Info Security

Subscribe to Info Security  feed
Updated: 2 hours 34 min ago

Over 50% of Enterprises Are Failing on Cloud Security

Wed, 08/07/2019 - 09:46
Over 50% of Enterprises Are Failing on Cloud Security

Over half of organizations are struggling to protect their workloads, claiming the maturity of their security posture can’t keep up with the rapid pace of cloud adoption, according to Symantec.

The security giant polled 1250 IT decision-makers in 11 countries worldwide to compile its 2019 Cloud Security Threat Report.

It revealed that while 53% of enterprise workloads have now been migrated to the cloud, a similar percentage of organizations (54%) are struggling to keep pace with the expansion of cloud apps.

Most (93%) said they are having trouble keeping track of workloads and estimated that more than a third of files in the cloud shouldn’t be there.

Some 83% claimed they don’t have the right processes in place to effectively manage security incidents, meaning a quarter of alerts go unaddressed.

Nearly three-quarters (73%) said they’ve experienced an incident because their cloud security isn’t mature enough – i.e. they lack controls like encryption and multi-factor authentication (MFA) and are poorly configured. Some 65% of organizations failed to implement MFA in IaaS environments and 80% don’t use encryption, according to the report.

As a result, they face an increased risk of insider threats – ranked by respondents as the third biggest threat to cloud infrastructure.

Nico Popp, Symantec’s senior vice-president of cloud & information protection, explained that 69% of responding organizations believe their data is already on the dark web for sale and fear an increased risk of data breaches because of their cloud migration.

“The adoption of new technology has almost always led to gaps in security, but we’ve found the gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud,” he added.

“Data breaches can have a clear impact on enterprises’ bottom line, and security teams are desperate to prevent them. However, it’s not the underlying cloud technology that has exacerbated the data breach problem – it’s the immature security practices, overtaxed IT staff and risky end-user behavior surrounding cloud adoption.”

Categories: Cyber Risk News

New Intel SWAPGS Flaw Spells Bad News for Users

Wed, 08/07/2019 - 08:35
New Intel SWAPGS Flaw Spells Bad News for Users

Security researchers are warning of a new speculative execution vulnerability affecting all modern Intel processors which could allow attackers to access sensitive data stored in the kernel.

The CVE-2019-1125 flaw bypasses all mitigations put in place after the discovery of Spectre and Meltdown in early 2018, according to Bitdefender. It’s said to affect all processors built since 2012, running on Windows, Linux or FreeBSD laptops and servers – meaning consumers and enterprises are at risk.

It could enable a side-channel attack that abuses a little-known system instruction called SWAPGS, exposing data in privileged portions of the kernel memory such as passwords, tokens, private conversations, encryption and more.

“This attack exposes sensitive information from the OS kernel by abusing speculative execution of SWAPGS instruction. An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches,” explained Bitdefender.

“These signals can be picked-up by the attacker to infer the value located at the given kernel address. Consequently, attackers can exploit this vulnerability to search values in kernel memory (check if a given value is located at a given kernel address) or leak values from arbitrary kernel addresses.”

Bitdefender has been working with Intel for over a year on this research and claims its Hypervisor Introspection (HVI) tool will provide protection until patches are available, instrumenting each vulnerable SWAPGS instruction to ensure it will not execute speculatively.

Patches are apparently being readied by ecosystem partners like Microsoft and users are urged to implement them as soon as they're available.

“Criminals with knowledge of these attacks would have the power to uncover the most vital, best-protected information of both companies and private individuals around the world, and the corresponding power to steal, blackmail, sabotage and spy,” said Gavin Hill, vice-president, datacenter and network security products at Bitdefender.

“Research into these attacks is on the cutting edge as it gets to the very roots of how modern CPUs operate and requires a thorough understanding of CPU internals, OS internals, and speculative-execution side-channel attacks in-general.”

Categories: Cyber Risk News

#BSidesLV Democrats CISO Stresses Usability in Security Technology

Tue, 08/06/2019 - 20:26
#BSidesLV Democrats CISO Stresses Usability in Security Technology

In the opening keynote at BSides Las Vegas, Bob Lord, CISO of Democratic National Committee (DNC), talked of the “Ghosts of Past, Present and Future” and considered what we need to do going forward.

Lord, who also served as CISO of Yahoo, Netscape and Rapid7, talked about stories such as the Yahoo attack and breach, and how the lessons learned “should be talked about,” but there are too many cases where we “talk technology but have forgotten how to tell stories to executives.”

He said that this problem of communication is “repeated breach after breach” and that the industry often fails to tell a story and be heard.

Pointing to his current work at the DNC, Lord said that this involves working with state parties and campaigns, which have separate funding and separate charters, and are separate legal entities with different levels of maturity.

This led to a suggestion to kill the checklist of security best practice, which Lord called “a roadmap of our failure to build usable security in products”. The only way to resolve it, he offered, is to sit down one-on-one to get it done. That, he countered, doesn’t scale.

He said: “We realize doing the basics is hard and time consuming” and if have to do it one-on-one we have “failed users” and we need to take a more active role and move to “secure by design.” This includes making updates painless, automatic and transparent, enabling encryption on laptops which doesn’t have to be paid for, and is not hard to install.

Lord also called for better security standardization, especially in authentication. Instructing someone how to use a password manager, he said, “is a real struggle to help someone under the best circumstances.”

He pointed at the case of 2FA. If a user has to search for how to enable 2FA, he said, then “something is not quite right.” He also advised against connecting to “sketchy wifi,” but conceded that it is hard to determine what a “sketchy wifi” network looks like.  

“You shouldn’t have to pay more to be good at security,” Lord said. “Don’t treat it as a luxury item.” 

He concluded by saying that things should be more “secure for default for average folks, in all devices and services, with no action required by users” and praised the work of FIDO Alliance which he said is “a real game changer in making things secure for the average person.”

Categories: Cyber Risk News

#BSidesLV I Am The Cavalry Reflect on 6 Years of Achievement with More to Accomplish

Tue, 08/06/2019 - 20:12
#BSidesLV I Am The Cavalry Reflect on 6 Years of Achievement with More to Accomplish

Marking the sixth birthday of the 'I Am the Cavalry' concept of driving better security standards, co-founder Josh Corman spoke at BSides Las Vegas on what the initiative had achieved so far, and what more had to be done. 

Corman said that over the past year, he had looked at what the movement had achieved, and what the milestones were and he determined that “we are sort of there for cars and part there for medical” and if there were an attack on medical devices, “we would probably be safe.”

However he felt that whilst a lot had been done for medical to make it “trustworthy and safe”, he believes the movement was “stuck” and needs to get back to its first principles. Corman said that there is a theme of “getting our asses kicked over and over” and whilst he still had a lot of fight in him, “someday we will fight our last fight.”

Looking at the concept of the cyber kill chain, Corman said that if we are being kicked again and again, we need to determine that “if we disrupt one link, the breach doesn’t happen.” We need to know, he said, what steps to take “so there are no mass casualties in hospitals” and so we can build trust in regulators.

Corman said that steps need to be taken to “start workshopping how to define a lifeline”. We need to determine how long it is and how many links are in the rope, he said. Further, we need to know “how many have to die first” and still catch it and accept it.

He said that by building trust with the founding principles of empathy, focusing on future success and not on past failures and using better language, the founders “didn’t know it if would work but it did.”

Despite this, Corman said that “we are one noise away from mass casualty” and that is a sobering shot down to reality, as there is a lot more work to do. “Every time we got a new team mate, we solved the next step of puzzle,” he said. 

Corman concluded by saying that the movement needs to “lead by example” and that the next step is to consider who else to bring into the fold and what aptitudes to bring in.  

Categories: Cyber Risk News

Microsoft, Apple Level Up Bounties

Tue, 08/06/2019 - 16:11
Microsoft, Apple Level Up Bounties

Microsoft and Apple have both leveled up their bug bounty programs with new incentives for security researchers.

Microsoft has doubled the top bounty reward for vulnerabilities in its Azure cloud software to $40,000. It also introduced a hacker environment called the Azure Security Lab, which is a cloud infrastructure dedicated to letting cybersecurity researchers test out their skills in an IaaS environment.

Hackers don't get to color outside the lines. Instead, the Lab includes a series of scenario-based challenges that they can follow to try and exploit the system. They can earn up to $300,000 if they succeed, according to Microsoft's blog post announcing the Lab.

Hackers wanting access to the Azure Security Lab must request a Windows or Linux VM.

Apple is also reportedly fleshing out its existing bounty program in two ways. Forbes reports that the company will announce plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don't get. These phones, which will be available only to existing participants in Apple's invitation-only bug bounty program, will let them inspect system memory, for example.

Apple will also unveil a bug bounty program for its macOS operating system, according to the report. This could mean that researchers like Linus Henze, who discovered a bug in the Mac operating system's keychain password manager earlier this year, will finally get paid. The teenager had originally planned not to privately disclose the bug to Apple because it hadn't been paying for macOS bugs.

An announcement at Black Hat 2019 this week would mark the third anniversary of Apple's original bug bounty program, in which it promised to pay up to $200,000 for the best reported security flaws.

Categories: Cyber Risk News

Cloud Security Alliance Releases New Threat List

Tue, 08/06/2019 - 16:07
Cloud Security Alliance Releases New Threat List

Cloud Security Alliance has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. It is the first major update to the list since 2016, when Alliance released the Treacherous 12, although it has released reports taking a deep dive into the threats with case studies in the interim.

Data breaches still top the list, unmoved since 2016. Other perennial threats remaining on the list from last time are poor identity management, insecure APIs, account hijacking, insider threats and the abuse and nefarious use of cloud services.

That leaves room for five new threats.

Weak control plane

In this scenario, the user doesn't understand how data flows in the cloud and might not have secure processes for securing and verifying it.

Metastructure and applistructure failures

This risk revolves around the application programming interfaces that allow customers to extract information about security protections and operations in the cloud. Examples include logging and audit information. Cloud service providers (CSPs) must understand what to provide and customers must use this wisely, the report warns.

Misconfiguration and inadequate change control

It's no wonder that this threat appeared on the list. It concerns the misconfiguration of cloud resources that could then expose sensitive information. Every accidentally exposed S3 bucket or Elasticsearch database falls into this category.

Lack of cloud security architecture and strategy

The big problem here is a misunderstanding of the shared-responsibility model. Customers lift and shift their operations into the cloud assuming that the CSP will take care of all the security, without understanding their own responsibilities.

Limited cloud usage visibility

This is the culprit behind shadow IT, when users buy cloud applications without informing IT and then use them insecurely.

What's interesting about this release is its increasing focus on administrator mistakes rather than purely on external bad actors and more traditional security issues. In short, the security challenges are becoming more nuanced, according to Alliance, which suggests a gradual maturing of the cloud security landscape.

Categories: Cyber Risk News

Poor University Cybersecurity Opens UK Students Up to Phishing Attacks

Tue, 08/06/2019 - 16:03
Poor University Cybersecurity Opens UK Students Up to Phishing Attacks

As A-Level results day rolls around, UK universities are sorely lacking in cybersecurity protections, according to security company Proofpoint.

The company tested the UK's top universities, as ranked by the Complete University Guide, and found 65% of them were not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.

DMARC is a protocol that organizations can use to decide whether email servers should accept an email, making it a useful weapon against phishers. Without it, you can't be sure that an email sent to you came from a legitimate sender rather than a phisher spoofing that domain.

Adenike Cosgrove, cybersecurity strategist at Proofpoint, said that the lack of a published DMARC record leaves universities open to impersonation attacks, which could be a problem next week when students start getting their A-Level results.

“In this particular example, cyber-criminals would spoof the university’s domain and send emails to would-be students’ consumer mailboxes (Gmail, Hotmail, etc.)," she explained. "Without DMARC, criminals can use the exact email address of the university in question. With DMARC, the university can block (with a ‘reject’ policy) any unauthorized use of its domain, communicating to receivers (i.e., the consumer ISPs in this case) that any unauthorized senders using its domains should be blocked. In essence, DMARC works to protect consumers (outbound), employees (inbound) and business partners from email fraud.”

Although 35% of the top 20 universities in the UK had published a DMARC record, only 5% of them were using the strictest settings, which are the ones that would block fake emails from reaching the students, Proofpoint warned.

Students should be extra diligent when receiving email from universities, the company warned, especially if they request log-in credentials or threaten to suspend an account if they don't click on a link. They should use strong passwords that are individual to each account, it concluded.

Categories: Cyber Risk News

Romance Scams Soar as Victims Become Unwitting Money Mules

Tue, 08/06/2019 - 10:15
Romance Scams Soar as Victims Become Unwitting Money Mules

Losses from romance scams soared by over 71% from 2017-18, with victims increasingly recruited as money mules, according to a new public service announcement from the FBI.

The bureau’s Internet Crime Complaint Center (IC3) claimed that 15,000 victims reported romance and confidence scams in 2017, at a cost of $211m. By the following year there were 18,000 victims reporting losses of over $362m.

These figures propelled the cybercrime category to the seventh most widely reported scam and second costliest to victims last year after BEC.

The IC3 said elderly widows are particularly vulnerable to such scams. Once trust has been established, the scammer — who often masquerades as a US/European citizen living abroad — will ask for money so they can buy a plane ticket to visit the victim.

Sometimes they claim that wired funds did not reach them and request another transfer. Often when they don’t arrive they’ll claim they were arrested and ask for bail money, the notice warned.

Often the victim is persuaded to open bank accounts and/or register a limited company in their name in order to send or receive funds – sometimes to facilitate a lucrative ‘business opportunity.’

Money mules are a key link in the cybercrime chain, enabling criminals to launder money from their online schemes.

The recruitment of victims via romance scams is just one method of tricking users into handing over their bank details. Often youngsters are approached on social media or WhatsApp with ads promising them an opportunity to make some quick cash.

Despite a potential jail sentence in the UK of up to 14 years, there was a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018, according to anti-fraud non-profit Cifas.

In fact, it has become such a problem that Scottish police wrote to every secondary school in the country earlier this year warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.

Categories: Cyber Risk News

MegaCortex Redesign Signals $5.8m Challenge to Firms

Tue, 08/06/2019 - 09:25
MegaCortex Redesign Signals $5.8m Challenge to Firms

A new version of Matrix-themed ransomware MegaCortex is targeting organizations with demands of up to $5.8m to regain access to their encrypted data, according to Accenture researchers.

In version two, the authors have improved automation and usability and made it harder to stop, according to Leo Fernandes, senior manager of the firm’s iDefense Malware Analysis and Countermeasures (MAC) team.

One major change is the removal of a password requirement for installation. It is now hard-coded into the binary.

“The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze,” he explained.

“However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.”

The ransomware has also been redesigned to self-execute, and there are some new anti-analysis features in the main module, as well as a more streamlined way to “stop and kill a wide range of security products and services.” These no longer need to be manually executed as batch script files on each host.

“The changes in version two suggest that the malware authors traded some security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation,” Fernandes explained.

“Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns or dropped as secondary stage by other malware families.”

This would be bad news for businesses given the current demand for ransom money is anywhere between two and 600 Bitcoins: around $20,000-$5.8m.

First revealed in May this year, the MegaCortex ransom note contained various references to cult '90s film The Matrix, while the name itself echoes that of the company (MetaCortex) where hero Neo works .

Categories: Cyber Risk News

DDoS Attacks Jump 18% YoY in Q2

Tue, 08/06/2019 - 08:38
DDoS Attacks Jump 18% YoY in Q2

The number of DDoS attacks detected by Kaspersky jumped 18% year-on-year in the second quarter, according to the latest figures from the Russian AV vendor.

Although the number of detected attacks was down 44% from Q1, the vendor claimed that this seasonal change is normal as activity often dips in late spring and summer. However, the spike was even bigger when compared to the same period in 2017: an increase of 25%.

Application attacks, which the firm said are harder to defend against, increased by a third (32%) in Q2 2019 and now constitute nearly half (46%) of all detected attacks. The latter figure is up 9% from Q1 2019, and 15% from Q2 2018.

Crucially, the seasonal drop in attacks has barely touched targeting of the application layer, which fell just 4% from the previous quarter.

These attacks are difficult to detect and stop as they typically include legitimate requests, the firm said.

“Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September. However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months,” explained Alexey Kiselev, business development manager for the Kaspersky DDoS Protection team.

“This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require them to identify illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”

Kaspersky also recorded the longest DDoS attack since it started monitoring botnet activity in 2015. Analysis of commands received by bots from command and control (C&C) servers revealed one in Q2 2019 lasting 509 hours, which is nearly 21 days. The previous longest attack, observed in Q4 2018, lasted 329 hours.

Categories: Cyber Risk News

BEC Scammers Cost US Universities Over $872K

Mon, 08/05/2019 - 10:45
BEC Scammers Cost US Universities Over $872K

A BEC scammer has pleaded guilty to his part in an operation in which he and co-conspirators tricked two US universities into sending over $872,000 to their accounts.

In July 2918, the University of California San Diego (UCSD) was sent an email spoofed to come from a Dell account demanding the institution redirect its payments to the firm to a new bank account in Minnesota.

The bank account belonged to Amil Hassan Raage, who pleaded guilty to fraudulently receiving nearly $750,000 in 28 payments from the university, From August 8 to September 12 2018.

Raage apparently withdrew the money each time it was wired and transferred it to another account.

His unnamed co-conspirators played a major part in the operation, by creating the spoofed Dell email account from a base in Kenya.

They went through the same modus operandi to defraud a second US university, this time based in Pennsylvania.

According to the Department of Justice (DoJ), the group again used the fake Dell email to trick university officials into wiring funds to a different account.

In total, it sent six payments of over $123,000.

After the Wells Fargo bank in Minnesota froze Raage’s account, he fled the country in September to Kenya, only to be tracked down by local law enforcers working with the FBI’s legal attache in the African country.

He was finally arrested in May 2019 and extradited a couple of weeks after.

“Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception,” said US attorney Robert Brewer.

BEC attacks cost businesses nearly $1.3bn last year, nearly half of the total cybercrime losses recorded by the FBI.

Categories: Cyber Risk News

Over Two Million Online Records Held to Ransom

Mon, 08/05/2019 - 09:35
Over Two Million Online Records Held to Ransom

A Mexican bookstore that exposed millions of records through a publicly accessible database has had the data stolen and ransomed by hackers.

Libreria Porrua left the 2.1 million customer records online in a MongoDB database at two separate IP addresses, according to Comparitech, who collaborated with security researcher Bob Diachenko on the case.

The company, a bookseller and publisher with a history going back over 100 years, failed to respond to Diachenko when he notified it of the discovery on July 15. Three days later, the data had been wiped and replaced with a ransom note demanding around $500 in Bitcoin.

Public access to the database was disabled the next day, but it’s unclear whether the company paid the ransom or not.

Two sets of records were included in the trove: the first featuring names, addresses, phone numbers, emails, shipping numbers, invoice details and hashed payment card info. The second featured full names, dates of birth, phone numbers, discount card activation codes and more.

“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration makes it possible for cyber-criminals to manage the whole system with full administrative privileges,” Diachenko is quoted as saying.

“Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Customers of the bookstore are potentially at risk from follow-on phishing attacks if the hackers decide to monetize their efforts further.

MongoDB has been a favorite target for hackers looking to capture and hold customer data to ransom over the past few years.

Several such cases emerged in 2017, but one of the most serious related to a 2018 incident when a database containing the voter records of over 19.5 million Californians was held to ransom.

Categories: Cyber Risk News

Destructive Malware Goes Mainstream as Attacks Soar 200%

Mon, 08/05/2019 - 08:48
Destructive Malware Goes Mainstream as Attacks Soar 200%

The volume of destructive malware attacks has risen by 200% year-on-year in the first half of 2019, according to new data from IBM X-Force.

Once the preserve of sophisticated nation state actors, it appears as if financially motivated cyber-criminals are now getting in on the act, which is bad news for a range of organizations, according to the Incident Response and Intelligence Services (IRIS) report.

Analyzing incident response data from the first six months of the year, the report claimed that such attacks now cost multi-nationals on average $239m — 61-times more than the industry average of around $3.9m.

They also take a long time to respond to and remediate — on average 512 hours — with many victim organizations using multiple companies to assist them, further increasing the time taken.

Most concerning for organizations caught out by a destructive attack: on average a single blitz destroys 12,000 machines per company.

Destructive attacks have most commonly been associated with sophisticated malware such as Stuxnet, DarkSeoul and Shamoon, as nation states go after geopolitical rivals, explained IBM X-Force in a blog post introducing the research.

“Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cyber-criminals increasingly incorporate destructive components, such as wiper malware, into their attacks,” it added.

“This is especially true for cyber-criminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.”

Half of these attacks — centered around the US, Middle East and Europe — targeted manufacturing during the reporting period, with oil and gas and education sectors also hit hard.

Hackers are often inside networks for weeks or months before launching their attacks, IBM said.

“Destructive malware adversaries often gain initial entry into systems through phishing emails, password guessing, third-party connections and watering hole attacks,” it added.

“We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.”

Defense-in-depth is the answer, with MFA, well-tested incident response plans, network monitoring, threat intelligence and regular offline back-ups essential, IBM recommended.

Categories: Cyber Risk News

BSides Manchester Hits Back at Sponsor Influence Claims

Fri, 08/02/2019 - 15:55
BSides Manchester Hits Back at Sponsor Influence Claims

The organizers of BSides Manchester have hit back at accusations of corporate influence by a sponsor. 

In a series of tweets, degenerateDaE highlighted the number of talks being given by employees of NCC Group, and noted that the company is also the platinum sponsor. “Out of the six organizers listed I was able to confirm at least 5/6 worked at NCC when BSides Manchester was created in 2014,” they said, pointing out that at least three still work for NCC Group.

“Figured I'd tweet about this because the link between NCC and BSides Manchester was not one that I was personally aware of, nor have I seen anyone else talk about this. It would be great to get some transpancy on this from the BSides Manchester team.”

Responding, BSides Manchester organizing committee member Matt Summers posted a statement calling the accusation “incredibly hurtful and makes us as organizers question why we do this.”

He clarified that “BSides Manchester is directed by three directors (board members) and listed as a Community Interest Company (CIC) which means that it is a not-for-profit and regulated as such.”

He went on to say that there are other directors who are not board members but who have helped organize the conference – some of whom are or have been directly employed by NCC Group. “However a few people who have remained in the shadows and who were not outed by this individual have never been employed by NCC Group. The directors and board members of the CIC have never hidden their employment from the community.”

Saying that the intention of BSides Manchester was about putting on a regional event as he “missed the camaraderie of BSides London,” and he pitched the idea of a BSides Manchester to a senior person at NCC Group. “Why? Because I needed some seed money to get the event off the ground.”

He said: “Since 2014 NCC Group consistently sponsored as a platinum sponsor with other companies coming and going as platinum sponsors, but we have never turned a company down when it came to the level of sponsorship they wanted.

“Over the last two years we have had three platinum sponsors. Over the years this has meant that we have had to rejig the layout of the venue to ensure that everyone gets what it is in the contract and every sponsor got a fair and honest slice of the pie.”

Regarding the accusations of conflict of interest and insinuations that NCC Group had gained an unfair advantage over other sponsors and speakers, Summers said he had always been forthright with people that I wear two hats, one for his employer and one for BSides “and anyone who knows me will know that I let my actions speak for me.”

He said: “This accusation is unfounded quite frankly insulting. Unfortunately, I can’t prove in any way that there is no conflict of interest. As board members and directors we insulated ourselves from the team that NCC Group put together to sponsor the event, I can’t prove this but I can say that we had a big enough job putting an event together without steering NCC Groups efforts at the event.

“There are also additional people who helped us put the event on that were not employed by NCC Group but I won’t call them out and drag them into this. NCC Group does have robust procedures about additional employment and ensuring that there are no conflicts of interest with any additional employment and I would hope that this would be enough for all parties.”

He also clarified that NCC Group is “probably the biggest employer of security people in Manchester,” and he praised them for being “incredibly supportive of those wishing to speak publicly.”

Security researcher Javvad Malik, who was one of the original organizing team of BSides London in 2011, along with Summers, praised him for being “one of the hardest workers in the room.”

Malik said: “It pains me to see accusations thrown at him, when I know he's a man of integrity and honesty. He invited me down to the first few BSides Manchesters to compere track one. I was incredibly honored. But again, I saw first hand how much of himself he puts into these events. BSidesMCR was no exception, and it was run really well.

“So the question is, does NCC have an undue influence over BSidesMCR? And if you knew Matt at all, that's a shameful question to ask. I would never believe it, and I've seen pretty close how he runs cons.”

Malik made the point that if anyone feels like there are too many NCC Group employees running the conference, “put yourself forward and offer to help run the con yourself. It'll open your eyes to a lot of things.” This was echoed by Summers, who said: “The last thing I want to say is that every year we have asked for people to join us as organizers. In fact it’s on our website that we want people to help us.

“If people want transparency, then they can join us as organizers to see for real.”

Categories: Cyber Risk News

Initiative Launched to Protect Automotive Supply Chain

Fri, 08/02/2019 - 15:01
Initiative Launched to Protect Automotive Supply Chain

A new initiative has been announced by the Automotive Industry Action Group (AIAG) to help automotive suppliers compare their current capabilities to industry best practice.

Developed in partnership with NCQ, the Cyber Safe Bundle includes a one-time virtual audit, along with either a basic or advanced enterprise risk assessment. Together, these resources allow suppliers to evaluate their overall cybersecurity efforts and identify the most critical areas for improvement.

The audit is a remote threat analysis that searches a supplier-provided URL or domain name for known vulnerabilities using a database of more than 53,000 common configuration issues, updated in real time with the latest threats. It then identifies system weaknesses without damaging the resource being checked and provides an automated corrective action plan with practical steps the supplier can take to improve its cybersecurity.

Tanya Bolden, AIAG’s director of supply chain products and services, said: “Cyber-attacks have become so prevalent that larger companies are now spending thousands and sometimes millions of dollars to protect their systems. AIAG feels strongly about the importance of making resources developed by OEMs available to smaller companies in the automotive supply chain – companies that may not have the budget or human resources available to proactively protect themselves from cyber-attack.

“The perception is that only larger companies are targeted for cyber-attack, but the fact is that small and medium-sized companies are particularly vulnerable. A supply chain is only as strong as its weakest partner, which is why cyber-attackers go after companies that may be easier targets.” 

Charles Morrison, NQC managing director, added: “We are very pleased to bring our expertise to this collaboration with AIAG, and we are confident this suite of tools will provide much needed protection to suppliers across the industry.”

Categories: Cyber Risk News

DCMS Committee Request Further Facebook Details on Cambridge Analytica Investigation

Fri, 08/02/2019 - 09:00
DCMS Committee Request Further Facebook Details on Cambridge Analytica Investigation

Chair of the Digital, Culture, Media and Sport Committee Damian Collins MP has written to Facebook VP for global affairs and communications Sir Nick Clegg about discrepancies relating to the Cambridge Analytica investigation.

Collins asked the former Deputy Prime Minister and Liberal Democrats leader, who joined Facebook in October 2018, about who at Facebook knew what and when about Cambridge Analytica’s activities on the platform with the “this is your digital life” app, which lead to the misuse of 87 million people’s data.

Claiming that “senior executives from Facebook, including its Chief Technology Officer Mike Schroepfer and Lord Richard Allan, consistently asserted in evidence over the course of 2018 to the Committee that Facebook first learned that Global Science Research (GSR) and Cambridge Analytica had compromised Facebook user data from a Guardian article published in December 2015,” the SEC said its complaint states that Facebook employees already knew about Cambridge Analytica prior December 2015.

“We therefore request a response on whether the SEC complaint is accurate that employees did raise concerns about Cambridge Analytica before December 2015 and how these discrepancies in evidence have occurred,” Collins letter stated.

Also, despite the red flags raised by Facebook employees about Cambridge Analytica from as early as September 2015, these incidents were not reported to senior management. In a letter to the Committee dated May 14 2018, Rebecca Stimson, Facebook’s UK head of public policy, confirmed that “Mr. Zuckerberg did not become aware of allegations that Cambridge Analytica may not have deleted data about Facebook users obtained through Dr Kogan’s app until March of 2018, when these issues were raised in the media.”

Also, Collins sought guarantees on the deletion of user data held by Cambridge Analytica, as the SEC Complaint notes that several Facebook employees were also aware of data misuse throughout 2016 and beyond. On February 8 2018, Simon Milner, policy director at Facebook, denied to the Committee that Cambridge Analytica held a “large chunk of Facebook user data.”  

Collins said that the Committee were requesting information on instances that concerns about Cambridge Analytica were raised by employees and why no action was taken until 2018, and why the Committee was not informed about these concerns in the sessions with Milner and Schroepfer.

Last week, the Securities and Exchange Commission fined Facebook $100m “for making misleading disclosures regarding the risk of misuse of Facebook user data.” The SEC’s complaint alleged that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years.

Stephanie Avakian, co-director of the SEC’s Enforcement Division said: “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”

Categories: Cyber Risk News

70% of Orgs Will Use Security-as-a-Service by 2021

Fri, 08/02/2019 - 08:15
70% of Orgs Will Use Security-as-a-Service by 2021

More than 70% of organizations will be using Security-as-a-Service by 2021, according to new research from Thycotic.

The privileged access management provider surveyed IT managers and technology decision makers at the KuppingerCole European Identity & Cloud conference in Munich in May, compiling its findings in the Security as a Service on the Rise report.

Two out of three respondents said their organization is already adopting Security-as-a-Service, or will be in the next 12 months, with 70% planning to do so by 2021. Those polled cited reduced costs, faster IT services delivery and greater flexibility as reasons for opting for Security-as-a-Service solutions.

“Organizations typically use Security-as-a-Service solutions to limit or eliminate the need for on-premise hardware, software or specialized skilled resources,” said Joseph Carson, chief security scientist at Thycotic.

Respondents also indicated they are turning to cloud-based security services to help keep up with rapidly escalating threats, costs and a lack of staff resources with cybersecurity expertise.

“In another interesting result, the survey showed the security functions most frequently moved to Cloud-as-a-Service were led by Privileged Account Management and Identity Access Management,” added Carson.

Categories: Cyber Risk News

Vendor Blocks 65,000 Magecart Data Theft Attempts in July

Thu, 08/01/2019 - 15:30
Vendor Blocks 65,000 Magecart Data Theft Attempts in July

Magecart groups appear to be having a busy summer so far, with one security vendor blocking 65,000 attempts to steal card details from online stores in July alone.

Malwarebytes revealed the findings in a new blog post: it shows that US shoppers account for the vast majority of those targeted, nearly 54% in total. Canadians came in second with nearly 16% and then there’s a long tail of countries including Germany (7%), the Netherlands (6%), France and the UK (5%) and Australia (3%).

The firm claimed it is becoming increasingly difficult to differentiate digital skimming groups by code types alone, as copycats reuse existing tools.

There’s also a growing trend among these hackers to use some kind of obfuscation to stay hidden.

“This is an effort to thwart detection attempts and also serves to hide certain pieces of information, such as the gates (criminal controlled server) that are used to collect the stolen data,” said Jérôme Segura, director of threat intelligence at Malwarebytes.

Visiting only larger online sites is no guarantee that consumers will be safe from digital skimmers, especially given the attacks on big-name brands like BA, Newegg and others. BA was famously issued a record £183m proposed fine last month by the ICO for breaking the GDPR.

“Combating skimmers ought to start server-side with administrators remediating the threat and implementing a proper patching, hardening and mitigation regimen. However, based on our experience, a great majority of site owners are either oblivious or fail to prevent reinfections,” argued Segura.

“A more effective approach consists of filing abuse reports with CERTs and working with partners to take a more global approach by tackling the criminal infrastructure. However, even that is no guarantee, especially when threat actors rely on bulletproof services.”

One noteworthy bulletproof hosting service was revealed last month to be operating out of a war zone in eastern Ukraine.

Categories: Cyber Risk News

(ISC)2 Granted Approved Professional Organization Status by HMRC

Thu, 08/01/2019 - 14:55
(ISC)2 Granted Approved Professional Organization Status by HMRC

(ISC)2, the nonprofit membership association of certified cybersecurity professionals, announced that it has been granted Approved Professional Organizations and Learned Societies status by HM Revenue & Customs (HMRC).

This status recognizes (ISC)2 among a select number of essential professional societies and bodies that share or advance professional knowledge, maintain or improve professional conduct and competence or protect members from claims made against them while doing their job. It also allows UK members of (ISC)2 to claim tax relief on their annual maintenance fee.

The learned societies and professional associations on the list are predominantly nonprofit organizations, such as industry bodies, charter organizations and livery companies, as well as independent member associations that exist to raise standards and help their members. The inclusion of (ISC)2 on the list is recognition of its efforts to inspire a safe and secure cyber-world and advance cybersecurity knowledge and skills through training and certification.

Speaking to Infosecurity, Dr. Casey Marks, chief product officer and vice president, (ISC)2, said that the HMRC approval is validation that mission of (ISC)2 to inspire a safe and secure cyber-world is of vital importance to the UK government.

“It means that our members are now recognized by the UK’s tax authority as serving an essential professional function and as such, they can claim tax relief on their annual fees,” he added. “It will also help some of our members recoup their membership fees, as some UK employers only reimburse professional memberships if they are part of the HMRC list. The HMRC approval essentially lightens the out-of-pocket costs that these skilled professionals pay and lets them focus on defending their organizations from attacks.

“We hope that the HMRC approval incentivizes more interested professionals to pursue certification with us and build careers focused on bolstering cybersecurity defenses in both the private and public sectors.”

Categories: Cyber Risk News

Bug Bounties Paid for Deep Testing and Less for Traditional Flaws

Thu, 08/01/2019 - 13:10
Bug Bounties Paid for Deep Testing and Less for Traditional Flaws

The number of vulnerabilities being reported and bug bounty payouts per vulnerability have increased this year. 

According to Bugcrowd’s State of Crowdsourced Security in 2019 report, there has been a 92% increase in the total number of vulnerabilities reported in the last year, while the average payout per vulnerability increased this year by 83%.

Bugcrowd said that more industries are adopting crowdsourced security programs, and crowdsourced pen testing and vulnerability disclosure “are growing at breakneck pace and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”

David Baker, CSO and VP of operations at Bugcrowd, told Infosecurity that “this is both a good thing and proof there are always more bugs to be found.”

“More bugs are not the result of a lack of testing or poor SDLC [software development life cycle], but the shift to cloud, push to mobile apps and adoption of IoT,” he said. “Ultimately, the fact that the crowd is finding more and more P1s means that these critical bugs are being identified and resolved sooner. Finding bugs is a good thing; promoting better defense through a better offense is a great SDLC strategy.”

Bugcrowd also said that the average payout for critical vulnerabilities reached $2,669.92, a 27% increase over the last year. However, it claims that “researchers are no longer going after things like XSS, CSRF, and SSI as those are fairly easy to find by many scanners out there today” and are now doing deep testing, leading to the top five vulnerabilities over the past year as: 

  1. Broken access control
  2. Sensitive data exposure
  3. Server security misconfiguration
  4. Broken authentication and session management
  5. Cross-site scripting

Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that “broken access control” is a very broad category “that absolutely can still be quantified as low-hanging fruit” and if an organization places no authentication at all on an asset or API, that's a simple mistake, not at all indicative of deeper or more sophisticated bugs. “Same goes for information disclosure findings that lead to data exposure, the second one in that list.” 

Moussouris said that even organizations with a lot of general process maturity and a strong secure development life cycle see basic XSS bugs crop up, especially in third-party developed websites.

“The fact of the matter is that while bug bounty hunting can help out," she said, "organizations cannot use them or any other external testing mechanism as a checkbox to excuse complacency in prevention of common classes of bugs, like authentication bugs.”

Moussouris went on to say that in the main some organizations view bug bounties “as a way to look busy and responsive in security, when it's actually masking underlying security negligence” and the classes of bugs most often found in bug bounties are still on the lower end of sophistication.

“Most organizations should be actively trying to prevent and detect those themselves, not outsource their detection to the luck of the bug bounty draw.”

Categories: Cyber Risk News