Info Security

Fortinet to Pay $545,000 for Violating False Claims Act

Tue, 04/16/2019 - 12:56

Network security company Fortinet has agreed to pay $545,000 to resolve allegations that it violated the US's False Claims Act.

According to the settlement agreement made public on April 12, 2019, "Fortinet acknowledged that during the more than seven years between January of 2009 and the fall of 2016, a Fortinet employee responsible for supply chain management arranged to have labels on certain products altered to make the products appear to be compliant with the Trade Agreement Act (TAA). A portion of the products was resold through distributors and subsequent resellers to U.S. government end users." 

“Today’s announcement illustrates the continuing commitment of the US Attorney’s Office and our law enforcement partners to identify and prosecute fraudulent schemes relating to the sale of goods to the United States,” said US Attorney David L. Anderson.  

“Contractors that supply the US government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” said Defense Criminal Investigative Service (DCIS) Special Agent in Charge Bryan D. Denny. “The DCIS and its law enforcement partners are committed to combating procurement fraud and cyber-risk within US Department of Defense programs.”

The TAA prohibits certain government contractors from purchasing products that are not entirely from, or “substantially transformed” in, the United States or certain designated countries. According to the public announcement, in this case Fortinet acknowledged that the "Responsible Employee" directed certain employees and contractors to change product labels so that no country of origin was listed or to include the phrases “Designed in the United States and Canada,” or “Assembled in the United States.”  

According to Fortinet's website, the company serves government organization customers. Some of these include Alamance County in North Carolina and Salt Lake County in Utah. 

The company has agreed to pay $400,000 and to provide the United States Marine Corps with additional equipment valued at $145,000.  

The lawsuit was filed by former Fortinet employee Yuxin “Jay” Fang under the qui tam provisions of the False Claims Act. It was then investigated by the U.S. Attorney’s Office of the Northern District of California, along with other government organizations.

“This settlement displays the steadfast commitment of our agents and our federal law enforcement partners,” said the U.S. Army Criminal Investigation Command’s (USACIDC's) director of major procurement fraud unit, Marion "Frank" Robey. “This settlement is a clear signal to the supply community doing business with the Department of the Army; fraud will not be tolerated in any way, shape or form.” 

Commenting on the issue, Fortinet said: “We hold ourselves to the highest ethical standards of trust and integrity. This was an isolated incident that involved events from more than two years ago in which a rogue former employee acted against our policies. When we were made aware of the incident, we took immediate action, including thoroughly investigating the matter, terminating the employee and implementing additional safeguards to prevent an issue like this from happening again. The nominal settlement amount of $545,000 reflects in part our cooperation to promptly and thoroughly address this matter.”

Categories: Cyber Risk News

NCSC Launches 2019 Cybersecurity Accelerator

Tue, 04/16/2019 - 09:55

The UK’s National Cyber Security Centre (NCSC) has launched its latest annual search for the hottest cybersecurity start-ups in the country.

The NCSC Cyber Accelerator is a government-funded initiative that claims to have doled out £20m in investment since its launch in 2017, offering up the expertise of NCSC and its parent organization GCHQ to help nurture talent.

It’s ultimately hoped that these star companies will go on to build products and services that not only enrich the UK economy but also make the country the safest place in which to live and work online.

“This call will allow us to cast the widest net possible for attracting start-ups developing technologies that will better protect us now and in the future,” said NCSC deputy director for skills and growth, Chris Ensor.

“We’ve worked with 23 companies over the past few years, offering them unique technical insights that have helped them grow their ideas and business.”

Some 16 of these firms have graduated from the nine-month program. As well as exclusive access to NCSC and GCHQ, it offers a £25,000 grant and access to the investor network of Telefonica start-up accelerator Wayra, which is co-hosting the program.

“The NCSC Cyber Accelerator, powered by Wayra UK, is representative of how Britain’s intelligence, cyber and security services, have evolved to counter emerging threats by supporting businesses on the frontiers of new tech innovation,” argued Wayra UK director, Gary Stewart.

“We’re proud to be a leading partner in identifying and nurturing the fourth cohort of start-ups that will help keep Britain safe for the next 100 years.”

Interested companies have until 23:59 on April 28 2019 to apply.

Categories: Cyber Risk News

TSB Offers to Cover APP Fraud Losses

Tue, 04/16/2019 - 09:25

UK bank TSB has promised to refund any customers that may be hit by so-called “authorized push payment” (APP) fraud, which is on the rise around the globe.

The high street lender is hoping to differentiate from its rivals, many of whom take a more uncompromising stance on this type of scam.

Unlike transaction fraud, account takeovers or account creation fraud, where the malicious activity happens without the victim’s knowledge, APP fraud occurs when an account holder is tricked into making a payment to another account.

There are two main types. In malicious payee fraud the victim authorizes a payment without realizing it's actually a scam, while in malicious redirection the victim intends to pay a legitimate payee but the fraudster directs them to pay a third-party instead.

TSB announced its Fraud Refund Guarantee on Monday, pointing to figures that over £1.2bn was stolen by fraudsters from UK banking customers last year.

Of that figure, a rather smaller sum of £354m was lost to APP fraud, although this had jumped 50% from 2017. APP fraud incidents soared by 90% from 2017 to 2018, although the surge could be down to more banks reporting these scams, according to industry body UK Finance.

“The vast majority of fraud claims across UK banking are from innocent victims of fraud, who have been targeted by criminals and organized gangs. However, all too often these customers must fight to be refunded and are not treated as victims of crime,” argued TSB executive chairman, Richard Meddings.

“We want to provide peace of mind to our customers, that’s why we’re proud to announce the TSB Fraud Refund Guarantee.”

As of January, new regulatory rules came into force designed to empower APP victims with greater powers of redress — by allowing them to complain to the bank that receives funds as well as their own.

However, lenders continue to take a hard line on customers who have fallen victim to such scams, which is why the Financial Ombudsman Service (FOS) and others are drawing up a voluntary code for the industry.

TSB will be hoping the new assurances on fraud reimbursements help to win back the support of its five million customers after major IT outages last year.

Categories: Cyber Risk News

FBI Non-Profit Probes Agent Data Breach

Tue, 04/16/2019 - 09:02

A training non-profit linked to the FBI is investigating reports that it was successfully hacked, exposing the personal details of thousands of agents to attackers.

The FBI National Academy Associates (FBINAA) claims to be “dedicated to providing the highest degree of law enforcement expertise, leadership training, and information to law enforcement executives around the world.” Its members are graduates of the FBI National Academy Program for law enforcers.

In a notice over the weekend, it responded to media reports of a security breach at three FBINAA websites which apparently resulted in highly sensitive data on around 4000 law enforcers being put up for sale on a dark web site.

“We are working with federal authorities to investigate this allegation. We believe we have identified the three affected chapters that have been hacked and they are currently working on checking the breach with their data security authorities,” the statement noted.

“In each of these instances a third-party software was being used by the affected Chapters, however it is still too early to determine if this impacted the breach. Cybercrime is on the rise and phishing attacks occur every day.”

The FBINAA pointed out that its national database is “safe and secure” and used the opportunity to reassure members that their safety is paramount.

“If it is determined that there has been felonious activity, we will prosecute the culprits to the fullest extent of the law,” it concluded.

Web application vulnerabilities remain among the most high-risk security challenges facing IT teams. A Trustwave report from 2018 revealed that 100% of apps contain at least one flaw, with the median number standing at 11.

The average time it takes to fix a web app bug is over 77 days, according to a separate Edgescan report.

Categories: Cyber Risk News

Huawei Poses 'No Threat' According to Belgium, Trump Not Convinced

Mon, 04/15/2019 - 14:11

The Belgian Centre for Cybersecurity (CCB) has reportedly decided not to issue "a negative opinion" on Huawei following several months of investigation with no concrete evidence found. 

According to The Brussels Times, the CCB has been looking for evidence of spying by Huawei. This comes as the Chinese technology company has faced several accusations globally of spying. 

In Belgium, Huawei works with Proximus, Orange and Telenet/Base. It also opened a cybersecurity lab in Brussels back in March.

CCB spokesperson Katrien Eggers said, "A final report on the issue will not be produced as yet because the situation is still being monitored."

According to the Financial Times, the European Commission wants to monitor the company rather than issue a blanket ban on its technology, which is putting it at odds with the US.

US President Donald Trump has tweeted a complaint about the appointment of a former Obama cybersecurity official as a lobbyist for Huawei.

Chinese Telecom Giant Huawei hires former Obama Cyber Security Official as a lobbyist. This is not good, or acceptable! @FoxNews @SteveHiltonx

— Donald J. Trump (@realDonaldTrump) April 15, 2019

Samir Jain was the former senior director for cybersecurity policy at the White House National Security Council during the Obama administration, but he has now registered as a lobbyist for Shenzhen-based Huawei. He works for lobbying firm Jones Day.

According to the firm's website, Jain also served as associate deputy attorney general at the Department of Justice, where his responsibilities included overseeing the development of proposals to modernize the Computer Fraud and Abuse Act, supervising evaluation of telecommunications license applications for significant national security risks, and representing the department in White House cybersecurity meetings.

He also took part in international negotiations to get China's agreement not to engage in cyber-enabled intellectual property theft for commercial gain.

Categories: Cyber Risk News

Kaspersky Labs Discovers 'Previously Unknown Vulnerability' in Microsoft Windows

Mon, 04/15/2019 - 13:23

Today, Kaspersky Labs announced that it had detected a "previously unknown vulnerability" in Microsoft Windows, which was exploited by an unidentified criminal group. 

The company theorizes that it was an attempt to gain full control over a targeted device. The attack was aimed at the core of the system – its kernel – through a backdoor constructed from an essential element of Windows OS.

The vulnerability was reported to Microsoft and patched on April 10, 2019. Kaspersky products detect the exploit and the associated malware as HEUR:Exploit.Win32.Generic, HEUR:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic.

It was the fifth consecutive exploited local privilege escalation vulnerability in Windows that the company had discovered in recent months.

Kaspersky Lab's Exploit Prevention technology found the attempt to exploit the unknown vulnerability in Microsoft Windows OS, which some security solutions would not be able to recognize. This is because a backdoor that exploits a previously unknown bug in the system – a zero-day vulnerability – has significantly more chances to fly under the radar.

According to the company, "Once the malicious .exe file was launched, installation of the malware was initiated." The company explained that the infection exploited a zero-day vulnerability and achieved privileges for successful persistence on the victim’s machine. 

The malware then initiated the launch of a backdoor developed with a legitimate element of Windows, present on all machines running on this OS – a scripting framework called Windows PowerShell. This allowed threat actors to be stealthy and avoid detection, saving them time in writing the code for malicious tools. The malware then downloaded another backdoor from a popular legitimate text storage service, which in turn gave criminals full control over the infected system.

“In this attack, we observed two main trends that we often see in Advanced Persistent Threats (APTs). First, the use of local privilege escalation exploits to successfully persist on the victim’s machine. Second, the use of legitimate frameworks like Windows PowerShell for malicious activity on the victim’s machine. This combination gives the threat actors the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention and behavioral detection engines,” explains Anton Ivanov, a security expert at Kaspersky Lab.

Categories: Cyber Risk News

Sophos Investigates Microsoft Reboot Failures Following Software Update

Mon, 04/15/2019 - 12:43

Sophos is investigating user-reported issues of boot-up failures following a software update from April 9, 2019. 

The issue affects Sophos Central users on systems running Windows 7, 8.1, 2008, 2008 R2, 2012 and 2012 R2. The security company has advised its Sophos Endpoint customers that Microsoft has “temporarily blocked devices from receiving this update” until a solution is available. The update was a security update providing protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754), according to Microsoft's Windows Support website.

Sophos Central manages all Sophos products, including its Synchronized Security platform, which uses Security Heartbeat for endpoint protection. 

Spectre and Meltdown exploit vulnerabilities in the processor and can work on personal computers, mobile devices and cloud systems, according to a Graz University of Technology report. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers, which makes it a real concern for businesses. 

“If you have not yet performed the update we recommend not doing so,” explained the Sophos website. “If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting.

“In addition, if you are using Windows Server Update Services (WSUS) or a third party patch provider to distribute your Windows updates we recommend removing the updates from your approved list or de-authorising the updates from being applied to your machines.”

This comes after Microsoft had to issue patches for two zero-day vulnerabilities only last week. 

Categories: Cyber Risk News

Pregnancy Club Fined £400K After Illegally Sharing Data on Millions

Mon, 04/15/2019 - 11:01

The UK’s privacy watchdog has fined pregnancy club Bounty £400,000 after finding it guilty of sharing tens of millions of personal records with third parties including marketing agencies.

The parenting support company collects a range of sensitive information from its customers via its website, apps and offline forms, including names, dates of birth, email and home addresses, and the gender and birth date of children.

However, it also operated up until the end of April 2018 as a data broker, providing that same information to companies like Sky, Equifax, Indicia and Acxiom without clearly informed consent from the data subjects.

Between June 2017 and April 2018, Bounty is said to have shared over 34 million personal records with 39 third-party organizations, including the details of new mothers and newborn children.

Steve Eckersley, director of investigations at the Information Commissioner’s Office (ICO), described the number of those affected as “unprecedented.”

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organizations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time,” he said.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organizations, including information about their pregnancy status and their children.”

Given the timing of the data sharing, the firm was prosecuted under the old data protection regime, the Data Protection Act 1998, rather than the GDPR.

A much larger fine would likely have been in the offing otherwise, given the large volume of data involved and the vulnerable nature of the victims.

Categories: Cyber Risk News

‘Nasty List’ Phishing Scam Targets Instagram Users

Mon, 04/15/2019 - 09:43

Instagram users are being warned not to fall for a new phishing scam doing the rounds which aims to harvest log-ins and spread worm-like across the social network.

According to Twitter users who have posted screenshots of the scam, users typically first receive a direct message from an account they are following. This could include one of several variations on the same theme, which is that the recipient has been featured on a ‘nasty list.’

If they click on the link in the message they’ll be taken to one of several Instagram profiles apparently registered for the purpose, with names like “the_nasty_list_848.” The profile description of these accounts also typically contains the same breathless text as the initial message — something like “This is so horrible!! We are all on here,” or “WOW you are really on here.”

However, clicking on the link in this profile description will take the user to an official-looking but fake Instagram log-in page. If they fill their details in here the hacker will hijack their account to send the same ‘nasty list’ message to all the contacts following them.

Phishing remains one of the most popular techniques in the hacker’s arsenal, given that it takes advantage not of technical deficiencies but a lack of cyber-savvy on the part of the user.

According to Microsoft, the volume of phishing attacks jumped 250% year-on-year in 2018.

Like most online consumer-facing platforms, Instagram has its fair share of cybersecurity challenges. Back in August last year it made a slew of announcements designed to make accounts more transparent and harder to hack.

This included support for third-party authenticator apps, which make it harder for individuals to crack open accounts.

Categories: Cyber Risk News

Dangerous Drone Encounters Soared in 2018

Mon, 04/15/2019 - 09:00

The number of near-misses involving unmanned aerial vehicles (UAVs) in the UK jumped by over a third from 2017 to 2018, according to new official figures.

The UK Airprox Board (UKAB) published its annual figures for 2018 recently, revealing 125 dangerous encounters between aircraft and drones in UK airspace. That’s up from 93 the year before and 71 in 2016.

Just under a third of these (39) were recorded near Heathrow Airport in London, whilst 10 took place near Manchester Airport, according to the figures.

The former was forced to halt flights in January after a drone was spotted near the airport.

However, a much more serious incident occurred at Gatwick Airport to the south of the capital in December, when an estimated 140,000 passengers had their travel plans disrupted after flights were cancelled for several days.

Incidents like this seem to have had a major impact on the public perception of drones, with 75% branding them a national security threat and 38% arguing that they should be banned, according to a Parliament Street report.

Cesar Cerrudo, CTO at IOActive, argued that the commercialization of drones has not been thought through clearly enough in terms of the potential harm UAVs can cause.

“Manufacturers of these devices are more concerned with getting their product to market than ensuring cybersecurity. But as we have seen, with malicious or even mischievous intent they have the ability to create mass disruption, as well as potentially putting passenger safety at risk,” he added.

“In the future, we could see drones move from merely being a disruption to being weaponized. As drones improve in range and functionality, and reduce in cost, their weaponization could become common as poor cybersecurity could allow commercial drones to be hijacked by attackers.”

Reports emerged today that the Gatwick Airport drone operator, who has still not been caught, could be an insider there.

Categories: Cyber Risk News

Attackers Spoofing Known Tech, Security Brands

Fri, 04/12/2019 - 17:23

Researchers at GreatHorn have identified what they are calling a widespread attack in which attackers spoofed both the Microsoft brand in the display name and the Barracuda Networks brand in the return path and received headers, with the goal of stealing credentials.

The team identified an attack notable in that the return path spoofs a noreply.barracudanetworks.com return path. “The attackers crafted the received headers so that it appears to have gone through multiple ‘Barracuda’ hops prior to sending the email via a server designed to look like a Barracuda server. Microsoft has then automatically appended legitimate received header details to the spoofed headers, making it appear that much more legitimate,” researchers wrote.

According to today’s blog post, attackers leveraged a known security flaw in Microsoft’s handling of authentication frameworks. Rather than dictating how it wants domain-based message authentication, reporting, and conformance (DMARC) failures and exceptions to be handled, “Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”

That a major tech company has not embraced DMARC is in line with the findings of a recent report, Tech Companies Make Progress in Anti-Phishing Protection, published by ValiMail. The report found that 90% of large tech companies are vulnerable to spoofing, yet only 49% of global technology companies are already enforcing DMARC anti-phishing technology.
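A defender-side check for the header pattern described above, added here as an example (not code from GreatHorn or the original article): it computes a local verdict from display-name brand mismatch, Return-Path/From alignment and the upstream DMARC result, so the decision holds even where the mailbox provider ignores the sender's DMARC policy. The brand allow-list and both sample messages are constructed assumptions.

```python
"""Local brand-spoof and DMARC-alignment check for inbound mail.

Flags a message when (a) the From display name invokes a known brand whose
domain does not match the real From address domain, (b) the Return-Path
(SMTP MAIL FROM) domain is not aligned with the From domain, or (c) the
upstream Authentication-Results header reports dmarc=fail.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical allow-list: brands and the domains that legitimately send as them.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "barracuda": {"barracudanetworks.com", "barracuda.com"},
}


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).
    Real DMARC uses the Public Suffix List; this is enough for the demo."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def from_parts(msg: Message):
    """Return (display name, From address domain)."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def return_path_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_result(msg: Message) -> str:
    """Pull the dmarc= verdict out of Authentication-Results, or 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            clause = clause.strip()
            if clause.lower().startswith("dmarc="):
                return clause[6:].split()[0].lower()
    return "none"


def analyze(raw: str) -> dict:
    """Evaluate one raw RFC 5322 message and return findings plus an action."""
    msg = message_from_string(raw)
    display, from_dom = from_parts(msg)
    rp_dom = return_path_domain(msg)
    findings = []
    # (a) display-name brand impersonation
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and org_domain(from_dom) not in domains:
            findings.append(f"display name claims {brand}, From domain is {from_dom}")
    # (b) relaxed DMARC alignment between MAIL FROM and the From header
    if rp_dom and org_domain(rp_dom) != org_domain(from_dom):
        findings.append(f"Return-Path {rp_dom} not aligned with From {from_dom}")
    # (c) upstream DMARC verdict, enforced locally regardless of provider policy
    verdict = dmarc_result(msg)
    if verdict == "fail":
        findings.append("Authentication-Results reports dmarc=fail")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "dmarc": verdict, "findings": findings,
            "action": "quarantine" if findings else "deliver"}


# Constructed sample modelled on the pattern in the article (not a real capture).
SPOOFED = """\
Return-Path: <noreply@noreply.barracudanetworks.com>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=noreply.barracudanetworks.com; dmarc=fail header.from=mail-alerts.example
Received: from mail.sender.example (unknown [192.0.2.10]) by mx.example.net
From: "Microsoft Account Team" <security@mail-alerts.example>
To: victim@example.net
Subject: Action required: verify your account

Your mailbox will be suspended unless you sign in now.
"""

# Constructed aligned message for comparison.
LEGIT = """\
Return-Path: <bounce@microsoft.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass header.from=microsoft.com
From: "Microsoft" <account-security-noreply@microsoft.com>
To: victim@example.net
Subject: New sign-in

Hello.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw))
```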

“This is a good example of how attackers are adapting to user awareness and preventative technology,” said Terence Jackson, chief information security officer at Thycotic. “User education and email protection technology is needed, but we have to make sure that user training is continuous and the technology we put into place is not static but dynamic and utilizes a degree of machine learning to analyze these types of new attacks.

“Attackers are going to great lengths to obtain user credentials to access sensitive data. Hopefully GreatHorn’s customers had multifactor authentication enabled, which should have limited the scope of this attack. But as we’ve seen before, users tend to reuse passwords on multiple sites, which again highlights the need for the use of password managers and better personal cyber hygiene.”

Categories: Cyber Risk News

Mailgun Web Issues from WordPress Plugin Hack

Fri, 04/12/2019 - 15:44

Email automation and delivery service Mailgun announced that it has resolved a security incident that resulted from a massive coordinated attack against WordPress sites.

“The mailgun.com webpage began issuing redirects to sites outside of our domain. We immediately launched an incident to determine the source of the redirects and determined that a plugin for WordPress was responsible for issuing the redirects. We've disabled the plugin responsible for this issue,” the security incident notice said.

“Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue.”

In a massive attack on WordPress sites, bad actors exploited a cross-site scripting (XSS) vulnerability in the Yuzo Related Posts WordPress plugin to inject JavaScript, redirecting visitors to various malicious tech support scams, spam ad pages, fake software updates carrying malware and more.

“While unfortunate, this is not new and will be a problem that always persists,” said Chris Morales, head of security analytics at Vectra. “The best advice I can give at this time is that users need to pay careful attention to the sites they do visit at any given time and be careful what information they are providing.”

The problem with the Yuzo plugin was reportedly worsened because the web developer who discovered the vulnerability published the proof-of-concept code rather than reporting the issue to the plugin author, who posted that he will soon send an improved version of the plugin for all users.

“Vulnerabilities in WordPress plugins have been a long-standing problem. The plug-in directory is very much like the Google Play store, where vetting of apps is a major weakness,” said Chris Orr, systems engineer at Tripwire.

“Lack of notification by the plug-in developer is also an issue to contend with. It is recommended that WordPress users either automatically update the platform and their apps or pay close attention to the ones they use and how they behave and keep an eye out for vulnerabilities.”

Notification from the developer, though, was somewhat complicated by the lack of care taken to properly disclose the vulnerability, according to Oscar Tovar, application security specialist at WhiteHat Security.

“Proper, responsible vulnerability disclosures are something that should be carried with the utmost of care. The failure to do so can have widespread and serious repercussions. In this case, it was unfortunate that the zero-day was released to the public instead of the plugin author. If the author had been alerted with the vulnerability’s proof of concept, things would have played out completely differently.

“This incident can serve as a valuable example of how serious publishing a zero-day into the wild can be and hopefully prevent the same error from happening again in the future. The risks of deviating from a responsible disclosure are simply too great.”

Categories: Cyber Risk News

Matrix Compromised Through Known Jenkins Flaws

Fri, 04/12/2019 - 14:30

Matrix users are encouraged to change their passwords after an unauthorized actor gained access to the servers hosting Matrix.org. Those using IRC bridging are also encouraged to change their NickServ passwords.

An open network for secure, interoperable, decentralized, real-time communication over IP, Matrix is used across instant messaging, VoIP/WebRTC signaling and internet of things (IoT) communication, according to the company’s website.

On April 9, 2019, security researcher Jaikey Sarraf alerted Matrix to existing vulnerabilities in Jenkins, which Matrix said it used for continuous integration. “The version of Jenkins we were using had a vulnerability (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) which allowed an attacker to hijack credentials (forwarded ssh keys), giving access to our production infrastructure.”

When Matrix identified that machines had been compromised, the company removed Jenkins and reportedly denied the attacker access to the compromised machines.

Matrix updated the security incident notice today, stating: “At around 5am UTC on Apr 12, the attacker used a cloudflare API key to repoint DNS for matrix.org to a defacement website (https://github.com/matrixnotorg/matrixnotorg.github.io). The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately only personal keys were rotated, enabling the defacement. We are currently double checking that all compromised secrets have been rotated.

“The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again.”

Noting that no home servers besides Matrix.org were affected, the project said, “The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins).”

All users were logged out of Matrix.org, and “the matrix.org home server has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im home servers have not been affected by this outage,” the security incident notice stated.

The investigation remains ongoing, but thus far there has been no evidence that large quantities of data were downloaded, though “the attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.”
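The rotation gap the notice describes, as an added example that is not Matrix.org’s own tooling: an audit that treats every secret stored on (or usable from) a compromised host as exposed and flags any that was not rotated after the intrusion began, whether it is a personal credential or a shared service key. Host names, secret names and timestamps are constructed assumptions, not data from the incident.

```python
"""Post-compromise secret inventory audit.

Added example; this is not Matrix.org's tooling. It models the rotation gap
described in the incident notice: secrets were rotated per *person* rather than
per *exposure*, so a shared Cloudflare API key that the intruder had already
taken stayed valid and was used to repoint DNS. Every host name, secret name
and timestamp below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Secret:
    name: str
    kind: str               # "personal" (one user's credential) or "shared" (service/API key)
    stored_on: str          # host where the secret lived or was usable (e.g. an agent-forwarded key)
    last_rotated: datetime  # UTC


def exposed_secrets(inventory: Iterable[Secret], compromised_hosts: Set[str]) -> List[Secret]:
    """Anything stored on, or usable from, a compromised host must be assumed known to the attacker."""
    return [s for s in inventory if s.stored_on in compromised_hosts]


def unrotated_after(inventory: Iterable[Secret], compromised_hosts: Set[str],
                    compromise_start: datetime) -> List[Secret]:
    """Exposed secrets whose last rotation does not post-date the start of the intrusion window.

    A rotation on or before compromise_start is worthless: the attacker could
    have read the new value as well as the old one.
    """
    return [s for s in exposed_secrets(inventory, compromised_hosts)
            if s.last_rotated <= compromise_start]


def rotation_report(inventory: Iterable[Secret], compromised_hosts: Set[str],
                    compromise_start: datetime) -> Dict[str, List[str]]:
    """Group the outstanding rotations by kind, so "we rotated everything" is checked per class of secret."""
    report: Dict[str, List[str]] = {"personal": [], "shared": []}
    for s in unrotated_after(inventory, compromised_hosts, compromise_start):
        report.setdefault(s.kind, []).append(s.name)
    return report


# --- constructed data (assumptions, not values from the incident) ---
COMPROMISE_START = datetime(2019, 4, 4, tzinfo=timezone.utc)   # assumed earliest intruder access
REBUILD = datetime(2019, 4, 11, tzinfo=timezone.utc)            # assumed rebuild / rotation date
COMPROMISED_HOSTS = {"jenkins-1", "synapse-db-1"}

INVENTORY = [
    Secret("ssh_key_alice",       "personal", "jenkins-1",    REBUILD),                                     # rotated
    Secret("ssh_key_bob",         "personal", "jenkins-1",    REBUILD),                                     # rotated
    Secret("cloudflare_api_key",  "shared",   "jenkins-1",    datetime(2018, 6, 1, tzinfo=timezone.utc)),  # missed
    Secret("synapse_db_password", "shared",   "synapse-db-1", REBUILD),                                     # rotated
    Secret("backup_s3_key",       "shared",   "backup-1",     datetime(2017, 1, 9, tzinfo=timezone.utc)),  # host not compromised
]

if __name__ == "__main__":
    for kind, names in rotation_report(INVENTORY, COMPROMISED_HOSTS, COMPROMISE_START).items():
        print(f"{kind}: {', '.join(names) if names else 'none outstanding'}")
```

The check keys on where a secret was reachable, not on who owns it: the per-person rotation that the notice describes leaves `cloudflare_api_key` outstanding because it belongs to no individual, which is exactly the class of secret a rebuild checklist organised by user forgets.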

Categories: Cyber Risk News

Russia Plans to Cut Users Off From Global Internet

Fri, 04/12/2019 - 10:00
Russia Plans to Cut Users Off From Global Internet

Russian lawmakers have approved a bill which could allow the government to cut access to foreign servers, in a move critics believe could see the nation attempt to ape China’s fearsome censorship apparatus.

Passed in its second reading by an overwhelming 320 votes to 15, the legislation could become law by November 1, according to reports.

The government has claimed it could help enhance national security by helping Russia preempt any online attack or disruption from foreign powers.

Its supporters cite a US report unveiled by Donald Trump last year that blamed Russia for being a top cyber threat, giving the superpower a motive to use its offensive capabilities.

However, others believe the “sovereign internet” bill smacks more of an attempt by the authorities to try and mimic the Great Firewall — China’s censorship infrastructure which effectively cuts its 800 million netizens from the global internet, allowing only highly filtered traffic through.

This would seem to fit with concerns in the Kremlin about Russia’s over-reliance on US tech companies, which could put it at a strategic disadvantage during any geopolitical crisis. Vladimir Putin has described the internet as a “CIA project.”

“This law creates a framework whereby ISPs will be required to funnel all internet traffic in and out of the country through well-known choke points (Internet Exchanges). This would make it easier for the authorities to expand internet censorship, and isolate the nation from the global internet [during] times of conflict,” explained Ameet Naik, technical marketing director at ThousandEyes.

“However, this would also force internet traffic through sub-optimal paths, and through performance-limiting filtering gateways. This would most likely degrade the user experience for Russian users browsing sites and apps outside the country, and provide an advantage to services hosted within the country, as we’ve seen happen in China.”

Russia and China have for years been seeking to impose their alternative view of internet governance at the UN and other forums. However, critics describe ‘internet sovereignty’ as little more than a byword for censorship and oppression of online freedoms.

Categories: Cyber Risk News

England and Wales Police Get Dedicated Cybercrime Units

Fri, 04/12/2019 - 09:08
England and Wales Police Get Dedicated Cybercrime Units

Every England and Wales police force now has a dedicated cybercrime unit, thanks to a multimillion-pound government investment, it was revealed yesterday.

The announcement was made by the National Police Chiefs’ Council (NPCC) National Cybercrime Programme, and claimed that forces were able to access £7m in funds to fill the units with specialist officers and equipment.

Further investment by the Home Office and the National Cyber Security Programme is expected to continue into 2019/20 and 20/21.

The new units will be coordinated by the country’s Regional Organised Crime Units (ROCUs) to prevent duplication and offer support via National Cybercrime Units (NCCUs). The idea is that the new local units will form the last piece in the policing puzzle, completing a “Team Cyber UK” network of local, regional, national and international cybercrime law enforcement.

“In the past six years we have introduced a robust national and regional network of dedicated cybercrime units at national and regional level but we were still lacking a local response as part of the Team Cyber UK network,” explained chief constable Peter Goodman, the NPCC lead for cybercrime.

“Every police force now has a cybercrime unit, which will investigate and pursue offenders, help businesses and victims protect themselves from attack and work with partners to prevent vulnerable individuals from being drawn into committing cybercrime. These units will improve our response to cybercrime working closely with national and regional units. This is a great start and lays down a solid foundation for each force to build on.”

Before the initiative, less than a third (31%) of forces apparently had a dedicated cybercrime unit.

However, there will still be concerns over skills gaps among officers, reflecting a wider trend across the cybersecurity industry.

Back in 2016, then-home secretary Theresa May announced plans to bring in volunteers to help regular officers on cybercrime cases. The following year a thinktank called for the creation of a digital academy to train specialist cyber-police officers. However, neither plan seems to have got beyond the ideas stage.

“Police forces around the UK have struggled when it comes to investigating the tidal wave of cyber offences reported to Action Fraud since it formed,” argued Eset cybersecurity specialist, Jake Moore.

“An injection of money couldn’t come at a better time, as cyber offences become harder to detect and deter. I imagine much of this money will be put into offering prevention advice around the country to people most at risk, as to small and medium businesses with livelihoods on the line, prevention is better than cure.”

Categories: Cyber Risk News

EU Citizens Hit by UK Government Data Leak

Fri, 04/12/2019 - 08:45
EU Citizens Hit by UK Government Data Leak

The Home Office is in the dock again after a second privacy blunder in as many days led to the accidental disclosure of hundreds of emails.

The ‘administrative error’ apparently occurred when an official used the “cc” instead of “bcc” field when sending out an email to 240 EU citizens requesting settled status after Brexit.

The email was sent on Sunday to applicants who had encountered difficulties, asking them to resubmit their information, according to the BBC.

The government department was then forced to send another email requesting that the recipients delete the offending missive.

“In communicating with a small group of applicants, an administrative error was made which meant other applicants' email addresses could be seen,” a reported Home Office statement noted.

“As soon as the error was identified, we apologized personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”

The news emerged just two days after a similar incident in which the Home Office exposed 500 private email addresses to others.

It related to individuals who had enrolled in a compensation scheme for the so-called “Windrush generation” — UK citizens from Commonwealth countries whom the government has mistreated under Theresa May’s "hostile environment" immigration policy as home secretary.

The EU settlement scheme has already been on the receiving end of strong criticism by groups who claim it is unnecessarily bureaucratic and has been beset by technical difficulties.

The government’s mistakes could mean it is in breach of the GDPR, which the Data Protection Act 2018 implements in the UK.

“GDPR mandates that users handling personal data must be trained on how to handle it appropriately to protect the privacy and confidentiality of that information,” argued Proofpoint’s EMEA cybersecurity strategist, Adenike Cosgrove.

“Companies rolling out cybersecurity awareness and training programs should ensure that employees are trained not just on potential technical threats, but are also educated on how to handle sensitive information, particularly Personally Identifiable Information (PII). By leveraging technical controls and making data privacy a business priority, organizations can reduce the likelihood of data exposure.”
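A technical control for the failure the article describes, as an added example and not the Home Office’s code: a bulk-notice builder that puts applicants in Bcc, a pre-send check that refuses any message exposing more than one address in To/Cc, and the Bcc-stripping serialization that smtplib.send_message performs before bytes leave the sender. The sender address and the 240 applicant addresses are constructed.

```python
"""Bulk-notification guard against the cc-instead-of-bcc mistake.

Added example; this is not the Home Office's code. It shows the weak form of
the message (every applicant in Cc, so each sees all the others) beside a
guarded form (applicants in Bcc only, Bcc removed from the bytes that go on the
wire), plus the check a sending tool should run before releasing any bulk
notice. The sender address and the applicant list are constructed.
"""
import copy
from email.message import EmailMessage
from typing import Callable, List, Sequence

SENDER = "eu-settlement-noreply@example.gov.uk"                       # constructed
APPLICANTS = [f"applicant{i:03d}@example.org" for i in range(240)]    # constructed; 240 as in the incident
MAX_VISIBLE = 1   # assumption: a notice to applicants may expose at most the sender's own address
SUBJECT = "EU Settlement Scheme: please resubmit your information"
BODY = "Please resubmit the information requested in your application."


def _addresses(msg: EmailMessage, *headers: str) -> List[str]:
    """addr-specs from the named headers (EmailMessage parses them into Address objects)."""
    out: List[str] = []
    for name in headers:
        for hdr in msg.get_all(name, []):
            out.extend(a.addr_spec for a in hdr.addresses)
    return out


def visible_recipients(msg: EmailMessage) -> List[str]:
    """What every recipient will see in the delivered copy: To and Cc."""
    return _addresses(msg, "To", "Cc")


def envelope_recipients(msg: EmailMessage) -> List[str]:
    """Who the MTA should actually deliver to: To, Cc and Bcc."""
    return _addresses(msg, "To", "Cc", "Bcc")


def exposure_problems(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> List[str]:
    """Reasons this message must not be sent as-is (an empty list means it is safe)."""
    problems: List[str] = []
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        problems.append(f"{len(seen)} recipient addresses would be visible to everyone (limit {max_visible})")
    return problems


def wire_bytes(msg: EmailMessage) -> bytes:
    """Serialize for transmission with Bcc removed, the way smtplib.send_message does it."""
    outgoing = copy.copy(msg)   # __delitem__ rebinds the header list, so the original is untouched
    del outgoing["Bcc"]
    return outgoing.as_bytes()


def cc_mistake_notice(recipients: Sequence[str]) -> EmailMessage:
    """The weak form: every applicant in Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def bulk_notice(recipients: Sequence[str]) -> EmailMessage:
    """The guarded form: applicants in Bcc only; the visible To is the sender's own address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def send_guarded(msg: EmailMessage, transport: Callable[[str, List[str], bytes], None]) -> bool:
    """Hand the message to the transport only if it leaks nothing; returns True if it was released."""
    if exposure_problems(msg):
        return False
    transport(msg["From"].addresses[0].addr_spec, envelope_recipients(msg), wire_bytes(msg))
    return True


if __name__ == "__main__":
    sent: List[List[str]] = []
    fake_transport = lambda sender, rcpts, data: sent.append(rcpts)
    print("cc version released:", send_guarded(cc_mistake_notice(APPLICANTS), fake_transport))
    print("bcc version released:", send_guarded(bulk_notice(APPLICANTS), fake_transport),
          "to", len(sent[0]), "envelope recipients")
```

The guard lives in the sending path rather than in the operator’s mail client, so the person composing the notice cannot bypass it by picking the wrong field; the same check can be applied to a one-message-per-recipient sender, where the visible recipient list is simply the single applicant.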

Categories: Cyber Risk News

#ISCWest2019: The Future of Stadium Security

Thu, 04/11/2019 - 18:05
#ISCWest2019: The Future of Stadium Security

Kicking off the second day of the ISC West 2019 conference in Las Vegas, keynote speaker Russ Butler, VP of security for the San Francisco 49ers and Levi’s Stadium, talked about the evolution of the ever-changing stadium security landscape in his talk, “Stadium Security: As It Was, Where It Is and Where It Is Going.”

Butler has been planning and executing notable events with the NFL for six years, including Super Bowl 50, but his career began with London's Metropolitan Police in the 1980s.

To give context to his role, Butler took a stroll down memory lane, citing three significant events at stadiums in Europe where accidents resulted in dozens of fatalities. During that same time, though, stadiums in the US remained a much more settled environment, Butler said.

“Clearly the NFL is the most valuable sports league in the US, but it is also a microcosm of American culture, which makes it vulnerable to the attention of nefarious actors,” Butler said.

Stadium security changed in the aftermath of September 11, 2001, which Butler described as the defining moment when everything changed. “The NFL was very quick to respond, to implement innovations and begin to consolidate and drive security change,” Butler said.

The federal government also reacted, Butler said, defining what qualified as anti-terrorism technology through the Best Practices for Stadium Security (BPSS), which was followed by the Department of Homeland Security’s SAFETY Act of 2002.

Levi's Stadium has a SAFETY Act designation, which was awarded in June 2016, though it was backdated to 2014. “It’s a very broad program but an indication of where security is going,” Butler said. “We will continue to innovate and collaborate with government and seek various security solutions to provide an environment in which the highest levels of safety can be delivered.”

Stadiums alone cannot ensure that level of safety, however, particularly when it comes to drones, because current legislation limits what they may do. “The legislative situation we have makes it incredibly challenging from a mitigation standpoint to do anything other than track and monitor,” Butler said. “It’s unfortunate that right now the legislative issues that exist mean that we simply don’t have active mitigation measures.”

Without the ability to differentiate between friend or foe, stadiums can do little to strengthen defenses against malicious actors in the sky. While most drones are hobby fliers, the ability to respond to drone threats is something the industry needs to address.

Categories: Cyber Risk News

#ISCWest2019: Challenges of AI in Physical Security

Thu, 04/11/2019 - 13:46
#ISCWest2019: Challenges of AI in Physical Security

As more enterprise technologies and security solutions tout the use of artificial intelligence (AI) and machine learning, panelists at the 2019 ISC West conference in Las Vegas asked where the physical security industry is in its overall acceptance, trust in and implementation of AI solutions.

Industry experts discussed what the near-term future of AI looks like in the security industry while recognizing almost unanimously that the promises of AI have not yet been met. All agreed, though, that AI will in future be very useful in physical security.

The four-person panel, led by Scott Dunn, senior director of business development, solutions and services at Axis Communications AB, addressed some misconceptions about AI and its application in video analytics.

“The way the algorithms and technology is deployed and leverages GPUs and accelerator technology is dramatically different than what it was,” said Ken Mills, general manager of IoT, surveillance and security at Dell EMC.

Included in the discussion were the results from an SIA MegaTrends survey, which asked approximately 1,000 security professionals about the ways in which they could benefit from using AI. More than half (51%) of respondents said that it would enhance the features, functions and performance of their products, while 36% believed AI would optimize internal business operations or free up workers to be more creative about automated tasks. In addition, 35% of respondents felt the use of AI would help them make better decisions.

As for the panelists, Jeff Hanagriff, public safety liaison/technology coordinator for the City of Houston, said that in its infancy AI could not keep up with the demands of public safety. “I’m dealing with decision-makers that used to send a firefighter to respond, but now they want to see in the command center, they want to see the camera to see what is going on, so it is helping them to make better decisions.”

AI has also benefited the New York Police Department (NYPD), according to Michael Joy, senior offering manager, IDEMIA National Security Solutions. There are lots of things that generate alerts, and AI helps to compile all of the data collected from the 18,000 cameras across the city. “No one can look at that; it’s not feasible to even try.”

Though when it comes to relying solely on AI to make decisions, Joy said, “we are not there yet.”

Categories: Cyber Risk News

#ISCWest2019: Biometrics Are Going Mainstream

Thu, 04/11/2019 - 13:40
#ISCWest2019: Biometrics Are Going Mainstream

As the physical security industry confronts the challenges of convergence, the use of biometrics will help to secure workstations, virtual desktops, turnstiles, front doors, mobile devices and more, according to a panel of industry experts at the 2019 ISC West conference in Las Vegas.

“They all need to be secured while keeping convenience and efficiency front and center,” said Peter O’Neill, president of FindBiometrics and Mobile ID World, divisions of Topickz Inc.

“To solve the united physical and information security puzzle – and it is a puzzle – we need strong, irrefutable identity technology. Key cards and tokens, passwords and USBs, they don’t cut it anymore. Not only do they present security vulnerabilities and administrative strain, keys are lost, stolen and shared."

It’s well known that compromised passwords have led to some of the largest data breaches on record, and with the prevalence of account takeover attacks (ATOs), weak and reused passwords continue to pose threats to physical and enterprise security.

“Face, finger, voice, iris, behavioral and other types of biometrics are versatile identity technologies that enhance security and privacy,” O’Neill said.

According to the panelists, passwords are increasingly ineffective, which has paved a path for biometrics to be used in enterprises and governments. According to panelist Robert Mungovan, vice president and general manager at Aware, Inc., “Biometrics is going mainstream, and it is going that way through mobile phones. The convergence of physical security and data security is going to happen through mobile phones.”

One question that often comes up when talking about biometrics, according to Rob Douglas, founder and CEO of BioConnect, is which biometric will win. “What we realized is that there is never going to be an answer to that question, but rather, how do you create a world where you can consume all of them? Where you can consume any type of biometric on any type of device, and plug it into a platform that your enterprise can consume.”

Categories: Cyber Risk News
