Research has revealed that 40% of IT security professionals think paying to retrieve data targeted by ransomware should be made illegal.
The findings come from a survey of 145 security pros who visited AT&T's booth at this year's Black Hat USA in Las Vegas. Despite 60% of respondents saying that they wanted to have the option to pay ransomware without falling foul of the law, only 11% said that they would willingly splash their cash if targeted.
A further 31% of respondents said that they would grudgingly cough up the cash to ransomware creators only as a last resort.
There was no question in the survey designed to ascertain whether ransomware was bad news in general, but if there had been, it's likely that 100% of respondents would have replied in the affirmative. But despite the widespread and growing use of ransomware by threat actors, nearly a third of survey respondents considered themselves ill-equipped to deal with an attack.
When asked if they felt prepared for a ransomware attack, 31% said they were unsure. That's not what you want to hear, especially after Malwarebytes Labs reported a 195% increase in business ransomware detections from Q4 2018 to Q1 2019, and a rise of more than 500% compared with the same period the year before.
“It’s clear from this research that organizations are still struggling when it comes to ransomware. Many do not know the best practices when it comes to ransomware, or worse, do not feel confident to handle attacks efficiently,” said Rick Langston, lead product manager at AT&T Cybersecurity.
“Companies not only have to mitigate ransomware by having a solid security program that uses protection tools to close down all possible attack vectors, but also have back-ups that are separate from the network in case the worst happens.”
Incentivizing companies to get their act together when it comes to the increasingly complex world of cybersecurity might be tough. With no security system 100% impregnable, it could be comforting to have the option to simply pay to get data back. However, not everyone will be happy to put a price on their ethical principles and let the bad guys win.
Research into insider threats has found that employees are so reluctant to report bosses they suspect of being threat actors that senior staff are virtually immune from being reported.
Researchers at Red Goat Cyber Security questioned 1,145 participants across a range of roles, countries, and industries to gain insight into insider threat reporting practices. Respondents were asked how likely they would be to report colleagues, friends, new staff, senior staff, and contractors as threat actors in five different suspicious scenarios.
Scenarios included observing withdrawn behavior in the person and becoming aware that the person had criticized the company on social media.
The data gathered revealed an overall reluctance to report friends and colleagues irrespective of the severity of their actions. And even in the fifth and most potentially damning scenario—clocking that a person was keeping strange hours and bringing unauthorized people into the business—only 14% of respondents said they would report a senior staff member.
Employees were most likely to report suspicious behavior observed outside their immediate tribe. When it came to scenario five, 96% of respondents would rat on new staff, and 97% would point the finger at a contractor.
Piers Shearman, partner at Red Goat Cyber Security, said the results indicate "that the people with the most authority and the most access to data will not be reported if they abuse their position."
With a rise in the number of companies falling victim to insider threats, this new research exposes a problem destined to become more serious. According to research carried out by Verizon, the percentage of companies hit by insider attacks increased from 26% in 2016 to 34% in 2018.
Insider threats are not only hard to spot—who hasn't appeared withdrawn at work at some point?—but the majority stem from accidents, negligence, and staff unwittingly being taken in by phishing scams.
Asked how businesses can neutralize insider threats, Shearman said: "Make sure HR are heavily involved in any insider threat program you implement. Provide staff with adequate training on detection of concerning behaviors, why they are concerning, and how to report them.
"The key point to note when it comes to monitoring behavior is to be able to identify significant and sustained changes in someone. This requires a holistic view and needs to be handled sensitively too."
Security flaws have been discovered in 600,000 GPS tracking devices intended to keep society's most vulnerable members safe.
Researchers at Avast Threat Labs found a number of vulnerabilities in 29 different device models commonly used to track the whereabouts of children, seniors, and pets.
Affected trackers expose data sent to the cloud, enabling hackers to lock on to the real-time GPS coordinates of the device's wearer. Design flaws in the trackers also made it possible for third parties to hack into devices and falsify data to give an inaccurate location reading.
In what seems like an obvious drop of the ball, data was sent from the devices to the cloud in plaintext, with neither encryption nor authentication, making it an easy target for attackers: anyone on the path could read the location reports, and nothing tied a report to the device that supposedly sent it.
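The falsification problem above comes from the server having no way to tell a genuine report from one an attacker crafted in the device's name. The following is an added example, not Avast's or the manufacturer's code, and it does not model the real i365 protocol: it contrasts a server that trusts whatever `device_id` a packet claims with one that verifies a per-device HMAC-SHA256 tag and a monotonic sequence number. The device keys, identifiers and coordinates are constructed for the example.

```python
"""
Added example: per-device authentication for tracker-to-cloud location reports.

Assumptions (illustrative, not the real i365 protocol): each tracker holds a
unique secret key provisioned at manufacture, every report carries a
monotonically increasing sequence number, and reports are JSON objects.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed per-device keys. A real fleet would provision 32 random bytes per
# unit at manufacture; deriving them from fixed strings here is for the example only.
DEVICE_KEYS: Dict[str, bytes] = {
    "tracker-0001": hashlib.sha256(b"example-key-0001").digest(),
    "tracker-0002": hashlib.sha256(b"example-key-0002").digest(),
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so device and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(device_id: str, seq: int, lat: float, lon: float) -> dict:
    """What the tracker sends: the report body plus an HMAC-SHA256 tag over it."""
    body = {"device_id": device_id, "seq": seq, "lat": lat, "lon": lon}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class TrustingServer:
    """Weak design: stores whatever location the packet claims for the claimed device."""

    def __init__(self) -> None:
        self.locations: Dict[str, Tuple[float, float]] = {}

    def accept(self, report: dict) -> Tuple[bool, str]:
        self.locations[report["device_id"]] = (report["lat"], report["lon"])
        return True, "stored"


class AuthenticatingServer:
    """Hardened design: verify the per-device MAC, then reject replayed sequence numbers."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}
        self.locations: Dict[str, Tuple[float, float]] = {}

    def accept(self, report: dict) -> Tuple[bool, str]:
        device_id = report.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in report.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, str(report.get("tag", ""))):
            return False, "bad tag"
        seq = body["seq"]
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replay"
        self.last_seq[device_id] = seq
        self.locations[device_id] = (body["lat"], body["lon"])
        return True, "stored"


def demo() -> dict:
    """Genuine report, then an attacker's forged, tampered and replayed reports."""
    genuine = build_report("tracker-0001", seq=1, lat=51.5007, lon=-0.1246)
    # The attacker learned the device_id from plaintext traffic but does not hold the key.
    forged = {"device_id": "tracker-0001", "seq": 2, "lat": 0.0, "lon": 0.0, "tag": "00" * 32}
    tampered = {**genuine, "lat": 0.0}          # genuine tag, modified coordinates

    trusting = TrustingServer()
    auth = AuthenticatingServer(DEVICE_KEYS)
    results = {
        "trusting_forged": trusting.accept(forged)[0],
        "auth_genuine": auth.accept(genuine)[0],
        "auth_forged": auth.accept(forged),
        "auth_tampered": auth.accept(tampered),
        "auth_replay": auth.accept(genuine),     # same seq presented a second time
    }
    results["auth_location"] = auth.locations.get("tracker-0001")
    results["trusting_location"] = trusting.locations.get("tracker-0001")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag gives integrity and origin authentication only; it does nothing for confidentiality, so the transport still needs TLS to stop a wearer's coordinates being read off the wire. A replay window rather than a strict counter would be needed if reports can arrive out of order.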
Furthermore, devices with built-in cameras and microphones were found to contain a flaw that made it possible for them to be used by hackers wishing to spy or eavesdrop on the wearer.
The faulty devices, which are widely available for $25–$50 from online merchants, are made by Chinese manufacturer Shenzhen i365 Tech and resold under various brand names.
Analysis by Avast's Threat Intelligence Team found that users of the T8 Mini GPS Tracker Locator were directed to an insecure website to download the device's companion mobile app. Users who downloaded the app had their information exposed.
User accounts were also put at risk because every device was assigned the same default password, "123456," commonly recognized as the password equivalent of throwing hackers a welcome party with free booze.
Avast made their findings known to Shenzhen i365 Tech and were met with radio silence.
Martin Hron, senior researcher at Avast, said: "We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices.”
Avast advised people to steer clear of suspiciously cheap and knock-off smart devices, and noted that even tracking devices deemed safe from an information-security perspective may affect children's ability to learn how to be independent and may give adults a false sense of safety.
A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet.
Kenneth Currin Schuchman, of Vancouver, Washington, a suburb of Portland, pleaded guilty to one count of aiding and abetting computer intrusions.
Between July 2017 and October 2018, he’s said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets. The group is said to have monetized these efforts by selling access to the botnet to others.
Court documents claim Schuchman’s speciality was in finding new vulnerabilities in IoT devices which could be exploited to conscript them into the botnet.
Satori was originally developed using the source code for Mirai, which was released online in 2016. However, Schuchman, who went by the monikers “Nexus” and “Nexus-Zeta,” and co-conspirators “Vamp” and “Drake” built upon that code with new features, eventually compromising 100,000 devices.
Continually improving the botnet, they gave new names to the new iterations, such as “Okiru” and “Masuta” — with the latter eventually infecting as many as 700,000 endpoints.
By around March 2018, the botnet had evolved into Tsunami/Fbot, supported by tens of thousands of compromised GoAhead cameras and HiSilicon DVR systems.
Schuchman doesn’t seem to have employed particularly effective OpSec during his work: the control server he used was registered in his name.
Even after being indicted in August 2018, he developed another IoT botnet, Qbot, while on supervised release, the court docs claim. He’s also said to have called in a swatting attack on “Vamp’s” home.
Several sources have told journalist Brian Krebs that UK-resident Vamp was involved in the 2015 attack on TalkTalk and the 2016 Mirai DDoS attack that overwhelmed DNS provider Dyn, leaving some of the internet’s biggest websites unreachable.
Want to learn more about all things information security? Register for the upcoming Infosecurity Magazine Online Summit here!
A Massachusetts city has revealed that cyber-criminals tried to hold its data ransom to the tune of more than $5m over the summer, in a sign of the growing risk to organizations from online extortionists.
The city of New Bedford was hit with the popular Ryuk strain of ransomware in early July, encrypting data on over 150 workstations, according to mayor Jon Mitchell.
Fortunately, the attack came during the July 4 holiday when systems were powered off, preventing the malware from spreading further. The city’s Management Information Systems (MIS) staff disconnected servers and shut down systems when they came in the next day.
In the end only around 4% of the city’s PCs were affected.
Mitchell revealed in a press conference on Wednesday that the hackers demanded $5.3m in Bitcoin. He countered with a much lower offer of $400,000, a sum that would apparently have been covered by the city's cyber insurance.
The attackers rejected that sum outright, highlighting just how high the bar is now for victims of ransomware attacks. In New Bedford’s case the relatively small number of machines affected meant restoring from back-up was pretty straightforward and no critical systems were impacted.
Only the city’s financial management system and several workstations used by the Fire Department for admin purposes were temporarily affected.
“We live in a world now that is so interconnected that simply pulling up the proverbial drawbridge is unrealistic,” Mitchell said. “We will rely on the advice of our experts to guide us, but we must remain constantly vigilant and willing to devote the resources necessary to protect our system from a much more debilitating attack than the one we just experienced.”
New Bedford is just the latest in a long line of US cities targeted by ransomware. Two cities in Florida paid hundreds of thousands of dollars for decryption keys after being hit, while others including Baltimore, Albany and 23 government entities in Texas have also suffered major infections.
In July, the United States Conference of Mayors passed a resolution not to cooperate with ransomware attackers. However, when critical services like emergency responders are impacted, it can be difficult for city leaders not to cave, even if it’s not guaranteed that the decryption key will work.
Google and YouTube have agreed to pay $170m to settle a case brought by the FTC and New York Attorney General alleging they illegally harvested personal data on children.
The Children's Online Privacy Protection Act (COPPA) requires operators of websites and online services directed at children under 13 to obtain parental consent before collecting personal information from them.
However, the FTC and New York Attorney General allege in their complaint that Google/YouTube violated COPPA by collecting personal information from viewers of child-oriented channels without asking parents first.
This info came in the form of the “persistent identifiers,” or cookies, used to track individuals across the web for behavioral advertising purposes. Google is said to have made millions off the back of advertising which was targeted using these cookies.
The FTC alleged that although YouTube is a general purpose site, some of its channels — such as the ones run by toy manufacturers like Hasbro and Mattel — are specifically targeted at children and so must comply with COPPA.
In fact, it argued, YouTube explicitly marketed itself as a top online destination for kids in presentations to children’s toy-makers.
“YouTube touted its popularity with children to prospective corporate clients,” said FTC chairman Joe Simons. “Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”
The settlement is the largest ever seen in a COPPA case since the law was passed in 1998. Some $136m will go to the FTC and $34m to New York.
In addition, Google and YouTube will be required to put in place a new system that allows channel owners to flag any child-directed content on YouTube so that it can ensure it is complying with COPPA.
The firms must also notify channel owners that child-directed content may be subject to the COPPA rules and provide annual training on compliance for employees who deal with YouTube channel owners.
A global cyber-skills training provider has become the first company to integrate its platform with the MITRE ATT&CK framework.
Immersive Labs has mapped its training to the globally recognized knowledge base, which organizes and categorizes the tactics, techniques, and procedures used by threat actors so that organizations can spot gaps in their cyber-defenses.
According to Immersive Labs CEO James Hadley, this new approach of mapping skills against a framework of threats was driven by market need.
He said: "We are being asked for this by CISOs, so we looked at a variety of different frameworks, and MITRE was the one that we discovered had the most depth and credibility in the industry, and therefore it has had our initial focus.
"MITRE’s advantage is that it highlights specific types of threat-actor tactics, enabling organizations to better organize threat intelligence as well as testing their capabilities against real-world attacks.
"As far as we know, no other company has mapped skills to MITRE in this way. It is a mindset switch for companies to start thinking of people as a part of their defensive perimeter in the same way that they think of technology."
MITRE, a not-for-profit systems engineering organization set up in 1958 to work on issues of national defense, began developing the ATT&CK framework in 2013. The framework provides a valuable record of adversary behavior seen in real attacks. However, since it is updated only quarterly, from publicly available threat intelligence and incident reporting by security experts, it may lag behind the current threat landscape.
To mitigate against any time lag between the ATT&CK framework and the status quo, Immersive Labs' platform uses real-time feeds of the latest attack techniques, hacker psychology, and technological vulnerabilities to rapidly build gamified learning environments for IT and security teams. Platform users can then have a crack at tackling the newest wave of threats and identify any gaps in their cybersecurity knowledge.
For Hadley, a strong, forward-looking cybersecurity strategy relies on company-wide training.
He said: "Cybersecurity is no longer something handled by a select few while the majority remain ignorant; it is everyone’s problem, and because of this, cyber-skills initiatives need to engage and inspire every part of an organization."
Five companies accused of falsely claiming that they were certified under the EU–U.S. Privacy Shield framework have settled with the Federal Trade Commission (FTC).
The Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with the European Union Directive on Data Protection.
In separate actions, the FTC alleged that DCR Workforce, Inc., EmpiriStat, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. all falsely stated on their websites that they were certified under the framework when in fact their certification had either lapsed or never been completed.
According to the FTC, management software provider DCR Workforce obtained Privacy Shield certification in January 2017 but continued to claim its participation in the framework even after that certification lapsed in February 2018.
EmpiriStat did slightly better. The company obtained Privacy Shield certification in February 2017 and actually initiated an application for re-certification in January 2018. However, the FTC alleged that the statistical analysis and support services provider failed to complete all the steps necessary to gain re-certification from the Department of Commerce.
Facial-recognition software provider 214 Technologies, cloud-based file-transfer software provider Thru, and LotaData, which provides analyses of mobile users’ data, are all alleged to have claimed participation in the framework despite having neglected to complete their applications for certification.
LotaData is possibly the worst offender, with the FTC alleging that the company also falsely claimed that it was a certified participant in the Swiss–U.S. Privacy Shield framework, which establishes a data-transfer process similar to the EU–U.S. Privacy Shield framework.
“These companies made false claims about complying with Privacy Shield, and today’s settlements show that the FTC is protecting Privacy Shield’s integrity and supporting the thousands of U.S. businesses who do it right,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data-security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program or return or delete the information.
A bill intended to strengthen and modernize the cybersecurity of federal agencies will be introduced to the United States House of Representatives this week.
The Advancing Cybersecurity Diagnostics and Mitigation Act would formally codify the Continuous Diagnostics and Mitigation (CDM) program, introduced by the Department of Homeland Security (DHS) in 2013 to ensure federal agencies can access the industry-leading tools and services they need to defend their networks.
Under the CDM program, agency-installed sensors are deployed to search for known cybersecurity flaws. Results from the sensors are fed into an agency dashboard, which produces automated reports and issues prioritized alerts for the systems most vulnerable to attack.
This steady flow of reports and alerts is used by network managers to allocate resources based on the severity of the risk, allowing them to respond to threats in a matter of minutes. Progress reports and summary information are then fed into a federal enterprise-level dashboard.
The bill, which will be introduced by Representatives John Ratcliffe and Ro Khanna, requires that the CDM program be made available to state, local, and tribal governments. It also requires the DHS to produce a strategy that will allow the CDM program to tackle new cyber-threats as they emerge.
Ratcliffe was in the running to become America’s next national intelligence director but withdrew himself from consideration following a dearth of support for his candidacy.
Commenting on the proposed bill, Ratcliffe said: "As cyber-threats continue to increase in frequency and complexity, we must constantly work to enhance our nation’s cyber-defense capabilities.”
Khanna said: “The technology is there: we just have to ensure our agencies have the necessary tools to defend against hackers and cyber-threats. A strong CDM program will be instrumental in that effort.”
A Senate version of the bill was introduced in July 2019 by Senators Maggie Hassan and John Cornyn. It was referred to the Senate Homeland Security and Governmental Affairs Committee but has yet to see any action beyond uniting Democrats and Republicans in the fight against a common enemy.
Hassan said: “I'm pleased that the House of Representatives is introducing their version of this critical bill, and I look forward to continuing to work on a bipartisan basis across the House and Senate to move this bill forward."
Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?
The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.
Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.
Payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, which were originally due to take effect on September 14.
Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.
Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.
Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.
The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.
Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.
“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.
“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”
The infamous Stuxnet cyber-attack on Iran’s nuclear program was made possible by an insider recruited by a Dutch intelligence agency, who fed back crucial information and deployed the malware, according to a new report.
Although not confirmed by Dutch agency AIVD, the CIA or Mossad, a Yahoo News story cites four unnamed intelligence sources to back up its claims.
Operation “Olympic Games,” as it was known, is said to have involved not just these but also intelligence agencies from Germany, France and the UK.
The AIVD was useful to the operation because the crucial centrifuges at the Iranian Natanz nuclear facility were apparently based on designs stolen from a Dutch company in the 1970s by a Pakistani scientist.
It was these centrifuges, used to enrich the uranium needed to produce nuclear weapons, that the Western allies decided they needed to disrupt in order to set Iran’s nuclear program back.
The AIVD then played another crucial role, running an Iranian insider who gained employment at the plant as a mechanic.
Once there, he was able to gather vital intelligence on the configuration of the centrifuges, so that the Stuxnet code could be written to sabotage the facility only in specific operational circumstances.
He then deployed the malware via USB to jump the air gap, either directly or by infecting a Natanz engineer’s computer, according to the report.
Later versions are said to have circumvented the lack of direct connectivity at the plant by infecting targets who then unwittingly carried the malware inside with them.
Phil Neray, VP of industrial cybersecurity for CyberX, explained that it’s much easier to infect industrial environments today.
“The air gap has disappeared in virtually all environments except perhaps nuclear facilities, driven by business initiatives like Industry 4.0 and IIoT that require increased connectivity between OT networks, IT networks, and the internet,” he added.
“It's a lot easier today to send a phishing email to an employee or third-party contractor who has remote access to the control network, and then steal their credentials to conduct cyber-espionage to identify the specific manufacturers and model numbers of devices in the environment, followed by remotely inserting custom malware specifically designed to compromise those devices.”
The UK’s Crown Prosecution Service (CPS) is in the dock after recording a sharp rise in device losses, an increase in unauthorized disclosure of sensitive data and rising electronic media losses.
The government agency for criminal prosecutions in England and Wales made 1,378 unauthorized disclosures of confidential data in 2018-19, up from 1,329 in the previous financial year.
Of these, the majority were low-risk, as the actual data loss was classed as “minor” or “retained within the criminal justice profession who are bound to professional standards of data protection,” the CPS Annual Report and Accounts claimed.
However, the number of “serious” incidents rose from 108 to 115 over the period. In these instances, data loss is significant and/or data is not recovered/not retained within the criminal justice profession.
There was also an 80% increase in lost laptops, tablets and BlackBerrys — from 15 to 27 — although the CPS clarified that in 77% of cases the device was recovered, and in any case they are encrypted to government standards.
Perhaps more alarming is the rise in losses of electronic media and paper documents from secured government premises, which increased by 156% from 2017-18 to 2018-19, to reach 172 incidents. Similar losses from outside secured government premises rose from 36 to 53.
The CPS also played down these findings, claiming that in a majority of cases in both categories the data loss was either “very minor and eventually recovered,” or the incident was “reported but caused by non-CPS staff.”
This is not the first time the prosecution service’s data security processes have come under scrutiny. In 2018, it was fined £325,000 by the Information Commissioner’s Office (ICO) for losing DVDs containing recordings of police interviews with child sex abuse victims.
Given the seriousness of the case and the potential distress it caused to victims, this would certainly have garnered a major financial penalty under the GDPR.
“The CPS is an organization which oversees some of the most sensitive data imaginable. Clearly their information security posture is in need of overall strengthening and improvement, to ensure that the public have complete confidence that critical files are completely protected at all times, from witness statements to court documents,” argued Absolute Software VP, Andy Harcup.
“Such a sharp rise in device losses and unauthorized disclosures of confidential data is a gift to cyber-criminals and fraudsters. It’s vital that the CPS improves its endpoint security measures and reduces the number of data leaks as a matter of urgency.”
A new Chinese face-swapping app has been kicked off China's most popular messaging app WeChat over security concerns.
The iPhone app ZAO allows users to insert themselves into their favorite movies, TV shows and music videos by face-swapping their own features onto the image of a cast member. It was developed by Changsha Shenduronghe Network Technology, a wholly owned subsidiary of Chinese company Momo.
Currently the app can only be used for a limited number of clips but that hasn't stopped its meteoric rise. The AI-based app went viral shortly after being released on August 30 2019, topping the free charts on the Chinese iOS App Store according to App Annie.
The app works by using ‘deepfake’ technology, a human image synthesis technique based on artificial intelligence, to produce a video clip in around eight seconds. All users have to do to live out their dreams of being onscreen is upload a single selfie. Users can produce a more realistic effect by uploading multiple pictures in which they open and close their mouth and eyes.
The ZAO app has since changed its user agreement to say that the company will not use pictures or videos uploaded by users without their consent for anything other than app improvements.
WeChat has restricted its users from downloading the ZAO app from its platform and from sending an invite link to the face-swapping app to another WeChat user. However, WeChat users are still able to upload videos they have created with the ZAO app.
WeChat, which was first released in 2011, has over one billion monthly active users. If users try to download the ZAO app or invite another WeChat user to download it, they are shown a message which reads “This page cannot be accessed now. This web page has been reported multiple times and contains security risks. To maintain a safe online environment, access to this page has been blocked.”
North Korea has denied allegations that it obtained $2bn by carrying out state-sponsored cyber-attacks on banks and cryptocurrency exchanges.
Claims that the one-party republic had used “widespread and increasingly sophisticated” cyber-attacks to steal money to fund the development of weapons of mass destruction (WMDs) were made in a confidential United Nations report submitted to the UN Security Council North Korea Sanctions Committee in July this year.
As reported by news agency Reuters in August, the report stated: “Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programs, with total proceeds to date estimated at up to two billion US dollars."
On Sunday, North Korea's state-controlled news agency KCNA reported that a spokesperson for the National Coordination Committee of the Democratic People's Republic of Korea (DPRK) for Anti-Money Laundering and Countering the Financing of Terrorism said: “The United States and other hostile forces are now spreading ill-hearted rumors that we have illegally forced the transfer of $2bn needed for the development of WMD programs by involving cyber actors.”
The spokesperson went on to liken “the fabrication of such a sheer lie” to “the same old trick as Hitler fascist propagandists used to cling to.”
Chief among the allegations against North Korea is a claim that the country is deeply connected to hacking group Lazarus, which has been linked to an $81m cyber-heist that targeted the Bangladesh central bank in 2016. The group was also accused by the U.S. Federal Bureau of Investigation of hacking into Sony Pictures in 2014.
According to the NCC spokesperson's statement, the DPRK's accusers fabricated the cybercrime allegations to justify the use of sanctions against the country.
The spokesperson said: “Such a fabrication by the hostile forces is nothing but a sort of a nasty game aimed at tarnishing the image of our Republic and finding justification for sanctions and a pressure campaign against the DPRK.”
A new study has found that, in the last 12 months, 43% of UK SMEs were targeted by phishing attacks in which hackers impersonated members of staff. Worryingly, two-thirds of those attacks succeeded.
The study, conducted by security and data analytics firm CybSafe, surveyed 250 IT decision-makers at SMEs across the UK. Respondents were questioned about the attacks they had experienced and also asked what they were doing to protect the cybersecurity of their business.
CybSafe CEO Oz Alashe said: “Phishing is currently the dominant attack vector for entry into networks, and its popularity isn’t hard to understand. It’s easy to carry out, easy to profit from, and from the perspective of cybersecurity professionals, it’s notoriously difficult to defend against. Just one individual falling victim can be enough to give criminals the foothold required to access confidential information.
“Impersonation phishing attacks – personalised attacks which involve the impersonation of friends or family, or other members of staff – pose a particular threat. These attacks are highly convincing and have high success rates.”
A lack of company-wide awareness about phishing scams and cyber-threats in general could well be a contributing factor to the towering success rate hackers have enjoyed over the past year. The study found that fewer than half of the IT leaders questioned (just 47%) claimed to have a cybersecurity training and awareness program up and running.
“Our latest research shows that, despite the severity of this threat, UK businesses are taking very little action at the moment,” said Alashe. “Of those that are doing something, many are simply paying lip-service to security training for compliance reasons, and aren’t demonstrably reducing their human cyber-risk.”
Respondents viewed email phishing as a much greater threat to their business than phone phishing. Pitted against nine other potential threats, email phishing was perceived to be the second most pressing threat (37%), behind only malware. By contrast, phone phishing was rated the least urgent threat to business (8.8%).
CybSafe’s report echoes the UK government’s own Cybersecurity Breaches Survey published earlier this year, which found that phishing attacks were the most common security attacks on businesses and charities in the UK.
The perception of cloud security appears to have reached a tipping point, with a majority of cybersecurity leaders now believing the risk of a breach is the same or lower than in on-premises environments, according to Nominet.
The .uk registry and DNS security firm polled 274 CISOs, CTOs, CIOs and others with responsibility for cybersecurity in their organization, in US and UK companies.
It found that 61% now feel that cloud breaches are just as likely or less likely than on-premises breaches, while 92% claimed they’re adopting cloud-based security tools.
However, concerns persist: 71% were moderately, very or extremely concerned about malicious activity in the cloud. Over half (56%) cited regulatory fines as their biggest concern, whilst a similar number (54%) pointed to the increasing sophistication of cyber-criminals.
Perhaps unsurprisingly, those with a multi-cloud strategy were most likely to have suffered a breach over the past year: 52% versus 24% of hybrid-cloud users and 24% of single-cloud users.
They were also more likely to have been hit by a larger number of breaches: 69% suffered 11-30 breaches versus 19% of single-cloud users and just 13% of hybrid-cloud businesses.
“When it comes to ensuring resilience and being able to source ‘best-in-class’ services, using multiple vendors makes sense,” explained Nominet VP of cybersecurity, Stuart Reed.
“However, from a security perspective, the multi-cloud approach also increases exposure to risk as there are a greater number of parties handling an organization’s sensitive data. This is exactly why an eye must be kept on integration and a concerted effort be made to gain the visibility needed to counter threats across all different types of environments.”
The most popular cloud security tools are firewalls (55%), email security (52%), anti-virus/anti-malware (48%) and data loss prevention (48%), with most respondents (57%) claiming that they expected their cloud security budget to increase in the next 12 months.
“As we move into the ‘cloud era’, arguably security teams need to channel their concern into finding solutions that work with the cloud, just as they have been doing in an on-premise environment,” Reed added.
“The shift in attitude between on-premise and cloud doesn’t change the remit for security teams, it just puts us on a different type of playing field.”
The successful, DCMS-backed online cybersecurity training program, Cyber Discovery, launched today for a third year across the UK.
Delivered by global IT security training provider the SANS Institute, Cyber Discovery aims to help close the UK’s cybersecurity skills gap by inspiring teenagers to pursue a career in the industry.
The program uses an online game platform with hundreds of hours of challenges and teaching to educate teenagers about the skills needed to be a cybersecurity expert. Over 46,000 young people aged between 14 and 18 have already taken part in the Cyber Discovery program over the past two years and, this year, the program is opening its doors to students aged 13 for the first time.
Cyber Discovery was launched as part of the UK’s National Cyber Security Strategy and offers training in a broad range of disciplines including: digital forensics, penetration testing, web attack defense, cryptography and ethics.
The program comprises four phases: an initial assessment stage, CyberStart Assess; CyberStart Game and CyberStart Essentials, which build on the skills of those who have passed the initial assessment; and CyberStart Elite camps for the top performers, which prepare them further for a career in the cyber profession with industry-leading training, career advice, soft-skills development and a Capture the Flag contest.
Cybersecurity Minister Nigel Adams said: “Our tech sector is one of the UK’s greatest strengths but to support its continued success we need a skilled and diverse workforce. Cyber Discovery has already inspired thousands of young people to think about a career in the cyber industry and I hope this year’s students will also have fun learning about the opportunities on offer.”
James Lyne, CTO at SANS Institute and one of the creators of the program, added: “I have been amazed by the level of young talent coming out of the Cyber Discovery program – and so excited for the launch of year three, with even more students learning about the fascinating arena of cybersecurity.
“Time and again over the past couple of years, I have seen students who originally had no idea they would be any good at security demonstrating amazing capabilities, so the key takeaway for me is to have a go! You might just be what we need to stop the bad guys, and have a lot of fun doing it!”
Daniel Milnes took part in Cyber Discovery in year two and has already gone on to secure a job in cybersecurity straight out of school. “Cyber Discovery has really been revolutionary for me and my future plans,” he said. “I’ve made friends through the program, pushed my existing skills to their limits, and learned so many more, so much so that I’m now working as a cybersecurity consultant, which is something I would never have dreamed of before Cyber Discovery.”
Registration and completion of the first assessment phase closes on October 25, 2019.
A French retail consultancy exposed data on millions of its clients’ customers as well as sensitive business information, after researchers discovered an unsecured Elasticsearch database.
Aliznet, which specializes in digital transformation, names the likes of tech giants IBM, Oracle and Salesforce, retail leaders like Auchan, and big brands including Yves Rocher and Lacoste as its clients.
However, researchers from vpnMentor were able to access a private Aliznet database containing data on 2.5 million Canadian Yves Rocher customers. This included names, phone numbers, email addresses, dates of birth and postcodes.
They also discovered over six million customer orders in the database, including transaction amount, currency used, delivery date and store location.
“Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, we were able to identify the individual who placed each order through their customer ID,” the researchers explained.
Along with this sensitive personally identifiable information (PII) on customers, vpnMentor found internal Yves Rocher data including stats on store traffic, turnover and order volumes, product descriptions and ingredients for over 40,000 products, and product prices and offer codes.
This info could be a big asset to Yves Rocher’s competitors, allowing them to estimate store sales, order volumes and other trading data, the research team claimed.
“The exposed database also provides competitors with a list of Yves Rocher’s Canadian customers, complete with their name, age, contact information, and order histories,” it continued.
“Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.”
The vpnMentor team also found an API vulnerability allowing them to access an application built for Yves Rocher employees by Aliznet.
Using employee IDs exposed in the leak detailed above, attackers could log in as Yves Rocher staff to obtain more data on the business and its customers, and even add, delete or modify data in the company database, vpnMentor claimed.
The personal details of over 200,000 customers of a British holiday firm were left exposed in audio files for several years, according to a new report.
Truly Travels, which trades under the name Teletext Holidays, is unusual in that consumers browse its website for package deals before completing their order over the phone.
However, this is where the problems arose, after 212,000 audio files of these calls were found on an unsecured Amazon Web Services server by Verdict.
They took place between April 10 and August 10, 2016 and appear to have been made by British holidaymakers making and amending bookings.
As such, names, dates of birth, email and home addresses, flight times and other holiday details could clearly be heard, although only partial card details were revealed.
The audio files were apparently recorded as part of a call center analysis project. Although the travel company removed all 532,000 files, including the audio, when notified, they appear to have been exposed for over three years.
“We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations,” a spokesperson told the website.
“The company is taking all appropriate steps to ensure that this situation does not occur in the future.”
Although the format of the files would make it slightly more labor-intensive for a cyber-criminal to extract the personally identifiable information (PII) of holidaymakers and their family members, it is still a major security risk.
“Data breaches involving PII provide cyber-criminals with a treasure trove of information that could be used to carry out identity fraud, phishing or targeted email attacks,” argued Robert Ramsden-Board, VP EMEA at Securonix.
“The lack of cyber-hygiene demonstrated here tells us a lot about current cybersecurity culture and organizations need to make sure that any sensitive data is stored on secure servers.”
Malcolm Taylor, director of cyber advisory at ITC Secure, described the exposed data as “an intelligence feed for hackers” which could lead to “more and worse” attacks on the affected customers.
A new system of social and corporate control in China raises serious new data security risks for multi-national foreign firms operating in the country, according to a new report from the EU Chamber of Commerce in China.
The new study, The Digital Hand: How China’s Corporate Social Credit System Conditions Market Actors, is meant to serve as a wake-up call to EU firms which may not have got their compliance plans in place.
The Corporate Social Credit System (SCS) will require all firms operating in China to provide the government with data feeds covering a wide sweep of operations — in areas as diverse as environmental regulations and health and safety.
They will then be given an algorithmically calculated score which will change over time: those with low scores face more frequent audit inspections, customs delays, public shaming, and even blacklisting by the government.
However, the European Chamber warned that the data transfers themselves could be problematic for companies.
“Taken individually, most of the transferred data points are not highly sensitive information,” the report explained. “However, the integration and systematically cross-cutting use of data on the government’s side can become a challenge. It provides the government with a full picture of the detailed performance and capability of a company.”
There may also be concerns over sharing sensitive IP and information on personnel, the report claimed.
It urged foreign MNCs to engage with Beijing now “with the goal of modifying data transfer requirements and excluding such information.”
“Ensuring the security of this data is one of the key promises of the government,” it added. “Companies need to hold the government authorities to this promise and make sure that no detrimental use of this comprehensive data occurs.”
It remains to be seen how flexible the Chinese government will be in allowing firms to exclude certain sensitive data points, and how prepared it will be to ensure the security and integrity of the data.
The European Chamber warned that SMEs could be particularly at risk from non-compliance given the onerous, resource-intensive data collection requirements. A complicating factor is that the scores given to third-party suppliers may drag down a company’s overall score, so a great deal of work will need to be done to vet partner organizations.
“It is no exaggeration to say that the Corporate SCS will be the most comprehensive system created by any government to impose a self-regulating marketplace, nor is it inconceivable that the Corporate SCS could mean life or death for individual companies,” warned European Chamber President, Jörg Wuttke.