News has surfaced of an attempted cyber-attack on the Australian government.
As reported by the BBC, authorities in Australia are said to be investigating an effort that was made to hack into its parliament computer network.
It is believed that information was not accessed and that the passwords of politicians were reset as a precaution.
Australian Prime Minister Scott Morrison has thus far declined to comment on the incident in detail and further information on the supposed attack remains scarce, although it has been suggested by local cybersecurity experts that a foreign state was likely behind it.
Senator for Western Australia Jordon Steele-John took to Twitter to state “Parliament House had a cybersecurity data breach last night. ALL passwords were reset.”
He added: “We’re supposed to have faith that unprecedented, internet-breaking powers will be safe from cyber-threats.”
Alvin Rodrigues, security strategist, APAC and Sam Ghebranious, senior regional director, ANZ, Forcepoint, said: “Reports emerging today that the Australian Parliament’s computer network has been hacked are deeply concerning – and yet not surprising. The government should be lauded for their efforts to quickly identify the breach and take precautionary steps to avert any leakage of data. While investigations into the attack are still underway, the precaution taken – resetting passwords – suggests that nefarious actors may be looking to steal the digital identities/credentials of approved users, so as to operate within the parliamentary computer network without being identified.”
The Metropolitan Police force has been ‘trialing’ its controversial facial recognition cameras again and the latest deployment resulted in just one individual being charged.
The capital’s police have been using these cameras for several years but FOI responses from several forces sent to rights group Big Brother Watch last year revealed the technology is 98-100% inaccurate.
The latest two-day deployment in the Essex town of Romford last week resulted in the arrest of a 35-year-old on suspicion of breach of a molestation order, for which he subsequently received 11 weeks behind bars.
The press release issued by the Met notes a handful of other arrests during the operation, although none of the individuals were charged and these arrests were not due to individuals being detected by the facial recognition software against a pre-defined list of suspects.
In fact, the deployment caused controversy when one man tried to cover his face whilst passing a camera.
According to Big Brother Watch, whose representatives were on-site: “He protested that there was no reason to be stopped as he was surrounded by police, and when he got annoyed he was fined £90 for a supposed public order offence.”
Green Party member of the House of Lords, Jenny Jones, tweeted that she is writing to the Met police commissioner to raise her concerns about the operation.
Big Brother Watch and Jones have mounted a legal challenge to the use of the technology, which is being used in the absence of any formal legal framework to protect innocent citizens’ privacy.
The Met was criticized in December for running a similar operation in central London, claiming that anyone who declined to be scanned wouldn’t be viewed as suspicious — which seems to contradict the approach taken in Romford.
Although it claimed the operation was well publicized, reports suggested the opposite was true, right down to the use of cameras attached to unmarked vans.
Researchers have warned users of a new phishing technique which uses Google Translate to add authenticity to scams.
Akamai security researcher Larry Cashdollar explained in a blog post that he was targeted by this tactic early in the new year, receiving an email telling him his Google account had been accessed from a new Windows device.
Clicking through on the attached link would bring victims to a fake Google log-in page, with the malicious domain loaded through Google Translate.
“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses,” Cashdollar warned.
“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google's older login portal), it fails completely when viewed from a computer.”
This is because on a full computer screen, users can see the true malicious domain more clearly.
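The defensive counterpart to the trick described above, as an added example that is not part of the article or Akamai's research: a small scanner that pulls links out of a message, unwraps the public Google Translate `translate?u=<target>` form, and reports the domain the victim would actually land on. The email body, the `accounts-verify.example.net` destination and the two-label "registrable domain" heuristic are constructed assumptions for illustration.

```python
"""Unwrap Google Translate proxy links and report the real destination.

Added example, not the article's or Akamai's code. Assumes the wrapper is
the translate.google.com/translate?u=<target> form; sample URLs below are
constructed placeholders, not indicators from any real campaign.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Host(s) treated as a Translate wrapper (assumption: only the main host).
TRANSLATE_HOSTS = {"translate.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic: keep the last two labels.
    Good enough for example.net / google.com; a real deployment would use
    the Public Suffix List so that co.uk-style domains are handled."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def unwrap_translate_url(url: str):
    """Return the URL hidden behind a Translate wrapper, or None if the
    link is not a wrapper. parse_qs already percent-decodes the value;
    unquote is applied again in case the target was double-encoded."""
    p = urlparse(url)
    if (p.hostname or "").lower() in TRANSLATE_HOSTS:
        target = parse_qs(p.query).get("u")
        if target:
            return unquote(target[0])
    return None


def assess_link(url: str):
    """Return (visible_domain, real_domain, suspicious).

    suspicious is True when the address bar would show a Google host but the
    translated page is served from a domain that is not google.com."""
    visible = (urlparse(url).hostname or "").lower()
    inner = unwrap_translate_url(url)
    if inner is None:
        return visible, visible, False
    real = (urlparse(inner).hostname or "").lower()
    return visible, real, registrable(real) != "google.com"


def scan_message(body: str):
    """Assess every http(s) link found in a message body."""
    return [assess_link(u) for u in URL_RE.findall(body)]


# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = (
    "Your Google Account was accessed from a new Windows device. "
    "Review activity: https://translate.google.com/translate?sl=auto&tl=en"
    "&u=https%3A%2F%2Faccounts-verify.example.net%2Flogin "
    "Help: https://support.google.com/accounts"
)

if __name__ == "__main__":
    for visible, real, suspicious in scan_message(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} shown={visible} real={real}")
```

Run against the sample, the first link is reported as shown=translate.google.com but real=accounts-verify.example.net, which is exactly the mismatch a mail gateway or user-facing link checker should surface; the help link unwraps to nothing and passes.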
However, if a user falls for the scam, they will not only have their Google log-ins harvested but then be taken to a spoofed Facebook mobile log-in page.
“It isn't every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device, but it's highly uncommon to see such an attack target two brands in the same session,” said Cashdollar.
“One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page — they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.”
He urged users to be more suspicious of unsolicited messages, especially if viewing them on their mobile device, and consider whether the author is trying to create a sense of urgency, fear, or authority to persuade the recipient to click.
Android users could be remotely hacked simply by viewing a legitimate-looking PNG image, Google has warned in its latest security update.
The Android Security Bulletin for February lists 42 vulnerabilities in the Google mobile operating system, 11 of which are critical.
“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” it warned.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
Although there are no reports of users being actively targeted in the wild via this vulnerability, this could change as the window for individual ecosystem vendors to issue patches can run into several weeks or even months.
“Vulnerabilities like these bring to light the disparate update strategies across Android phones,” explained Tripwire VP, Tim Erlin. “While those on Google devices will receive timely security fixes, other manufacturers may wait months to protect users from attackers. Of course, users have to actually apply updates to protect themselves.”
Simon Wiseman, CTO at Deep Secure, explained the criticality of the flaw.
“It means your web browser can fetch a crafted image from a website and the attacker now is in control of your browser and its environment. That means it has access to your stored passwords and you’ve given away access to all the secure sites you visit,” he said.
“The same goes for your email client — the attacker has control of your mailbox so can intercept your mail, perfect for harvesting password resets, and generate mail on your behalf, ideal for propagating the attack within your organization.”
He recommended users search for updates daily and erase all passwords from their mobile browsers as an extra precaution.
Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint.
Its Q4 threat report found that banking trojans accounted for 56% of all malicious payloads in email in Q4, while remote access trojans (RATs) accounted for 8.4%. Proofpoint claimed that this marked a “significant change” for RATs, as in previous years they were rarely used by attackers.
The report stated that email remains the top vector for malware distribution and phishing, while email fraud, also known as business email compromise (BEC), continues to grow rapidly.
Ransomware message volumes dropped significantly from Q2 to Q4 “suggesting that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale.”
Speaking to the Risky Business podcast in November, Sherrod DeGrippo, Proofpoint’s director of threat research and detection, said that ransomware “has basically evaporated” after it was in the headlines for many months.
“I probably attribute that to the fact that cryptocurrency is so difficult for the average consumer to use, and what we’ve seen instead is, back to cryptocurrency, they are bolting on crypto-miners to just about everything: commodity banking trojans, commodity RATs and keyloggers and pretty basic crimeware stuff,” she said.
“We’re starting to see banking trojans have crypto-miners bolted on to them so they steal the money from the traditional bank account and then leave the crypto-miner behind.”
In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that this research highlights that ransomware is actually less of a prevalent threat both to the individual and business, and criminals know that trojans work.
“They have been thoroughly road tested with a widespread user base to great reward,” he explained. “Ransomware still has an issue in terms of the duped user needing a certain amount of literacy in payment terms in order to make this as financially successful as its trojan cousin.”
During Q4 of 2018, Proofpoint observed over twice as many URL messages as attachment messages. “For the entire year, malicious URLs appeared over three times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically,” the report claimed.
It also claimed that banking trojans, stealers and downloaders together accounted for over 90% of all initial payloads in Q4. In particular, the Emotet banking trojan, which was described by US-CERT as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors” was named as the main threat.
Emotet uses PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC as a disguise, and initial infection occurs when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document included in the email.
Proofpoint said: “Taken together, Emotet, Panda Banker, and Ursnif comprised almost 97% of observed banking trojans in Q4.”
Tucker added: “Research such as this, more than ever, emphasizes that businesses should use evidence-based risk approaches from which to make informed decisions. This naturally incorporates a clear view of an actual threat, albeit in most cases that threat will be widespread and sporadic.
“Ransomware has been, and remains, just another factor within the overall risk management framework regardless of the hysteria that has surrounded it.”
Infosecurity’s Online Summit will take place on March 26-27, with live sessions including “The Death of Ransomware: Long Live Other Malware” and “How To: Phish Your Employees.” Registration is now open, and CPE credits are offered for the 14 sessions across the two days.
A new study from Comparitech has named Algeria the ‘least cyber-secure’ nation in the world, whilst Japan has been ranked the ‘most cyber-secure.’
The information, tools and comparisons provider studied 60 countries to gauge their ability to meet seven key criteria:
- The percentage of mobiles infected with malware
- The percentage of computers infected with malware
- The number of financial malware attacks
- The percentage of telnet attacks (by originating country)
- The percentage of attacks by crypto-miners
- The best-prepared countries for cyber-attacks
- The countries with the most up-to-date legislation
In a blog post on its website, Comparitech explained that, for each criterion, countries were given a point based on where they ranked between the highest-ranking and lowest-ranking countries. Countries with the least cyber-secure scores were given 100 points, while countries with the most cyber-secure scores were allocated zero points. All of the countries in between these two scores received a score on a percentile basis, depending on where they ranked.
Comparitech was quick to point out that it found huge variances in a number of the categories and that there was no country that came ‘top of the class’ across the board. However, “there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries,” the company said.
“So with that in mind, we’ve created rankings for these 60 countries, from the least cyber-safe to the most cyber-safe,” Comparitech added.
Algeria was deemed the least overall cyber-secure country, being the highest-ranking nation for lack of legislation and computer malware rates, and also receiving a high score in the categories for mobile malware and preparation for cyber-attacks.
Algeria was followed by Indonesia and Vietnam as the second and third least cyber-secure nations, with Tanzania and Uzbekistan ranked fourth and fifth least cyber-secure, respectively.
Conversely, countries that performed well overall in Comparitech’s research were Japan (which was ranked the most cyber-secure country in the world, scoring “incredibly low” across the majority of categories), France, Canada, Denmark and the United States. The United Kingdom was ranked the eighth most cyber-secure nation.
Speaking to Infosecurity, Paul Bischoff, privacy advocate at Comparitech, said the report findings are evidence that, generally, developed countries have better cybersecurity than developing ones.
“The reason might be because people in developing countries are less experienced with the internet and the devices they use to access it. They have less awareness of cybersecurity threats, while ISPs and online companies are not as well prepared for cyber-attacks as their counterparts in developed nations. As internet adoption ramps up, security lags behind. A New York Times report states that hackers use developing countries as test beds for new malware.”
However, there were a few surprising results to come out of the research, he added. “I was surprised to see that Germany suffered the highest number of financial malware attacks, which bucks the trend of developed nations being more cyber-secure than undeveloped ones – 3% of users in Germany were targeted by financial malware.”
Cyber-criminals are taking advantage of a little-known feature in Gmail to escalate their scam operations more efficiently, according to new research from Agari.
The email security vendor claimed in a blog post that the problem stems from what it describes as “dot accounts.”
This relates to a decision by Google to allow Gmail users to own “all dotted versions” of their address.
In the example given by Agari senior threat researcher, Ronnie Tokazowski, if a user registers the address ‘badguy007[at]gmail.com’ they could then use multiple versions of that same address, placing the dot in different places before the @, such as ‘b.a.d.g.u.y.007[at]gmail.com’ and ‘bad.guy.007[at]gmail.com’ and ‘ba.dg.uy.007[at]gmail.com.’
“While all dot variants of a Gmail account direct all email to the same inbox, a vast majority of the rest of the internet treats each variant as a distinctly separate email address, associated with a unique separate account and identity,” he continued.
“For example, if I sign up for a Netflix account using the email address badguy007[at]gmail.com and then again with b.adg.uy007[at]gmail.com, Netflix — like most other online services — would think that these are two different accounts linked to two different people. This is where, and how, cyber-criminals are able to take advantage.”
Fraudsters are therefore able to create multiple accounts with a single provider that all direct back to one email inbox, making their scams quicker and easier to scale and manage.
Agari said it recently spotted email scammers using Gmail ‘dot accounts’ to carry out widespread fraud.
They submitted 48 credit card applications at four US financial institutions, with at least $65,000 in fraudulent credit approved.
They also: filed 13 fraudulent tax returns, submitted 12 change of address requests with the US Postal Service, submitted 11 fraudulent Social Security benefit applications, applied for unemployment benefits under nine identities in a single US state and submitted applications for FEMA disaster assistance under three identities.
“In total, the group used 56 different dot variants of a single Gmail email address to register accounts on websites used for fraudulent purposes,” said Tokazowski.
He warned that scammers could also make use of the fact that @gmail and @googlemail addresses are routed to the same inbox, potentially doubling the permutations they have on offer.
Organizations were urged to check for excessive use of dots in newly created accounts to help mitigate this risk.
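The check Agari recommends, as an added example that is not Agari's code: canonicalize sign-up addresses so that every dot variant (and the @googlemail.com alias mentioned above) collapses to one identity, then report identities that appear more than once and Gmail addresses with an unusual number of dots. It goes slightly beyond the article by also stripping Gmail's `+tag` suffix, which the same inbox likewise ignores. The sign-up list is constructed; the `badguy007` address is the article's own example.

```python
"""Canonicalize Gmail addresses and flag dot-variant reuse at sign-up.

Added example, not Agari's code. The SIGNUPS list is constructed sample
input; max_dots is an arbitrary threshold an organisation would tune.
"""
from collections import defaultdict

# Both domains deliver to the same Gmail inbox (stated in the article).
GOOGLE_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the identity an address really maps to.

    For Google-hosted mail: dots in the local part are ignored, a +tag suffix
    is ignored, and googlemail.com is folded into gmail.com. Everything is
    lower-cased; local parts are case-sensitive per RFC 5321, but in practice
    providers treat them case-insensitively, so that is the safer grouping."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GOOGLE_MAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_count(address: str) -> int:
    """Number of dots in the local part (the part before the @)."""
    return address.rpartition("@")[0].count(".")


def review_signups(addresses, max_dots: int = 2):
    """Group addresses by canonical identity.

    Returns (reused, dotty): reused maps each canonical identity seen more
    than once to its raw variants; dotty lists Gmail-hosted addresses whose
    local part carries more than max_dots dots. Dots are only meaningless
    on Gmail, so the dot check is restricted to Google-hosted addresses."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonical_email(raw)].append(raw)
    reused = {canon: variants for canon, variants in groups.items() if len(variants) > 1}
    dotty = [
        raw for raw in addresses
        if canonical_email(raw).endswith("@gmail.com") and dot_count(raw) > max_dots
    ]
    return reused, dotty


# Constructed sample sign-ups: three dot/alias variants of one inbox, one
# case-only duplicate at another provider, and one ordinary address.
SIGNUPS = [
    "badguy007@gmail.com",
    "b.a.d.g.u.y.007@gmail.com",
    "bad.guy.007@googlemail.com",
    "Jane.Doe@example.org",
    "jane.doe@example.org",
    "someone.else@gmail.com",
]

if __name__ == "__main__":
    reused, dotty = review_signups(SIGNUPS)
    for canon, variants in reused.items():
        print(f"{canon}: {len(variants)} sign-ups -> {variants}")
    print("excessive dots:", dotty)
```

Canonicalizing at account creation is the cheap control: a second sign-up that maps to an already-registered identity can be challenged or merged rather than treated as a fresh person. The dot-count heuristic is noisier and is best used as a review signal rather than a hard block, since legitimate users do own addresses with a couple of dots.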
Security researchers have discovered another Chinese state-sponsored APT campaign, this time targeting a major European MSP with the likely intent of stealing IP from its customers.
Recorded Future and Rapid7 claimed in a new co-authored report that the notorious APT10 group, linked to China’s fearsome Ministry of State Security (MSS), was responsible for the campaign, running between November 2017 and September 2018.
It is said to have targeted Norwegian provider Visma, which has 850,000 customers around the globe, as well as a multi-national clothing giant and a US law firm with strong experience in IP law and clients in pharma, tech, automotive and other sectors.
The initial entry point in all three cases was stolen Citrix/LogMeIn credentials, enabling remote network access.
“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware,” the report continued.
“During the Visma intrusion, APT10 deployed their Trochilus malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10.”
Visma data was compressed using WinRAR and exfiltrated to a Dropbox account using the cURL for Windows command-line tool. The same account was used to store data from the other breaches.
The MSS has been previously blamed for Operation Cloud Hopper, a major multi-year campaign targeting MSPs around the world which resulted in the indictment of two suspected state hackers late last year.
“Unfortunately, this is the type of nefarious behavior we witness regularly, but there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything,” advised Rapid7 principal MDR analyst, Eoin Miller.
“Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or 'out of the norm' networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”
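One way to implement the authentication review Miller describes, as an added example that is neither Rapid7's tooling nor anything from the report: build each user's baseline of countries from their earlier successful logins and alert on a successful login from a country not yet in that baseline, or from a network on a watch list (the "low cost VPN providers" an organisation chooses to track). The log format, user names, IP addresses, country codes and the ASN watch list are all constructed for illustration; a real deployment would read the remote-access gateway's own logs and a GeoIP/ASN lookup.

```python
"""Review remote-access logins against a per-user country baseline.

Added example, not from the Recorded Future/Rapid7 report. SAMPLE_LOG,
WATCHED_ASNS, the IPs (RFC 5737 documentation ranges) and the country
codes XX/YY are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed watch list: autonomous systems the organisation has decided to
# treat as unusual sources (for example low-cost VPN exits).
WATCHED_ASNS = {"AS64501", "AS64502"}

# Constructed gateway log: one event per line, key=value fields.
SAMPLE_LOG = """\
2018-09-03T08:01:12Z user=alice src=198.51.100.7 country=NO asn=AS64496 result=success
2018-09-03T08:05:41Z user=alice src=198.51.100.7 country=NO asn=AS64496 result=success
2018-09-04T02:17:09Z user=alice src=203.0.113.55 country=XX asn=AS64501 result=success
2018-09-04T09:30:00Z user=bob src=192.0.2.10 country=NO asn=AS64496 result=failure
2018-09-04T09:31:10Z user=bob src=192.0.2.10 country=NO asn=AS64496 result=success
2018-09-05T01:02:03Z user=bob src=203.0.113.99 country=YY asn=AS64502 result=success
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_logins(log_text: str):
    """Return a list of (user, src_ip, reason) alerts for successful logins.

    The baseline is built only from events that came earlier in time, so the
    first login from a new country is flagged instead of being silently
    learned. A user's very first login ever is not flagged for country
    (there is nothing to compare against) but still is if the ASN is watched.
    Failed attempts never extend the baseline."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])

    seen_countries = defaultdict(set)  # user -> countries with a prior success
    alerts = []
    for rec in records:
        if rec["result"] != "success":
            continue
        user, country, asn = rec["user"], rec["country"], rec["asn"]
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append(f"new country {country}")
        if asn in WATCHED_ASNS:
            reasons.append(f"watched network {asn}")
        if reasons:
            alerts.append((user, rec["src"], "; ".join(reasons)))
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for user, src, reason in review_logins(SAMPLE_LOG):
        print(f"ALERT {user} from {src}: {reason}")
```

Two alerts come out of the sample: alice's and bob's logins from a country outside their baseline, each also landing on a watched network. This complements rather than replaces two-factor authentication: with stolen Citrix or LogMeIn credentials as the entry point, 2FA stops the login, and the review above is what catches the cases where a second factor was absent or bypassed.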
South Africa’s largest electricity supplier has come under fire for apparently ignoring a serious leak of customer data.
Eskom, which claims to transmit and distribute 95% of the electricity used in the country, was called out earlier this week on Twitter by a frustrated security researcher.
“You don't respond to several disclosure emails, email from journalistic entities, or twitter DMs, but how about a public tweet?” said Devin Stokes. “This is going on for weeks here. You need to remove this data from the public view!”
The leaked data appears to include customer details including account IDs, meter information and payment details.
Only the last four digits of card numbers are visible, as are CVV numbers: certainly enough to launch convincing phishing attacks and follow-on fraud.
Unfortunately for the energy giant, which also claims to provide 45% of the electricity used in Africa, it also appears to have been hit with a seemingly unrelated malware infection.
Twitter user @sS55752750 claimed that one of the company’s users’ machines was infected with a trojan, adding that “all her credentials were stolen.”
Although the utility firm initially claimed that the email address provided was “not a valid Eskom email address,” it subsequently changed its position.
“This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention,” the firm tweeted on Wednesday.
It remains to be seen what action is being taken to address the exposed database.
Paul Edon, senior director at Tripwire, argued that a company the size of Eskom should have better visibility into its systems and take a more proactive approach to security.
“There is a tendency for boardroom executives to operate with a reactive mindset, and although understandable, since attacks are difficult to visualize until they happen, it is still unacceptable,” he added. “With cybersecurity, it is critical that organizations get the basics right. Continuously monitoring the security of their infrastructure can go a long way towards preventing a successful attack or reducing the impact.”
There is a growing disconnect between how companies capitalize on customer data and how consumers expect their data to be used, a new report from RSA Security has discovered.
The firm polled more than 6000 individuals across France, Germany, the United Kingdom and United States to explore the nuances of ethical data use and consumer perceptions of data privacy, compiling its findings into The RSA Data Privacy & Security Survey 2019.
Fewer than half (48%) of respondents believed there are ethical ways that companies can use their data, whilst 57% said they blame companies above anyone else, even a hacker, in the event of a data incident.
What’s more, whilst a focus on personalized consumer experiences is often considered a means to increase user activity and purchasing, the majority of those polled were against companies using their data to create a personalized experience if it compromised their privacy. As few as 17% of respondents felt tailored ads were ethical and just 24% thought personalization to create tailored newsfeeds was ethical.
“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, vice-president of international, RSA. “Now is the time for organizations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”
An IT developer at a Chinese bank has been jailed for over a decade after exploiting a vulnerability in its systems to withdraw more than $1m from ATMs.
Qin Qisheng, 43, was a manager in Huaxia Bank’s technology development center in Beijing who spotted that a glitch in the lender’s core OS meant cash withdrawals around midnight weren’t recorded.
He subsequently tested his theory, deliberately hiding his activity as he did so, making withdrawals of 5,000-20,000 yuan ($740-3,000) from a test bank account.
After doing so for over a year without telling his superiors, he had built a small fortune of over seven million yuan ($1m) in his own bank account, investing some funds in the stock market.
However, his luck ran out after the unusual activity in the test account was spotted at a branch in Hebei.
Amazingly, however, the bank wanted police to drop the case, believing Qin’s excuse that he was merely pen-testing.
“Qin Qisheng said that the matter was complicated and involved lots of work … he believed the bank would not pay attention even if he reported it,” a representative said in court, according to the South China Morning Post.
“We think this reason for not reporting is legitimate.”
Although Qin returned all the money he stole from the bank, it wasn’t enough to save him from a 10-and-a-half year jail sentence. This is the final appeal ruling of the Beijing Intermediate People’s Court, upholding a December conviction.
“On the one hand, [the bank] said that the accused’s behavior was in violation of the rules. On the other hand he said that he could conduct relevant tests. This is self-contradictory,” the judge is reported to have said.
MPs have been targeted by a new phishing campaign after a government whip’s accounts were hacked, according to reports.
Tory MP Mike Freer told BuzzFeed News that the “parliamentary authorities are currently investigating” following the incident.
According to the report, dozens of MPs were added to a WhatsApp group named “Hack warning 1” by an account linked to Freer’s personal mobile phone number.
The MPs left the group swiftly, followed by Freer’s number.
In a Facebook update to friends, he hinted that his email account had also been compromised.
“If anyone receives a text asking them to download a viber so we can have a secure call please ignore and delete. I’ve been hacked. Ditto for any email suggesting I need overseas contacts for a government payment. Delete,” it noted.
The Whips’ Office subsequently sent an alert warning of a “malicious hack that accesses your contacts list and sends texts and emails to all your private contacts.”
CensorNet CTO, Richard Walters, warned that phishing attacks remain a staple of the cyber-criminal fraternity.
“The reason is simple; it relies on manipulating people who are inherently trusting, particularly when attacks are highly targeted. It’s easy to say that there’s been a fairly sizable error in judgement by anyone who fell for it, but it really could happen to anyone,” he added.
“It would, however, be sensible for organizations — whether government or not — to make sure that people are adequately aware of the risks and not, as in this case, download anything based on the say so of a ‘contact’. A little bit of caution would always be advised.”
This isn’t the first time MPs have been targeted by a phishing campaign.
Back in June 2017, around 1% of parliamentary email accounts were cracked open by hackers, potentially after brute-forcing or guessing credentials. The attackers then launched vishing attacks in the aftermath in an attempt to trick users into handing over their log-ins over the phone. The attacks were blamed on Iran.
There have been more than 59,000 breach notifications to regulators of the GDPR since it was introduced on May 25, 2018, according to new findings from DLA Piper.
The global law firm’s report runs all the way up to Data Protection Day on January 28, 2019, meaning there was an average of over 7300 breach reports each month since the legislation was introduced.
The notifications range from the minor — such as emails being accidentally sent to the wrong recipient — to major attacks affecting millions, perhaps a reference to Marriott International.
The Netherlands was the surprise at the top of the breach reporting table, with organizations there having notified the supervisory authorities around 15,400 times. Next came Germany (12,600) and the UK (10,600).
The Netherlands also wins in terms of the country with most breach notifications per capita, followed by Ireland and Denmark. The UK came tenth in this regard.
Interestingly, the report claimed that there have already been 91 reported fines, but most appear to have slipped under the radar as they were so small. Most notable was the €50m penalty levied against Google, although a €20,000 fine against the German chat app Knuddels also stood out as the first major fine by a national regulator.
In fact, with over 60 fines already levied, Germany seems to be the most prolific in this regard.
DLA Piper clarified that the high number of breach reports is likely due to the large fines for covering up an incident, but said regulators are wading through a large backlog already.
It warned that the financial penalties will only increase.
“We anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of euros as regulators deal with the backlog of GDPR data breach notifications,” the report concluded.
“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so. Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion Euro fines recently on large tech companies.”
The convergence of IT, operational technology (OT) and industrial internet of things (IIoT) has raised concerns about cybersecurity, safety and data privacy for many organizations, according to a new Ponemon Institute study.
Released today in partnership with TÜV Rheinland OpenSky, results of the 2019 Safety, Security & Privacy in the Interconnected World of IT, OT and IIoT study found that 62% of respondents agreed or strongly agreed that security maturity will increasingly depend upon the convergence of IT and OT control systems.
“Improving overall cybersecurity maturity will play a deterministic role in the success of a digitalization roadmap where the focus is to improve digital services in a complex and interconnected ecosystem,” said Urmez Daver, global head of industrial security at TÜV Rheinland, in a press release.
“This is an area of focus for us at TÜV Rheinland OpenSky, and we were pleased to see that the outcome of the study reflects a similar prevalent opinion of cybersecurity practitioners across North America.”
Leaders are largely aware that the inability to achieve convergence will likely compromise trust with supply chain partners, but there are obstacles to achieving convergence that include a lack of strict data protection safeguards on information critical to operations.
While the majority of respondents (65%) agreed that digitalization is driving IT and OT convergence, 55% of those surveyed said that convergence is not possible in organizations with a long history of silos and “turf issues.”
To achieve convergence, support needs to come from the top down. According to the survey, 73% of participants believe convergence cannot happen without the support of the CIO, while 62% said it is not possible without buy-in from C-level executives.
When asked about managing safety, 69% of respondents affirmed that their companies manage programs effectively, with 67% rating their companies as very effective in planning cybersecurity initiatives to support business priorities. An additional 66% say their leadership and governance practices are very effective.
“Fewer companies are effective in managing third party risks, compliance with regulations and standards and managing their privacy programs...Only 31% of respondents say they are very effective in managing their privacy programs, and 37% of respondents say they are very effective in complying with regulations and standards,” the report said.
Driverless vehicles and connected cars are creating a buzz in the marketplace, but as the industry races to produce the connected car of the future, it is letting cybersecurity fall to the wayside, according to new research from Synopsys.
In conjunction with SAE International, Synopsys published its report, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, which found that 84% of respondents have concerns that cybersecurity practices are not keeping pace with evolving technologies.
Nearly 600 professionals were surveyed as part of the study conducted by Ponemon Institute. Of those who partook in the survey, 30% reported that they do not have an established product cybersecurity program or team.
In addition, 63% said they test for vulnerabilities in less than half of their hardware, software or other technologies.
“Pressure to meet product deadlines, accidental coding errors, lack of education on secure coding practices, and vulnerability testing occurring too late in production are some of the most common factors that render software vulnerabilities,” the report said.
“Our report illustrates the need for more focus on cybersecurity; secure coding training; automated tools to find defects and security vulnerabilities in source code; and software composition analysis tools to identify third-party components that may have been introduced by suppliers.”
A large majority of respondents said they believe that an attacker could exploit a vulnerability, and 52% said they are aware of potential harms that insecure automotive technologies could cause to drivers, yet less than a third (31%) said they are capable of raising concerns that would actually be heard.
One issue that impedes the advancement of cybersecurity for automotive companies is a lack of both resources and skills. “On average, companies have only nine full-time employees in their product cybersecurity management programs. 62% of respondents say their organizations do not have the necessary cybersecurity skills. More than half (51%) say they do not have enough budget and human capital to address cybersecurity risks,” the report stated.
In addition to combing through thousands of intelligence reports from commercial clients, researchers also sought feedback from analysts. Attempting to identify the top challenges organizations are likely to face this year, the report found that the top threat to organizations is that they may find themselves caught in the cross hairs of information warfare.
“This activity encompasses a wide range of tactics, from orchestrating targeted breaches followed by data leaks to employing troll armies to push disinformation. So far, states have mainly used these capabilities for political and military purposes, like nudging voters and enflaming cultural conflict,” the report said.
“Booz Allen believes in 2019, states will increasingly use their growing information-warfare methods applied to economic conflict and will likely aim to generate investor, regulatory, consumer, or political backlash against targeted sectors and companies by fabricating or inflaming public relations and legal controversies.”
Certainly social media has created a pathway for companies to get caught in a misinformation web. “Increasingly, nation-states and other entities use the power of social media to support information warfare campaigns,” said Pravin Kothari, CEO, CipherCloud.
“Social media can be deployed as a cannon of misinformation to damage corporate reputations, attack government institutions and their policies, attack individual politicians and organizations, and in general obfuscate the truth and confuse the public.”
Though the additional key threats are legitimate concerns to both governments and businesses, some threats – especially the lack of security in many IoT devices and connected cars – do apply to consumers, according to Byron Rashed, vice president of marketing at Centripetal Networks.
"Combating these threats is difficult, especially cyber-threats from nation-states that have no budgetary limits. Keeping IT assets (security and infrastructure) up to date with the latest versions of software and patches will help to curb some threats that may find their way into the network,” Rashed said.
Graphic novel fans, particularly those Kindle readers who adore the popular John Wick series, may have unknowingly downloaded fake ebooks promising them the opportunity to stream the third film installment prior to its release in May, according to Malwarebytes.
The empty promise could do more than disappoint fans, though. According to researchers, the ebooks, which varied in price, actually sent the reader down a rabbit hole of malicious links to illicit sites claiming to offer streaming services.
It’s not unheard of for scammers to target the Kindle store, but historically the goal has been to steal authors’ content. This new tactic of packaging fake movie links in ebooks poses a different kind of threat.
“Roughly 40 or more individual items were uploaded from around January 25 to February 2, each one from a different 'author.' At first glance, you might think you’re looking at movies, thanks to the play button icon on each image preview. The fact that each entry is called something along the lines of 'John Wick 3: free movie HD' probably helps, too,” wrote Malwarebytes lead malware intelligence analyst Chris Boyd.
Infosecurity contacted Amazon, which reportedly addressed the issue internally, though battling fake ebooks is nothing new for the online megastore. In his February 4 blog post, Boyd said, “It’s tricky to flag dubious content on the Kindle store, as you have to report each title individually and give reasons. We contacted Amazon customer support and have been informed these e-books have been escalated to the appropriate teams.”
As of today, search results appear to have been removed, but Boyd said, “We've also since found references to a similar eBook claiming to be a 'Spider-Man far from home' HD movie, which has also been removed. It's quite possible the scammers behind this may start taking aim at other big name film titles. Kindle owners should always check out a preview whenever possible, and not waste their money on anything proving nothing but a link to a streaming website.”
The overall number of breaches fell in 2018, but the number of compromised records skyrocketed, resulting in a 126% increase, according to the 2018 End-of-Year Data Breach Report.
The Identity Theft Resource Center tracked the data breach events of 2018 and published a 180-page report in which it found that the total number of records compromised last year was 446,515,334, up from 197,612,748 in 2017.
The study also found that “vulnerabilities in software platforms and human error and susceptibility to increasingly sophisticated phishing scams are exploited by individuals trying to steal information. As consumers, we need to protect our information when companies that house our data are the target of breaches.”
According to the report, the majority of 2018's 1,244 data breaches were the result of hacking, with the business sector suffering the largest number of breaches (571) and the healthcare sector not far behind (363).
“Attackers will use one of many techniques, such as account manipulation, bash history, brute force, credential dumping, registry-based credentials, forced authentication, hooking, input capture, kerberoasting, and keychain attacks and many more,” said Anthony James, chief strategy officer, CipherCloud.
Three major breaches exposed more than 100 million records. The Facebook data breach resulted in hackers gaining access to the tokens for 50 million accounts, while Google’s two data breaches impacted 53 million users.
“A security bug allowed third-party developers to access public user profile data since 2015. If a user gave permission to an app to access their public profile data, the bug also let developers pull non-public profile fields for the user and user’s friends including: full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status,” the report said.
In addition to user error, third-party vendors have significantly multiplied the risks that both consumers and businesses face, according to Colin Bastable, CEO of cybersecurity test and training company, Lucy Security.
"The fewer moving parts we have between us and our data, the safer we are. By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk."
In advance of today's Safer Internet Day, Google surveyed a pool of 3,000 consumers to understand people’s beliefs and current behaviors around online security. According to the new Harris Poll data, two in three people recycle the same password across multiple accounts.
Of all the participants, who were aged 16 and older, 51% admitted that they use one particular "favorite" password for the majority of their accounts. In addition, a third of respondents (31%) said they either don’t know whether they are using two-factor authentication (2FA) or intentionally choose not to use it.
Still, a whopping 69% of respondents gave themselves an A or B grade for their ability to protect their online accounts. Indeed, 59% said they are better than the average person at keeping their accounts safe from cyber-threats.
While 79% of participants understand that updating security software is a key part of staying safe online, only 67% said they regularly update (or know if they update) their applications.
When asked to define phishing, password manager and two-step verification, only 32% of respondents correctly defined all three terms.
Only 24% of survey respondents said they use a password manager, with those who are older than 50 being less likely to use a password management tool, though the 50-plus group is more likely to use a different password for each account. Those respondents ages 16-24, however, are more likely to use 2FA but are less likely to have changed their passwords within the past year.
In a blog post advising users of what they can do right now to improve online safety, Google wrote, “Create a unique password for each account to eliminate this risk. Make sure that each password is hard to guess and better yet, at least eight characters long.”
Google also recommended setting up 2FA, which “requires you to take a second step each time you sign in to your account on top of your username and password. Examples of second verification steps include: an SMS text message, a six-digit code generated by an app, a prompt that you receive on a trusted device or the use of a physical security key.”
The UK government is claiming to have a £6m pot of cash set aside for the winners of a new IoT security competition.
The Technology Strategy Board, also known as Innovate UK, will only choose projects including an element of artificial intelligence or machine learning and those that have “a clear plan for commercialization.”
They must focus on at least one of: technologies to protect and recover data, intelligent control systems for buildings and smart home protection. Projects could also look at “complementary technologies” like 5G or blockchain, the government claimed.
The idea is apparently to encourage companies to collaborate with the research community to drive new ideas in IoT security.
The initiative is part of the UK Research and Innovation Strategic Priorities Fund, and can be seen as part of a wider push by the government to enhance the UK’s position as a world leader in cybersecurity.
It comes after a £70m investment announcement last week through the Industrial Strategy Challenge Fund, focused on improving security-by-design, and a £30m pledge for the Ensuring the Security of Digital Technology at the Periphery program, to improve IoT security.
It’s unclear whether this latest announcement will be funded from the latter pot of money.
To encourage firms to get on board with the latest Innovate UK competition, the government said they could receive up to 70% off project costs, as long as they fall between the £2.5m-£4m range.
UK firms of any size can participate, working alongside public and private sector bodies as well as charities, but projects must include at least one academic partner and one SME. The competition is open from February 18, with the final deadline on May 1 2019.
Projects must start by December 1 2019 and can last between 18 and 24 months. Those that pass the written application stage will be invited to an interview panel between July 1-5 to present their ideas.