Info Security


#OSSummit: Seven Properties of Highly Secure IoT

Tue, 08/27/2019 - 08:00

Connected devices, commonly referred to as the Internet of Things (IoT), potentially represent a large risk to the safety and security of the internet as a whole, if not properly secured.

That was the key message that David Tarditi, principal software engineer lead for Microsoft Azure Sphere, conveyed during a session at the Open Source Summit in San Diego, California on August 22. Tarditi’s message wasn’t all doom and gloom either, as he outlined seven key properties that manufacturers and users alike can leverage to help secure IoT devices.

While there are risks from IoT devices, Tarditi noted that lessons have been learned in recent years by Microsoft and others about how to improve security. Fundamentally, he said that all code has bugs and it’s also likely that any given device can and will be hacked eventually, but that doesn't mean that all IoT needs to be insecure.

“Security is foundational, you have to build it in from the beginning,” Tarditi said. “Trying to bolt security on as an afterthought isn’t going to work.”

In Microsoft’s experience, there are seven key properties of highly secure IoT devices, with the first item being having a hardware root of trust. Tarditi said that it’s a good idea to have hardware that can provide the ability to protect a device's identity.

“So in practice, what this means is that on your hardware you want unforgeable cryptographic keys that are generated and protected by the hardware,” he explained. “You also want the hardware to secure software booting.”

Tarditi added that secure boot involves some form of boot ROM that ensures the operating system loads as expected, without interference or potential malware. Once a user or vendor has ensured that the operating system loader is secure, then it is possible to ensure the integrity of everything else that loads on a given system, as it provides the foundation for a hardware root of trust.

Defense in Depth is the second key attribute for securing IoT, which basically means that there is more than one security control or mechanism that is responsible for keeping a device secure. The third key attribute identified by Microsoft is having a small trusted computing base.

“It’s pretty simple, less code equals fewer bugs,” Tarditi said. “You want to reduce the attack surface and make it harder for attackers to get in.”

Having dynamic compartments was the fourth key attribute outlined by Tarditi. He noted that compartmentalizing software also helps to limit the reach and impact of any single security breach.

A primary weakness of many IoT devices is passwords. Tarditi said that it’s often hard to get consumers to change the default password on IoT devices, and even when they do, passwords are easily stolen by attackers. That leads to the fifth key property, which is to use certificate-based authentication to help mitigate and even remove the risk of passwords. Tarditi said that with a hardware root of trust, it's possible to know whether a device is in a good state when it boots. A trusted authority can be set up which communicates with the hardware root of trust to validate a given device and then issues a certificate that enables access to services.

The sixth key property of highly secure IoT devices is to have some form of integrated failure reporting. Tarditi said that failure reporting is all about having the ability to gather reports from devices to be able to detect potential flaws and attacks.

Finally, the seventh key property is something that Microsoft refers to as, renewable security.

“You need to be able to update the device to address security threats,” Tarditi said. “You need to have cloud infrastructure that allows you to update the device and you also need to have the technical ability to prevent a rollback attack.”

In a rollback attack, an attacker seeks to 'rollback' or revert a device update in order to exploit a known vulnerability. Overall, Tarditi emphasized that IoT security is only as good as the weakest link and it can often be challenging to get it right.

“Device security is like a stool that requires three legs, if you remove any one of those legs, you’ll end up on the floor,” he said.
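The renewable-security property above combines an authenticated update with a check that the version can only move forward. The following is an added example, not code from Azure Sphere or the talk; it models the hardware-protected key with an HMAC key and the hardware monotonic counter with a small class (both are assumptions for the demonstration), then verifies a signed update manifest and rejects a rollback to an older version.

```python
"""Signed firmware-update verification with anti-rollback.

Added example. Assumptions: DEVICE_KEY stands in for a key that real hardware
would generate and keep unforgeable (here an HMAC key rather than an asymmetric
one), and MonotonicCounter stands in for a hardware counter that cannot be
decremented.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a hardware-protected, device-unique key.
DEVICE_KEY = b"constructed-device-key-for-demo"


class MonotonicCounter:
    """Models a hardware monotonic counter: the value can only increase."""

    def __init__(self, value=0):
        self._value = value

    @property
    def value(self):
        return self._value

    def advance_to(self, new_value):
        if new_value < self._value:
            raise ValueError("monotonic counter cannot decrease")
        self._value = new_value


def image_digest(image: bytes) -> str:
    """SHA-256 of the firmware image, as recorded in the manifest."""
    return hashlib.sha256(image).hexdigest()


def make_manifest(version: int, image: bytes) -> dict:
    """Vendor-side: describe an update by version and image digest."""
    return {"version": version, "image_sha256": image_digest(image)}


def sign_manifest(manifest: dict, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor-side: MAC over a canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_update(manifest: dict, signature: bytes, image: bytes,
                  counter: MonotonicCounter, key: bytes = DEVICE_KEY):
    """Device-side check. Returns (accepted, reason).

    Order matters: authenticity first (so an attacker cannot feed us a forged
    version number), then the anti-rollback check against the counter, then
    the image binding; only an accepted update advances the counter.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    version = manifest.get("version")
    if not isinstance(version, int) or isinstance(version, bool):
        return False, "missing or malformed version"
    if version < counter.value:
        return False, f"rollback: version {version} < installed {counter.value}"
    if image_digest(image) != manifest.get("image_sha256"):
        return False, "image does not match manifest"
    counter.advance_to(version)
    return True, "accepted"


if __name__ == "__main__":
    # Constructed scenario: device runs version 3, vendor ships version 5.
    counter = MonotonicCounter(3)
    v5 = make_manifest(5, b"fw-v5")
    print(verify_update(v5, sign_manifest(v5), b"fw-v5", counter))
    # A correctly signed but older update is refused.
    v4 = make_manifest(4, b"fw-v4")
    print(verify_update(v4, sign_manifest(v4), b"fw-v4", counter))
```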

Categories: Cyber Risk News

Hostinger Breach Prompts Reset of All User Passwords

Mon, 08/26/2019 - 16:28

A data breach at web hosting company Hostinger has prompted the company to reset the passwords of all its customers. 

Hostinger, which operates from Kaunas, Lithuania, reset the passwords of 29 million customers in 178 countries as a precautionary security measure after the breach was detected on August 22, 2019. 

An intruder gained access to one of the company's internal system APIs, which triggered an alert to Hostinger. The compromised server held an authorization token, which was used to gain further access and escalate privileges to Hostinger's RESTful API server, which could query information relating to clients and their accounts.

No financial information was accessed during the attack, but a database that contained hashed passwords, email addresses and client usernames was compromised. Up to 14 million accounts may have been affected.   

Hostinger protects client passwords by hashing them: a one-way mathematical function transforms whatever password a client has picked into a seemingly random sequence of characters.

Customers of the web hosting company have been advised to pick strong passwords that are not in use anywhere else and to be wary of any unsolicited communications asking for personal information. 

To increase the security of client data, Hostinger has ditched the hashing algorithm SHA-1 in favor of using SHA-2, which is tougher for hackers to crack.  

The incident has been reported under Europe's General Data Protection Regulation. 

In a statement released on its blog, Hostinger said: "Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.

"Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities."

Hostinger assured clients that their financial data was safe. Since payments for Hostinger services are made through authorized and certified third-party payment providers, the company does not store card details or any other sensitive financial information on its servers.


Astronaut Accused of Committing Cybercrime in Space

Mon, 08/26/2019 - 15:31

NASA is reportedly investigating claims that one of its astronauts has become the first person to commit a crime while in space. 

U.S. Army Astronaut Lt. Col. Anne McClain allegedly accessed a bank account belonging to her estranged wife, Summer Worden, while on active duty at the International Space Station. 

A complaint was filed by Worden with the Federal Trade Commission (FTC) in relation to the alleged case of identity theft. A second complaint was then filed by Worden's parents with NASA's Office of Inspector General. 

No allegations have been made against McClain regarding the movement or removal of any funds from Worden's account. 

McClain and Worden, who filed for divorce in 2018 after four years of marriage, are currently in dispute over the custody of their 6-year-old son. It is alleged that McClain told NASA investigators that she logged into her estranged wife's bank account to check that it contained enough money to ensure the former couple's son was being adequately provided for. 

NASA has yet to respond to the allegations against McClain, stating only that "NASA does not comment on personal or personnel matters." 

In a statement, NASA described McClain as "one of NASA's top astronauts," who "did a great job on her most recent NASA mission aboard the International Space Station."

Rusty Hardin, McClain's lawyer, told The New York Times that McClain is cooperating fully with the investigation and “strenuously denies that she did anything improper."

Addressing the allegations on Twitter, McClain posted the following message: "There’s unequivocally no truth to these claims. We’ve been going through a painful, personal separation that’s now unfortunately in the media. I appreciate the outpouring of support and will reserve comment until after the investigation. I have total confidence in the IG process."

McClain boarded the International Space Station in December 2018 and spent six months there in preparation for NASA's first women-only spacewalk. The spacewalk, which McClain was due to perform with fellow astronaut Christina H. Koch, was cancelled in March 2019 after NASA couldn’t provide both women with spacesuits that fit. 

Before joining NASA's astronaut corps in 2013, McClain was a helicopter pilot in the army and flew 216 combat missions in Iraq. McClain later served as battalion operations manager and Kiowa helicopter instructor pilot at Fort Rucker, Alabama. 


Over Half of Social Media Logins Are Fraudulent

Mon, 08/26/2019 - 14:27

Social media sites like Facebook and Instagram have long been repositories for fake posts skillfully manipulated to present a rose-tinted version of users' lives to the digital world. 

A report released today by fraud remediators Arkose Labs revealed that it isn't just the content on social media that's giving off the foul reek of fakery. The Fraud & Abuse Report found that 53% of all logins on social media sites are fraudulent. 

The report, which analyzed more than 1.2 billion transactions made between April 1, 2019, and June 30, 2019, found that 11% of all online transactions, including account registrations, logins and payments, were actually cyber-attacks. 

Attacks were found to originate globally, in both wealthy countries and developing economies. The majority of fraud attacks came from the US, Russia, the Philippines, the UK and Indonesia. 

Interestingly, the attack mix varied across industries, with some spheres more likely to suffer human-driven cyber-attacks, while others were chiefly targeted by bots. 

The technology industry stood out as heavily targeted by human click-farms and sweatshops, with almost 43% of attacks driven by humans. However, it was the retail industry that saw the highest proportion of human culprits, with a 50/50 split between attacks driven by humans and bot-led assaults.

Cyber-criminals were found to use a two-pronged approach, sending humans to work on a target after large-scale automated attacks by bots proved unsuccessful.

Commenting on the report's findings, the VP of strategy at Arkose Labs, Vanita Pandey, said: "The sophistication of the bot attacks is increasing, and the merchant is getting bombarded with attacks from bots and humans at the same time.

"These criminals have unlimited technology and identities are widely available; the only limited resource is humans to hire to do the attacks."

Shockingly, 46% of all payment transactions for travel were found to be fraudulent, as were almost 10% of all login attempts on travel sites. 

Seasonality played a role in the results for the financial services industry, with a peak in the volume of attacks observed during high-traffic periods, like the US tax season. 

Indicating that peaks in the volume of attacks may be useful in helping to identify future breaches, Pandey stated: "We saw an increase in the number of attacks in what we later realized was the lead up to a big breach announcement."


Malicious Android App Makes Double Debut On Google Play

Fri, 08/23/2019 - 17:41

Open-source Android spyware has appeared twice on Google Play.

Research conducted by ESET discovered the first known instance of spyware based on the open-source espionage tool AhMyth lurking within a radio app available on Google Play. The app in question is Radio Balouch, detected as Android/Spy.Agent.AOX.

On the surface Radio Balouch functions as an internet radio app dedicated to playing the music of the Baloch people, who inhabit Iran, Afghanistan and Pakistan. However, an investigation led by ESET researcher Lukas Stefanko found that the app had been created as a way to spy on people who downloaded it. 

While listeners were enthralled by the sounds of the suroz and the benju, the spyware hidden in the app went to work stealing contact information and harvesting files stored on the devices affected.  

ESET sent a report to Google detailing its discovery. Google's security team removed the malicious Radio Balouch app within 24 hours, but 10 days later it had been re-posted on Google Play by the original developer.

Stefanko said: “We also detected and reported the second instance of this malware, which was then swiftly removed. However, the fact that Google let the same developer post this evident malware to the store repeatedly is disturbing." 

The Radio Balouch app first appeared on Google Play on July 2. It returned on July 13 and was again swiftly removed. The app was installed by over 100 people each time it was posted on Google Play. 

Radio Balouch may be the first app containing open-source Android spyware to make it onto Google Play, but it's unlikely to be the last. Judging from how easily the app returned to Google Play after being removed, Google may wish to put in place some more stringent security measures. 

“Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may soon appear on Google Play,” said Stefanko. 

Radio Balouch may have ended its brief fling with Google Play, but it is still available on alternative app stores. 

ESET stated: "It has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.” 


US Makes 80 Arrests Over $46 Million Online Fraud

Fri, 08/23/2019 - 16:32

US authorities have charged 80 members of a Nigerian-based crime ring in connection with online scams designed to swindle victims around the world out of $46 million.

A 145-page indictment lists 252 charges against the 80 suspects, who are mostly Nigerian nationals. Charges of aggravated identity theft, conspiracy to launder money and conspiracy to commit fraud have been brought against all of the accused.

Speaking at a press conference held earlier today, US attorney Nick Hanna described the fraud as "one of the largest cases of its kind in US history."

Nigerian-born Valentine Iro and Chukwudi Christogunus Igbokwe were named as co-conspirators who allegedly worked alongside people in Nigeria and in the US to dupe victims into transferring money overseas. 

Iro and Igbokwe, who were arrested in the US, are accused of fraudulently getting their mitts on $6 million as part of a larger conspiracy intended to bag a cool $46 million.

The internet scams at the center of this case promised victims romance or riches in return for financial assistance.

The case began when a single bank account aroused the suspicions of the FBI back in 2016. The investigation expanded to include numerous victims around the world.

One woman in Japan fell victim to the scammers after becoming a digital pen pal on an international social network. The woman, who is referred to in court papers as F.K., was fooled into thinking she had found love with a US Army captain stationed in Syria. 

Over the course of a fictitious 10-month online romance, F.K. sent daily messages to Cpt. Terry Garcia and $200,000 to help him smuggle diamonds out of the country. Neither Garcia nor the stash of diamonds turned out to be real.

F.K. was left heartbroken and virtually bankrupt after borrowing money from her friends, her sister and even her ex-husband.

F.K. and other victims in this case were tricked by sophisticated versions of the Nigerian prince scam, also known as the 419 scam after the criminal code used for fraud in Nigeria. 

Despite being almost as old as email, 419 scams are effective because they exploit vulnerabilities in humans. And they are likely to remain so unless technology can find a bug fix for greed or love.


#OSSUMMIT: Confidential Computing Consortium Takes Shape to Enable Secure Collaboration

Fri, 08/23/2019 - 14:40

At the Open Source Summit in San Diego, California on August 21, the Linux Foundation announced the formation of the Confidential Computing Consortium. Confidential computing is an approach using encrypted data that enables organizations to share and collaborate, while still maintaining privacy. Among the initial backers of the effort are Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

“The context of confidential computing is that we can actually use the data encrypted while programs are working on it,” John Gossman, distinguished engineer at Microsoft, said during a keynote presentation announcing the new effort.

Initially there are three projects that are part of the Confidential Computing Consortium, with an expectation that more will be added over time. Microsoft has contributed its Open Enclave SDK, Red Hat is contributing the Enarx project for Trusted Execution Environments and Intel is contributing its Software Guard Extensions (SGX) software development kit.

Lorie Wigle, general manager, platform security product management at Intel, explained that Intel has a capability built into some of its processors, Software Guard Extensions (SGX), which essentially provides a hardware-based means of protecting an area of memory.

“You can think of it as a trusted execution environment,” she said. “In that trusted execution environment, the hardware protection is there for both the data as well as the code.”

Wigle noted that as there is a move toward increasing use of artificial intelligence, people care about the privacy of data, but are also interested in protecting their own proprietary algorithms as well, since a lot of the time, that’s where the intellectual property resides.

While Intel’s SGX is a hardware-level feature, Microsoft’s Open Enclave SDK is designed to make it easier for users to get up and running with confidential computing. Gossman emphasized that the Open Enclave effort is all about making confidential computing accessible.

“This is middleware; it provides application portability and makes it easier to write applications that run across different devices and even into the cloud,” Gossman said.

The promise of confidential computing is already finding multiple use cases, according to Wigle. She said that, for example, collaboration is already happening with healthcare data, where sensitive data can be shared safely in a way that is helping to potentially unlock new innovations.

“We live in a world where a lot of times convenience and privacy are at tension with each other and this is a capability that has a promise of letting us have it all,” Wigle said. “However, we do need to cooperate with others to make that happen.”

Gossman explained that fundamentally what confidential computing can enable is transactions and collaboration between multiple parties that don’t necessarily entirely trust each other, yet still want to work with each other.

The overall promise of confidential computing could potentially be transformational in ways that aren’t yet known, which is one of the reasons why the Linux Foundation has helped to facilitate the creation of the new consortium.

“We're really excited about this effort,” said Jim Zemlin, executive director of the Linux Foundation. “We do think this is something that can improve security and privacy for all of us.”


Did Denmark Make the Wrong Call on Location Data?

Fri, 08/23/2019 - 14:08

Danish authorities are reviewing 10,700 court cases over concerns that cellphone location-tracking data given as evidence may have been flawed. 

Concerns were raised after police discovered a glitch in an IT system used to convert data supplied by phone companies into evidence that can be used to place a suspect at a crime scene. The error caused data to be omitted during the conversion process, giving police an incomplete picture of where a cellphone had been taken.

The identified error was fixed in March, but a second problem emerged that could potentially place an innocent person at the scene of a crime. It transpired that some cellphone tracking data had linked phones to the wrong cellphone towers.

How decisive the flawed data may have been in determining the 10,700 verdicts affected is currently unknown. The court cases now under review date back to 2012. 

On Monday Denmark's director of public prosecutions, Jan Reckendorff, announced a two-month ban on the use of cellphone data in criminal cases while the large-scale review of verdicts is carried out. 

Speaking to the country's state broadcaster, Reckendorff said: “We cannot live with incorrect information sending people to prison.”

A steering group has been established by the country's minister for justice to monitor the review process and assess any legal ramifications caused by the flawed data. Should it emerge that flawed cellphone data has put innocent Danes behind bars, a device originally intended to connect people will instead have separated them from everyday society in the most definitive terms.

After review, a report on each case will be sent to the court and to the case's defense lawyer. Cases in which the flawed data is found to have had a significant impact on the verdict will be retried. 

Head of the Danish Bar and Law Society's criminal law committee, Karoline Normann, told The New York Times that prior to the discovery of the bugs, the accuracy of cellphone data hadn't been called into question. 

Normann said that going forward, lawyers will have to take into consideration that “evidence that may appear objective and technical doesn’t necessarily equal high-evidence value.”


VMware Plans $2.1bn Carbon Black Acquisition

Fri, 08/23/2019 - 11:45

Carbon Black has announced a definitive agreement to merge with VMware, with the virtualization company paying around $2.1bn for the endpoint protection vendor.

With a view to creating a “highly differentiated, intrinsic security cloud,” the deal will leave VMware better positioned to protect enterprise workloads and clients through Big Data, behavioral analytics and AI.

“By bringing Carbon Black into the VMware family, we are now taking a huge step forward in security and delivering an enterprise-grade platform to administer and protect workloads, applications and networks,” said Pat Gelsinger, CEO, VMware.

The combination of Carbon Black’s solutions with VMware’s security offerings, including AppDefense, Workspace ONE, NSX and SecureState, will create a modern security cloud platform for any application, running on any cloud, on any device, the company said. “This combined offering will provide customers advanced threat detection and in-depth application behavior insight to stop sophisticated attacks and accelerate responses,” a statement read.  

Patrick Morley, CEO of Carbon Black, said in a blog post that this was “a massive opportunity” as there is an “opportunity here for Carbon Black to truly disrupt the security industry — and ultimately help more customers stay safe from cyber-attacks.”

Morley added: “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device – essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating. As a result, VMware approached Carbon Black to deliver on this vision.

“Our product strategy stays the same. Our roadmap stays the same. Our customer support stays the same. The entire product portfolio, cloud and on-premises, is included in the merger – now backed by the extensive global footprint and GTM resources from VMware. In fact, the plan is to invest more aggressively in Carbon Black and leverage our combined strengths to accelerate our growth and execute our vision for our customers.”

Carbon Black will exist as an independent business unit within VMware, and become VMware’s Security Business Unit. Launched in 2007 as Bit9, the company was known as Bit9 & Carbon Black after it acquired Carbon Black in February 2014, and officially assumed the company name Carbon Black in February 2016.


South Korea Exits Japanese Intel-Sharing Agreement

Fri, 08/23/2019 - 10:40

The South Korean government has said it will end a crucial intelligence-sharing arrangement with Japan, as a trade dispute between the two wartime foes deepens.

Kim You-geun, deputy director of the presidential National Security Council, said the move was a response to Tokyo’s decision to remove South Korea’s fast-track export status earlier this month.

“Under this situation, we have determined that it would not serve our national interest to maintain an agreement we signed with the aim of exchanging military information which is sensitive to security,” he reportedly told a news conference.

The General Security of Military Information Agreement (GSOMIA) was due for automatic renewal on Saturday. It enables the two Asian giants to directly share vital intelligence on North Korea’s nuclear and missile program.

In response, Japanese defense minister Takeshi Iwaya has criticized Seoul for conflating trade and security matters.

“North Korea’s repeated missile tests threaten national security and cooperation between Japan and South Korea and with the US is crucial,” he’s reported to have said. “We strongly urge them to make a wise decision.”

Bilateral relations between the countries started to deteriorate after a South Korean court ruled last year that Japanese companies like Mitsubishi must pay compensation for their use of forced labor during Japan’s occupation of the country from 1910-45.

Japan seemed to respond by placing restrictions on the materials needed by South Korean chip-makers like Samsung to build semiconductors. Seoul came back tit-for-tat by removing Japan from a whitelist of trusted trade partners.

Commentators have argued that the spat has worrying echoes of American policy under the Trump administration: more focused on country first at the expense of vital security partnerships on the world stage.

The news could not come at a worse time, given the growing might of China in the region and its burgeoning military alliance with Russia, as well as the continued threat from North Korea.

There is an increasingly cyber-focused dimension to military alliances and warfare today. In 2017, NATO confirmed it was establishing cyber as a legitimate military domain in light of the North Korean WannaCry and Russia NotPetya attacks.


Crypto Exchange bitFlyer Adds Ethereum to Buy/Sell Platform

Fri, 08/23/2019 - 09:47

Cryptocurrency exchange bitFlyer has announced that it is adding Ethereum (ETH) to its Buy/Sell trading platform.

bitFlyer Buy/Sell users in Europe and the US will now be able to send and receive ETH while adhering to the same robust regulatory standards bitFlyer guarantees for Bitcoin (BTC) transactions.

Andy Bryant, co-head and COO, bitFlyer Europe, said: “At bitFlyer, we want to offer not just the most popular coins, but the most respected ones too, which makes ETH a logical choice to expand our service offering. Not only has ETH proved itself as a useful altcoin, particularly in relation to smart contracts, it has an incredibly strong community that surrounds it. We’re committed to offering the best customer experience whilst prioritizing security and regulatory standards, and we’re proud to say Buy/Sell now offers this capability with ETH.”

Hailey Lennon, head of legal and regulatory affairs at bitFlyer USA, explained that crypto-regulation is evolving, and bitFlyer works to ensure that everything listed on its exchange complies with the global regulatory standards. “We’re excited for today’s announcement, adding Ether to our growing portfolio of coins with NYDFS approval, and we’re looking forward to launching more coins in the coming months,” she added.

bitFlyer is the only cryptocurrency exchange to be licensed in Japan, the US and Europe combined.


Ukrainian Nuke Plant Workers Tried to Mine Cryptocurrency

Fri, 08/23/2019 - 08:58

Ukrainian security service (SBU) agents have arrested several nuclear power plant employees in the country after they misguidedly tried to use their facility’s IT systems to mine for cryptocurrency.

Local media reports this week said the incident occurred on July 10 at the plant in Yuzhnoukrainsk in the south of the country.

The workers are said to have hooked up a supercomputer, which was kept air-gapped at the power plant, to the internet. In so doing, it’s claimed they unwittingly disclosed information on the physical security measures in place at the nuclear facility, which is a state secret.

The SBU officers seized unauthorized computer equipment which had been used to build a separate LAN designed to mine for cryptocurrency.

They reportedly took six Radeon RX 470 video cards, extension cords and cabling, various switches, a motherboard, a USB flash drive, a hard drive and even the metal frame on which was mounted the other items.

Equipment was also seized after separate searches were carried out at other parts of the facility, including premises used by a Ukrainian military unit stationed there.

This isn’t the first time such an incident has been discovered. In February 2018 it emerged that engineers at the Russian Federal Nuclear Center had been arrested for trying to mine Bitcoin with one of the country’s largest supercomputers.

“This is a great example of 'trust but verify',” argued Phil Neray, VP of industrial cybersecurity at CyberX. “Even with the strictest policies and regulations in the world, it's all theoretical if you aren't continuously monitoring for unusual or unauthorized activity.”

The news comes as new research from Kaspersky this week revealed human error was behind over half (52%) of cybersecurity incidents detected by the AV vendor in industrial environments last year.


City of London Hit by One Million Cyber-Attacks Per Month

Fri, 08/23/2019 - 08:30

The City of London Corporation has suffered nearly one million cyber-attacks each month for the first quarter of 2019, according to Freedom of Information (FOI) data obtained by Centrify.

The security vendor wanted to find out more about the cyber-risks facing the local authority, which governs the part of the capital housing much of the UK’s financial center.

It found that the governing body was hit by nearly 2.8 million attacks in the first three months of the year: an average of 927,000 per month. That’s up significantly (90%) from the 489,000 per month recorded in April-December 2018.

In total, the City of London suffered 7.2 million attacks from April 2018 to March 2019, of which, the vast majority (6.9 million) were classed as spam.

The second highest category was “spoof mail,” at 244,293 attacks — presumably related to phishing attempts. There were also 17,556 detections of “top malware.”

The findings could either be interpreted as a worrying rise in attacks, or proof that detection methods are getting better.

As well as 10,000 residents, the City of London welcomes millions of annual tourists thanks to attractions like the Tower of London and hundreds of thousands of daily commuters who work in one of the world’s biggest financial hubs.

“The high volume of sensitive public information contained within the systems and databases of organisations like the City of London Corporation make it a top target for cyber-criminals. Malicious email scams such as phishing and malware attacks form a substantial part of the wider cyber threat facing councils across the country, in London and beyond,” warned Centrify VP, Andy Heather.

“With so many attacks taking place every day, it’s vital that all organizations adopt a zero trust approach to user activity, to prevent hackers gaining access to council systems using legitimate log-in details that may have been stolen or purchased on the dark web.”

In 2016 it emerged that the City was being hit by more ransomware attacks than many countries.

Categories: Cyber Risk News

Crackdown on Fake LinkedIn Profiles

Thu, 08/22/2019 - 18:53

People have been turning to LinkedIn since 2002 as a way to develop their network of business contacts. The professional social networking site has 645 million users in over 200 countries and territories around the world, who spend an average of 17 minutes on the site per month. 

While using LinkedIn may be preferable to eating stale croissants and swapping business cards at yet another networking breakfast event, it has one major downside: fake profiles.

Fake profiles are typically characterized by poor spelling and grammar, a lack of engagement, a limited number of connections and a suspicious or incomplete work history. 

It’s also not unusual for the photo in a fake profile to depict someone who, if they were really that good looking, would be making a living from modeling underwear on a beach somewhere rather than heading up a small HR team at a recruitment firm in Croydon. 

The faux profiles, which are often duplicated, are used to contact genuine professionals to fish for information such as how to get hired at a particular company. Spam of this type can be a frequent and extremely irritating problem for executives bugged daily by multiple connection requests from fake profiles.

LinkedIn is aware of the problem and has been making a concerted effort to rid the site of its pretenders.

Paul Rockwell, LinkedIn’s head of trust and safety, said: “Our teams are working to keep LinkedIn a safe place for professionals by proactively finding fake profiles then removing them and any content they share. Between January and June 2019, we took action on 21.6 million fake accounts.”

LinkedIn managed to prevent 19.5 million fake accounts from being created by automatically halting the registration process. The other 2 million fake accounts were restricted after the company paired human review with AI, machine learning and reports of fake accounts made by genuine members.  

Automation plays a key part in LinkedIn’s defense against the incoming wave of fakers. According to Rockwell, automated defenses, including AI and machine learning, prevented or took down 98% of all fake accounts. The rest were captured through manual review. 

Rockwell said: “When we stop fake accounts, we start more chances for economic opportunity.”

Categories: Cyber Risk News

Fortnite Cheats Get Cheated

Thu, 08/22/2019 - 17:16

In an Aesop's fable for the digital age, Fortnite players who try to cheat are themselves being duped by ransomware disguised as a game hack.

Research conducted by cloud security specialists Cyren has found that a cheat tool claiming to improve the accuracy of a player's aim (known as an aimbot) is in reality a piece of malware designed to cause data loss. 

Roughly 250 million players of the online video game were targeted by the ransomware, which has the filename "SydneyFortniteHacks.exe" and is known as Syrk. 

Players who download Syrk in the misguided belief that they've stumbled across a sneaky way to up their game end up with a 12MB executable file. When the file is executed, the ransomware beast awakens and starts encrypting images, videos, music and documents stored on the player's computer. The encrypted files are marked with a .syrk file extension.

The unlucky player is then sent a threatening message demanding payment in return for a decryption password. The message includes an email address that the player must contact to discover how to make the payment.

The player is warned that if payment isn't received within two hours, files in their photo folder will be deleted, followed by files on their desktop. To underline the time-sensitive nature of the threat, the menacing message is unsubtly accompanied by a giant countdown clock. 

This nasty little piece of open source ransomware was built with tools readily available on the internet. And, in a doubly deceptive move, its creators built Syrk by reworking an existing piece of ransomware called Hidden-Cry. The source code for Hidden-Cry was shared on GitHub last year.

Fortunately, the tools needed to decrypt the encrypted files can be found on machines infected with the ransomware. The file dh35s3h8d69s3b1k.exe – the Hidden-Cry decrypting tool – is one of the resources embedded in the main malware.

The discovery of Syrk follows news earlier this month that Fortnite players had been targeted by malware named Baldr, also hidden in cheat hacks distributed as links via YouTube. The moral of the story is "don't cheat," but with a $30 million prize pool for the recent Fortnite World Cup, it's easy to see how players fall victim to temptation.

Categories: Cyber Risk News

Alaska is the Most Scammed State in America

Thu, 08/22/2019 - 15:53

An annual report on cybercrime by the Federal Bureau of Investigation has revealed Alaska to be the most scammed state in America for the second year running. 

With more than $450 million stolen, sunny California lost more money than any other state, but at 21.67 victims per 10,000 residents, Alaska had the highest per capita victim count.

Although more people were scammed in The Last Frontier State than in any other US state, Alaskans lost the least amount of money per person, with each victim being conned out of $2,256.30 on average. 

Across the state, the total number of people targeted by cyber-thieves was 1,606, based on the number of complaints received. Overall, the state's total losses in 2018 from internet scams were a painful $3.62 million.

At the other end of the scale, the state with the fewest victims per capita for the second year in a row was South Dakota. The Midwestern state, known for the Black Hills into which the faces of four presidents have been carved, had just 5.3 victims per 10,000. 

Nearly $650 million was stolen from people aged 60 and over, who the report showed are the preferred prey for scammers. This age group is particularly vulnerable to confidence/relationship fraud, which occurs when scammers convince victims to send money to someone who appears to be a trustworthy person from a recognized brand, potential romantic partner or long-lost relative. 

The total losses to internet scams across the United States in 2018 exceeded $2.7 billion. 

The statistics are based on a total of 351,936 complaints received in 2018 by the FBI's Internet Crime Complaint Center (IC3). The real totals regarding the number of victims and the amount of money stolen through internet scams could potentially be much higher. 

Many of the scams were executed over social media, but most of the money was stolen through the use of fake emails. Business email compromise (BEC) and email account compromise (EAC) schemes accounted for more than $1 billion in losses.

Matt Gorham, assistant director of the bureau’s cyber division, said: “The most prevalent crime types reported by victims were nonpayment/nondelivery, extortion and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud and nonpayment/nondelivery.”

Categories: Cyber Risk News

#GCSEResultsDay2019: Number of Students Taking Computing & ICT Exams Drops

Thu, 08/22/2019 - 10:45

Today, August 8, marks GCSE Results Day and shows a significant drop in the number of students taking Computing and ICT exams, with a clear gender gap also apparent.

The 2019 GCSE results indicated that 68,965 male students and 20,577 female students took Computing and ICT this year, compared to 94,587 (males) and 35,623 (females) in 2018. That represents an overall drop of 40,668 fewer students.

These figures are particularly concerning given the current skills gap that the cybersecurity industry is facing. In fact, the global certification association (ISC)2 has estimated that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees.

“It’s worrying to see less and less students are taking Computing and ICT subjects at GCSE,” said Agata Nowakowska, AVP at Skillsoft. “Last year we saw 9000 fewer students take the exams, this year it’s 40,668 fewer. We need to take action now to turn this around.”

The digital skills gap in industry is fast expanding and already at a level that can't be filled quickly enough, Nowakowska added, and so encouraging more students to take these exams isn’t enough.

“We need to focus on getting them in and keeping them there – encouraging more students to pursue these subjects through to A-Levels, degrees and beyond. The current picture is bleak and goes much deeper than exam numbers.

“The challenge is changing the ingrained unconscious biases that say these subjects are dull, boring or just for boys. Whilst it is of course disappointing to see the gender gap continue in these subjects, what is more concerning is that these results are reflective of the lack of female role models in technology and STEM as a whole. Young girls have claimed in the past that they are put off subjects such as Computing because they see them as ‘too difficult,’ but a large number of young women have also admitted to regretting not pursuing these subjects for longer. There is an opportunity here for a paradigm shift that we are simply not taking.”

Nowakowska therefore argued that the onus is on parents, teachers and business leaders to show that there is a place for girls in technology.

“There are so many programs aimed at getting girls interested in these areas, but we need to go further to challenge and eradicate the old fashioned views that are clearly still very much ingrained in the public consciousness.”

Categories: Cyber Risk News

IT Security Pros: Encryption Backdoors Are Election Hacking Risk

Thu, 08/22/2019 - 10:45

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research.

The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by Attorney General William Barr.

Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes.

Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users.

This argument has been repeatedly shot down, not only by the tech firms themselves but also by world-renowned cryptography experts. Last year they backed Senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

Now the IT security community is arguing that backdoors would also expose countries to the threat of cyber-attacks on election infrastructure — an increasingly important issue as the 2020 Presidential election comes into view.

While 80% agreed with this sentiment, 74% said countries with government-mandated encryption backdoors are more susceptible to nation-state attacks, 72% claimed they don’t reduce the terrorist threat and 70% argued they put countries at a distinct economic disadvantage.

Last month a Senate report revealed that voting infrastructure in all 50 states was most likely compromised by Russian hackers ahead of the 2016 election. It warns that if Russia’s preferred candidate doesn’t win in 2020, it could seek to use this access to de-legitimize the result.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“On a consumer level, people want technology that prioritizes the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage.”

Categories: Cyber Risk News

Over a Third of Firms Have Suffered a Cloud Attack

Thu, 08/22/2019 - 09:35

Over a third of organizations have already suffered an attack on their cloud systems, yet many are failing to eradicate potential security blind spots, according to a new poll from Outpost24.

The cyber-assessment vendor interviewed 300 attendees at this year’s Infosecurity Europe show in London in June.

It found that while 37% admitted suffering a cloud attack, over a quarter (27%) said they don’t know how quickly they could tell if their cloud data has been compromised.

This lack of visibility into cloud environments also extends to testing: 11% claimed they never run any kind of testing in the cloud, while nearly a fifth (19%) said they only do so annually.

Given these findings it’s perhaps not surprising that nearly half of respondents (42%) said they believe on-premises data is more secure than that hosted in the cloud.

Despite these misgivings, a third (34%) of businesses said that more than half of their products/apps are running in the cloud, while 15% said all their assets were.

Bob Egner, VP at Outpost24, argued that cloud environments offer major cost and scalability benefits, but security can get more complex when firms start to use multiple clouds across different providers.

“Organizations should treat their cloud assets just as they would their on-premises assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture,” he added.

“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security. Ultimately the responsibility of protecting your data and cloud workloads lies with you, the organizations using cloud services.”

Cloud misconfiguration is a particular challenge, with hackers now stepping up efforts to find exposed databases via automated scans. The Cloud Security Alliance recently put this on its “egregious 11” list of top threats to cloud computing.

Categories: Cyber Risk News

IT Teams Urged Not to Prioritize Patches Using CVSS

Thu, 08/22/2019 - 08:43

Organizations that prioritize patch updates primarily according to compliance requirements and use the Common Vulnerability Scoring System (CVSS) struggle with their vulnerability management programs, according to new research.

Cyber risk firm Kenna Security commissioned the Cyentia Institute to analyze data from its own platform related to the patching challenges facing over 100 organizations.

Perhaps unsurprisingly, it found that those with high-performing vulnerability management programs tended to use specific tools to prioritize patches based on cyber-risk.

However, those that based their decisions on which vulnerabilities to prioritize mainly on CVSS scores performed worse than organizations that simply ignored CVSS, the report claimed.

Although the impact was less serious, there was also a correlation between using compliance requirements as a primary driver in prioritizing vulnerabilities and lower coverage rates.

“Compliance is oftentimes a necessary and important method for prioritization but using compliance as the primary remediation tactic correlated with reduction of overall coverage of high-risk vulnerabilities,” Kenna Security CTO, Ed Bellis, told Infosecurity.

“We believe using a remediation strategy that focuses on both the likelihood of the vulnerability being exploited along with the impact of the exploitation (high risk) to be the optimal approach. CVSS and some other methodologies are not a good measure of exploitation likelihood and can result in companies doing much more work or missing high risk vulnerabilities altogether.”

Elsewhere, the report found that companies which dedicate discrete teams to patch specific areas of the technology stack tend to fare better in vulnerability management. Defining service-level agreements (SLAs) for fixing vulnerabilities also improves the speed and overall performance of remediation, it claimed.

Bigger budgets correlated with an increased ability to remediate more bugs at a faster rate.

According to one vendor, over 22,000 vulnerabilities were publicly disclosed last year, a third of which received a CVSSv2 score of 7 or above.

Categories: Cyber Risk News