The perceived value of threat intelligence is growing, with 68% of organizations currently creating or consuming data around the latest cybersecurity campaigns.
According to the SANS 2018 Cyber Threat Intelligence Survey, about a fifth (22%) of organizations have plans to use threat intelligence in the future.
The adoption of threat intelligence programs has steadily grown, with more respondents than ever before using them to improve their overall cybersecurity posture. The rate climbed to 81% this year, compared to 78% in 2017 and 64% in 2016.
According to the report, some of the most popular security operations tasks that threat intelligence programs support include detection (79%), incident response (71%), blocking threats (70%) and threat hunting (62%). Many of the survey responses indicated that the increased emphasis on threat intelligence and information sharing was key to allowing operations teams to quickly search for existing compromises and proactively block access from external clients.
“Despite the onslaught of new threats that have been waged this past year, the SANS survey findings reflect [that] threat intelligence platforms and programs are improving overall prevention, detection, and response efforts,” said Tim Helming, director of product management of DomainTools, which sponsored the survey. “Cyber-threat intelligence is such an effective and important part of security operations because it converts an organization’s general posture from a reactive to proactive mindset, which gets teams beyond the ‘if’ something will happen to ‘when something happens, we are ready for it.’”
The report also found that some threat intelligence is more useful than others, with detailed malware indicators (81%) and information on the vulnerabilities that are targeted by attackers (79%) seen as the top two.
The largest improvements in the threat intelligence ecosystem from last year were in improving security operations (this increased from 63% to 70%), preventing damage to business systems or data (increased from 36% to 45%), reducing time to identify and respond to incidents (increased from 50% to 59%) and revealing vulnerabilities to implement new controls (increased from 48% to 59%).
The prevalence of dedicated threat intelligence platforms is also on the rise, up from 41% in 2017 to 57% in 2018; this year, 48% connected to threat intelligence programs via API.
Attempted online fraud jumped 113% year-on-year in the final quarter of 2017, to hit a massive 251 million attacks, with e-commerce firms hit particularly hard, according to ThreatMetrix.
The fraud prevention company analyzed 7.6 billion transactions to compile its Q4 2017 Cybercrime Report.
The firm claimed that companies are most exposed to fraud during the period straight after a major data breach but before it has been reported or detected.
Given that Q4 covers the busy Christmas shopping period, it’s perhaps no surprise that e-commerce firms came under particular scrutiny from the fraudsters. Almost 193 million transactions were rejected by ThreatMetrix as fraudulent, a 173% increase on the same time in 2016.
However, fraudsters seem to be eschewing payment fraud in favor of account takeover and creation attacks.
In fact, e-commerce account creation and login attacks were four times more likely than payment fraud, with the log-in attack rate growing 294% compared to the same quarter in 2015.
Automated bots are playing an ever-increasing role in fraud, used on an unprecedented scale again during Q4, according to the report. There were 34 million bot attacks during the peak festive shopping period alone, rising to 800 million for the quarter.
They’re increasingly used for more than merely testing stolen credentials, the firm claimed.
“Bot attacks continue to evolve from their basic velocity-based functions, to complex bots that are used in more advanced ways to spoof IP addresses, emulate browsers or spoof apps, to masquerading bots, that are attempting to mask their true context and pretend to be legitimate user traffic,” the report noted.
Also last quarter, Russia and Vietnam emerged as top five attack originators, alongside the UK, US and Germany. However, more attacks are said to originate in Europe than anywhere else.
Police around the globe have swooped on 13 individuals, arresting them on suspicion of involvement in a notorious carding forum.
A federal indictment was unsealed yesterday charging 36 for their alleged roles in the “Infraud” organization which is said to have caused over $530m in actual losses and $2.2bn in intended losses for financial institutions, merchants and individuals.
The site itself was founded in 2010 by Svyatoslav Bondarenko (aka “Obnon,” “Rector,” and “Helkern”), 34, of Ukraine, with the slogan “In Fraud We Trust.”
It appears to have functioned as a conduit between potential buyers and sellers of stolen identity information, financial and banking data, malware and other unnamed “illicit goods.”
The site also offered an escrow service to support illegal crypto-currency transactions for members, and screened vendors to ensure the quality of their goods, according to the Department of Justice.
The DoJ claimed that members of the organization had very clear roles within its hierarchy, ranging from administrators managing day-to-day operations such as membership and strategic planning, to moderators and super moderators. Even buyers were split into two tiers: members and VIP members.
As of March 2017, there were almost 11,000 members buying from the site’s vendors.
The operation to arrest the 13 was carried out by police in Australia, the UK, France, Italy, Kosovo and Serbia.
Acting assistant attorney general, John Cronan, claimed the indictment and arrest comprised one of the largest cyber-fraud prosecutions ever seen.
“As alleged in the indictment, Infraud operated like a business to facilitate cyber-fraud on a global scale,” he added, in a statement.
“The Department of Justice refuses to allow these cyber-criminals to use the perceived anonymity of the internet as a shield for their crimes. We are committed to working closely with our international counterparts to identify, investigate, and bring to justice the perpetrators of these crimes, wherever in the world they operate.”
Swiss telecoms giant Swisscom has admitted suffering a data breach late last year which exposed the personal details of around 800,000 customers to unauthorized parties.
The company, which is majority-owned by the government, claimed that the intruders accessed the data via a sales partner last autumn.
Most of those affected were mobile customers, although a “few” fixed network subscribers were also hit. The number of breached customers represents around 10% of the entire population of Switzerland.
Customers’ names, addresses, telephone numbers and dates of birth were compromised. Although Swisscom maintained this data is “non-sensitive” it would be enough to give fraudsters a useful start to help craft convincing follow-on phishing attacks.
That said, the firm has claimed no such activity has affected customers as yet.
“Swisscom discovered the incident during a routine check of operational activities and made it the subject of an in-depth internal investigation,” the company continued.
“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident. Rigorous long-established security mechanisms are already in place in this case.”
After discovering the incident, Swisscom said it blocked the offending partner’s access rights immediately. It promised to introduce two-factor authentication for all sales partners this year, put in place systems to raise the alarm in the case of any unusual activity and make it impossible to run high-volume queries for all customer info.
Ilia Kolochenko, CEO of High-Tech Bridge, argued that security exposure via partners is still a widely unacknowledged problem.
“Many large financial institutions and e-commerce businesses have lost millions of records because of hacked third-parties. Cyber-criminals won't assault the castle, but will instead find a weak supplier with legitimate access to the crown jewels,” he explained.
“However, the good news is that we see more and more companies who rigorously implement, for example, vendor risk assessment policies now, to prevent such risks. Swisscom's efforts to mitigate and investigate the breach are laudable, but they won't really help the victims.”
Uber’s top security official told lawmakers on Capitol Hill this week that the ride-share giant had “no justification” for not revealing its massive data breach in 2016.
“It was wrong not to disclose the breach earlier,” said John Flynn, Uber’s CISO, in prepared statements.
The admission seems weak at best given the fact that it took the company a year to reveal a breach that affected 57 million customers and drivers worldwide, with names, email addresses and mobile phone numbers included in the trove of data stolen. The firm concealed the breach by paying off the hackers but failed to notify victims or relevant bodies. Finally, in November 2017, it admitted to the incident, noting that it had paid the hackers – after the breach – via the conduit of its HackerOne bug-bounty program.
“The bug bounty program is not an appropriate vehicle for dealing with intruders,” said Flynn, without explaining the justification for doing so at the time.
“[The] hearing spotlights the ethical considerations around how Uber responded to its recent breach,” said Bugcrowd founder and CTO Casey Ellis, via email. “This was not a bug-bounty payout. This was extortion, and the difference between the two is unambiguous. Extortion happens when a company is approached by an attacker that has gained valuable information and demands payment to keep the discovery quiet. Extortion is initiated by the attacker, and the attacker holds the power. Bug-bounty programs operate in a controlled environment with secure communication on all ends to facilitate interactions between businesses and the researcher community for safe and effective security testing.”
Needless to say, lawsuits are ongoing.
Flynn, along with representatives from HackerOne and other firms, appeared as part of a hearing before the Consumer Protection, Product Safety, Insurance and Data Security Subcommittee of the Senate Commerce, Science and Transportation Committee.
“Going forward, Uber is revisiting its incident response approach in circumstances such as these,” Flynn said. “We have hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help structure the security team and guide new processes going forward.”
Lawmakers did not let the company off lightly.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran (R-KS), said in his opening statement.
Senator Richard Blumenthal (D-NY) said Uber’s management of the hack was “morally wrong and legally reprehensible,” before noting that the company has likely run afoul of rules for data breach disclosure in various states across the country.
Looks can be deceiving: Many of the supposedly safest neighborhoods of the web are in fact risky places to visit.
Menlo Security’s third annual State of the Web report has found that 42% of the top 100,000 sites on the web, as ranked by Alexa, either are using software that leaves them vulnerable to attack or have already been compromised in some way.
Menlo deems a site risky if any one of three criteria is met: The site, either the homepage or associated background sites, is running vulnerable software; it has been used to distribute malware or launch attacks; or the site has suffered a security breach in the past 12 months.
One rarely discussed problem is that the average website connects to 25 background sites for content, such as video clips and online ads. Most enterprise security administrators don't have tools in place to monitor these connections, leaving them vulnerable to backdoor attacks.
Further, efforts to sort sites into "good" and "bad" simply by using categories are largely ineffectual. The business and economy category, for example, had more known bad sites (39% were found to be risky) and sites that had been used to launch attacks or distribute malicious code than did the gambling category – a counterintuitive finding at best.
Similarly, 49% of news and media sites met Menlo's criteria as "risky,” as did 38% of shopping sites.
Phishing and typosquatting also regularly occur on sites in widely trusted categories.
"This report confirms what most CISOs already know: that a false sense of security is a dangerous thing when using the web," said Amir Ben-Efraim, CEO of Menlo Security. "Despite website operators' best efforts, cybercriminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web."
Email hackers meanwhile are using trusted hosting services to set up phishing sites, giving them safe-looking URLs. In 2017, Menlo discovered 80,000 phishing sites over the course of the year; of these, 4,600, were using legitimate hosting services.
“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms,” Menlo said in the report. “Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites. Also, hosting services typically allow customers to set up multiple subdomains. For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”
A new strain of Gojdue ransomware, dubbed ShurL0ckr, has been found on the dark web. Discovered by Bitglass and Cylance, the malware managed to evade being flagged by two well-known cloud platforms with built-in malware protection, Google Drive and Microsoft Office 365 – and it’s not alone in that capability.
ShurL0ckr is a zero-day ransomware-as-a-service that works the same way as the well-known Satan ransomware: Hackers pay a percentage to the author after generating and distributing a ransomware payload that encrypts files on disk.
Worryingly, Bitglass also tested the malware on VirusTotal and found that only 7% of the 67 tested AV engines successfully detected the new malware.
To further analyze the proliferation of malware in the cloud and determine how common Gojdue’s evasion capabilities are, the Bitglass Threat Research Team also scanned tens of millions of files, discovering a high rate of infection in cloud applications and a low efficacy rate for apps with built-in malware protection. In its report, it noted that a full 44% of scanned organizations had some form of malware in at least one of their cloud applications. Put another way, the average organization held nearly 450,000 files in the cloud, with 1 in 20,000 containing malware.
The analysis also found that, on average, one in three corporate instances of SaaS apps contained malware. Of four popular SaaS applications – OneDrive, Google Drive, Box and Dropbox – Microsoft OneDrive had the highest rate of infection at 55%; Google Drive had the second highest rate of infection with 43% of instances being impacted, followed by Dropbox and Box with 33% each.
“Malware will always be a threat to the enterprise and cloud applications are an increasingly attractive distribution mechanism,” said Mike Schuricht, vice president of product management at Bitglass. “Most cloud providers do not provide any malware protection, and those that do struggle to detect zero-day threats.”
Bitglass also identified the top five file categories by infection rate: scripts and executables (42%), which can launch malicious applications with the click of a button, are the most common infected file type. Microsoft Office files, common corporate file types that most users trust and open without hesitation, ranked second (21%). Other formats include text files, images and more, while compressed formats include ZIP files.
Two men have been arrested and charged in Connecticut with using malware to target local ATMs for free cash.
Spaniard Alex Alberto Fajin-Diaz, 31, and Argenys Rodriguez, 21, of Springfield, Massachusetts, were arrested on January 27 and charged with bank fraud stemming from a so-called ATM “jackpotting” campaign.
Police had been investigating a series of these attacks on ATMs in Guildford and Hampden, Connecticut, and Providence, Rhode Island.
The two were arrested after Citizens Bank officials in Cromford, Connecticut alerted the authorities to a possible attack on one of their ATMs.
Police are said to have apprehended the duo nearby, with the cash-point in question in the process of dispensing $20 notes thanks to jackpotting malware that had been installed on it.
A search of their vehicle, which was fitted with false number plates, revealed “tools and electronic devices consistent with items needed to compromise an ATM machine to dispense its cash content,” according to a Department of Justice notice.
Fajin-Diaz and Rodriguez were also said to be carrying more than $9000 in $20 notes.
They’re now facing up to 30 years behind bars.
It’s unclear whether the duo are also suspected of the jackpotting raids elsewhere in Connecticut and Rhode Island.
Such attacks are nothing new, but can vary in sophistication.
An analysis in 2016 uncovered a group suspected of carrying out raids in 14 countries across Europe. The Cobalt Group used phishing emails to infect the targeted banks’ networks, before pivoting to the individual ATMs to plant the malicious code and then send a remote command to issue the cash.
Kaspersky Lab has previously advised ATM operators to build in default-deny policies and device control, alongside other technical measures to protect ATMs against physical access.
Press release network Business Wire has admitted suffering an ongoing Distributed Denial of Service (DDoS) attack lasting a week so far, in a sign of the continued pressure high-profile firms are under from anonymous attackers.
The firm, which is owned by Warren Buffett’s Berkshire Hathaway conglomerate, relies on its web infrastructure to get online press releases and media alerts in front of readers.
However, a memo sent to partners by COO Richard DeLeo and seen by Infosecurity admitted the firm had been under attack since January 31.
“The attack is attempting to make our service portal unavailable. DDoS attacks are malicious attempts to render a website unavailable by overwhelming the site with an enormous amount of traffic from multiple sources. As a result of this attack, clients may experience slowness on BusinessWire.com,” he said.
“Please note that Business Wire’s ability to disseminate your content has not been impacted in any way. Additionally, there is no evidence that any systems or client information have been compromised.”
DeLeo sought to reassure customers that his team was working with partners to “mitigate and resolve the issue and stabilize the environment.”
The firm is not alone in its current struggles against shadowy DDoS-ers.
According to security vendor A10 Networks, the average company suffers 15 DDoS attacks per year, with an average attack causing at least 17 hours of downtime. This could range from slowdowns to denied customer access or even site crashes.
Attacks are also thought to be getting harder to defend against, with average peak bandwidths of 30-40 Gbps, and many attacks going even higher.
Mounir Hahad, head of threat research at Juniper Networks, claimed that unsecured IoT devices could add extra DDoS challenges for firms in 2018, as targeted Linux malware is developed to remotely infect and control them.
“In the case of a targeted DDoS attack such as the one on BusinessWire, it is always prudent to look for signs of another sneakier attack going on while the security teams are fighting off what is essentially a diversion,” he added.
Adobe has rushed out an unscheduled patch to fix two critical vulnerabilities, including one being actively exploited in the wild by suspected North Korean hackers.
The Priority 1 bulletin APSB18-03 fixes two use after free flaws in the bug-prone Flash Player which could lead to remote code execution.
“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” the firm said in an advisory. “These attacks leverage Office documents with embedded malicious Flash content distributed via email.”
That bug was first flagged on January 31 when South Korean CERT KISA confirmed it existed in Adobe Flash Player 184.108.40.206 and earlier versions.
FireEye soon waded in, claiming the threat actors exploiting it were known to them as suspected North Korean group TEMP.Reaper (aka Group 123).
“We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific,” it explained last week.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”
The purpose of the exploit is to download an encrypted embedded payload from a compromised third-party website hosted in South Korea, with the end goal to distribute the Dogcall (Rokrat) Remote Access Trojan.
The second vulnerability patched by Adobe yesterday (CVE-2018-4877) was discovered by the Qihoo 360 Vulcan Team working with Trend Micro's Zero Day Initiative (ZDI).
It’s also a use after free bug which could lead to remote code execution, although it isn’t thought to be actively exploited in the wild.
Last year set the record for both the most breaches and the most data compromised in a year, as several new trends (like a surge in cloud storage misconfigurations) characterized the proceedings.
According to Risk Based Security’s 2017 Data Breach QuickView Report, there were 5,207 breaches recorded last year, surpassing the previous high mark, set in 2015, by nearly 20%. The number of records compromised also surpassed all other years, with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous high of 6.3 billion.
“The level of breach activity this year was disheartening,” said Inga Goddijn, executive vice president for Risk Based Security. “We knew things were off to a bad start once the phishing season for W-2 data kicked into high gear. But by the time April 18 came and went, breach disclosures leveled off and we went into summer hopeful the worst was behind us. Unfortunately, that wasn’t the case.”
The increased level of breach activity has been observed by the cyber-insurance industry as well. Manny Cho, EVP at Risk Placement Services, a national insurance brokerage and sponsor of the Year End QuickView Report, added: “The use of malware and ransomware, such as WannaCry and NotPetya, impacted companies and individuals across the globe. While large breaches continue to grab the headlines, SMEs [small and medium-sized enterprises] are losing money and assets to hacker organizations every day thanks to increased phishing and spoofing attacks.”
In addition to the number of breaches and amount of data lost, 2017 stood out for another reason. For the past eight years, hacking has exposed more records than any other breach type. In 2017, web breaches – which are largely composed of accidentally exposing sensitive data to the Internet – took over the top spot, compromising 69.2%, or 5.4 billion records.
Hacking still remained the leading breach type, accounting for 55% of reported incidents, but its impact on records exposed fell to the No. 2 spot, with 2.3 billion records compromised. For the first time since 2008, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.
“We’re seeing a lot of interest in calling out organizations that mishandle sensitive data,” said Goddijn. “Several of the security researchers that are actively engaged in searching for exposed datasets are no longer willing to keep their findings confidential. Likewise, more individuals are calling out breaches when they discover their own data is exposed.”
A prime example of this is an August breach impacting 11,887 Aetna members. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process. Unfortunately, the letter shop used envelopes with an especially large glassine window, exposing highly sensitive HIV status information. The breach was brought to light by a letter recipient – triggering both civil lawsuits and an investigation by the New York Attorney General and ending with Aetna agreeing to pay $18.3 million to settle the various proceedings.
“While this is an extreme example, 2017 saw many other situations where customers, clients and unrelated third parties discovered the problem and chose to take action,” the firm noted in its report.
Comparing the number of breaches discovered internally to the number of breaches found by outsiders highlights one dynamic behind the trend. Of the 3,904 breaches with a confirmed discovery method, only 728, or 18.6%, were discovered by the organization responsible for protecting the data. The remaining 3,176 were found by law enforcement, external fraud detection or monitoring, customers or unrelated parties, including disclosure by the malicious actors themselves.
“While there is not a direct correlation between discovery method and interest in publicizing breach activity, this data does show that the majority of breaches still go undetected by the compromised organization,” the report said.
Enterprises are spending more than $16 million – each – per year on detection-based security, thanks to surging hidden costs.
More specifically, initial, upfront licensing and deployment investment in security-detection tools like antivirus is dwarfed by the cost of human skills and effort to manage and assess the millions of alerts and false-positive threat intelligence generated, according to new analysis.
A survey from Bromium, which polled 500 CISOs from global enterprises, found that organizations invest about $345,300 per year on these kinds of tools, yet the average annual cost to maintain detect-to-protect endpoint security spirals to more than $16,714,186 per enterprise because of hidden human costs.
The solutions that organizations are spending money on up front vary and include: advanced threat detection (annual spend $159,220); next-generation and traditional antivirus (annual spend $44,200); whitelisting and blacklisting ($29,540 annual spend); and detonation environments ($112,340 annual spend).
However, labor costs are soaring as a direct result of detection-based technology failures: security operation center (SOC) teams receive more than 1 million alerts every year, but 75% are false positives; SOC teams thus spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines, and 780 hours on emergency patching. All together, that’s 417,148 hours per year, resulting in an annual labor cost of $16,368,886 per enterprise.
“Detection requires a patient zero – someone must get owned and then protection begins. Yet, because of this, rebuilds are unavoidable; false positives balloon; triage becomes more complex and emergency patching is increasingly disruptive,” said Gregory Webb, CEO, Bromium. “It’s no surprise that 63% of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives, and they are spending millions to address them.”
Aside from the expected upfront expenditures, during evaluations CISOs need to be asking questions that uncover the hidden costs, such as:
- Where are most of the attacks happening?
- Are advanced threats getting through current defenses?
- Is employee productivity negatively impacted by current security measures?
- How many alerts are being generated? Of those, how many are false positives?
- Is it likely that machines will still become compromised and need to be rebuilt?
“Meanwhile, advanced malware is still getting through because cybercriminals are focusing on the weak spots, like email attachments, phishing links, and downloads,” Webb said. “This is why organizations must consider the total cost of ownership when making security investments rather than just following the detect-to-fail crowd.”
A new method of covert channel data exchange has been uncovered. It abuses a well-known and widely implemented public key certificate standard (X.509), which underpins both TLS and SSL implementations for securing web communications.
According to Jason Reaves, threat research principal engineer at Fidelis Security, there’s a flaw in the way the certificates are exchanged, which could allow them to be hijacked for command-and-control (CnC) communication. The process also ends up bypassing common security measures.
Reaves created a proof of concept (PoC) that shows a malicious binary being transferred over TLS negotiation traffic to simulate a threat actor transferring the Mimikatz data-extraction malware to an already compromised system.
Essentially, certificates are exchanged during the TLS handshake, before the secure connection is made. By placing arbitrary binary data into the certificates themselves, Reaves uncovered a system that could be used to send or receive data from both a client and a server perspective. Meanwhile, the data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values. As he explained in an analysis:
X.509 certificates have many fields where strings can be stored...The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse...takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.
When it comes to mitigation and detection, the PoC uses self-signed certificates, so blocking self-signed certificates at the perimeter could be a useful protection mechanism for these attacks. Another possibility for signaturing is checking for executables in certificates.
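As an added example (not Reaves’ PoC or any Fidelis code), the following pure-Python DER walker applies the detection ideas above to a certificate: it flags extension values that start with an executable header, are not themselves well-formed DER, or are oversized. The OID 1.3.6.1.4.1.99999.1 and the unsigned, certificate-shaped sample inputs are constructed placeholders, not real certificates.

```python
"""Added defensive example (not the Fidelis PoC): walk a DER-encoded X.509
certificate and flag extension values that look like smuggled binaries: an
executable header, a value that is not itself well-formed DER (RFC 5280 says
extnValue wraps DER), or an oversized value."""
PE_MAGIC, ELF_MAGIC = b"MZ", b"\x7fELF"

def encode_len(n):
    """DER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    """Wrap payload in a DER TLV with the given tag byte."""
    return bytes([tag]) + encode_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    return tag, pos + header, pos + header + length

def iter_children(buf, start, end):
    """Yield the TLVs laid end to end between start and end."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def iter_extensions(buf, start=0, end=None):
    """Recursively yield (oid, extnValue) for every X.509 Extension, i.e. a
    SEQUENCE { OID, [BOOLEAN critical], OCTET STRING } anywhere in buf."""
    end = len(buf) if end is None else end
    for tag, vs, ve in iter_children(buf, start, end):
        if not tag & 0x20:  # primitive type: nothing to descend into
            continue
        kids = list(iter_children(buf, vs, ve))
        if tag == 0x30 and [k[0] for k in kids] in ([0x06, 0x04], [0x06, 0x01, 0x04]):
            yield decode_oid(buf[kids[0][1]:kids[0][2]]), buf[kids[-1][1]:kids[-1][2]]
        else:
            yield from iter_extensions(buf, vs, ve)

def is_single_der_tlv(value):
    """True when value is exactly one well-formed TLV, as extnValue should be."""
    try:
        _, vs, ve = read_tlv(value, 0)
    except IndexError:
        return False
    return vs <= len(value) and ve == len(value)

def suspicious_extensions(cert_der, max_len=1024):
    """Return [(oid, length, reasons)] for extension values worth a closer look.
    max_len is a tuning knob; keep it above what your CAs legitimately emit."""
    findings = []
    for oid, value in iter_extensions(cert_der):
        reasons = []
        if value.startswith(PE_MAGIC) or value.startswith(ELF_MAGIC):
            reasons.append("executable header")
        if not is_single_der_tlv(value):
            reasons.append("not DER-encoded")
        if len(value) > max_len:
            reasons.append(f"oversized ({len(value)} bytes)")
        if reasons:
            findings.append((oid, len(value), "; ".join(reasons)))
    return findings

# ---- constructed sample input: certificate-shaped DER, unsigned, not real certs
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")     # 2.5.29.19
OID_PRIVATE = bytes.fromhex("2b06010401868d1f01")  # placeholder 1.3.6.1.4.1.99999.1

def extension(oid_bytes, value):
    return der(0x30, der(0x06, oid_bytes) + der(0x04, value))

def fake_cert(extensions):
    """Certificate { TBSCertificate { version, serial, [3] Extensions }, sigAlg, sig }."""
    exts = der(0xA3, der(0x30, b"".join(extensions)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + exts)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

BENIGN_CERT = fake_cert([extension(OID_BASIC_CONSTRAINTS, bytes.fromhex("30030101ff"))])
COVERT_CERT = fake_cert([
    extension(OID_BASIC_CONSTRAINTS, bytes.fromhex("30030101ff")),
    extension(OID_PRIVATE, b"MZ" + b"\x90" * 2000),  # stand-in for a smuggled PE
])
```

Real certificates carry legitimately large extensions (SCT lists, policy statements) and some CAs emit non-DER values, so treat hits as triage leads to be tuned per environment rather than hard blocks.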
While no exploit has yet been seen in the wild, the widespread use of these certificates means that many organizations are potentially open to this new data transfer method, which in and of itself is not all that unusual.
“Using covert channels to move data across a network is not new…Appending data to ICMP, for example, was proposed as a means to transfer data back in 2005, with citations pointed to publications from 1997,” Reaves said. “Indeed, one of the earliest mentions of practical covert channel use comes in a government publication from 1993. Researchers continue to find novel ways to abuse protocols and RFC implementations to achieve difficult-to-detect data transfer methods.”
Every NHS Trust has failed to meet the recommended data security standards, a parliamentary committee has heard.
NHS Digital deputy chief executive Rob Shaw told a Public Accounts Committee hearing that his agency had completed 200 on-site assessments, and no Trusts had managed to meet the recommendations set out by Fiona Caldicott.
The national data guardian for health and care set out 10 data security standards, confirmed by the government in July 2017.
These include accreditation to the government-backed Cyber Essentials Plus scheme, which aims to improve baseline security with a series of best practice steps organizations can take. Unlike the regular Cyber Essentials scheme it requires a third-party assessment.
The requirements include basic steps to help mitigate the risk of phishing, hacking, password-guessing and more. It covers five technical control areas: firewalls; secure configuration; access controls; malware protection; and patch management.
However, Shaw suggested that even this was too high a standard for the NHS Trusts that were assessed.
“The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar,” he told the committee. “So some of them have failed purely on patching which is what the vulnerability was around WannaCry.”
The committee was holding an inquiry into the ransomware outbreak which is said to have led to an estimated 19,000 cancelled appointments and operations. It could have been wholly prevented if NHS organizations had patched the Windows vulnerability they were told to two months earlier.
Neil Haskins, director of advisory services at pen testing firm IOActive, described the news as “shocking.”
“Unfortunately, the NHS is more used to treating the symptoms of its patients, rather than causes of disease, and the same could be said for its approach to cybersecurity. In almost all cases in cybersecurity, however, by the time symptoms appear, it is too late,” he told Infosecurity.
“In the wake of WannaCry, if you were waiting for a life-saving operation, it may have been cancelled. If you were in a car crash, the ambulance may have been diverted 40 miles away. Forget your run-of-the-mill breach, where data and trust is all that’s lost. WannaCry was a genuine loss-of-life cyber-event, all because Windows 7 wasn’t patched. Is that acceptable for an organization, trusted with the care and well-being of you and your loved ones?”
He argued that the NHS and other organizations need to move away from a tick-box approach to cybersecurity to one where vulnerabilities are continuously being spotted and mitigated.
“Cyber and information security is not an IT issue, it’s a business one. As such, the NHS should absolutely be focused on having skilled experts providing actionable intelligence, enabling them to make business decisions based on risk, impact and likelihood,” Haskins concluded.
“Action should be taken on this advice, driven from the top down.”
An alleged British hacker has won a legal appeal against extradition to the US.
Lauri Love, 33, from Stradishall, Suffolk, was arrested back in 2013 under the Computer Misuse Act on suspicion of hacking the FBI, NASA, and the Federal Reserve, among other targets.
In September 2016 a judge at Westminster Magistrates' Court ruled that Love should be extradited to the US and two months later home secretary Amber Rudd signed the order, despite a letter from MPs sent to Barack Obama requesting he halt the process.
Love has Asperger’s syndrome and depression, and his lawyers argued that he was at “high risk” of killing himself if sent to the US to face charges.
He could face a sentence of up to 99 years behind bars if found guilty.
On Monday, judges at the High Court in London agreed, ruling that an extradition would be “oppressive by reason of his physical and mental condition.”
“We accept that the evidence shows that the fact of extradition would bring on severe depression, and that Mr Love would probably be determined to commit suicide, here or in America," they said, according to the BBC.
Lord Chief Justice Lord Burnett and Mr Justice Ouseley apparently claimed that the CPS — which had been arguing for Love’s extradition — should now be working with the US authorities, because of the “gravity of the allegations in this case, and the harm done to the victims.”
Love is alleged to have stolen troves of data from various US agencies in 2012 and 2013.
His case is reminiscent of fellow Asperger’s sufferer Gary McKinnon, who fought a long and ultimately successful campaign against extradition to the US after then-home secretary Theresa May stepped in to claim such a move would be “incompatible with Mr McKinnon's human rights.”
Love’s ordeal is far from over, however, with the US authorities given a fortnight to request an appeal hearing at the UK Supreme Court.
Nearly three-quarters of global firms fell short of adequate cyber-readiness, despite the majority ranking online threats as the number one risk to their business, according to Hiscox.
The insurer’s Cyber Readiness Report 2018 used interviews with a representative sample of 4000 organizations in the US, UK, Germany, Spain and the Netherlands to assess their cybersecurity strategy and the quality of its execution.
The annual report found that only 11% scored highly enough in both areas to be ranked as cybersecurity “experts,” while 16% achieved expert status in either strategy or execution, but not both.
Yet the cyber-threat is well understood: two-thirds of respondents claimed it’s their top business risk, alongside fraud.
Perhaps unsurprisingly, large firms and those that spend more on security were judged to be the best prepared.
Some 21% of large companies ranked as cyber experts, versus only 7% of small firms, while cyber-experts spend twice as much on IT as those that failed the test ($19.8m versus $9.9m) and devote a higher proportion to cybersecurity (12.6% versus 9.9%).
The good news is that spending is on the rise, with 59% of respondents planning to increase their outlay on security.
Almost half (45%) of those polled claimed to have suffered at least one attack over the previous 12 months, and 66% of them were hit twice or more, with financial services, energy, telecoms and government sectors the biggest targets.
The average cost across all respondents of these attacks was only $229,000, although this rose to up to $20m for individual UK and German firms and $25m for their US counterparts.
Nick Hammond, lead advisor for financial services at World Wide Technology, argued that the report should be a reminder to those in the financial sector of the difficulty of getting security right.
“This kind of protection is all the more necessary this year, in the wake of new regulations such as MiFID II, PSD2 and GDPR. Unlike older rules that only required yearly tick-box compliance exercises, these new regulations require continued assurance of critical applications,” he added.
“But with the complexity of existing IT systems, which have been built with different and sometimes opposing metrics over the years, this is easier said than done. This web of opaque interdependencies is creating problems for cyber security. Without a clear view of how the system is plumbed together, there can be knock-on effects downstream when one application is prevented from sharing data with another system or user.”
The celebration, held at Grosvenor House, was attended by 1200 people, hosted by Maggie Philbin OBE, CEO of TeenTech, and keynoted by Baroness Martha Lane-Fox.
Ten women were shortlisted in the Security Champion of the Year category, which Emily Biggs won. The full shortlist was:
- Rebecca Angwin, IBM
- Kiran Bhagotra, ProtectBox
- Naina Bhattacharya, Deloitte
- Emily Biggs, Digital Shadows
- Helena Fearon, Auto Trader
- Jane Frankland, Cyber Security Capital
- Emma Leith, BP
- Lesley Marjoribanks, RBS
- Zuzana Skrinarova, Yoox Net-a-Porter Group
- Elisabetta Zaccaria, Secure Chorus
Over the next couple of weeks, Infosecurity will be running a mini interview series featuring each of the shortlisted Security Champion contestants.
Today, we feature Emily Biggs, winner of the Women in IT Awards security champion category.
Infosecurity Magazine: How did it feel to win the security category at the Women in IT awards?
Emily Biggs: Surprised more than anything. Although we are in a minority, there are a huge number of fantastic women working in this space and it really is a privilege to be recognized amongst them.
IM: What do you think gave you advantage over the others shortlisted?
EB: My role is to shape the Digital Shadows SearchLight product, so I would think that its success was a big part of the decision.
IM: What was your route into cybersecurity?
EB: I studied computer science at university and started my career as a developer and architect. I had the fantastic opportunity to join Digital Shadows just as it was starting out.
IM: If you weren’t an infosec professional, what would be your dream job?
EB: I always wanted to be a marine biologist when I was younger, but I get terrible sea sickness!
IM: What’s the best thing about your job?
EB: Working at a small company where what I do every day makes a real difference to our customers and the success of our business.
IM: If you could give your 21-year-old self just one piece of career advice, what would it be?
EB: Don’t think twice about joining a start-up – succeed or otherwise you will learn more than you can imagine.
IM: What’s your biggest professional regret?
EB: No longer coding every day. I love my role and I wouldn’t change my decisions to get to this point, but there is something extremely rewarding about developing algorithms and physically writing software.
IM: Who do you really admire in the industry?
EB: Baroness Martha Lane Fox gave a really inspiring keynote speech at the awards ceremony and her contribution to gender equality within technology has been immense.
IM: If you could change one thing about the information security sector, what would it be?
EB: Although cheesy, given the context of these awards, I do think equality and diversity really needs to change within our sector. The fact that our sector is so homogeneous actually stops us being as effective as we could be in achieving our goals.
IM: What’s your guilty pleasure?
EB: Tequila! Although I'm 7 months pregnant so that is off the table for a while.
IM: What’s your take on the women in information security conversation…Are you fed up of talking about it? Or do we need to talk about it more?
EB: I have always thought of myself simply as a person in technology doing the best I can at whatever opportunity is in front of me but unfortunately the stats on gender equality within our sector are hard to argue with. For that reason alone, I do think equality and diversity still needs to be part of the conversation for our industry to be as successful as it can be. In my mind, the defining attributes of anyone within the workplace should be their effectiveness in their role not their gender, race, disability or sexual orientation. Hopefully one day that is the only conversation that needs to be had.
Bio: Emily joined Digital Shadows at its inception 6 years ago and developed its core product, SearchLight, growing the company’s development team. She now oversees all product strategy for the company. Emily specializes in architecting enterprise-level critical systems, particularly in the big data risk intelligence domain. She previously worked at BAE Systems Detica as lead developer, technical project manager, and technical architect. She holds a degree in computer science from Oxford University.
A new Adobe Flash zero-day vulnerability (CVE-2018-4878) has been spotted being exploited in the wild.
The vulnerability exists in Adobe Flash Player 220.127.116.11 and earlier versions; successful exploitation could allow an attacker to take control of the affected system.
The actors are using a malicious document or spreadsheet with an embedded SWF file. Once the document is opened and the exploitation successfully launched, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea.
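The delivery vector described above, a document or spreadsheet carrying an SWF, suggests a cheap first triage filter. The following is an added example written for this digest (not FireEye's or Cisco's tooling): it scans every part of an OOXML (zip-based) Office file, or the whole blob of a legacy binary file, for plausible SWF headers, using the format's own structure to cut false positives. The document layout, the embedded part name and the SWF header bytes are constructed samples.

```python
"""Triage check: does an Office document carry an embedded Flash (SWF) object?

Added example (not FireEye's or Cisco's code): exploit documents for this bug
carry the SWF inside the file, so scanning for SWF headers is a cheap first
filter. Works on OOXML (zip-based .docx/.xlsx) parts and on legacy binary files.
"""
from __future__ import annotations

import io
import re
import zipfile

SWF_MAGIC = re.compile(rb"[FCZ]WS")
SWF_KIND = {b"F": "uncompressed SWF", b"C": "zlib-compressed SWF", b"Z": "LZMA-compressed SWF"}
MAX_SWF_VERSION = 40  # generous upper bound on real SWF version numbers


def _swf_hits(blob: bytes) -> list[tuple[int, str, int]]:
    """Return (offset, kind, version) for plausible SWF headers inside blob.

    An SWF header is 3 magic bytes, a version byte and a 4-byte little-endian
    uncompressed length. Structural checks cut random "CWS" text matches."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 9 > len(blob):
            continue
        version = blob[off + 3]
        length = int.from_bytes(blob[off + 4:off + 8], "little")
        if not (1 <= version <= MAX_SWF_VERSION and length >= 8):
            continue
        kind_byte = blob[off:off + 1]
        if kind_byte == b"F" and length > len(blob) - off:
            continue  # uncompressed length cannot exceed what follows the header
        if kind_byte == b"C" and blob[off + 8] != 0x78:
            continue  # zlib stream must start with a CMF byte of 0x78
        hits.append((off, SWF_KIND[kind_byte], version))
    return hits


def find_embedded_swf(document: bytes) -> list[tuple[str, int, str, int]]:
    """Scan every part of an OOXML file, or the whole blob of a legacy file."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(document)):
        with zipfile.ZipFile(io.BytesIO(document)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                for off, kind, ver in _swf_hits(zf.read(info)):
                    findings.append((info.filename, off, kind, ver))
    else:
        for off, kind, ver in _swf_hits(document):
            findings.append(("<raw>", off, kind, ver))
    return findings


def build_sample_document(with_swf: bool) -> bytes:
    """Constructed OOXML-like zip; the SWF part path and header bytes are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        # Decoy text containing the letters "CWS" that must not be flagged.
        zf.writestr("word/document.xml", "<w:document>Quarterly CWS report</w:document>")
        if with_swf:
            header = b"FWS" + bytes([8]) + (64).to_bytes(4, "little")
            zf.writestr("word/embeddings/oleObject1.bin", header + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_embedded_swf(build_sample_document(True)):
        print(finding)
```

A hit only says that Flash content is present, which is unusual enough in inbound documents to warrant a sandbox detonation or analyst review; it does not by itself prove exploitation of this CVE.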
FireEye also said that the actor behind the attack appears to be a North Korean group known as TEMP.Reaper – a group that typically targets South Korean government, military and defense-industrial entities. Cisco calls the group Group 123.
“We have observed TEMP.Reaper operators directly interacting with their command-and-control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang,” FireEye researchers said in an analysis. “The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific.”
FireEye’s preliminary analysis indicates that the actors are exploiting the vulnerability to distribute the DOGCALL malware to South Korean victims; Cisco calls the malware ROKRAT. In any case it’s a remote administration tool (RAT), which contains a wiper as one of its modules and is mainly focused on espionage and data exfiltration.
The wiper is a new trick for TEMP.Reaper/Group 123. “In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY,” said FireEye. “While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.”
Adobe plans to release a fix for the issue this week.
The espionage campaign against Winter Olympics targets has widened its net, with several second-stage implants providing attackers with top-tier spyware capabilities and the ability to achieve permanent persistence on victim machines.
McAfee's Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The gambit used a targeted spear-phishing email with a malicious document attached, which was sent to 333 victim organizations. Once executed, the document paved the way for a basic PowerShell implant that established a channel to the attacker’s server to gather system-level data and that employed image steganography techniques to hide.
“What was not determined at that time was what occurred after the attacker gained access to the victim’s system,” McAfee researchers said.
McAfee ATR has now discovered that additional implants are being used as a second-stage payload in the Olympics-related attacks, used to gain persistence for continued data exfiltration and for targeted access: Gold Dragon, Brave Prince, Ghost419 and RunningRat, all named for phrases found in their code.
“The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed,” McAfee said. “The implants are delivered as a second stage once the attacker gains an initial foothold using file-less malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.”
The Gold Dragon Korean-language implant was first seen on Christmas Eve.
“The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server,” McAfee said. “[It] acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system.”
Brave Prince meanwhile gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes and more; Ghost419 is also system reconnaissance malware and shares code with Gold Dragon. Stealing keystrokes is the main function of RunningRat; however, it contains code for more extensive functionality, including copying the clipboard, deleting files, compressing files, clearing event logs, shutting down the machine and much more. It’s unclear how the additional code could be executed.
“With the discovery of these implants, we now have a better understanding of the scope of this operation,” researchers said. “Gold Dragon, Brave Prince, Ghost419 and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.”
McAfee said that a North Korean threat actor is likely behind the attacks.
Octoly, a Paris-based brand marketing company, has inadvertently revealed the contact information and personal details of 12,000 social media stars.
Octoly supplies the online celebs with beauty products and merchandise from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme and Blizzard Entertainment. UpGuard's Cyber Risk Team discovered that the company had a misconfigured cloud storage bucket that made public a raft of information about these influential "creators" – mostly Instagram, Twitter and YouTube personalities.
The information includes real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates. Also exposed were authentication tokens that could be used to take over accounts and thousands of hashed user passwords which, if cracked, could lead to password reuse attacks against various online accounts belonging to creators, whose usernames are also in the repository.
The names of 600 brands that use Octoly’s services were included as well.
The Amazon Web Services S3 storage bucket (now closed) also includes 12,000 Deep Social reports, which have been generated for each individual creator registered with Octoly. These reports provide highly detailed and specific analysis of creators’ online influence, down to the ages, interests and locations of followers, as well as which brands are most appealing to them – corporate intelligence that could be damaging if made available to competitors.
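The root cause here is a storage bucket reachable by anyone. As an added example (not UpGuard's or Octoly's code, and not an AWS tool), the following Python performs a static check over an S3 bucket policy document, showing a weak policy of the kind that exposes a bucket to the whole internet next to a least-privilege replacement. The bucket name, account ID and role name are placeholders.

```python
"""Flag S3 bucket policy statements that grant anonymous read or list access.

Added example (not UpGuard's or Octoly's code): a static check over a bucket
policy document, with a weak policy of the kind that exposes a bucket to the
whole internet next to a least-privilege replacement. Bucket and account
identifiers are placeholders.
"""
from __future__ import annotations

import json

# Actions that let an anonymous caller enumerate or fetch objects. Wildcards
# such as "s3:Get*" are not expanded here; a production check should do so.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> list[str]:
    """Return the Sid of every unconditional Allow that gives anyone read/list rights.

    Deny statements, bucket ACLs and S3 Block Public Access are evaluated by AWS
    on top of this and are not modelled here."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


# Weak: the pattern behind most "open bucket" leaks (placeholder bucket name).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-creator-reports",
                     "arn:aws:s3:::example-creator-reports/*"],
    }],
})

# Hardened: one named role may fetch objects; nobody may list the bucket anonymously
# (placeholder account ID and role name).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportProcessorRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportProcessor"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-creator-reports/*",
    }],
})


if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

The check is deliberately narrow: a statement that carries a Condition (for example restricting access to one VPC endpoint) is not flagged, because whether it is safe depends on the condition. Bucket ACLs with an AllUsers grant are a separate exposure path that a policy review alone will not catch, which is why enabling S3 Block Public Access at the account level is the usual belt-and-braces control.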
“The potential for identity theft, password reuse attacks and account takeovers of affected creators, launched by malicious actors, is considerable,” the UpGuard team said in a blog. “This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives.”
It also “invites the danger of gruesome ‘swatting’ attacks on their homes,” the researchers added. Swatting is a harassment tactic where someone hoaxes an emergency services dispatcher or 911 operator to send police or an emergency service response team to another person's address.
Octoly faces potentially significant business damage as a result of this leak.
“The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers,” UpGuard said. “The publication of the brands using Octoly’s services also introduces the specter of third-party vendor risk, in which external partners can leak damaging internal information shared out of necessity…The essence of third-party vendor risk is that an external entity can, by the very nature of modern data sharing, expose other enterprises to risks they would not otherwise invite.”