A plea by a blockchain voting company for the US Supreme Court to consider good-faith security researchers a threat to cybersecurity has been opposed by industry leaders.
Amicus briefs are legal documents filed in appellate court cases by non-litigants with a strong interest in the subject matter. The briefs advise the court of relevant additional information or arguments that the court might wish to consider.
The brief submitted by Voatz argues in favor of a broad interpretation of the Computer Fraud and Abuse Act (CFAA) and positions independent security researchers seeking to detect vulnerabilities and bring them to the attention of vendors as "a threat" to cybersecurity.
Today, cybersecurity leaders from the private and public sector signed a formal letter in opposition to the amicus brief from Voatz.
The letter urges the US Supreme Court, Congress, regulators, and election officials to discount Voatz’s arguments and instead adopt a narrow interpretation of the CFAA. This alternative perspective is supported by the Electronic Frontier Foundation, Professor Orin Kerr, Atlassian, Mozilla, and Shopify, among others.
Those in favor of a narrow interpretation believe that a broad interpretation could jeopardize security research at a national level and cause legal prohibitions to impede what they see as a societal obligation inherent in such work.
The letter was submitted by leading security researcher Jack Cable on behalf of a coalition of key members of the cybersecurity community.
"Hackers are here to defend every aspect of our lives. From finding vulnerabilities in social networking software housing precious data to searching for security holes in elections systems, our democracy directly depends on those who can preserve our information and our votes from being abused," said Alex Rice, CTO and co-founder of HackerOne and one of the letter's signatories.
"This work is vital—even required for federal civilian agencies under CISA’s Binding Operational Directive 20-01—and we must establish the proper protections for those who do it."
The top security projects for 2020 and 2021 include focus on the cloud, authentication and risk.
Speaking at the Gartner Security and Risk Virtual Summit, Gartner analyst Brian Reed said the initial forecast on projects had changed due to COVID-19, and have been constantly adjusted since then. “We can see that there are areas that have marked a considerable growth from a market standpoint and an annual growth rate,” he said.
Looking back at last year’s top projects, Reed said in 2019, five were new and five were existing; this year there are eight new projects, and these “focus heavily on risk management and understanding process breakdowns.”
He also claimed that “basics” still need to be done before the top 10 projects are considered, and some “may include considerable effort, some may include culture changes and some may include considerable cost.” However, he said these should be considered as the cost of doing business “and there are some basic capabilities here to take advantage of before we get a little bit more sophisticated through any new projects.” The top projects for 2020-2021 were:
Securing the Remote Workforce: Reed said this has become the single greatest imperative for all organizations, and “this must focus on business requirements” and enable users and groups as they deal with their work responsibilities.
Risk-Based Vulnerability Management: Reed said vulnerability management was discussed last year, and we have to understand that systems will never be 100% patched, and aim to patch those vulnerabilities which present the most risk to the organization. This should include vulnerabilities that are exploitable, or have proven exploits in the wild. “This exercise goes beyond the bulk telemetry that most enterprises are using today,” he explained. “It is also worth noting that a significant amount of effort, particularly in this last mile, is going to be on the application owners, or operations or infrastructure side of IT, to take care of patching, and it is security’s job to recommend the patches, while it is someone else who is implementing and putting in these patches.”
Extended Detection and Response: Reed explained that this is different from SOAR and SIEM, as it is a unified incident detection and response platform that automatically collects and correlates data from multiple proprietary components. This is about improving detection accuracy and threat containment, and improving the overall incident management program.
Cloud Security Posture Management: As part of a focus on cloud and cloud application security tools, Reed said this is about providing management capabilities, including the ability to take action on policy violations, as these deliver risk identifications by reviewing cloud audit and operational events, and can provide a map to frameworks and controls to better enable compliance.
Simplify Cloud Access Control Project: The second cloud project. Reed said this is typically implemented through a CASB tool, which offers real-time security controls through either an inline proxy that can do policy enforcement or active blocking, as well as the flexibility to start out in an API or monitoring mode.
DMARC: Reed said this is by no means a single answer for email security, but it can provide an additional level of trust and verification. This is because email is easily spoofed, and we rely on it too much, and DMARC can provide verification. “It can be a good tactical project and a quick win in a lot of ways to improve email security; it should really be one part of a holistic approach to email security.”
Passwordless Authentication: Citing a statistic that found 70% of users re-use passwords between the work and personal world, Reed said there are a number of options where a second factor can be used instead of a password, such as a known asset like a phone, tablet, keyfob or smart watch. There are also further examples of using a zero-factor or multi-factor authentication. “Complete elimination of passwords is still far off and we will ultimately never get rid of passwords, but there are a number of innovative approaches that we can take to turn static passwords from a liability into something that can be an asset,” he said.
Data Classification and Protection: This is one way to ensure data is treated with appropriate care, since not all users and data have the same value, and without classification data ends up over- or under-protected. “We need to have the right level of automated versus manual on data classification and policies, and the answer is to use a bit of both.” He recommended getting the processes and definitions right before layering in the technology.
Planning for Digital Business Initiatives: This should consider the skills of your employees, and having the right people in the right roles. “So the importance of digital competencies is not to be understated,” he said. He claimed there is too much seeking unicorn candidates, and businesses need to realize that the perfect candidate does not exist.
Risk Assessment Automation: The last project relates to risk management, and can help security teams understand risks related to security operations. Reed cited a statistic which showed that 58% of security leaders consistently perform risk assessments for all significant new projects. “There is clearly work to do here, and there is clearly an opportunity to automate some of the risks and provide the business some visibility into where some gaps in a risk assessment might be.”
Reed said the other projects that were also reviewed were:
- Employee monitoring and surveillance technologies
- Threat attribution services
- Automated threat hunting
- Cyber-range and cyber-simulation systems
- Chatbot-based security awareness and education
- Biometric credential detection/protection
- Quantum everything
- Secure Access Service Edge (SASE)
- Cyber-physical security
The COVID-19 pandemic has presented an opportunity to create new security and risk professionals with “endless” opportunities.
Those were the words of Jeffrey Wheatman, Gartner VP analyst, speaking in the opening keynote of the Gartner Security and Risk Virtual Summit.
Wheatman explored how 2020 has turned out to be a challenging year and stated that the COVID-19 pandemic has “highlighted how uncertain our personal and business environments actually are.” Organizations are facing new risks due to changes and “defining risk appetite has become even more of a challenge for security leaders” this year, he added.
Wheatman said the ability to “balance change and chaos” is critical to working with business stakeholders regarding setting and managing an organizational risk appetite. However, in citing Gartner research, Wheatman said 70% of respondents believe investment in risk management is not keeping up with the newer and higher level of risks. “We see a huge opportunity ahead,” he said. “Security leaders must lead the charge in accelerating digital business, managing the risks in both volume and impact, responding with both agility in both proactive and reactive manners and maturing processes, while implementing cost optimization and evaluating investments in technologies and services.”
He explained the good news is that business executives continue to focus on security as a strategic issue, as organizations look at security as a way to help them transform their operating models. “As security and risk professionals, you have a fundamental role to play in helping your organizations through this transformation while avoiding unnecessary risk,” he said.
“You have a unique ability to give them the insights and tools to help them balance risk with the potential opportunity of digital transformation.”
He also said there has been an emergence of “dedicated trust and security teams focused on protecting our digital perimeters.” He added that these teams are tasked with assessing and remediating risks as risks increase, as the traditional data center model moves to a more cloud-based model, where network security evolves and identity replaces the traditional perimeter. This has led to the adoption of both Secure Access Service Edge (SASE) and zero trust network access.
Concluding, Wheatman said, as security and risk professionals, we could not have predicted the pandemic nor the subsequent impact, “however you have proven to be indispensable in helping the enterprise reduce the risk impact of many of the consequences of those disruptions. With your expertise in identifying, assessing and managing the new risks inherent in these technologies, the opportunities to succeed are endless.”
Oracle appears to be in the driving seat to secure a much-touted deal with TikTok-owner ByteDance, although as a partner rather than owner of the social app.
Microsoft, which was the first to announce its intention to bid for the firm in early August and was later joined by Walmart, posted a brief statement on Sunday confirming it had not been successful.
“ByteDance let us know today they would not be selling TikTok’s US operations to Microsoft. We are confident our proposal would have been good for TikTok’s users, while protecting national security interests,” it said.
“To do this, we would have made significant changes to ensure the service met the highest standards for security, privacy, online safety and combatting disinformation, and we made these principles clear in our August statement. We look forward to seeing how the service evolves in these important areas.”
The rush to secure new US owners for the Chinese app was driven by new concerns from the Trump administration over Beijing-sponsored global surveillance. An executive order gives until tomorrow (September 15) before TikTok is effectively shut down in the US.
However, China has hit back by banning the sale of some homegrown AI technology, which could include the all-important algorithm behind TikTok. That could seriously reduce the value of any subsequent sale.
According to reports, Oracle is now primed to do the deal with ByteDance, although as a “technology partner” rather than outright owner. That would most likely see the enterprise IT giant merely host TikTok data on its extensive cloud infrastructure — a much diminished relationship from the one Trump envisaged, as ByteDance will still be its owner.
With final approval from both Washington and Beijing still needed over any future deal for TikTok, there’s still plenty of time for new developments.
The Forensic Risk Alliance (FRA) has today announced the appointment of Harsh Sutaria as its first chief innovation officer.
The FRA is a forensic accounting, data governance, information management and compliance consultancy firm specializing in international corruption and fraud investigations.
Sutaria brings almost 15 years of experience in information governance and delivering pre-sales, professional and consulting services to the newly-created role. He will lead and expand FRA’s technology solutions offerings, advance innovation capabilities within the organization and drive new growth.
Sutaria said: “FRA is a market-leading consultancy with a proven track record of leveraging advanced technology to enhance client service, and I’m excited to lead this new chapter of innovation for the firm and uncover new ways to optimize technology-driven solutions to improve case management and reduce overall costs for clients navigating complex litigation, investigations and regulatory issues.”
Frances McLeod, founder, FRA, added: “We are delighted to welcome Harsh as our first chief innovation officer. His appointment is a significant step for FRA as the need for advanced technology solutions in investigating corruption and fraud is becoming increasingly critical. Cultivating innovation capabilities is central to the growth of our technology offering and we are confident that Harsh will develop and implement best practices to continue to serve our clients.”
Security researchers have discovered hundreds of vulnerabilities across major hotel, airline and travel booking websites, some of which have already suffered major breaches.
UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools.
They found Marriott-owned websites were riddled with 497 bugs including over 100 assessed to be “high” (96) or “critical” (18). Some of these could have allowed an attacker to target users and their data, Which? said.
“We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had ‘no reason to believe’ that its customer systems or data had been compromised,” Which? explained.
“It also claimed that some findings were ‘not attributable to Marriott,’ while others ‘could not be validated.’ It didn’t supply any specific examples of mitigations, but said that it would be ‘taking a closer look at and addressing Which?’s findings’.”
Marriott is facing a large fine from regulator the Information Commissioner’s Office (ICO) after last year revealing a historic breach of 339 million customers’ data.
Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users’ browsing sessions.
The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites.
British Airways was found to have 115 vulnerabilities on its websites including 12 judged to be critical. Although most of the issues identified were thought to be related to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated.
BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO.
Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute.com which could allow attackers to create fake log-in accounts.
“Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals,” argued Which? Travel editor, Rory Boland.
“Travel companies must up their game and better protect their customers from cyber-threats, otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced.”
Global users of 70+ dating and e-commerce sites have had their personal data exposed after a popular marketing software provider misconfigured an online database.
Discovered by an ethical hacker and reported to vpnMentor, the issue is an unsecured and unencrypted Elasticsearch database, managed by Cyprus-headquartered Mailfire.
“The data was being stored on an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers explained. “However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time.”
The database itself sat behind a notification tool used by Mailfire clients to market to their users and notify them about private chat messages.
Most of the 70+ sites affected were dating sites from around the world, including South America and Asia.
When first discovered, the database was storing over 882GB of data from the previous four days. This contained over 370 million records for 66 million individual notifications sent during that time. These were mainly sent to alert users of new messages from potential dating matches, said vpnMentor.
As such, personally identifiable information (PII) including full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pics were exposed, as well as potentially embarrassing conversations between dating site users.
“It’s also possible older data had been stored before this time,” said vpnMentor. “However, it appears that the exposed server was the victim of a recent and ongoing ‘Meow’ cyber-attack campaign that has been targeting unsecured Elasticsearch servers and wiping their data.”
The leak could have exposed hundreds of thousands of users from over 100 countries to the risk of fraud, identity theft and phishing/malware, account takeover, and potentially even blackmail.
Interestingly, many of the sites affected by the leak appeared to be scams themselves, flooded with chatbots and fake profiles to encourage sign-ups.
“We found throughout several websites that disingenuous accounts were a huge issue. Many profile photos used were registered on scam databases or reused across accounts. Some were simply photos of celebrities found online,” explained vpnMentor.
“Many of the sites had complicated, difficult to understand payment structures and some refused to offer refunds. Some required a credit card as ‘proof of age,’ yet the fine print declared the card would be charged $29.90 monthly.”
When notified, Mailfire took full responsibility for the incident and immediately remediated the leak.
The data of around 100,000 Razer customers has been exposed online following a misconfiguration faux pas.
The lapse by the global hardware manufacturing company and eSports and financial services provider was discovered by cybersecurity expert Volodymyr "Bob" Diachenko.
Customer data impacted by the cyber-slipup included full name, email, phone number, customer internal ID, order number, order details, and billing and shipping address.
According to Diachenko, the data was part of a sizable log chunk stored on Razer's Elasticsearch cluster that had been "misconfigured for public access since August 18, 2020, and indeed by public search engines."
The independent cybersecurity consultant and owner of SecurityDiscovery.com said it was unclear precisely how many customers had been affected by the issue.
"The exact number of affected customers is yet to be assessed," said Diachenko, "Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K."
Reporting the misconfiguration mistake to Razer was a frustrating process for Diachenko.
He said: "I have immediately notified the company via their support channel on the exposure, however my message never reached the right people inside the company and was processed by non-technical support managers for more than 3 weeks until the instance was secured from public access."
In a statement sent to Diachenko, Razer said: "We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed."
Razer said it fixed the server misconfiguration on September 9. The company thanked Diachenko for reporting their error and said it would "conduct a thorough review of our IT security and systems."
Diachenko warned Razer customers that they could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.
"Leaving a database publicly accessible, unprotected without even a password, is a preventable yet common cause behind massive data leaks," commented Chris DeRamus, vice president of technology, cloud security practice, at Rapid7.
"In fact, breaches caused by cloud misconfigurations in 2018 and 2019 exposed nearly 33.4 billion records in total."
Cyber-criminals who launched a ransomware attack on a US court have published what they claim are stolen court documents online.
Attackers claim to have successfully targeted the Fourth Judicial District Court of Louisiana with a ransomware strain known as Conti, first detected in the wild in December 2019. The malware has been observed to use the same ransom note deployed by the Ryuk crypto-malware family, and code similarities have been spotted between the two ransomware strains.
Alleged proof of the attack was published on the dark web this week. Those claiming responsibility for the crime have uploaded what appear to be court documents exfiltrated in the incident.
Among the allegedly swiped documents are responsive verdicts for a second-degree kidnapping, an armed robbery, and a case of aggravated rape. Other documents appear to relate to excuses given by jurors and a meeting of judges.
The website of the Fourth Judicial District Court of Louisiana, 4jdc.com, is currently offline. The court covers Ouachita Parish and Morehouse Parish and is one of the state's 42 judicial districts. Cases handled by the court include civil, criminal, and juvenile cases, which are typically heard in Monroe and Bastrop.
Details of how big a ransom the attackers are demanding have not been revealed.
Ransomware attacks are nothing new in the Pelican State. In December 2019, an attack of this nature was carried out against Louisiana educational establishment Baton Rouge Community College. The incident occurred just two days before a planned commencement ceremony at the college.
A month earlier, a major ransomware attack on Louisiana state IT infrastructure forced multiple services offline, including government websites, email, and internal applications.
In July of 2019, the governor of Louisiana declared a state of emergency after ransomware attacks knocked out IT systems in three school districts.
"This situation highlights how every organization possesses valuable data that threat actors can hold for ransom and paralyze operations," commented Hank Schless, senior manager of security solutions at Lookout.
Mulling over how the attack may have unfolded, Schless added: "An advanced hacking group like the one behind Conti would likely use social engineering to convince a target employee to download a document or file to their device."
A member of an organization dedicated to disrupting America's political system has been charged with wire fraud conspiracy.
Project Lakhta manager Artem Mikhaylovich Lifshits of St. Petersburg, Russia, is accused of using IDs stolen from US citizens to open fraudulent accounts at banking and cryptocurrency exchanges.
According to a criminal complaint filed yesterday in the Eastern District of Virginia, the 27-year-old used the accounts to both promote Project Lakhta’s influence operations and for his own personal enrichment.
Based in Russia, Project Lakhta was set up to engage in political and electoral interference operations. Its members have previously been accused of conspiring to interfere with the 2018 midterm election, using social media and email to create and amplify divisive social and political content targeting a US audience.
"Since at least May 2014, Project Lakhta’s stated goal in the United States has been to disrupt the democratic process and spread distrust towards candidates for political office and the political system in general," said a spokesperson for the United States Department of Justice.
For the previous six years, Project Lakhta has attempted to obscure its disruptive activities by operating through a number of entities, including the Internet Research Agency (IRA). The Translator Department, in which Lifshits has fulfilled a managerial role since around January 2017, is alleged to be responsible for much of Project Lakhta’s influence operations.
The US Justice Department said that attempts by the Project to exploit events in America and turn its misled citizens against one another are still ongoing.
“Lifshits participated in this fraud in order to further Project Lakhta’s malign influence goals and for his own personal enrichment," said Assistant Attorney General for National Security John C. Demers.
"This case provides a clear illustration of how these malicious actors fund their covert foreign influence activities and Russia’s status as a safe haven for cyber criminals who enrich themselves at others' expense.”
The Department of Treasury’s Office of Foreign Assets Control (OFAC) designated Lifshits and two other Project Lakhta members for sanctions based on the malicious cyber-enabled activity outlined in the complaint.
“These designations are notable accomplishments in the Secret Service’s relentless efforts to safeguard the financial system from transnational cyber-crime,” said Matthew Miller, special agent in charge, Washington Field Office.
Cybersecurity startup and scaleup companies which have progressed through the London Office for Rapid Cybersecurity Advancement (LORCA) innovation program have collectively raised over £150m in investment in just two years.
This is already 280% above the original target of achieving £40m in funding in three years set at LORCA’s inception in 2018, highlighting the program’s success as well as the recent rapid growth of the UK cybersecurity sector.
LORCA is a government-backed program that aims to act as a launchpad for cyber-companies through innovation and commercialization consultancy, product development and access to industry and more. In July, LORCA announced the 17 scaleups selected to join its fifth cohort of cyber-innovators.
The £153m in investment secured by LORCA cohort companies accounts for 76% of all funds raised by all cybersecurity businesses participating in government scale-up programs, as well as 69% of all cyber-investment in the UK since COVID-19 lockdown measures were introduced in the country in March.
LORCA said that the 72 startups and scaleups it has supported over the past two years have gone on to generate £26.5m in revenue, and are projected to create 800 jobs by 2022.
Speaking whilst visiting LORCA’s London HQ yesterday to mark the program’s two-year anniversary, secretary of state for Digital, Culture, Media & Sport (DCMS) Oliver Dowden, commented: “Good cybersecurity is the bedrock of our digital economy – giving people the confidence to shop, work and play online and keeping businesses safe from cybercrime.
“London Tech Week is a fitting time to mark the government’s investment in LORCA, as its network of cutting-edge UK startups smashes investment targets and creates jobs across the country.”
Saj Huq, director of LORCA, added: “Never before has cybersecurity been of such economic and strategic national importance. In the context of the global health pandemic, the UK’s cyber-entrepreneurs have continued to drive job creation, attract investment and consolidate the country’s position as a global hub for cybersecurity innovation. Breaking the milestone of raising £153m in just two years is testament to the quality and potential of the cyber-startup ecosystem that exists across the UK and the centrality of it to the UK’s long-term prosperity.”
The growth of the UK’s cybersecurity sector during COVID-19 was outlined in The LORCA Report 2020 published in July, which showed UK cyber-startups raised £496m in funding during the first half of 2020.
The adoption of a zero trust concept of security defense has increased due to increased remote working as a result of the COVID-19 pandemic.
According to recent polls by Deloitte, 37.4% of security professionals say the pandemic has sped up their organizations’ zero trust adoption efforts.
In particular, cybersecurity professionals say zero trust adoption is often driven by the framework’s ability to help manage cyber-risks including workforce risks like remote work and insider threats (35.7%) and third party risk (24.8%).
Commenting, Thomas Hatch, CTO and co-founder at SaltStack, said the COVID-19 shift has heightened the liabilities that employees have around trust and authentication, and “allowed for easier infiltration by foreign actors and makes internal threats much easier.” He claimed BYOD and distributed work, on distributed networks, greatly heightens the risks to businesses.
Asked what has posed the greatest challenge to organizations’ adoption of zero trust, a poll of 1036 professionals found 28.3% cited a lack of appropriately skilled professionals, and 28.1% cited a lack of required budget.
Jonn Callahan, principal application security consultant at nVisium, said: “Within modern micro-service deployments, traditional edge-oriented security practices are obsolete. Should an attacker gain access to the internals of a micro-service architecture that does not implement zero trust, it is game over for any defense controls in place; the attacker will likely have carte blanche read and write access to all data handled by the architecture.
“Additionally, I've personally spent years negotiating, arguing and occasionally, fighting with security operations teams on their insistence that security controls only need to be implemented at the edge, regardless if you are running modern or legacy systems. This approach is akin to leaving the bank vault door open 24/7, while pointing to the locked front door as a sufficient control.”
Portland appears to have become the first city in the US to enact a sweeping ban on facial recognition, covering both public and private sector organizations.
The Oregonian city joins other municipalities such as San Francisco and Boston in taking a hard-line stance against the technology, but rather than prohibit its use solely for police and local government, it has extended the ban to all businesses.
In voting unanimously for the motion, city councillors noted that “indiscriminate use of these technologies will degrade civil liberties” and could have a disproportionately detrimental effect on minorities.
“Black, indigenous and people of color communities have been subject to over surveillance and disparate and detrimental impact of the misuse of surveillance,” the ordinance noted. “Face recognition technologies have been documented to have an unacceptable gender and racial bias. The city needs to take precautionary actions until these technologies are certified and safe to use and civil liberties issues are resolved.”
The move comes in contrast to the use of facial recognition in the UK, where police have been conducting widespread trials for years, despite concerns over bias, civil liberties and the lack of a statutory code of practice.
In August, rights groups heralded a “world first” Court of Appeal verdict ruling that use of the technology by South Wales Police was unlawful. However, even then, police chief constable Matt Jukes was quoted as saying that “this is a judgement we can work with.”
Technology giant IBM recently announced it would no longer be selling the technology to police in the wake of the Black Lives Matter protests against racial injustice. Amazon said only that it would “pause” its use.
A UK government-sponsored report back in 2019 warned that the growing use of automation and machine learning algorithms in policing could amplify bias, in the absence of consistent guidelines.
Video and web communications provider Zoom has announced the addition of a new layer of security to its platform – two-factor authentication (2FA).
As explained in a blog post on the company’s website, Zoom’s enhanced 2FA makes it easier for admins and organizations to protect their users and prevent security breaches whilst using the platform.
The announcement follows previous actions taken by Zoom to bolster the security of its service, which have included making available free end-to-end encryption for all users and hiring numerous experienced security experts to provide tailored expertise.
“Zoom’s 2FA within our unified communications platform provides a secure way to validate users and protect against security breaches and provides a number of benefits.” Zoom said these include improved security, enhanced compliance, reduced costs and easier credential management.
With Zoom’s 2FA, users can choose either an authenticator app that supports the time-based one-time password (TOTP) protocol or a code that Zoom sends via SMS or phone call as the second factor in the account authentication process.
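The TOTP option described above is an open standard, so the server-side check can be shown end to end. The following is an added example written for this article, not Zoom's code: an RFC 4226/6238 implementation in Python's standard library with the three checks a verifier needs in practice (clock-skew window, constant-time comparison, and rejection of an already-used counter so a captured code cannot be replayed). The function names and the replay-guard parameter `last_counter` are this example's own choices; the secret is the RFC test value, not a real credential.

```python
"""Added example: HOTP/TOTP (RFC 4226 / RFC 6238) generation and verification."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password for a given counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based variant (RFC 6238): counter = number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time // step), digits, algo)


def verify_totp(secret: bytes, candidate: str, at_time: float, last_counter=None,
                step: int = 30, window: int = 1, digits: int = 6, algo=hashlib.sha1):
    """Return the counter the candidate matched, or None if it is rejected.

    Accepts +/- `window` steps of clock skew between client and server,
    compares in constant time, and refuses any counter <= `last_counter`
    (the caller persists the returned counter) so a sniffed code is single-use.
    """
    if not (isinstance(candidate, str) and candidate.isdigit() and len(candidate) == digits):
        return None
    current = int(at_time // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, digits, algo), candidate):
            if last_counter is not None and counter <= last_counter:
                return None                                   # replay of an accepted code
            return counter
    return None


def to_base32(secret: bytes) -> str:
    """Enrollment form of the secret, as authenticator apps expect it in the otpauth URI."""
    return base64.b32encode(secret).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    """Decode a user-typed base32 secret, tolerating spaces, lowercase and missing padding."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret, not a real credential
    now = time.time()
    code = totp(secret, now)
    print("code:", code, "accepted at counter:", verify_totp(secret, code, now))
```

The values checked below are the published RFC test vectors, which is how any new TOTP implementation should be validated before it guards real logins. Note that SMS and voice delivery, the other option Zoom offers, has no such cryptographic binding and remains exposed to SIM-swap and interception, which is why authenticator apps are the stronger of the two factors offered.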
Commenting on the news, Niamh Muldoon, senior director of trust and security at OneLogin, said: “This is a necessary development, considering the recent increase in Zoom usage over the last few months and the number of zoom-bombing episodes that have ensued. However, security is a two-way street. In order for this to be effective, users will need to enable the use of 2FA.”
Over two-fifths (41%) of insurance claims in North America in the first half of the year were related to ransomware attacks, according to new industry data.
The figures from cyber-insurance provider Coalition, which claims to have over 25,000 SMB clients in the US and Canada, provide a handy insight into the biggest threats to organizations today.
Aside from ransomware, fund transfer losses (27%) and business email compromise (BEC) incidents (19%) rounded out the top three attack types by number of claims in the period.
These two are essentially the same kind of scam, although BEC is committed solely via email whereas fund transfer losses might involve other channels such as phone calls. Together the top three accounted for 87% of all claims in the first six months of 2020.
Coalition’s head of business operations, Jen McPhillips, explained that the number one root cause of ransomware incidents during the period was exploitation of remote access. This indicates that the shift to remote working has provided new opportunities for cyber-criminals to monetize corporate attacks.
This chimes with data released by ESET in June, which pointed to a sharp spike in RDP attacks over the first few months of 2020: from just under 30,000 in December to over 100,000 during May.
As for BEC and fund transfer scams, they accounted for almost half of all cybercrime losses recorded by the FBI last year: coming in at a staggering $1.8bn. This is up from around $1.3bn out of a total of $2.7bn in 2018.
“Email intrusion, invoice manipulation and domain spoofing were the most common attack techniques for funds transfer fraud incidents,” McPhillips continued. “Organizations that use Microsoft Outlook for email were more than three times as likely to experience a business email compromise compared to organizations that use Google Gmail.”
State-sponsored hackers have been in action again, trying to probe the Trump and Biden campaigns for information ahead of the US Presidential election in November, according to Microsoft.
The tech giant’s corporate vice-president for customer security and trust, Tom Burt, revealed that it had detected activity from prolific Iranian, Russian and Chinese groups.
Worryingly, he said that only “the majority” of attacks were “detected and stopped by security tools built into our products.”
Of most concern will be the return of the notorious APT28 (aka Fancy Bear, Strontium), which previously hacked and released damaging emails from Democratic Party officials ahead of the 2016 election.
The group has targeted not only Republican and Democrat consultants but think tanks, national and state party organizations in the US, and European and UK political parties. In total, over 200 organizations have apparently been attacked.
Burt said APT28 is augmenting its typical spear-phishing attacks with new tactics.
“In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” he added.
“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
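Password spraying differs from classic brute force in a way a detection rule can exploit: few attempts per account, many accounts, and, as Burt describes, many rotating source addresses so that per-IP thresholds never trip. The following is an added example, not Microsoft's detection logic, showing how a defender can distinguish the three patterns from failed-login records. The log format, field names, thresholds and sample events are all constructed for this illustration; real sources (Windows event 4625, sshd, IdP audit logs) need their own parser.

```python
"""Added example: separating password spray, distributed spray and brute force in auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line format for this example, e.g.
#   2020-09-10T08:00:01Z auth_fail user=user01 src=198.51.100.1
LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return {'ts', 'user', 'src'} for a failed-login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "user": m["user"].lower(), "src": m["src"]}


def detect(lines, window=600, spray_users=8, spray_sources=8, brute_attempts=10):
    """Bucket failures into `window`-second periods and emit alerts per period:
       ('spray', src, n_users)            one source touching many accounts
       ('brute_force', user, n_attempts)  one account hit many times
       ('distributed_spray', n_users, n_sources)
                                          many accounts, <=2 failures each, from many sources
    """
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            buckets[int(ev["ts"] // window)].append(ev)

    alerts = []
    for _, events in sorted(buckets.items()):
        users_by_src = defaultdict(set)
        attempts_by_user = defaultdict(int)
        srcs_by_user = defaultdict(set)
        for ev in events:
            users_by_src[ev["src"]].add(ev["user"])
            attempts_by_user[ev["user"]] += 1
            srcs_by_user[ev["user"]].add(ev["src"])

        for src, users in users_by_src.items():
            if len(users) >= spray_users:
                alerts.append(("spray", src, len(users)))
        for user, n in attempts_by_user.items():
            if n >= brute_attempts:
                alerts.append(("brute_force", user, n))

        # Rotating-IP spray: per-source and per-user counters both stay low, so look at
        # the population of accounts that each saw only one or two failures.
        low = [u for u, n in attempts_by_user.items() if n <= 2]
        sources = set().union(*(srcs_by_user[u] for u in low)) if low else set()
        if len(low) >= spray_users and len(sources) >= spray_sources:
            alerts.append(("distributed_spray", len(low), len(sources)))
    return alerts


def _constructed_sample():
    """Constructed events using documentation address ranges (RFC 5737)."""
    lines = []
    for i in range(1, 11):      # distributed spray: ten accounts, once each, ten source IPs
        lines.append(f"2020-09-10T08:00:{i:02d}Z auth_fail user=user{i:02d} src=198.51.100.{i}")
    for i in range(1, 11):      # single-source spray: one IP walks the same ten accounts
        lines.append(f"2020-09-10T08:03:{i:02d}Z auth_fail user=user{i:02d} src=203.0.113.7")
    for i in range(12):         # brute force: one account hammered from one IP
        lines.append(f"2020-09-10T08:05:{i:02d}Z auth_fail user=bob src=192.0.2.9")
    lines.append("2020-09-10T08:06:00Z auth_ok user=alice src=192.0.2.10")   # not a failure, skipped
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The thresholds are deliberately parameters: in a large organization with many remote workers, a burst of single mistyped passwords from many home addresses after a forced password change can look exactly like a distributed spray, so the `spray_users`/`spray_sources` values have to be tuned against a baseline of normal failure volume, and alerts are best enriched with whether the sources are known exit nodes or newly seen addresses.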
Not to be outdone, China’s APT31 (aka Zirconium) has also been in action targeting the Biden and Trump campaigns, as well as noted figures in international affairs and academia. Microsoft said it has seen thousands of attacks between March and September, resulting in nearly 150 compromises. The activity was also spotted by Google back in June.
“Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account,” explained Burt.
“Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
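The web bug Burt describes works because the mail client fetches a remote image whose URL is unique to the recipient, and the fetch itself is the signal. The usual defence is to block remote content by default; where that is not possible, inbound mail can at least be scored for the tell-tale shape of such beacons. The following is an added example, not Microsoft's analysis or any product's code: a small HTML scanner that flags `<img>` elements which are remote, 1x1 or hidden, or carry a long opaque token. The scoring weights, the threshold and the sample message are constructed for this illustration.

```python
"""Added example: scoring <img> elements in an HTML email for tracking-pixel characteristics."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Long hex or base64-like runs in a path or query value suggest a per-recipient identifier.
TOKEN_RE = re.compile(r"[A-Fa-f0-9]{16,}|[A-Za-z0-9+=]{24,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img>; <img .../> reaches handle_starttag too."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def score_image(attrs):
    """Return (score, reasons). Inline (data:/cid:) images score 0: nothing is fetched."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return 0, []
    score, reasons = 1, ["external"]             # any remote fetch reports the open
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        score, reasons = score + 2, reasons + ["tiny"]
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        score, reasons = score + 2, reasons + ["hidden"]
    haystack = parsed.path + " " + " ".join(v for _, v in parse_qsl(parsed.query))
    if TOKEN_RE.search(haystack):
        score, reasons = score + 1, reasons + ["tracking-token"]
    return score, reasons


def find_beacons(html: str, threshold: int = 2):
    """Return the images whose score reaches `threshold`, in document order."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    found = []
    for attrs in parser.images:
        score, reasons = score_image(attrs)
        if score >= threshold:
            found.append({"src": attrs.get("src", ""), "score": score, "reasons": reasons})
    return found


# Constructed sample message: a visible logo, an inline image, a classic hidden pixel and
# a visible-but-tokenised image. Hosts are example domains, not real infrastructure.
TRACKING_PIXEL_URL = "https://track.example.com/open/8f3a2c1d9e0b4f6a7c8d1e2f3a4b5c6d.gif"
TOKEN_URL = "https://t.example.net/p?u=user123&id=deadbeefdeadbeefdeadbeef"
SAMPLE_EMAIL_HTML = f"""
<html><body>
  <img src="https://cdn.example.com/img/logo-primary.png" width="120" height="40">
  <p>Quarterly update attached.</p>
  <img src="data:image/png;base64,iVBORw0KGgo=" width="1" height="1">
  <img src="{TRACKING_PIXEL_URL}" width="1" height="1" style="display: none;" />
  <img src="{TOKEN_URL}" alt="">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EMAIL_HTML):
        print(hit["score"], hit["reasons"], hit["src"])
```

A scanner like this only raises a suspicion; the logo scores 1 because a remote logo leaks the open just as well as a pixel does, which is why the mitigation that actually removes the reconnaissance value is proxying or blocking remote images for mail from unknown senders rather than pattern-matching the beacons.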
Finally, Iran’s APT35 (aka Charming Kitten, Phosphorus) has been unsuccessfully attempting to access the email accounts of Trump campaign staff, said Burt.
The news comes as a new book by noted journalist Bob Woodward has made some shocking new allegations about Trump’s handling of the COVID-19 crisis and attempts by political appointees to influence intelligence reports.
It claims the President knew about and deliberately played down the seriousness of the virus, and that staffers tried to manipulate intelligence reports to play down the intelligence threat from Russia and homegrown white supremacists and hype the threat from China.
The People's Republic of China says the Twitter account of an ambassador who 'liked' a tweet containing pornographic content was hacked.
The account in question belongs to Liu Xiaoming, the PRC's ambassador to the United Kingdom. While Twitter is banned in the PRC, Chinese diplomats and their staff who live overseas are permitted to use the social media platform.
On Wednesday, the account appeared to give a digital thumbs up to a tweet in which a sexual act was depicted in a 10-second video.
Other posts 'liked' by the ambassador's account included comments that were critical of the PRC's Communist party.
The Chinese embassy in London has said that action will be taken unless Twitter instigates an investigation into what the PRC is calling "abominable."
'Likes' apparently issued from the ambassador's account remained visible on Twitter for around an hour before being withdrawn. Other Twitter users, surprised that the content appeared to have met with the ambassador's approval, commented on them while they were live.
Typically, Liu shares news stories distributed by the Chinese state media that depict the PRC in a positive light. During an interview with the BBC in July, Liu denied human rights atrocities were being committed in Xinjiang despite being confronted with drone footage of the acts being committed.
Several hours after the alleged cyber-incident, a spokesperson for the London embassy issued a statement condemning the hack and attributing it to anti-Chinese cyber-criminals.
“Recently some anti-China elements viciously attacked Ambassador Liu Xiaoming’s Twitter account and employed despicable methods to deceive the public," read the statement.
"The Chinese embassy strongly condemns such abominable behavior."
The embassy said that it had reported the alleged hack to Twitter and urged the company to "make thorough investigations and handle this matter seriously."
The statement continued: "The embassy reserves the right to take further actions and hope that the public will not believe or spread such rumor.”
Alleged hacking victim Liu republished the embassy’s tweet to his more than 85,000 followers, adding the phrase: “A good anvil does not fear the hammer.”
A hacker or hacking organization is yet to step forward and claim responsibility for the alleged hack.
A cluster of vulnerabilities known as Ripple20 poses a major threat to IT environments, according to new research by a Seattle enterprise cyber-analytics company.
The Ripple20 threat is a series of 19 vulnerabilities found in a low-level TCP/IP software library developed by Treck Inc. called the Treck networking stack. The library is used by device manufacturers across a host of different industries, including utilities, academia, government, and healthcare.
"The ExtraHop threat research team studied customer data and discovered vulnerable software in one out of every three IT environments," wrote researchers.
"With industry average dwell times hovering around 56 days, these devices are a ticking time bomb if left alone."
The researchers predicted that this exploit will be widely used by attackers as an easy backdoor into networks the world over.
"The devices that utilize the Treck stack are far-reaching with the potential for vast exploitation," said Jeff Costlow, CISO at ExtraHop.
"A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits."
Researchers recommended that device manufacturers and security vendors take immediate action and deploy mitigation tactics against the threat.
Specific actions advised include monitoring for scanning activity, isolating vulnerable devices, patching, and removing devices from services if a patch is unavailable.
"Vendors utilizing the Treck Software were given early access to the threat details so they could start producing patches immediately," wrote researchers.
"Unfortunately, a large number of devices have discontinued support, which has made it difficult to account for all vulnerable device makes and models."
Concerned organizations should stay vigilant for unusual activity such as lateral movement and privilege escalation that can indicate a Ripple20 exploit is occurring.
The threat group MAZE claims to have carried out a ransomware attack on the twelfth-largest school system in the United States.
According to their website mazenews.top, the cyber-criminal gang has successfully targeted Fairfax County Public Schools in Virginia with crypto-ransomware.
As proof of the attack, the threat actors have uploaded a zip file of data they claim was exfiltrated from the school system. At time of publication, Maze had published just 2% of the data they claim to have swiped from Fairfax County Public Schools.
Commenting on the alleged attack, Emsisoft's Brett Callow told Infosecurity Magazine: "FCPS is the 206th public sector entity in the US to be impacted by ransomware so far in 2020 and the 53rd school district."
Callow said that operations at up to 11,190 individual schools and colleges have potentially been affected by ransomware attacks since January.
The costs associated with such incidents are high as victims pay for forensics specialists to determine how the attack happened, fund the implementation of new cybersecurity measures, and in some cases pay the ransom demanded by the attackers.
"In 2019, 966 governments, healthcare providers and educational establishments were impacted at a cost of $7.5bn," said Callow.
A recent report by Emsisoft predicted that the cost of ransomware attacks will increase as the practice of exfiltrating data from victims to use as leverage becomes more common.
"We anticipate that exfiltration+encryption attacks will become increasingly standard practice and, consequently, both the risks and the costs associated with ransomware incidents will continue to increase," wrote researchers.
"Additionally, as the big game hunters are successfully hunting ever bigger game, the overall economic impact of incidents will increase from its current level of $170bn."
If true, the ransomware attack on Fairfax County Public Schools is the second tech-based disaster to befall the school system in 2020. FCPS hit the headlines in April after repeated attempts to successfully roll out remote learning during the COVID-19-related school closures ended in failure.
Back in 2010, a nine-year-old boy managed to hack into the Blackboard Learning System used by FCPS to change teachers' and staff members' passwords, change or delete course content, and change course enrollment.
APT groups are increasingly executing targeted attacks against Linux-based devices as well as developing more Linux-focused tools, according to an investigation by Kaspersky.
This is a result of a growing number of organizations selecting Linux ahead of Windows to run their strategically important servers and systems, and of the perception that Linux is safer and less likely to be targeted by malware because it is less widely used.
However, threat actors have been observed to adapt their tactics to take advantage of this trend, and Kaspersky noted that “over a dozen APT actors have been observed to use Linux malware or some Linux-based modules” during the past eight years.
These include notorious groups such as Turla, Lazarus, Barium, Sofacy, the Lamberts and Equation. Kaspersky highlighted the example of the Russian-speaking APT group Turla using Linux backdoors as part of its changing toolset in recent years.
The cybersecurity company added that while targeted attacks on Linux-based systems are still uncommon, there is nonetheless malware designed for them, including webshells, backdoors, rootkits and even custom-made exploits.
This means organizations should not be complacent about the threat posed, especially as the consequences of a successful compromise of a server running Linux are often severe. This can include attackers gaining access to the endpoints running Windows or macOS in addition to the infected device.
Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia, commented: “The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations.”
Commenting on the findings, Boris Cipot, senior security engineer at Synopsys, said: "It is not a big shock that Linux-based systems also have vulnerabilities and are subject to attacks. There is a common misconception which suggests that Linux-based systems are unbreachable, or that a Mac cannot be affected by malware. Unfortunately, this is not accurate.”