affected to report any cases featuring Richard or Virgin that seem suspicious.

If you spot anything else you suspect is a scam, Virgin recommends reporting it to Action Fraud, the UK’s national fraud and cybercrime center, via reporting.actionfraud.police.uk.

In 2017, Branson nearly fell prey to a fraudster posing as a UK government official who requested financial assistance to pay the ransom of a supposed kidnapping victim. 

The billionaire businessman is not alone in being targeted; according to figures released by the British Office of National Statistics in 2018, cases of fraud, including online scams, cost UK consumers £190bn every year.

"Only trust what we post on our official channels," says animated Branson.

"Help us stop scammers and report anything you think is suspicious. If you think it’s a con, send it on."


Insight Partners Acquires Armis for $1.1bn

Tue, 01/07/2020 - 15:59

In the first major cybersecurity acquisition of 2020, Israeli company Armis has been acquired by private equity firm Insight Partners.

Under the terms of the agreement, Insight will acquire the company for cash at a valuation of $1.1bn, with participation from CapitalG for $100m and rollover from certain existing stockholders. 

The deal represents the largest ever acquisition of a private Israeli cybersecurity company and is also the biggest enterprise IoT security software acquisition to date. Closing is expected to occur in February.

Armis was founded in late 2015 with a mission to help enterprises adopt new connected devices without fear of being compromised by cyber threat actors. The company, which is headquartered in Palo Alto, California, counts numerous Fortune 1000 companies among its clients. 

Following the acquisition, Armis will continue to operate independently and will be fully managed by its two co-founders—Yevgeny Dibrov, CEO, and Nadir Izrael, CTO—and the executive team. Going forward, the C-suite will have the support of Insight's business strategy and ScaleUp division, OnsiteSupport.

This heady mix of freedom with an optional shoulder to lean on was a deal-maker for Armis' Dibrov.

He said: "Insight is one of the most sophisticated software investors in the sector, and it is due to the depth of their domain expertise that they really understand the enterprise IoT device challenge we are looking to solve, and the size of the market opportunity. 

"We considered growth rounds and strategic offers, but by partnering with Insight we have the best of both worlds—operational support and independence, both of which were important in our decision to take on a scaleup partner this early in our company journey."

Insight Partners is a leading global venture capital and private equity firm investing in high-growth technology and software companies with a reputation for driving transformative change in their industries. Founded in 1995, the firm currently has over $20 billion in assets under management and has cumulatively invested in more than 300 companies worldwide.

Teddie Wardi, managing director at Insight, said: "We've spoken with their users, who have told us how powerful the Armis platform is at device discovery, classification, and continuous threat assessment. In a world of unmanaged devices, Armis' technology is a game changer."


Tech Ops Exec Pleads Guilty in $6m Fraud Case

Tue, 01/07/2020 - 12:01

A senior vice-president at a global internet marketing firm has pleaded guilty to a wire fraud case in which he illegally paid $6m into an IT shell company.

Hicham Kabbaj worked for over four years at affiliate marketing giant Rakuten Marketing, formerly known as Rakuten LinkShare and part of the Japanese multi-national e-commerce firm.

From 2015, he held positions there as director of operations, VP of global technical operations, SVP of technical operations and then SVP of tech ops and engineering, according to his LinkedIn profile.

However, from at least August 2015 until at least May 2019, Kabbaj was defrauding his employer by issuing invoices in the name of a shell company he created, Interactive Systems, for fictitious products and services such as firewalls and servers, according to the Department of Justice.

The resulting payments, amounting to more than $6m in total, were subsequently transferred to his personal accounts.

“Today, Mr Kabbaj pled guilty to a serious felony because he chose to misuse his position of trust as a corporate executive to steal company funds for his own personal gain,” said Internal Revenue Service, Criminal Investigation Division (IRS-CI) special agent in charge, Jonathan Larsen.

“As a result of the dedicated work of IRS-CI special agents, along with our partners at the US Attorney’s Office, Mr Kabbaj will face the consequences of his crime when he is sentenced by a federal judge.”

Kabbaj, 48, of Floral Park, New York, pleaded guilty to one count of wire fraud, which carries a maximum sentence of 20 years behind bars. He has handed over homes in Palm Beach Gardens, Florida, and Hewitt, New Jersey, as “property traceable to the offense,” and will pay over $6m in restitution.


Facebook Moves to Detect and Remove Deepfake Videos

Tue, 01/07/2020 - 11:30

Facebook has announced plans to ban deepfake videos.

In a blog post, Monika Bickert, the company’s vice-president for global policy management, acknowledged that “while these videos are still rare on the internet, they present a significant challenge for our industry and society as their use increases.”

Bickert said that “misleading manipulated media” will be removed if it has been edited or synthesized – beyond adjustments for clarity or quality – in ways that aren’t apparent to an average person and would likely mislead someone into thinking that a subject of the video said words that they did not actually say. Videos will also be removed if they are the product of AI or machine learning that merges, replaces or superimposes content onto a video, making it appear to be authentic.

“This policy does not extend to content that is parody or satire, or video that has been edited solely to omit or change the order of words,” Bickert said. “This approach is critical to our strategy and one we heard specifically from our conversations with experts.

“If we simply removed all manipulated videos flagged by fact-checkers as false, the videos would still be available elsewhere on the internet or social media ecosystem. By leaving them up and labelling them as false, we’re providing people with important information and context.”

Jake Moore, cybersecurity specialist at ESET, said that deepfakes are becoming increasingly difficult to spot, and AI is required to help detect them. “Fake videos of famous or powerful people can be extremely manipulative, causing extremely damaging effects in some cases. It is a bold claim from Facebook to ban all such false videos from their platform, as the software used to recognize them is still in its immature phase and requires more research to be effective. 

“Most videos are altered in some way before they land on social media so there is the potential of teething problems with false positives – or even letting a number of genuine deepfakes slip through the net. Not only do we need better software to recognize these digitally manipulated videos, we also need to make people aware that we are moving towards a time where we shouldn’t always believe what we see.”

Facebook has been involved with deepfake detection, launching the Deep Fake Detection Challenge last year, and partnering with Reuters to help media identify deepfakes and manipulated media through a free online training course.


UK Probes London Stock Exchange Outage

Tue, 01/07/2020 - 10:45

UK government intelligence experts are investigating whether an ‘outage’ at the London Stock Exchange (LSE) last August may have been caused by a cyber-attack, it has emerged.

People familiar with the matter told the Wall Street Journal that GCHQ’s inquiries focus around the August 16 incident, which was described by the LSE at the time as “a technical software issue” which affected trading in FTSE 100 and 250 stocks, among others.

This led to one of the stock exchange’s worst outages in eight years, delaying the start of trading by over 90 minutes.

GCHQ reportedly wants to know whether hackers may have been able to take advantage of what was an IT system update at the time to disrupt markets.

Cyber-threats are listed in the group’s annual report as one of the LSE’s primary operational risks, with ransomware, data theft, DDoS and cloud computing all mentioned by name.

“The group’s technology and operational support providers, internal and third-party, could suffer a security breach resulting in the loss or compromise of sensitive information (both internal and external) or loss of services. Such a breach could materialize as a result of weaknesses in system controls or processes, or through the inadvertent or malicious actions of employees, contractors or vendors,” it added.

“A major information security breach that results in data and intellectual property loss, system unavailability or sensitive data leakage, could have a significant negative impact on our reputation, financial results and the confidence of our clients and could lead to fines and regulatory censure.”

For its part, the LSE has maintained that the incident was the result of a software configuration issue following an upgrade.

“London Stock Exchange takes its commitment to run orderly markets for its members seriously and has thoroughly investigated the root cause of the issue to mitigate against any future incidents,” a spokesperson told the paper.

The UK Treasury is also said to be involved in the investigation.


US Biz Closes Doors After Ransomware Attack

Tue, 01/07/2020 - 10:01

A US fundraising firm has been forced to close its doors after more than 60 years in business following a crippling ransomware attack in October.

The Heritage Company, based in Sherwood, Arkansas, let its 300 employees go just before Christmas, according to local reports.

“Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the key just to get our systems back up and running,” explained CEO Sandra Franecke in a December message to employees.

“Since then, IT has been doing everything they can to bring all our systems back up, but they still have quite a long way to go. Also, since then, I have been doing my utmost best to keep our doors open, even going as far as paying your wages from my own money to keep us going until we could recoup what we lost due to the cyber-attack.”

The ransomware took out the firm’s accounting systems and mail center so it had no way of processing and receiving funds and sending statements out, she added.

The firm, which describes itself as “the premiere and most experienced professional tele-fundraiser in the nation,” is still hopeful this is not the end of the road after six decades in business.

“The ONLY option we had at this time was to close the doors completely or suspend our services until we can regroup and reorganize and get our systems running again. Of course, we chose to suspend operations as Heritage is a company that doesn't like to give up,” said Franecke.

The incident is a timely reminder of the impact ransomware can have on small- and medium-sized businesses that rely on mission-critical IT systems but have fewer resources or less know-how to mitigate the risk of cyber-attacks.

“It would be easy to say that it wasn’t ransomware which brought about the apparent demise of The Heritage Company, but instead a lack of secure backups and a resilient disaster recovery plan,” observed security expert Graham Cluley.


Imperva Appoints Pam Murphy as New CEO

Tue, 01/07/2020 - 09:45

Cybersecurity company Imperva today announced the appointment of Pam Murphy as CEO, effective immediately.

Murphy will take over from interim CEO Charles Goodman, who will continue to serve as chairman of the board.

Murphy brings a wealth of experience to her new role, having previously served as COO of Infor and operated across multiple leadership positions at Oracle and Andersen Consulting and Arthur Andersen.

“Imperva offers incredible solutions that help our customers navigate the complex and dynamic world of security, risk and compliance, while at the same time enabling progressive business transformation in an increasingly challenging marketplace,” Murphy said. “I’m looking forward to building on the foundation laid by our outstanding leadership team and capitalizing on Imperva’s market-leading products. Our relentless focus on our customers and their needs will always come first as we seize the many opportunities that lie ahead and significantly grow the business both domestically and internationally.” 

Goodman added: “We’re excited to have Pam join us on our mission to protect critical assets from cyber-criminals’ ever-changing attacks. As an accomplished executive who has led operations for some of the world’s largest software companies, and demonstrated ability to deliver customer value on a massive scale, she is perfectly positioned to lead Imperva through our next phase of growth.”


Bronze President Spies on Asia

Mon, 01/06/2020 - 18:28

A cyber-espionage group dubbed Bronze President has been targeting countries in South and East Asia. 

Researchers at Secureworks' Counter Threat Unit (CTU) have observed the group spying on the activities of political and law enforcement organizations and NGOs. 

The threat group seems to have developed its own remote access tools, which it uses alongside publicly available remote access and post-compromise toolsets to gain entry to a network.

Using publicly available open-source tools could be a deliberate ploy by the group to cover its tracks and reduce the risk of attribution.

Once inside, the threat actors elevate their privileges and install malware on a large proportion of systems. Bronze President then runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.

The threat actors appear to be monitoring their targets as they steal data from compromised systems over a long period of time. Countries that have been targeted include India and Mongolia. 

Activity from the threat actors has been observed by Secureworks' researchers since mid-2018, but it is thought that the group may have started causing trouble as early as 2014. 

Among the group's phishing lures, researchers found emails suggesting an interest in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia.

Researchers believe the Bronze President group is operating from a base within the People's Republic of China (PRC). 

Connections were found between a subset of the group's operational infrastructure and PRC-based internet service providers. Furthermore, the group uses tools such as PlugX that have historically been leveraged by threat groups based in the PRC.

"It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups," wrote Secureworks' researchers. 

The operational tactics of the group indicate that the crew behind it is highly organized.

Researchers noted: "Bronze President has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences."


Lawsuit Filed Against LifeLabs Over Data Breach

Mon, 01/06/2020 - 17:48

A class-action lawsuit has been filed against a Canadian laboratory testing company following a cyber-attack in which the data of 15 million of its customers was accessed by criminals. 

LifeLabs reported the data breach to government partners on October 28, 2019, but waited until December 17 to notify its customers. 

Sensitive information exposed in the incident may have included customers' names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.

The cyber-criminals who accessed the data were paid an undisclosed amount by LifeLabs in return for a promise to not make the information public.

On December 27, lawyers Peter Waldmann and Andrew Stein filed an unproven statement of claim in Ontario Superior Court in which LifeLabs is accused of breach of contract and negligence. The company is further accused of violating consumer protection laws and of violating their customers’ privacy and confidence.

The statement of claim was filed on behalf of five named plaintiffs, including lead plaintiff Christopher Sparling, who allege that LifeLabs violated their own privacy policy when they "failed to implement adequate measures and controls to detect and respond swiftly to threats and risks to the Personal Information and health records of the class members."

It is further alleged that LifeLabs stored customers' personal information on unsecured networks or servers, failed to implement "any, or adequate, cyber-security measures," didn't encrypt data, and neglected to hire or train any personnel responsible for network security management.

According to Canadian Underwriter, Waldmann and Stein are seeking more than $1.13bn in compensation for LifeLabs' Canadian customers to make up for the mental anguish, wasted time, and damage to their credit reputation they have suffered. The plaintiffs are seeking additional punitive and moral damages. 

In an open letter, LifeLabs CEO Charles Brown wrote that up to 15 million customers, almost all of them in Ontario and British Columbia, may have been affected by the data breach.

On December 18, a toll-free helpline, set up to field calls from concerned LifeLabs customers, received over 5,000 calls. According to CTV news, a second line had to be set up to deal with the volume of calls.

LifeLabs is owned by one of the biggest pension funds in Canada, the Ontario Municipal Employees Retirement System, which has $92 billion in assets.


Austria's Foreign Ministry Hit by Cyber-Attack

Mon, 01/06/2020 - 16:34

The Austrian government has been hit by a cyber-attack that could be the work of a rival foreign power. 

The attack, which was leveled against the country's Foreign Ministry, began late on Saturday night. A spokesperson for the ministry described the incident as "serious" and said that experts had warned it could continue for several days.

On the same day the attack was launched, at a congress held in the city of Salzburg, Austria's Green Party said that it was in favor of forming a coalition with the conservative People's Party.

The ministry said that the attack had been caught early and countermeasures had immediately been put in place. The signatures and the pattern of the attack suggest that it could be the work of a state-sponsored threat actor. 

"Despite all intensive security measures, there is never 100 percent protection against cyber-attacks," the ministry said, before adding that other European countries had been affected by similar incidents in the past. 

By Sunday, the ministry's official website was once again accessible.

Commenting on the news, Hugo van den Toorn, manager of offensive security at Outpost24, said: "It is true that despite the precautions taken and all the controls in place, a motivated attacker can always find a way through an organization’s defenses. Although we see an increase in politically motivated attacks over the past few years, we should remain vigilant in blaming certain threat actors or nation-states. 

"As we also see that attribution remains difficult with cyber-attacks, past attacks have taught us that adversaries will attempt to make their attacks look like other actors in an attempt to avoid taking the blame or to provoke conflicting parties."

This latest incident in Austria follows the serious cyber-attack on the German government's IT network, which was launched in March 2018. A group of Russian-backed threat actors known as APT28 or Fancy Bear was suspected to be behind not only that attack, but also an earlier cyber-hit on the German parliament carried out in 2015. 

APT28 are similarly suspected of waging cyber-warfare on entities in Eastern Europe and in the United States.


US Braced for Cyber Retaliation from Iran

Mon, 01/06/2020 - 11:12

The US government has echoed concerns from the cybersecurity industry that Iranian state hackers could respond to the assassination of a top Tehran general with attacks on US critical national infrastructure (CNI).

Widely considered the second most powerful man in Iran, Qassem Suleimani was killed by a US drone strike in Baghdad on Friday.

Military and political leaders in the country have warned of retribution, while signs posted along the vast funeral procession today are reported to have read: “Harsh revenge is awaiting.”

The Department of Homeland Security (DHS) has duly issued an alert warning of a terror threat on home soil, although it admitted “at this time we have no information indicating a specific, credible threat to the homeland.”

However, an attack could come with little or no warning, with cyber a likely vector, it said.

“Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of US-based targets,” the notice continued.

“Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

On Saturday, the website of the government-run American Federal Depository Library Program (FDLP) was defaced with an image of a bloodied Donald Trump. Industry experts believe things could escalate even further.

John Hultquist, director of intelligence analysis at FireEye, warned of an uptick in cyber-espionage against government entities, designed to give Tehran a geopolitical advantage, and destructive attacks on CNI.

“Iran has leveraged wiper malware in destructive attacks on several occasions in recent years. Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations,” he added.

“We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”

Categories: Cyber Risk News

Japanese Love Hotel Site Breached

Mon, 01/06/2020 - 10:44

A booking site for customers of Japanese “love hotels” has been hacked, raising fears over follow-on identity fraud and blackmail attempts.

In a country known for its focus on convenience, love hotels are a popular feature in towns and cities, offering a place for amorous couples to bed down for a few hours or a whole night without needing to trek back to their tiny apartments.

In such establishments, privacy is of the utmost importance, with the check-in counter often designed so that guests can pay for a room without coming face-to-face with any hotel employees.

However, the compromise at Almex, which runs the popular HappyHotels[dot]jp site, threatens to unmask those guests.

In a notice, the firm said customer data including guest email addresses, handle name, birth date and gender, telephone number, log-ins, address and credit card information could all have been swiped by attackers.

“We sincerely apologize for the inconvenience and anxiety that may have caused our customers and other concerned parties. The service has been suspended because we are currently investigating the cause and taking measures,” it added.

“This password may have been leaked at this time, so if you use the same e-mail address and password as those of other companies' services, please change the password of other companies' services as soon as possible.”

Given the sensitive nature of the website, and the fact that some users may have been visiting love hotels with someone other than their partner, there’s an obvious risk of online blackmail and extortion for guests who’ve been exposed.

According to recent stats, over a third (38%) of Japanese women claimed that their husband or boyfriend had cheated on them in the past, with the figure slightly lower (31%) for women who admitted to cheating on their partners.

Categories: Cyber Risk News

Travelex Site Still Down After New Year’s Eve Attack

Mon, 01/06/2020 - 09:45

The websites of a major global currency exchange business are still down after a “software virus” struck the firm on New Year’s Eve last week.

London-headquartered Travelex, which describes itself as “the world's leading foreign exchange specialist,” operates online around the world and in airports, as well as supporting travel money services for several high street lenders in the UK.

A statement on its main UK website written in English, French, Japanese, German, Dutch, Italian and Czech claims that “planned maintenance” is the cause of the “temporary” outage and that it will be back online soon.

However, a notice posted to Twitter and the firm’s dot-com site reveals a different story — that a “software virus” discovered last Tuesday has “compromised some of its services.”

“As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all our systems offline. Our investigation to date shows no indication that any personal or customer data has been compromised,” it explained.

“We have deployed teams of IT specialists and external cybersecurity experts who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems.”

The firm’s bricks-and-mortar branches are still working as normal, Travelex added, but reports suggest that both the app and its services to UK banks are impacted.

Some experts suggested ransomware as a likely cause of the incident, with the firm praised for its speedy response.

“Having a well-tested resilience plan in place that covers the technical aspects, communication with the public and clear responsibilities for handling incidents can ultimately make a difference between a costly response and maintaining customer trust,” argued Iain Kothari-Johnson, financial services lead for cybersecurity at Fujitsu UK.

“Break-glass incident response services, where experts are on-hand to rapidly investigate and mitigate threats, can also help reduce the financial and reputational impact of this type of incident and should be considered as part of any good resilience plan.”

Categories: Cyber Risk News

Adam Sandler's Twitter Account Hacked

Fri, 01/03/2020 - 17:55

Two days after singing megastar Mariah Carey had her Twitter account hacked, the same fate has befallen American actor and comedian Adam Sandler.

According to The Hollywood Reporter, a hacker or hackers compromised the account of the Happy Gilmore star yesterday to post a string of racist, sexist, and anti-Semitic tweets. Several of the barely literate messages contained the N-word.

In this latest celebrity Twitter hack, various tweets were retweeted from several other accounts, including one tweet from @MJerkme. Showing an extremely poor grasp of the English language, this missive, directed at former US president Barack Obama, described Donald Trump's predecessor as an "arangatang monkey." 

The message went on to garble "u ruined my life when u messed with the food stamp rates i hate u forever retart."

Given the content of the tweets, this cyber-attack is, perhaps more than anything, a damning indictment of the American education system. 

One thing the hacker(s) couldn't be accused of was political bias, since they took swipes at both the Democrats and the Republicans. In one tweet to @realDonaldTrump they accused the current US president of being "a racist cracker."

Other messages retweeted by the hacker(s) came from the Twitter account @iNuBLoM. This particular Twitter handle was referenced during Carey’s hack, which is believed to have been perpetrated by the Chuckling Squad hacking group. 

The Chuckling Squad claimed responsibility for hacking Twitter CEO Jack Dorsey's Twitter account in August last year. Apparently, they haven't reached the level of comedic sophistication at which one can divine when a joke has gone on long enough. 

According to reports, other tweets posted by the hacker(s) that appear to have been deleted referenced Carey’s hacking. In one, the poster claimed to have "just had phone sex with @MariaCarey."

While SIM-swapping was used to carry out the Dorsey hack, it is as yet unknown how Carey and Sandler's Twitter accounts came to be compromised. 

The Sandler hack occurred at around 5:30 p.m. yesterday. According to Sandler's representative, the compromised account was locked as soon as the issue occurred. 

Sandler's account, which is currently promoting the actor's latest film Uncut Gems, has 2.4 million followers.

Categories: Cyber Risk News

Xiaomi Security Camera Shows User Wrong Video Feed

Fri, 01/03/2020 - 17:11

A user who accessed their Xiaomi home security camera via their Google account was shown still images of strangers in unknown locations.

The Netherlands-based user, known as "Dio-V," was confronted with random snapshots from other people's lives after trying to stream content from a Xiaomi Mijia to a Google Nest Hub.

Dio-V reported the incident on Reddit yesterday. Along with footage to demonstrate the serious security flaw, Dio-V posted the comment: "When I load the Xiaomi camera in my Google home hub I get stills from other people's homes!!"

The still black and white images include shots of a baby lying down in a crib beneath a mobile and several different scenes in which strangers' living rooms, a staircase, and an enclosed porch area are depicted. In one restful scene, a mature gentleman is taking a nap in a kitchen. 

It is not clear exactly when Dio-V's feed first began showing still images of other people's homes, or how long the camera had been connected to his Google account before this alarming situation started.

Dio-V said that the camera and the Nest Hub were both purchased new, ruling out any possibility that the incident involves a lingering connection with a previous owner. 

Since learning of the flaw, Google has disabled Xiaomi integration for Google Home and the Assistant until a fix is found. 

Google said: "We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices."

The Xiaomi Mijia 1080p Smart IP Security Camera that Dio-V used can be linked to a Google account for use with Google/Nest devices through Xiaomi's Mi Home app/service. 

Commenting on the flaw, Xiaomi stated: "Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. 

"In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions. We have also found 1044 users were with such integrations and only a few with extremely poor network conditions might be affected. 

"This issue will not happen if the camera is linked to the Xiaomi’s Mi Home app. Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again."

Categories: Cyber Risk News

Summer Exit Planned for Head of UK's National Cyber Security Centre

Fri, 01/03/2020 - 16:14

After six and a half years in the job, Ciaran Martin is to relinquish his role as head of UK cybersecurity.

The 45-year-old has announced plans to surrender his title of chief executive of the National Cyber Security Centre (NCSC) in the summer of 2020. 

Oxford University graduate Martin, who has dedicated his entire working life to the UK civil service, described his years with the NCSC as "the privilege of a lifetime."

British government ministers established the NCSC four years ago on the recommendation of Martin, who was then appointed to lead it. 

Martin said in a statement: "When we created the NCSC we set out to achieve something truly special, and I hope and believe we are leaving UK cyber security in much better shape."

Martin, who was recently appointed a Companion of the Order of the Bath by Queen Elizabeth in the New Year's Honors List, said that the time was ripe to bring a fresh perspective to the demanding role. However, he believes his successor will not be in for an easy ride.

"Challenges around securing technology are only going to get ever more complex," said Martin, "so it’s right that after six and a half years that someone else takes this world-class organization to the next level."

Britain's Government Communications Headquarters, commonly known as GCHQ, has said that a new NCSC chief executive will be appointed and in place by the end of the summer. 

Martin joined the board of GCHQ in December 2013 as head of cybersecurity. His recommendation to set up the NCSC as a division of GCHQ was made after the 2015 election. 

The NCSC now employs approximately 1,000 staff and operates from a head office in London's Victoria area on an annual budget of £250m. The center offers practical cybersecurity advice for individuals and organizations via a website.

Since its inception, the NCSC has dealt with over 2,000 cybersecurity incidents targeting the UK. In the 12 months ending August 2019, the NCSC supported nearly 900 British organizations to recover from cyberattacks.

Categories: Cyber Risk News

Data Leak Forces Password Reset at Crypto Exchange Poloniex

Fri, 01/03/2020 - 12:00

A cryptocurrency exchange has been forced to reset customer passwords after a suspected data leak via social media, although its incident response efforts caused more confusion among some users.

US-based exchange Poloniex informed around 1% of its customer base that they had to reset their log-ins, following a tweet claiming to contain a list of leaked email/password combos.

However, customers took to Twitter warning that the email itself was a phishing scam, forcing the exchange to re-emphasize its legitimacy.

It followed up with a blog post to clarify the situation.

“Our immediate priority was to ensure that our customers’ accounts were safe. As a result, we reset the passwords of potentially impacted customers, as users often reuse passwords or minor variants of the same password,” it explained.

“Our second priority was to determine the source of the leak and we can now confirm that neither this list, nor the information contained, originated from Poloniex. For those interested in our security protocols, we do not store passwords in plain text or a recoverable form, but rather we store them as salted bcrypt hashes.”

In fact, 90% of the compromised passwords on that list have already appeared on breach notification site HaveIBeenPwned?, it said.

“If you have a Poloniex account and did not receive an email from us related to this, you can be confident that your email address was not on the list,” the firm continued. “Less than 5% of the email addresses on the posted list were associated with Poloniex accounts.”

The incident highlights the increasing difficulty online firms have in convincing customers that urgent communications are legitimate, in light of a continued epidemic of phishing scams.

Following the collapse of UK travel agency Thomas Cook last year, UK banks were criticized for sending unsolicited text messages to affected customers containing clickable links.

Categories: Cyber Risk News
