Info Security


Reports Reveal Russian Twitter Meddling in Brexit Vote

Wed, 11/15/2017 - 10:16

It appears as if Russia’s attempts to undermine the political stability of rival nations extended to the EU referendum last year, after two separate reports revealed Kremlin-backed Twitter accounts sought to sway opinion ahead of the Brexit vote.

Over 150,000 accounts based in Russia posted mainly pro-Brexit content in the run-up to the infamous June 23, 2016 vote, according to research from Swansea University and the University of California, Berkeley.

Most notably, they tweeted 45,000 times about Brexit in just a 48-hour period around the vote, according to The Times.

Interestingly, the rabidly pro-Putin accounts had apparently previously tweeted in support of Russian interests in the Crimea and similar, before switching their attention to the referendum.

The paper claims a “massive number of Russian-related tweets were created a few days before the voting day, reached its peak during the voting and the result and then dropped immediately afterwards.”

Co-author Tho Pham reportedly added that “the main conclusion is that bots were used on purpose and had influence.”

A similar report from the University of Edinburgh identified a smaller number of Twitter accounts operated by the infamous Russian propaganda arm the Internet Research Agency (IRA), which it claims attempted to sow discord in society and destabilize politics.

It spotted 419 accounts from the 2752 suspended by Twitter in the US for interfering in the presidential election last year.

Damian Collins, chairman of the House of Commons Culture, Media and Sport Select Committee — which is investigating fake news — called on Twitter to come clean about possible interference in the June 2016 vote.

“This is information they hold and I can’t see any reason they should be delaying supplying it,” he said, according to the Guardian.

The committee has already written to Facebook for information on any paid-for activity by Russia-linked accounts around the referendum and last general election.

The narrow 'leave' vote was a huge tactical win for Putin, weakening Europe and tying the UK up in wranglings over its departure for years.

Prime Minister, Theresa May, directly criticized the Putin administration in a speech on Monday for using fake news to try and destabilize rival democratic nations.

“It is seeking to weaponize information,” she said. “Deploying its state-run media organizations to plant fake stories and photo-shopped images in an attempt to sow discord in the West and undermine our institutions.”

Categories: Cyber Risk News

Ordinypt 'Ransomware' Destroys Data Instead of Encrypting It

Tue, 11/14/2017 - 20:52

A new malware called Ordinypt that targets German users is making the rounds—billing itself as ransomware. However, the code is really a wiper, with apparent twin motives of financial gain as well as disrupting business operations.

G Data security researcher Karsten Hahn found that the malware, which also goes by the name HSDFSDCrypt, is targeting German users for the moment, using emails and ransom notes that are written in flawless Deutsch. It’s being spread via responses to job ads—the emails purport to have a ZIP file with a resume and CV attached.

According to an analysis from Valthek, once opened, the malware infects a victim’s machine, making files inaccessible, and then requests 0.12 Bitcoin (around 600 EUR) for recovering them. Unbeknownst to the target, the files are actually destroyed, not encrypted, and the attackers have no code for “unlocking” them, even if victims pay up.

Interestingly, Valthek found that the malware deletes files, overwriting them with garbage strings of random letters and numbers. However, the affected files remain untouched on the raw hard disk, leaving open the possibility (“with luck”, he said) of recovering them using a program such as Recuva. It also doesn’t destroy Shadow Volume or Restore Point files on the system, he said, so a tool like Shadow Explorer could be useful in getting data back.

In both cases though, Valthek said it’s unlikely that victims will be able to recover their files in totality.

What’s also notable about the code is that while it’s effective, it’s poorly written. Valthek’s overall assessment of it is straightforward: “A stupid malware that destroy information of enterprises and innocent people and try steal money saying that is a ransomware. Bad coding style, a easy packer, only need one hour of my time to reverse it and writing this report.”

Categories: Cyber Risk News

Americans Mainly See Bitcoin as a Tool for Criminals

Tue, 11/14/2017 - 19:14

Despite a groundswell in the use of Bitcoin and the like around the world, cryptocurrencies have a bad rep in the States: More than 25% of Americans think they’re mainly used for illegal transactions.

According to Turnerlittle.com’s analysis of findings from YouGov, which surveyed 1,000 American adults, about a third (29%) of Americans believe cryptocurrencies such as Bitcoin and Ethereum are mostly used for making illegal transactions on the Dark Web.

Bitcoin, which has seen its value rocket from a mere $0.08 in 2010 to above $6,000 over the course of this year, has arguably been associated with numerous controversies. Most recently, statistics from anti-virus provider Kaspersky Lab showed that it had so far detected 1.65 million computers in 2017 infected by malware that installed mining software (the process by which a given cryptocurrency is generated to create new funds and accumulate a favorable profit) without the permission or knowledge of the users/owners.

Further, the report points out that cryptocurrencies have also been closely aligned with unscrupulous individuals and groups looking to avoid detection while engaging in criminal/illegal activities. This was highlighted by the large-scale WannaCry outbreak, where ransom payments were demanded in Bitcoin after thousands of computer systems across the world were locked down by the ransomware.

As a result, cryptocurrency’s positive aspects are getting lost in the shuffle. For instance, cryptocurrencies have the pioneering potential to act as a global payment system which everyone can access any time and place without being restricted by traditional barriers such as having a credit history or bank account. However, with respect to what Americans thought people used cryptocurrencies for, the majority seemed unsure or unaware, as 40% stated they “don’t know”.

“The emergence of cryptocurrencies has been nothing short of extraordinary,” said Nathan Kirkwood, a financial analyst with Turnerlittle.com. “With the current value of established cryptocurrencies surging and with many more emerging, they are certainly here to stay. What’s truly going to be interesting is how cryptocurrencies evolve as they become more and more prominent. Looking ahead, if they have greater transparency and do not become subject to aggressive regulations, they have the characteristics and desirability to be adopted by a wider array of stakeholders including well-known merchants and mass consumers.”

Yet, when asked if they would be interested in using a cryptocurrency instead of US dollars, an overwhelming 64% of Americans said they would not be interested in making the switch. In fact, only 35% of Americans think there will be a wider acceptance of cryptocurrencies in the next ten years, while half (51%) firmly believe cryptocurrencies in the next 10 years won’t replace traditional currency. About a fifth (18%) contrastingly felt the opposite, with the view that cryptocurrencies will put traditional currency into extinction. Meanwhile, 37% simply have no idea.

It’s worth pointing out that awareness is quite low, so with greater education these attitudes will likely change. The research intriguingly revealed that 66% of Americans have heard of Bitcoin but just 13% of them have used it. Ethereum, the next biggest cryptocurrency after Bitcoin, was far less known, with only 24% of Americans having heard of it. Out of those aware of Ethereum, 21% said they had used it before.

“The findings from this research are fascinating,” said James Turner, managing director of Turnerlittle.com. “I think what can be taken from this research is that Americans have not yet fully grasped the full functionality of cryptocurrencies as a digital entity. It’s through no fault of their own, cryptocurrencies are only in their infancy and as they advance in their development, people will certainly have a far greater understanding of not only the multiple ways in which they work and can be used but their likely role as an alternative monetary system.”

Categories: Cyber Risk News

Fear of Insider Threats Hits an All-Time High

Tue, 11/14/2017 - 18:53

The vast majority of companies and government agencies feel vulnerable to insider threats—a fear that turns out to be justified, given that about half have experienced an insider attack in the last 12 months.

That’s according to Crowd Research Partners’ latest Insider Threat Report, which shows that a full 90% of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).

Commissioned by Cybersecurity Insiders and based on an online survey of 472 cybersecurity professionals around the globe, the research also uncovered that 52% confirmed insider attacks against their organization in the previous 12 months (typically less than 5 attacks). About a quarter (27%) of organizations say insider attacks have become more frequent.

"Insider threats are often more damaging than attacks from malicious outsiders or malware,” said Holger Schulze, CEO and founder of Cybersecurity Insiders. “That’s because they are launched by trusted insiders—both malicious insiders and negligent insiders with privileged access to sensitive data and applications.”

Accordingly, organizations are shifting their focus on detection of insider threats (64%), followed by deterrence methods (58%) and analysis/post-breach forensics (49%). The use of user behavior monitoring is accelerating as well: A full 88% of organizations deploy some method of monitoring users, and 93% monitor access to sensitive data.

Among the respondents, the most popular technologies to deter insider threats are data loss prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy intrusion detection and prevention (IDS), log management and SIEM platforms.

Encouragingly, most organizations (86%) already have or are building an insider threat program. About 36% have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

Categories: Cyber Risk News

#ISSE17: Belgian Government Says Trust at Center of GDPR

Tue, 11/14/2017 - 13:32

The focus of GDPR on compliance and sanctions is not as crucial as trust, according to the Belgian Secretary of State for Social Fraud, Privacy and the North Sea.

Speaking at the ISSE 2017 conference in Brussels, just a few days after he became the member of the Federal Government of Belgium responsible for the implementation of GDPR, Philippe de Backer said that new products and services are coming online every day and people want to enjoy using them “and sometimes pay with their own personal data.” He said that privacy and security become more important in a digital economy, particularly if a company wants to instill trust in a user, and that trust between user and provider should be one of the most crucial elements over the next couple of years.

“The concept of privacy is also changing here, where it was previously seen as a fundamental human right, it is also enshrined in the UN Declaration of Human Rights but also in the European Charter. Privacy is one of the main fundamental human rights,” de Backer added.

“But the cost of privacy has also enlarged and evolved into data protection, and it also has to deal with security of personal data against the improper use of data by third parties.”

De Backer acknowledged the challenge for businesses in keeping data secure whilst also wanting to work with third parties; that was the new balance and the reason for the EU to go ahead with GDPR “to try and create this level playing field and standard of rules across the different member states and the same rights for data subjects, and the same sanction mechanism”.

He said that this was one of the missing pieces from the past, and the essential parts of the GDPR are: the protection of individual rights and enabling the free movement of data. He argued that often the focus is on compliance, sanctions and the new rules, but trust will also be crucial.

As part of the government’s efforts to be GDPR compliant, new frameworks and data protection laws were being put in place.

“For me the GDPR is a business opportunity, we have a lot of data centers and international activity here in Belgium and the data protection authority really puts some clarity and guidelines on how they see the implementation of GDPR and what the standards are that they want companies and public sectors to live up to,” he said.

“So for me it is a business opportunity to manage, know and secure your own data, but also to install your own trust so it is a process every company should go through as we are trying to create a level playing field between the private and the public sectors.” 

Categories: Cyber Risk News

Governments Undermined Elections in 18 Countries Last Year

Tue, 11/14/2017 - 11:51

The US election was not a one-off: governments around the world sought to influence elections via misinformation on social media in at least 18 countries over the past year, according to the latest report from Freedom House.

The non-profit’s annual Freedom on the Net report makes for grim reading for those who fear the democratic process is being undermined by manipulation of sentiment on social platforms.

“The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Freedom House president, Michael Abramowitz. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

In some cases, as with Russia, nation states are actively undermining the democratic process in rival countries, making it difficult for voters to choose their leaders based on factual news and authentic debate.

However, in most cases it’s done internally to preserve the status quo of an authoritarian regime.

Such tactics are also being used more generally by governments to inflate their own popularity, with paid commentators, trolls, bots, fake news sites and propaganda outlets all common tactics, according to the report.

Freedom House claims governments in 30 countries are using these tactics, up from 23 the previous year.

“Governments are now using social media to suppress dissent and advance an antidemocratic agenda,” said Sanja Kelly, director of the Freedom on the Net project. “Not only is this manipulation difficult to detect, it is more difficult to combat than other types of censorship, such as website blocking, because it’s dispersed and because of the sheer number of people and bots deployed to do it.”

The report picks out the Philippines, where the current administration has hired an army of posters to amplify support for Duterte’s bloody crackdown on drug dealers; and Turkey, where 6000 netizens have apparently been recruited to do the government’s bidding online.

Some countries, like Ukraine, have even been forced to block some services after they were infiltrated by Kremlin agents.

“The solution to manipulation and disinformation lies not in censoring websites but in teaching citizens how to detect fake news and commentary,” Kelly warned. “Democracies should ensure that the source of political advertising online is at least as transparent online as it is offline.”

China was the worst abuser of online freedoms of the 65 countries appraised globally, with Estonia and Iceland at the other end. Most countries saw a decline in their internet freedom score, including the US and UK, which currently sit in sixth and ninth place.

Categories: Cyber Risk News

Fasten Database Error Exposed One Million Customers

Tue, 11/14/2017 - 11:00

A popular US ride-hailing service has become the latest firm to publicly expose customer details after researchers found data on an estimated one million users of the service and thousands of drivers.

The privacy snafu came as a result of a misconfigured Apache Hive database at Uber-like company Fasten, which had been left open for end-user access, according to the Kromtech Security Center’s Bob Diachenko.

The exposed data apparently included names, email addresses, phone numbers, links to photos, IMEI numbers, car registration and license plate details, as well as notes on drivers.

Fasten appears to have reacted quickly to the incident, taking the database offline shortly after being informed.

Head of corporate comms, Jennifer Borgan, explained that the database in question was created on October 11 but the sensitive data was uploaded by a developer several days later.

“We can confirm it was exposed for a total period of 48 hours prior to deletion,” she told Kromtech.

"We have already taken steps to update our security protocols to ensure this does not happen again. In this instance, old production data was uploaded to the test cluster by mistake. Going forward, these processes will be managed only by security engineers with specific expertise in this area."

Fasten operates in two US cities — Austin and Boston — and apparently claims that 50% of Boston’s ride-sharing drivers and 90% of those in Austin use its service.

It follows a series of previous revelations from Kromtech and others about misconfigured cloud databases.

It’s believed that as many as four million Time Warner customers had their details exposed in this way, after a discovery by Kromtech back in September.

However, that pales in comparison to Tarte Cosmetics, where a misconfigured database exposed the details to ransom specialist group CRU3LTY.

Categories: Cyber Risk News

#ISSE17: SWIFT Says Customer Security Guidance is Slowly Winning Favor

Tue, 11/14/2017 - 10:45

SWIFT has admitted that its guidance for customer security was not met with unanimous praise, after it launched the guidance following major attacks in 2016.

Speaking on the development of the customer security program (CSP) at ISSE 2017 in Brussels, SWIFT lead customer engineer Olivier Dazard said that before the attack on SWIFT and the Bank of Bangladesh, SWIFT did not consider customer security to be its problem: it traditionally focused on its own data systems and, whilst it would provide some security guidance, it offered nothing beyond that.

“That was not sustainable, not with this incident and there were others afterwards - but we have no evidence that SWIFT was compromised,” he said. This led to the CSP, which provides customers with secure tools and a list of 27 security controls that relate to existing industry standards such as PCI DSS or ISO standards.

SWIFT also wanted to provide a place where customers could compare instances. Dazard added that the 27 controls are defined into three top objectives: secure your environment, know and limit access, and detect and respond.

The three objectives in turn determine the eight points of the SWIFT customer security controls framework:

Dazard said that 11 of the 27 controls are “strongly recommended to be implemented across the board.” However, when the document was published, customers were unhappy with the guidance, saying “who are you to tell us what to do, you’re too prescriptive”. This caused SWIFT to step back and make sure that the objective of each control was clear, so that customers understand why it is recommended.

As a result, it proposed implementation guidance, since some 'less mature' customers wanted to be told what to do. SWIFT asked customers either to meet each control with an alternative implementation of their own that still addresses the control objective or the underlying risk, or simply to use the implementation guidelines it produced.

SWIFT also added a ‘know your customer’ tool that will be mandated to all customers by the end of 2017 and as of December 2018, customers will be asked to comply with all mandatory controls using either implementation guidelines, or an alternative.

“I can see by the questions that we receive that we are slowly but surely getting there,” he concluded.

Categories: Cyber Risk News

One-Fifth of Healthcare Organizations Still Run XP

Tue, 11/14/2017 - 10:00

A quarter of healthcare IT professionals in the US and UK aren’t confident in their organization’s ability to deal with cyber-threats, despite the vast majority (85%) having increased spending over the past year, according to Infoblox.

The security vendor polled over 300 professionals working at healthcare organizations (HCOs) on both sides of the pond, to compile its latest report, Cybersecurity in healthcare: the diagnosis.

It revealed that despite a large increase in spending overall, many HCOs are struggling to cope with the volume and sophistication of modern online threats.

It doesn’t help that a fifth still have Windows XP machines running on their network, while 18% have connected medical devices running on the legacy OS.

Over a quarter (26%) said they either can’t or don’t know if they can update such systems, which is worrying considering the explosion in endpoints of late: nearly half (47%) of HCO pros surveyed manage over 5000 networked devices.

Even more concerning, a quarter said they would pay the ransom if hit by a disruptive cyber-attack, while 85% claimed to have a ‘plan’ in place if such a situation occurred.

It’s not clear exactly what these plans are, but the NHS for one was floored by the WannaCry attacks in May.

A recent National Audit Office (NAO) report revealed that over a third (34%) of Trusts and nearly 600 GP practices were affected, with an estimated 19,000 operations and appointments cancelled.

Rob Bolton, Infoblox general manager for Western Europe, argued that HCO IT professionals need to better understand what’s running on their network, keep machines updated with the latest patches, and develop the capabilities to identify malicious behavior.

“Undoubtedly, this activity won’t all be seamless, but controlled chaos is ultimately better than the significant disruption of services or the loss of sensitive data that cyber-attacks can cause,” he told Infosecurity Magazine.

“Companies also need to ensure they’re spending their cybersecurity budget strategically — firewalls, IDS, and anti-virus alone can’t defend against the plethora of increasingly sophisticated attack vectors. In addition to technologies, organizations should not neglect end-user training and awareness. Cyber-defenses that protect against these evolving threats, such as thorough DNS security and threat intelligence, will prove crucial.”

Categories: Cyber Risk News

Muslim Hacktivists Declare All-Out Cyber-War on ISIS

Mon, 11/13/2017 - 22:45

A group of conscientious Muslim hackers is planning all-out cyber-war on ISIS.

The hacktivist group known as Di5s3nSi0N said that it will attempt to “wipe them off the internet” on November 17, which is Friday, by attacking all ISIS-related websites and servers in an offensive that it’s calling #SilenceTheSwords.

Di5s3nSi0N has already exposed an ISIS mailing list after carrying out cyberattacks against ISIS’s Amaq news agency’s website. The list has 2,000 email subscribers listed, and is no doubt of great interest to Western intelligence agencies.

The group tweeted: “Challenge complete—too easy! 2000 email subscribers hacked from Amaq... What is next?? #silencetheswords #AMAQ #opisis #IslamicState #Hacked.”

This isn’t the first time the jihadist terrorist group has been targeted with data exfiltration attempts. Last year, a USB stick containing information on 22,000 ISIS recruits, including names, addresses, telephone numbers, places of birth and sponsors into the organization, was sent to Sky News.

For its part, Di5s3nSi0N identifies as Sunni Muslim—a denomination of Islam that has often clashed with Shi’ite Muslims, including literally in Iraq and metaphorically with nations such as Iran. It refers to itself as “the steadfast youth of Ahlus Sunnah wal Jamaah.” ISIS also claims to be Sunni—a statement that angers many mainstream Sunnis (and Muslims at large).

“Daesh stained our streets and fields red from our martyrs,” the group tweeted last week. “The tears of the ummah will wash them clean. And we wash them from their internet hiding places! Our vengeance will be on 17.11.17.”

And: “Allah send the khawarij your punishment by our hands. As the arms of our brothers have made dust of you, we make history from your pixels haha.”

It also tweeted: "As your failed evil Khalifate gets wiped off the map we will wipe you off the internet. Watch this space!!!"

ISIS has made extensive use of the internet and social media as a recruitment avenue, as well as a tool for spreading propaganda and various messages of hate.

Categories: Cyber Risk News

'Highly Secure' Cloud Tool, Huddle, Exposes Private KPMG, BBC Files

Mon, 11/13/2017 - 21:53

The BBC has uncovered a security flaw in the Huddle office collaboration tool that exposed KPMG and BBC files to unauthorized users.

Huddle, a cloud-based tool (in use at the UK Home Office, Cabinet Office, Revenue & Customs and several branches of the NHS, the BBC reported), bills itself “the global leader in secure content collaboration”. It has fixed the flaw, it said.

The issue was found when a BBC journalist signed in to Huddle to access a shared calendar for his team. But instead of accessing the calendar, he was redirected to a KPMG account that was not his own, where he was presented with full access to private financial documents, including invoices.

When contacted about the problem, Huddle explained that during the sign-in process the customer's device requests an authorization code. If two people try to sign in to the same back-end server in the cloud (which Huddle uses to host multiple organizations) within 20 milliseconds of one another, both are issued the same authorization code, and both are signed in to the account of whichever of the two received the code first, even if that account belongs to a completely different company.
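The race described above, as an added illustration that is not Huddle's code (Huddle has not published its internals): a hypothetical issuer that derives the authorization code from a 20 ms clock window reproduces the collision, alongside a fixed issuer that hands out a random, single-use code bound to the session that requested it. All names and the time-bucket construction are assumptions made for the demonstration.

```python
"""Added example: authorization-code collision under a 20 ms race, and its fix.

The WeakIssuer is an ASSUMED construction that reproduces the symptom the
article describes (two sign-ins within 20 ms get one code); it is not a
description of how Huddle actually generated codes.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class WeakIssuer:
    """Assumed flawed design: the code is a function of a 20 ms clock bucket."""
    issued: Dict[str, str] = field(default_factory=dict)  # code -> first owner

    def issue(self, user: str, now_ms: int) -> str:
        code = f"code-{now_ms // 20}"           # same bucket -> same code
        self.issued.setdefault(code, user)       # first sign-in "owns" the code
        return code

    def redeem(self, code: str) -> Optional[str]:
        # Whoever redeems the code lands in the account recorded first.
        return self.issued.get(code)


@dataclass
class SafeIssuer:
    """Fix: unpredictable code, bound to the requesting session, single use."""
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def issue(self, user: str, session_id: str) -> str:
        code = secrets.token_urlsafe(32)         # 256 random bits, no clock input
        self.pending[code] = (user, session_id)  # remember who asked for it
        return code

    def redeem(self, code: str, session_id: str) -> Optional[str]:
        entry = self.pending.get(code)
        if entry is None:
            return None                          # unknown or already used
        user, bound_session = entry
        if not secrets.compare_digest(bound_session, session_id):
            return None                          # a different session may not use it
        del self.pending[code]                   # single use: replay fails
        return user


def simulate_weak(t0_ms: int, t1_ms: int) -> Tuple[Optional[str], Optional[str]]:
    """Two sign-ins at the given times; returns the account each one lands in."""
    issuer = WeakIssuer()
    bbc_code = issuer.issue("bbc-user", t0_ms)
    kpmg_code = issuer.issue("kpmg-user", t1_ms)
    return issuer.redeem(bbc_code), issuer.redeem(kpmg_code)


def simulate_safe() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Returns (cross-session attempt, bbc result, kpmg result, replay attempt)."""
    issuer = SafeIssuer()
    bbc_code = issuer.issue("bbc-user", "sess-bbc")
    kpmg_code = issuer.issue("kpmg-user", "sess-kpmg")
    wrong = issuer.redeem(kpmg_code, "sess-bbc")   # other session: rejected
    bbc = issuer.redeem(bbc_code, "sess-bbc")
    kpmg = issuer.redeem(kpmg_code, "sess-kpmg")
    replay = issuer.redeem(bbc_code, "sess-bbc")   # second use: rejected
    return wrong, bbc, kpmg, replay


if __name__ == "__main__":
    print("weak, 5 ms apart:", simulate_weak(1000, 1005))   # both -> bbc-user
    print("weak, 40 ms apart:", simulate_weak(1000, 1040))  # distinct accounts
    print("safe:", simulate_safe())
```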

In a statement, Huddle said the bug had affected "six individual user sessions between March and November this year. With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare.”

That said, Huddle also told the BBC that the same flaw had led to a third party accessing one of the BBC's Huddle accounts, for the BBC Children's program Hetty Feather, but it said no documents had been opened.

"We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated," the company told the BBC. "We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologize to them unreservedly."

Bill Evans, senior director at One Identity, said that the situation gives pause on a few levels.

“It was a bug…a security flaw…from a company that bills itself as a security-minded company, stewards of sensitive and confidential information,” he said, after acknowledging its rarity. “Second, there’s KPMG. The employees of that company were likely simply trying to be more productive. In doing so, they may have posted confidential information to a cloud-based service provider. I wonder if the use of that system was sanctioned by KPMG’s IT or infosec departments, or perhaps this was another example of shadow IT, where the line-of-business people took it upon themselves to find a SaaS solution to a productivity problem.”

He added, “It would be interesting to understand what type of data was on the Huddle site. Was it European citizen data? Would its existence violate the upcoming GDPR regulation? Could KPMG erase specific data elements if a citizen wanted to invoke his/her right to be forgotten? Perhaps we’ll never know.”

Categories: Cyber Risk News

$150 Mask Fools iPhone X Facial Recognition

Mon, 11/13/2017 - 21:50

Researchers at Vietnamese security firm Bkav say they have broken the iPhone X Face ID facial recognition security feature, just a week after launch, with a mask they built for $150.

The mask was custom-made using 2D and 3D printers, with a silicone nose made by hand. It also used "special processing on the cheeks and around the face, where there are large skin areas," the firm said.

Face ID uses artificial intelligence to distinguish real faces from images, videos or masks, but it “learns” a face over time. Each capture hones the AI’s ability to distinguish the owner from an imposter. In a Q&A, Bkav said that it understands “how AI of Face ID works and how to bypass it,” but hasn’t given specifics of how exactly it did it—nor whether the iPhone X was “imprinted” with the mask from the beginning.

It only acknowledged that when Face ID was set up on the fooled device, “it learns from human face, just like normal.”

Other researchers and Apple itself have tried—and failed—to fool Face ID using a mask. “[Apple engineering teams] have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID,” said Apple senior vice president Phil Schiller, at the iPhone X launch event. “These are actual masks used by the engineering team to train the neural network to protect against them in Face ID. It's incredible!"

Bkav has declined to explain why its efforts succeeded where others’ did not—thus, it’s unclear how the firm did it, or how momentous the “hack” really is.

Paul Norris, senior systems engineer for EMEA at Tripwire, pointed out via email that Bkav also hasn’t said how much tweaking was necessary before it got the mask to work; if the attempt was not immediately successful, it makes the chances of a successful attack very low indeed. That’s because to use Face ID, there must be a passcode set up on the phone, which is required as additional security validation when the device has just been turned on or restarted; after five unsuccessful Face ID attempts; or if the device hasn’t been unlocked for more than 48 hours.

“Apple will disable the Face ID after five attempts, and force the user to enter a passcode, which should be secure,” Norris said. “In order to compromise Face ID authentication, the attacker would have to have a detailed map of the face of the user, create a mask that would map the exact details of the victim’s face, unlock the phone within five attempts, and do all of this within 48 hours. This seems like an unlikely sequence of events.”

And, of course, the phone itself would need to be physically stolen in the first place.

“It’s important to note that the attacks being talked about are individual bespoke attacks that must be built and executed against each victim separately,” said Terry Ray, CTO of Imperva, via email. “This is in addition to stealing the individual’s phone and getting access to it before the owner can remotely wipe the device. Is your data so valuable that someone would go to this effort? For the vast majority of us, the answer is definitely no. However, for those few who feel they may be at threat, such a Mission Impossible-style attack might be possible.”

Bkav did say that attacks would likely be executed on high-profile targets: “FBI, CIA, country leaders, leaders of major corporations, etc. are the ones that need to know about the issue, because their devices are worth illegal unlock attempts,” it said. “Exploitation is difficult for normal users, but simple for professional ones.”

Yet, “Apple’s facial recognition was never intended to be a security measure for strong authentication,” said Josh Mayfield, director of product marketing at FireMon. “The hype around the automated log-in from staring at one’s phone was meant to give the user ease, rather than hardened security to prevent unauthorized access. The trouble with facial recognition is that too many humans have defining characteristics that cannot be dissected by a machine—we look too similar. The reason CAPTCHA is so effective is that there are subtleties that only a human eye can assess and accurately confirm.”

He added, “Strong authentication cannot be faked, gamed, or manipulated. Apple’s facial recognition begins with the opening assumption that the user gazing at the screen is likely to be the correct user. From there, the recognition system only seeks to confirm its assumption…never to seek to prove its assumption wrong.”

In other words, high-profile users at risk for such targeted attacks would likely not be using Face ID in the first place.

“Each person must decide which is the highest priority for them, convenience or security, and weigh the importance of each against the technology they choose to secure their personal data,” Imperva’s Ray said. “If convenience is more important, Face ID may be your choice. On the inverse, if security is your priority, until more is tested against Face ID, I’d suggest using only a passcode, all the time.”

Categories: Cyber Risk News

WikiLeaks Releases Source Code for Vault7 Tools

Mon, 11/13/2017 - 11:46

WikiLeaks began the first in a series of Vault8 releases late last week, including source code related to stolen CIA hacking tools.

The whistleblowing organization has spent the past few months drip feeding information detailing the extent and sophistication of the agency’s offensive cyberspace efforts.

Now it’s going a stage further with more information — although a brief statement claimed none of the data could actually help the cybercrime underground:

“This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.

“Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.”

Some security experts on Twitter agreed — at least based on the information that has been released thus far.

It includes source code for “Hive”, an alleged malware communications tool.

Also unveiled as part of this missive were details of an increasingly common tactic used by cyber-criminals: creating fake certificates to hide malware from security filters.

In this instance, it was revealed that the CIA had created a fake cert to appear as if it was issued by Kaspersky Lab and signed by Thawte.

WikiLeaks explained:

“In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.”

Rick McElroy, senior security strategist at Carbon Black, argued that the CIA’s creation of fake Kaspersky Lab certs “muddies the waters when it comes to the question of is Kaspersky really part of Russian intelligence.”

“They [the CIA] have shown repeatedly that they can make their operations look like other teams (Russia, China etc) which makes attribution of cyber-attacks difficult and in and of itself makes conspiracy theories run rampant,” he added.

McElroy added that the carelessness of US intelligence agencies could lead to a barrage of WannaCry-type attacks in 2018.

“From a global perspective, even countries who had inadequate offensive capabilities are now able to get up and running faster. It also helps all the nations understand how we do our operations which makes them better able to defend. It also ‘justifies’ countries like Russia doing it. After all, if the US is the leader, how can we expect others to not do it?” he argued.

“If you think the 2016 election cycle was bad, wait, because it won’t just be Russia in 2020.”

Categories: Cyber Risk News

IT Pros Expect the Worst, Claim to be ‘Prepared’ for Attack

Mon, 11/13/2017 - 11:34

A new survey from Varonis has revealed that almost half of IT pros expect their organization to suffer a major, disruptive attack in the next 12 months – though the vast majority are confident in their cybersecurity stance and believe their company is in a good defensive position.

The firm quizzed 500 IT decision makers in the UK, Germany, France and US to gauge security practices and expectations following the widely-publicized Equifax and WannaCry breaches earlier this year. 

Whilst, on the surface, the findings make for positive reading with regards to how well companies have reacted in the wake of both attacks, Varonis is quick to point out some glaring disconnects between security expectations and reality. 

For example, whilst 85% of respondents said their business had either changed or planned to change security policies and procedures in response to incidents such as WannaCry, in actuality four in 10 organizations are still failing to fully restrict access to sensitive information on a need-to-know basis.

“It is encouraging that IT professionals are understanding that it’s a matter of when, not if, their organization will be hit with a damaging cyber-attack,” said John Carlin, former assistant attorney general for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice. “However, their level of confidence when it comes to security is inconsistent with what we see in practice. The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”

Looking ahead to 2018, data theft and data loss were cited as top concerns for organizations, unsurprising considering that 25% of respondents said their company had suffered ransomware with 26% reporting the loss or theft of company data in the past two years.

“Attackers are upping their game, using more sophisticated, blended attacks like WannaCry and NotPetya that make use of multiple attack vectors,” said Varonis CMO David Gibson. “At the same time, valuable data remains vulnerable to attacks that require little to no sophistication, like disgruntled employees snooping through overly accessible folders. While it’s heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely the actual security of these organizations aligns with perception.”

Categories: Cyber Risk News

Equifax Profits Sink 27% Following Breach

Mon, 11/13/2017 - 11:02

Under-fire credit agency Equifax has seen profits tumble 27% year-on-year and costs spike by tens of millions during the previous quarter following a major data breach at the company revealed in September.

Third quarter profits stood at $96.3m, down over a quarter from the same period in 2016.

However, costs associated with the massive data breach earlier in the year reached $87.5m: $55.5m in “product cost”, $17.1m in professional fees and $14.9m in consumer support.

It clarified in a statement:

“Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred.”

The bad news is not over for Equifax. The firm claimed to have incurred $4.7m in costs as a result of offering free credit file monitoring and identity theft protection to all US consumers. However, this will soon rise to between $56m and $110m, the firm claimed.

Despite the major disruption to its business, Q3 revenues went up 4% to reach $834.8m, although this was below its previous forecast of 6%-7% growth.

Equifax claimed Q4 revenue would also be down by 3%-4% thanks to the breach and subsequent costs.

The stats will be yet another reminder of the high price organizations must pay for cybersecurity failings that lead to serious data breaches.

Equifax has been widely criticized for its incident response following the breach, and the firm has also admitted a failure to patch a known web app vulnerability in its US online dispute portal.

The software flaw in Apache Struts was identified and disclosed by US CERT in early March 2017, and Equifax claimed it “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure”.

However, the bug apparently remained unpatched until it was spotted again after the firm investigated “suspicious network traffic” in July.

Categories: Cyber Risk News

Malwarebytes Wins Legal Tussle Against Alleged PUP-Maker

Mon, 11/13/2017 - 09:56

Malwarebytes is celebrating victory after a US judge ruled in its favor in a legal battle with a software company over potentially unwanted programs (PUPs).

District Judge Edward Davila dismissed Enigma Software Group’s case late last week after the firm had sued Malwarebytes for classifying two of its products as PUPs.

PUPs are often downloaded willingly by users but only because they’re linked to applications they genuinely want. PUPs often feature spyware and adware-type programs.

Enigma alleged “false advertising in violation of the Lanham Act, tortious interference with contractual relations and tortious interference with business relations” after Malwarebytes blocked its SpyHunter and RegHunter tools.

However, the anti-malware vendor secured the legal victory after arguing that its actions are protected by the immunity provisions of the Communications Decency Act based on the Ninth Circuit’s opinion in “Zango, Inc. v. Kaspersky”.

That case saw Kaspersky Lab accused of a similar infraction by adware firm Zango — a case the Russian AV vendor won.

“The reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users,” said Malwarebytes co-founder Marcin Kleczynski in a statement. “This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.”

SpyHunter is listed as an anti-spyware program for Windows PCs; however, users online complain of not being able to remove it once it is installed on their computers.

This isn’t the first lawsuit Enigma has been involved in. It sued tech site Bleeping Computer in 2016 after the site posted a negative review. Bleeping Computer sued back, and eventually the two parties settled out of court.

It’s believed Enigma will appeal the California court’s decision in the Malwarebytes case.

Categories: Cyber Risk News

Google Research Finds Stolen Credentials For Sale

Fri, 11/10/2017 - 14:33

A study of dark web markets by Google has found millions of usernames and passwords that were stolen directly through attacks, and billions of usernames and passwords indirectly exposed in third-party data breaches.

The research, conducted between March 2016 and March 2017 in partnership with the University of California at Berkeley, involved creating an automated system to scan public websites and criminal forums for stolen credentials.

The researchers identified 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing and 3.3 billion credentials exposed by third-party breaches. Also, in the case of the third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password.

Also, as account reset often requires a third factor like a phone, 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.

Google said that the research has enabled it to apply security protections to prevent 67 million Google accounts from being abused.

Lisa Baergen, director at NuData Security, said: “This news affects every company, in every sector. Many people (including employees) continue to reuse usernames and passwords across many sites. Is it time for employer policies that prohibit the employee’s use of off-duty passwords for corporate email accounts, and likewise, the use of workplace emails as secondary verification for personal accounts? A leap from a user’s personal Gmail account into their workplace account sets up a scenario for new levels of successful Whale Phishing.

“The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques using data that can’t be mimicked, such as passive biometrics. Email contains so much strategic information – it’s time to equip that ubiquitous yet critical application with the security it deserves.”

Categories: Cyber Risk News

Europol Boss Warns of 4000 Ransomware Attacks Per Day

Fri, 11/10/2017 - 11:26

Europol boss Rob Wainwright has warned that ransomware attacks now number as many as 4000 per day, with cybercrime operations large and sophisticated enough to threaten critical infrastructure.

Speaking at the Web Summit conference in Lisbon, the director of the EU agency claimed the financial sector is particularly at risk from crime “conglomerations” with corporate structures, featuring specialized groups.

This has enabled a doubling or tripling of various threats on an almost annual basis, he claimed.

“What really concerns me is the sophistication of the capability, which is becoming good enough to really threaten parts of our critical infrastructure, certainly in the financial, banking sector,” Wainwright told Reuters.

“The real threat comes from a sort of exponential, remorseless increase in the scale and significance of cyber-criminal capability.”

The majority of cyber-criminals Europol faces are Russian speaking, he added.

“There is this sort of cyber-criminal underworld that’s a lot bigger and smarter and adept than most people think,” Wainwright said. “And, against it, we still have generally low cyber security standards.”

The biggest recent threat to critical infrastructure came from the WannaCry and NotPetya attacks of May and June, which used NSA exploits to spread worm-like around the world.

A recent National Audit Office (NAO) report revealed that over a third (34%) of NHS Trusts and nearly 600 GP practices were disrupted because of WannaCry — which could have been stopped with a simple Microsoft patch.

Trend Micro claimed in a recent Midyear Security Roundup that its filters blocked a staggering 82 million ransomware threats globally in the first six months of 2017.

Simon Rodway, consultant at security firm Entersekt, said the existence of criminal conglomerates has been known about in the industry for some time.

“This is one of the reasons why we believe innovation in terms of digital security solutions is crucial,” he added. “For financial institutions, implementing solutions that provide strong authentication and authorization measures can protect customers from cyber-attacks that are indeed becoming increasingly sophisticated."

Categories: Cyber Risk News
