Info Security


Imperva Breach Hits Cloud Customers

Wed, 08/28/2019 - 09:30

Security vendor Imperva has revealed an “incident” which exposed sensitive data on some of its customers including API keys and SSL certificates.

The California-headquartered firm, which provides application and data security to thousands of enterprise customers around the world, explained what had happened in a brief blog.

CEO Chris Hylen said that Imperva was notified about the incident around a week ago.

“On August 20 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” he added.

“Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys; customer-provided SSL certificates.”

As one would expect from a security vendor, Imperva has notified the relevant regulatory authorities and customers and is working with a forensic expert to find out what happened. It has also implemented forced password rotations and 90-day expirations in the Cloud WAF product.

Hylen also recommended affected customers change their user account passwords for Cloud WAF, enable Single Sign On and two-factor authentication, reset API keys and generate/upload a new SSL certificate.

Chris Morales, head of security analytics at Vectra, described the loss of SSL certs and API access as concerning, because “secure web gateways, firewalls, intrusion detection and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform deep packet inspection (DPI).

“As a security vendor, I know our own industry must practice the same vigilance we preach,” he added. “Even then, we must assume a breach can occur and be prepared to respond before information is stolen that can impact our clients.”

Categories: Cyber Risk News

US Government Flags 2020 Election Ransomware Threat

Wed, 08/28/2019 - 08:29

The US government is looking to bolster protection for voter registration databases ahead of the 2020 Presidential election, fearing state-sponsored ransomware attacks, according to reports.

An unnamed official told Reuters that dynamic lists of eligible voters are a “high risk” for attack as they’re one of the few pieces of election infrastructure regularly connected to the internet.

They were also probed by Russian hackers en masse in the years preceding the previous election.

A Senate report out last month claimed that Kremlin hackers had most likely infiltrated voting systems in all 50 states but that local state officials were not sufficiently pre-warned or given the resources needed to deal with sophisticated attacks.

It warned that if Russia’s preferred candidate fails to prevail in 2020, hackers could seek to de-legitimize the result.

Election officials are concerned that ransomware could be spread to lock down the vital lists which are used to check eligibility of voters. As these are regularly updated throughout the year, incomplete lists could disenfranchise potentially large numbers of voters, casting doubt on the result of the poll.

Ransomware-style malware has been attributed to Russia before: the NotPetya attack of June 2017 targeted Ukrainian government institutions. That strain was not really ransomware at all, however, but effectively a wiper, since victims had no way of getting their data back even if they paid.

“Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), told Reuters. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”

The news comes after months of successful ransomware attacks on US cities, including Baltimore, Atlanta, several in Florida and most recently 23 local government entities in Texas.


New Threat Group Targets Middle East

Tue, 08/27/2019 - 17:43

A new threat group has been observed targeting oil and gas companies in the Middle East.

Researchers from SecureWorks' Counter Threat Unit (CTU) believe the group, which they have dubbed LYCEUM, may have been active as early as April 2018. The focus of the group appears to be obtaining and expanding access within a targeted network. 

The threat group's activities have also been observed by researchers at Dragos, who named the group HEXANE. 

Domain registrations suggest that a campaign by the group in mid-2018 focused on South African targets, possibly in the telecommunications sector. In May 2019, a campaign was launched against oil and gas organizations in the Middle East. 

The group gains initial access to company user accounts by password spraying: rather than hammering one account with many guesses, it tries a short list of the most common passwords against a large number of accounts, only a few attempts each, which keeps it under typical lockout thresholds. Once an account has been compromised, the group uses it to send spear-phishing emails with malicious Excel attachments to other users within the company.
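The spraying pattern described above has a distinctive shape in authentication logs: one source fails against many accounts while touching each account only once or twice, the mirror image of classic brute force. The following detection logic is an added example written for this article, not code from SecureWorks or Dragos; it runs over a constructed sample log whose line format (`<timestamp> <OK|FAIL> user=<name> src=<ip>`), thresholds and addresses are all assumptions.

```python
"""Password-spray detection over authentication log lines.

Signature: within a time window one source fails against MANY accounts but
tries each account only a few times (to stay under lockout thresholds).
Classic brute force is the opposite: many tries against one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<client ip>"
SAMPLE_LOG = """\
2019-05-02T08:00:01 FAIL user=alice src=203.0.113.5
2019-05-02T08:00:03 FAIL user=bob src=203.0.113.5
2019-05-02T08:00:05 FAIL user=carol src=203.0.113.5
2019-05-02T08:00:07 FAIL user=dave src=203.0.113.5
2019-05-02T08:00:09 FAIL user=erin src=203.0.113.5
2019-05-02T08:00:11 FAIL user=frank src=203.0.113.5
2019-05-02T08:00:13 OK   user=grace src=203.0.113.5
2019-05-02T08:01:00 FAIL user=alice src=198.51.100.7
2019-05-02T08:01:01 FAIL user=alice src=198.51.100.7
2019-05-02T08:01:02 FAIL user=alice src=198.51.100.7
2019-05-02T08:01:03 FAIL user=alice src=198.51.100.7
2019-05-02T08:01:04 FAIL user=alice src=198.51.100.7
2019-05-02T09:30:00 FAIL user=heidi src=192.0.2.9
2019-05-02T09:30:40 OK   user=heidi src=192.0.2.9
"""


def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """One finding per spraying source: within `window`, at least `min_accounts`
    distinct accounts failed and no single account failed more than
    `max_per_account` times.  Successes from that source at or after the spray
    began are reported as accounts to review (possibly compromised)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = sorted((ts, user) for ts, res, user, _ in evs if res == "FAIL")
        best, start = None, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and (best is None or len(per_user) > len(best[2]))):
                best = (fails[start][0], fails[end][0], dict(per_user))
        if best:
            first, last, per_user = best
            compromised = sorted({user for ts, res, user, _ in evs
                                  if res == "OK" and ts >= first})
            findings.append({"src": src, "first": first, "last": last,
                             "accounts": sorted(per_user),
                             "compromised": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_spraying(SAMPLE_LOG):
        print(f"{f['src']}: sprayed {len(f['accounts'])} accounts "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}; "
              f"successes to review: {f['compromised'] or 'none'}")
```

Note what the second source in the sample does not trigger: five failures against a single account is brute force, not spraying, and belongs to a different rule. The success from the spraying source (`grace`) is the lead worth chasing first, since the article describes the compromised account being reused to send internal spear-phishing.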

When an unsuspecting user opens the Excel attachment and allows its macro to run, DanBot malware is deployed, which the attackers can use to execute arbitrary commands via cmd.exe and to upload and download files.

A common theme used by the new threat group to carry out its campaigns has been "security best practice," with one attachment containing "the 25 worst passwords of 2017."

Asked if the choice of theme signaled that the team behind LYCEUM has a strong sense of irony, Rafe Pilling, information security researcher at SecureWorks, said: "It certainly seems that way. Based on our experience I would assess that they are choosing a decoy document that is relevant to their target for that particular spear-phishing campaign."

Researchers have been unable to pinpoint where attacks from this new group originated, but its style did ring a bell.

Pilling said: "It was intriguing to discover a new group with a similar style to established Iranian threat groups but otherwise no distinguishing technical characteristics that allow it to be linked to previously documented activity."

What makes the new group unique is its use of the DanBot malware family and the associated DanDrop malicious macro for delivery.  

Pilling said: "DanBot appears relatively immature and under active development. However, the threat actor tradecraft seems a little more mature and suggests some prior experience. This mismatch is interesting. We’re considering the possibility that this is a new toolkit being used by a splinter of an existing threat group or a threat actor that has prior experience compromising large organizations."


One in Four Security Pros Would Steal Company Info to Bag Better Job

Tue, 08/27/2019 - 16:50

A workplace behavior survey by Gurucul has found that a quarter of IT security professionals would steal information from their company if doing so might help further their career.

The survey was conducted at Black Hat USA 2019 in the form of a questionnaire. When asked "Would you take company information to help you apply for a more senior role at a competitor?" 24% of the 476 respondents answered yes. 

Interestingly, the respondents who admitted that they would steal company information were happy to do so on the mere promise that it might help their career progression. Perhaps a higher number of respondents would have said yes if the proposed theft was guaranteed to give them a leg up on the career ladder. 

Despite one in four respondents apparently one step away from making off with company data, the department in their company that those surveyed considered to be most at risk from fraud was the finance department. 

The survey also asked respondents about their internet use and found that 44% of respondents spend at least an hour a day at work surfing the web for non-work-related activities. More than a quarter (28%) spend at least two hours a day visiting sites that aren’t related to their jobs.

Which sites are IT security professionals visiting on the sly while at work? Social media tops the list at 32%. More than 10% of respondents admitted to looking for a new job while at work, while 19% said they explored possible vacations.

Asked to consider external threats, 76% of respondents said they had tightened up third-party access to their systems in light of recent third-party breaches. The third-party vendors that respondents most expected to find in the library with the lead pipe along with a blushing Miss Scarlet were managed service providers (MSPs). 

The survey found 34% of respondents were most concerned about third-party access by MSPs, while 30% had a similarly bad feeling about developers. 

Commenting on how close an eye companies should keep on their employees, Saryu Nayyar, CEO of Gurucul, said: “Companies should draw the line at monitoring activity and access logs, not people. Identify threats with behavior-based security analytics. Don’t try to watch what every person is doing at all times to root out the malicious insiders. True threats will surface with the right technology, and users won’t feel like it’s 'Big Brother' if it’s analytics – just a bunch of numbers!"


UK Gov Launches £30m 5G Competition

Tue, 08/27/2019 - 15:27

The UK government has launched a nationwide funding competition for projects designed to bring 5G to the British countryside. 

The Rural Connected Communities competition will fund up to 10 different 5G research and development projects to run over the course of two years as part of the 5G Testbeds and Trials Programme. The competition is open to applications from groups from across the UK and is expected to attract consortia built from a mixture of academia and organizations in the public, private and third sectors. 

Judges are looking for projects that will trial innovative use cases and technical solutions to build the business case for investment in rural connectivity. Projects are expected to explore the capabilities of 5G to benefit rural communities and to demonstrate demand for 5G technologies from a variety of economic sectors and rural communities.

Winning projects will be brought to life using £30m of funding supplied by the Department for Culture, Media and Sport (DCMS). This hefty chunk of change will come from the £200m of investment allocated to the 5G Testbeds and Trials Programme from the National Productivity Investment Fund (NPIF).

Digital secretary Nicky Morgan said: “In modern Britain people expect to be connected wherever they are. And so, we’re committed to securing widespread mobile coverage and must make sure we have the right planning laws to give the UK the best infrastructure to stay ahead.”

Entrants have until midday on October 25, 2019, to submit their applications. Shortlisted applicants will be notified by November 14 and invited for an interview. Applicants whose projects are given the green light will hear the good news by the end of December 2019. As Christmas presents go, that certainly beats the vest your gran gave you last year. 

A free-to-attend competition briefing event is being held at The Carriageworks in Leeds on September 12, 2019. 

5G offers mobile speeds 10 to 20 times faster than previous generations, so its potential impact on rural areas, where signal is historically poor, is significant. It remains to be seen whether rural communities will welcome the installation of the taller mobile phone masts needed to support the new technology. 


#OSSummit: Linux Continues to Pay the Price for CPU Hardware Vulnerabilities

Tue, 08/27/2019 - 13:10

More than a year and a half ago, the world first learned of the Spectre and Meltdown attacks impacting Intel and other CPU vendors. The flood of somewhat related CPU hardware issues has continued since then as operating systems developers, including Linux kernel developers, have raced to keep pace with patching.

In a keynote at the Open Source Summit in San Diego, California on August 22, Greg Kroah-Hartman, who maintains the stable Linux kernel, outlined the many new CPU hardware security challenges that Linux developers have faced in the past year, that extend far beyond just the original Spectre and Meltdown issues.

Back in May 2019, researchers disclosed the MDS (Microarchitectural Data Sampling) set of vulnerabilities impacting Intel CPUs. The MDS vulnerabilities include multiple specific issues carrying names such as RIDL, Fallout and ZombieLoad. Kroah-Hartman explained that the MDS issues are yet another class of Spectre and Meltdown related vulnerability found in CPUs.

“All these issues exploit how processors see in the future, so in order to go faster, you have to guess what’s going to happen next,” he explained.

With the MDS vulnerabilities, Kroah-Hartman said that an attacker could potentially read what someone else already did with a CPU and also cross virtual machine boundaries.

“With cloud computing, you’re running untrusted things on different virtual machines and you don’t know who else is running on your machine,” he warned. “This can be a real issue. I can read data from somebody else and somebody else can read your data, and that’s not a good thing.”

More recently, on August 7, researchers disclosed the SWAPGS flaw impacting Intel CPUs. Kroah-Hartman explained that Intel has documented in its patents how speculative execution works. Researchers and academics reading the patents have been going through the specification and have been able to find flaws, which is how SWAPGS was discovered.

“So now you have all these professors out there reading patents, there’s going to be more,” Kroah-Hartman said about CPU vulnerabilities.

From a Linux perspective, Kroah-Hartman said that in order to mitigate the various CPU vulnerabilities the kernel has had to do more work, among other things flushing CPU-internal buffers on context switches so that stale data cannot be sampled by the next task. The additional controls put in place to mitigate the issues have also had a performance impact on Linux that varies by workload. Kroah-Hartman noted that the mitigations have led to a 15% performance impact for his own workloads, which include reading email and building new Linux kernels.

With the MDS and SWAPGS issues, he commented that Intel has generally been pretty good about alerting Linux distributions, in stark contrast to the original Spectre and Meltdown issues, where communication was less than ideal. With proper communication, Linux kernel developers are now able to get fixes for Intel CPU security issues into the kernel quickly, but it also means that users need to stay on top of patching.
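Staying on top of patching also means checking what a given host actually reports. The Linux kernel exposes one status file per issue under `/sys/devices/system/cpu/vulnerabilities/`, each holding a single line of the form `Not affected`, `Vulnerable[: detail]` or `Mitigation: detail`. The script below is an added example, not code from the keynote or the kernel project: it reads that directory when present, otherwise falls back to a constructed sample whose status strings are illustrative rather than captured from a real machine.

```python
"""Report which speculative-execution mitigations a Linux host has active.

Each file under /sys/devices/system/cpu/vulnerabilities/ holds one line:
"Not affected", "Vulnerable[: detail]" or "Mitigation: detail".
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of such a directory (illustrative, not from a real host).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
                  "STIBP: conditional, RSB filling",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "spec_store_bypass": "Not affected",
}


def classify(status):
    """Map one status line to not_affected / mitigated / vulnerable."""
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"        # "Vulnerable", "Vulnerable: ..." or anything unknown


def summarize(entries):
    return {name: classify(line) for name, line in sorted(entries.items())}


def unmitigated(entries):
    """Issues the kernel reports as still exploitable on this host."""
    return [n for n, c in summarize(entries).items() if c == "vulnerable"]


def smt_exposed(entries):
    """Issues whose status says a hyperthread sibling remains a leak path.
    For MDS and L1TF the kernel's own mitigation does not cover a co-scheduled
    sibling, so "Mitigation:" alone can still leave cross-tenant exposure."""
    return [n for n, line in sorted(entries.items()) if "SMT vulnerable" in line]


def read_sysfs(path=VULN_DIR):
    """Read the real directory; returns {} if it does not exist (e.g. non-Linux)."""
    entries = {}
    if os.path.isdir(path):
        for name in os.listdir(path):
            with open(os.path.join(path, name)) as fh:
                entries[name] = fh.read().strip()
    return entries


if __name__ == "__main__":
    entries = read_sysfs() or SAMPLE
    for name, line in sorted(entries.items()):
        print(f"{name:20} {classify(line):13} {line}")
    print("unmitigated :", unmitigated(entries) or "none")
    print("SMT exposure:", smt_exposed(entries) or "none")
```

The SMT column is the one that matters for the cloud scenario Kroah-Hartman describes: a host can report `Mitigation:` for MDS or L1TF and still expose a guest to its hyperthread sibling unless SMT is disabled or the scheduler keeps tenants apart.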

Kroah-Hartman said that, on average, there are 22 patches per day made to the stable Linux kernel branch, with all the patches being known bug fixes.

“The kernel community’s mantra is: a bug is a bug, is a bug,” he said. “We fix it, we push it out and we go.”

It's not always immediately clear whether a given bug fix is a security issue or not. He noted that there have been circumstances where it wasn't known until months after a patch was integrated into Linux that it was in fact a security issue. Going a step further, Kroah-Hartman said that users should not rely on whether an issue has a Common Vulnerabilities and Exposures (CVE) identifier or not. A CVE is commonly associated with known vulnerabilities, but that's not always a good indicator, according to Kroah-Hartman. He noted that only a small fraction of kernel vulnerabilities in fact get unique CVE identifiers.

“The goal of the kernel is to paper over the bugs in hardware and make it look like a unified system to users,” he said. “The problem is when the hardware has bugs that breaks the model of how we thought things worked and you can’t really fix it, and we have to do things to work around this problem.”


Apple Fixes Jailbreak Bug For the Second Time

Tue, 08/27/2019 - 11:00

Apple has released a new iOS security update designed to fix a jailbreak bug which it previously addressed and then accidentally rolled back.

The flaw itself, CVE-2019-8605, is a use-after-free vulnerability credited to Ned Williamson working on the Google Project Zero team.

The flaw, which could allow an attacker to execute arbitrary code with system privileges, was first reported to Apple by Williamson back in March. Some Apple users were apparently exploiting it to jailbreak their devices in order to run unsanctioned software on their kit.

Apple subsequently patched the bug with its 12.3 iOS version in May. However, earlier this month it unwittingly reintroduced the issue with version 12.4.

Security researcher Pwn20wnd released a free public jailbreak tool exploiting the issue.

Now the problem has been fixed for the second time thanks to the 12.4.1 update released by Apple on Monday. The Cupertino giant even thanked Pwn20wnd “for their assistance” in its update.

The patch doesn’t just mitigate the risk of users jailbreaking their iPhones and iPads. The vulnerability could also theoretically have been exploited by hackers to steal data from victims’ devices.   

Public jailbreaks are pretty rare, given that the community usually tries to keep any details secret so Apple doesn’t catch wind.

However, a Chinese security researcher in January released details of a remote jailbreak for iOS 12 on the iPhone X.

Alongside iOS 12.4.1, Apple released tvOS 12.4.1, watchOS 5.3.1 and macOS Mojave 10.14.6.


#OSSummit: Don’t Ignore GitHub Security Alerts

Tue, 08/27/2019 - 09:45

How can an organization know if an open source project it builds with third-party libraries has known vulnerabilities? If the organization hosts its code on GitHub, there is an integrated alerting system, but working with those alerts, particularly at scale, is less obvious than it might seem.

In a session at the Open Source Summit in San Diego, California on August 22, Gil Yehuda, senior director, open source and technology strategy at Verizon Media, outlined the security challenges and opportunities facing organizations that build open source projects on GitHub.

GitHub has become the de facto primary place to share code for many organizations engaged in open source, including Verizon Media. Yehuda explained that Verizon Media is a conglomerate, effectively made up of what had been Yahoo and AOL, and includes many different online media properties. Across all those properties, Verizon Media has started over 330 open source projects, ranging from Screwdriver, a continuous delivery tool, to Denali, a user interface design language for open source projects.

The Open Source Program Office (OSPO), which Yehuda leads, is an effort to provide a programmatic approach to how Verizon Media handles open source. It’s an effort that involves legal compliance issues as well as ongoing project maintenance, which is where security comes into play.

“When we publish code and put it on GitHub and that code has a dependency on something and that something has a vulnerability, should we care?” Yehuda asked the audience. “The license says there is only limited warranty.”

Yehuda added that just because code is on GitHub, it doesn’t necessarily mean that the code does anything useful. That said, he noted that Verizon Media wants to build its open source program and establish a positive reputation, so that if someone decides to use its code there is a certain confidence that the code isn’t garbage.

“We believe that OSPOs need to care about security in published code,” Yehuda emphasized.

With GitHub, getting notified of security vulnerabilities in project code is an integrated capability with the security alerts. The maintainer for a project will get an alert from GitHub whenever a code library is used that has known security vulnerabilities. Yehuda added that in many cases fixing the security issue is just a matter of upgrading to the latest version of a software library release.

However, the challenge Yehuda pointed out is not with individual projects but with managing many projects at scale. He noted that it’s great when a project maintainer gets an alert and is diligent about fixing the issue, but what happens if the individual maintainer simply ignores the alert and doesn't fix it?

To help solve that problem, Verizon Media started a project called GitHub Security Alerts Workflow, which aims to automate the reporting and alerting for security alerts at scale, integrated with the Jira issue tracking platform. Yehuda said that the basic idea is to enable enterprise workflows for the security alerts.

With the workflow model, Yehuda suggested that if, for example, there was a project that was not being actively updated for security issues, the project could be labelled as such to warn users of potential risks.

“Maybe we need to change the project status to archive, and then change the README on the project saying, this was once an awesome project, but our maintainers are not maintaining it now,” Yehuda argued. “If you want to be a maintainer and make it better let us know, but until such time that happens, buyer beware.”

The fact that an open source project can be identified by GitHub alerts as having a known vulnerability should not be seen as a weakness, but rather a strength, in Yehuda’s view. He noted that the real question isn’t whether open source is more or less secure than proprietary software.

“Open source has the potential to be more secure than closed source software because more people have access to the code, so you have more people who are able to fix it,” Yehuda said.


Over 50,000 UK SMEs Could Collapse Following Cyber-Attack

Tue, 08/27/2019 - 09:06

Tens of thousands of UK SMEs could collapse following a serious cyber-incident which impacts their ability to trade, according to new research from Gallagher.

The insurance and risk management giant polled 1,120 senior decision makers from UK firms with up to 250 employees, in order to better understand the cyber-threat.

It found that 1.4 million businesses were hit by major attacks last year, costing them a combined £8.8bn. Nearly a quarter (24%) of firms were affected by one of these “crisis” incidents — a 5% increase on the previous year.

Although the average cost of attacks to the affected business was around £6,400, 17% of responding SMEs said they were forced to spend £10,000 or more, while nearly one in 10 (9%) paid out in excess of £20,000.

However, the impact of an attack could be far more serious than being forced to pay a few thousand pounds in related costs.

A quarter of SMEs (23%) told Gallagher they’d survive for less than a month if a crisis meant they were unable to trade. The insurer estimated that 57,000 UK SMEs could be at risk of collapse this year if hit by such an attack.

Paul Bassett, managing director of crisis management at Gallagher, argued that the heavily service-oriented UK economy, where 99% of private sector firms are SMEs, is dangerously exposed to cyber-attacks and data breaches.

“Alongside regularly reviewing their crisis preparedness, response plans and forms of protection, such as insurance, it is critical UK SMEs also assess their ability to survive in the event of a major crisis incident when the risk of serious disruption and protracted recovery process is very real,” he added.

“The cost of a crisis is by no means the only consideration. Duration is key — especially with a quarter of UK SMEs admitting they could survive for less than a month if unable to trade following an incident. For companies with tight margins and limited working capital, even a relatively short-term denial of access to premises or systems paralysis could be a crippling, possibly fatal, blow.”

Alongside thoroughly tested incident response plans, small businesses need access to emergency funds, 24/7 crisis response consultants, post-incident counselling and business recovery advice, Bassett claimed.

The most common type of “crisis” experienced by UK SMEs last year was cyber-attack, data breach or cyber-extortion incident, accounting for 15% of all events.

A report from insurer Hiscox earlier this year revealed a sharp increase in reported cyber-attacks year-on-year among small firms (from 33% to 47%) and medium-sized businesses (36% to 63%) across Europe and the US.


Police Seize £1m From UK Hacker

Tue, 08/27/2019 - 08:41

A Kent man sentenced last year to a decade behind bars for cybercrime and drugs offenses has been forced to hand over nearly £1m in cryptocurrency.

Grant West, 27, of Ashcroft Caravan Park, Sheerness, did not contest the confiscation order, served at London’s Southwark Crown Court on Friday.

The digital currency, which has a value today of £922,978.14, will now be sold by the authorities and used to compensate the victims of West’s cybercrime exploits.

He’s said to have launched cyber-attacks on over 100 companies around the world, phishing their customers for financial data which he would then sell on the dark web, generating profits in cryptocurrency.

One of these firms was Just Eat: West apparently targeted 165,000 customers in a phishing campaign that lasted from July-December 2015, costing the firm an estimated £200,000.

In his quest for lucrative personal data belonging to customers, West is also said to have attacked the websites of 17 organizations including Sainsbury’s, Nectar, Groupon, Ladbrokes, Coral Betting, Uber and Argos.

West was finally arrested in dramatic style after officers tracked his girlfriend’s laptop IP address and boarded the train he was travelling on. That laptop apparently contained the financial details of 100,000 victims.

A search of his home revealed an SD card containing 78 million usernames and passwords as well as 63,000 credit and debit card details.

Known by the online moniker ‘Courvoisier,’ West also sold cannabis online and how-to guides for budding hackers.

“The [Metropolitan Police Service] MPS is committed to ensuring that individuals who are committing criminality on the Dark Web are identified, prosecuted and their criminal assets are seized,” said detective chief inspector Kirsty Goldsmith, head of the Met’s Cyber Crime Unit.

“I wish to thank our partners within the MPS and in both public and private industry who have all assisted with this investigation which was incredibly complex and lengthy. I am very proud of my team for bringing this offender to justice and ensuring we have secured this order.”


#OSSummit: Seven Properties of Highly Secure IoT

Tue, 08/27/2019 - 08:00

Connected devices, commonly referred to as the Internet of Things (IoT), potentially represent a large risk to the safety and security of the internet as a whole, if not properly secured.

That was the key message that David Tarditi, principal software engineer lead for Microsoft Azure Sphere, conveyed during a session at the Open Source Summit in San Diego, California on August 22. Tarditi’s message wasn’t all doom and gloom either, as he outlined seven key properties that manufacturers and users alike can rely on to help secure IoT devices.

While there are risks from IoT devices, Tarditi noted that lessons have been learned in recent years by Microsoft and others about how to improve security. Fundamentally, he said that all code has bugs and it’s also likely that any given device can and will be hacked eventually, but that doesn't mean that all IoT needs to be insecure.

“Security is foundational, you have to build it in from the beginning,” Tarditi said. “Trying to bolt security on as an afterthought isn’t going to work.”

In Microsoft’s experience, there are seven key properties of highly secure IoT devices, with the first item being having a hardware root of trust. Tarditi said that it’s a good idea to have hardware that can provide the ability to protect a device's identity.

“So in practice, what this means is that on your hardware you want unforgeable cryptographic keys that are generated and protected by the hardware,” he explained. “You also want the hardware to secure software booting.”

Tarditi added that secure boot involves some form of boot ROM that ensures the operating system loads as expected, without interference or potential malware. Once a user or vendor has ensured that the operating system loader is secure, it becomes possible to verify the integrity of everything else that loads on the system, since each verified stage can check the next before handing over control; that chain is what makes the hardware root of trust a foundation.

Defense in Depth is the second key attribute for securing IoT, which basically means that there is more than one security control or mechanism that is responsible for keeping a device secure. The third key attribute identified by Microsoft is having a small trusted computing base.

“It’s pretty simple, less code equals fewer bugs,” Tarditi said. “You want to reduce the attack surface and make it harder for attackers to get in.”

Having dynamic compartments was the fourth key attribute outlined by Tarditi. He noted that compartmentalizing software also helps to limit the reach and impact of any single security breach.

A primary weakness on many IoT devices is passwords. Tarditi said that it is often hard to get consumers to change the default password for IoT devices, and even when they do, passwords are easily stolen by attackers. That leads to the fifth key property, which is to use certificate-based authentication to mitigate and even remove the risk of passwords. Tarditi said that with a hardware root of trust, it's possible to know whether a device is in a good state when it boots. A trusted authority can be set up which communicates with the hardware root of trust to validate a given device and then issue a certificate to enable access to services.

The sixth key property of highly secure IoT devices is to have some form of integrated failure reporting. Tarditi said that failure reporting is all about having the ability to gather reports from devices to be able to detect potential flaws and attacks.

Finally, the seventh key property is something that Microsoft refers to as, renewable security.

“You need to be able to update the device to address security threats,” Tarditi said. “You need to have cloud infrastructure that allows you to update devices and you also need to have the technical ability to prevent a rollback attack.”

In a rollback attack, an attacker seeks to 'rollback' or revert a device update in order to exploit a known vulnerability. Overall, Tarditi emphasized that IoT security is only as good as the weakest link and it can often be challenging to get it right.
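The first property (a ROM-anchored chain where each stage is verified before it runs) and the seventh (an update path that refuses to go backwards) fit together in one mechanism. The model below is an added example written for this article, not Azure Sphere code or anything from Tarditi's talk. Two stand-ins are worth stating: the ROM here holds a device-unique symmetric key and checks an HMAC tag, because Python's standard library has no asymmetric signature primitive, whereas a production ROM holds the vendor's public key and verifies a signature over the same header fields; and the monotonic minimum-version counter lives in a Python attribute where real silicon would use OTP fuses or replay-protected storage. The stage roles, versions and key are all constructed.

```python
"""Verified boot chain with anti-rollback (model).

Each stage image = header(role, version, auth tag) + payload.  The root of
trust verifies role, tag and version of every stage in order and only then
advances its minimum-version counter, so a downgraded image is refused even
though it once carried a valid tag.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct(">4sI32s")     # role tag, version, 32-byte authentication tag


class BootError(Exception):
    pass


def _auth_tag(key, role, version, payload):
    # Tag binds role + version + payload hash, so none of them can be swapped.
    msg = role + struct.pack(">I", version) + hashlib.sha256(payload).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_stage(key, role, version, payload):
    """Vendor build step: wrap a stage payload in an authenticated header."""
    return HDR.pack(role, version, _auth_tag(key, role, version, payload)) + payload


class BootRom:
    """Hardware root of trust: the trust anchor (stand-in: symmetric key) and
    the anti-rollback counter (stand-in: attribute; real parts use fuses)."""

    def __init__(self, key, roles, min_version=0):
        self._key = key
        self.roles = roles                 # expected stage order, e.g. (b"LDR ", b"KRN ")
        self.min_version = min_version

    def verify_stage(self, image, expected_role):
        role, version, tag = HDR.unpack_from(image)
        payload = image[HDR.size:]
        if role != expected_role:
            raise BootError(f"expected {expected_role!r}, found {role!r}")
        if not hmac.compare_digest(tag, _auth_tag(self._key, role, version, payload)):
            raise BootError(f"{role!r}: authentication failed")
        if version < self.min_version:
            raise BootError(f"{role!r}: version {version} < minimum "
                            f"{self.min_version} (rollback)")
        return version, payload

    def boot(self, images):
        """Verify the whole chain in order; the counter advances only after every
        stage passed, so a chain that fails half way leaves the fuses untouched."""
        if len(images) != len(self.roles):
            raise BootError("chain length mismatch")
        booted, highest = [], self.min_version
        for image, role in zip(images, self.roles):
            version, _payload = self.verify_stage(image, role)
            highest = max(highest, version)
            booted.append((role, version))
        self.min_version = highest
        return booted


def demo():
    """Boot v1, update to v2, then show the three things the ROM must refuse."""
    key = b"constructed-device-unique-root-key"   # assumption: provisioned at manufacture
    rom = BootRom(key, (b"LDR ", b"KRN "))
    v1 = [sign_stage(key, b"LDR ", 1, b"loader v1"), sign_stage(key, b"KRN ", 1, b"kernel v1")]
    v2 = [sign_stage(key, b"LDR ", 2, b"loader v2"), sign_stage(key, b"KRN ", 2, b"kernel v2")]
    out = {"v1": rom.boot(v1), "v2": rom.boot(v2)}
    attempts = {"rollback": v1,                     # older but validly tagged images
                "tampered": [v2[0], v2[1] + b"!"],  # payload altered after signing
                "swapped": [v2[1], v2[0]]}          # stages presented out of order
    for name, chain in attempts.items():
        try:
            rom.boot(chain)
            out[name] = "accepted"
        except BootError as err:
            out[name] = str(err)
    out["min_version"] = rom.min_version
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

The rollback case is the one that separates "signed updates" from "renewable security": the v1 images are still perfectly valid, and without the counter a device could be walked back to a version with a known, exploitable bug.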

“Device security is like a stool that requires three legs, if you remove any one of those legs, you’ll end up on the floor,” he said.


Hostinger Breach Prompts Reset of All User Passwords

Mon, 08/26/2019 - 16:28

A data breach at web hosting company Hostinger has prompted the company to reset the passwords of all its customers. 

Hostinger, which operates from Kaunas, Lithuania, reset the passwords of 29 million customers in 178 countries as a precautionary security measure after the breach was detected on August 22, 2019. 

An intruder gained access to the company's internal system API, triggering an alert to Hostinger. The compromised server held an authorization token, which the intruder used to gain further access and escalate privileges to Hostinger's RESTful API server, which can be used to query information about clients and their accounts.

No financial information was accessed during the attack, but a database that contained hashed passwords, email addresses and client usernames was compromised. Up to 14 million accounts may have been affected.   

Hostinger protects client passwords with a one-way mathematical function (a hash) that turns whatever password a client has picked into a seemingly random sequence of characters from which the original password cannot be recovered.

Customers of the web hosting company have been advised to pick strong passwords that are not in use anywhere else and to be wary of any unsolicited communications asking for personal information. 

To increase the security of client data, Hostinger has ditched the hashing algorithm SHA-1 in favor of using SHA-2, which is tougher for hackers to crack.  
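The move from a fast, unsalted digest to a stronger scheme is the part of this story a defender can act on. The following Python, added here as an example and not Hostinger's code, shows what a one-way password record looks like, why an unsalted SHA-1 digest lets identical passwords be recognized and looked up in precomputed tables, and how stored records can be upgraded transparently at the next successful login. The record format, the PBKDF2-HMAC-SHA256 construction (a SHA-2 family function), the iteration count and the sample passwords are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: chosen so that each offline guess costs real CPU time


def legacy_sha1(password: str) -> str:
    """Unsalted, fast digest: the kind of scheme the article says Hostinger retired."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True for legacy SHA-1 records or PBKDF2 records below the current iteration count."""
    if not record.startswith("pbkdf2_sha256$"):
        return True
    return int(record.split("$")[1]) < min_iterations


def login(password: str, record: str, min_iterations: int = ITERATIONS) -> tuple[bool, str]:
    """Check a login against either record format and upgrade old records on success.

    Returns (accepted, record_to_store). The legacy path exists only so that stored
    SHA-1 digests can be migrated; an operator would also force a reset, as Hostinger did.
    """
    if record.startswith("pbkdf2_sha256$"):
        ok = verify_password(password, record)
    else:
        ok = hmac.compare_digest(legacy_sha1(password), record)
    if not ok:
        return False, record
    if needs_rehash(record, min_iterations):
        return True, hash_password(password, iterations=min_iterations)
    return True, record
```

Two things the example makes visible: `legacy_sha1` returns the same digest for every user who chose the same password, so one cracked hash unlocks all of them, whereas two `hash_password` calls on the same input produce different records because of the salt. Note also that a bare SHA-2 digest is just as fast to compute as SHA-1; the practical gain comes from the per-user salt and the iteration count, and a memory-hard function such as bcrypt, scrypt or Argon2 is the usual choice for new systems.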

The incident has been reported under Europe's General Data Protection Regulation. 

In a statement released on its blog, Hostinger said: "Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.

"Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities."

Hostinger assured clients that their financial data was safe. Since payments for Hostinger services are made through authorized and certified third-party payment providers, the company does not store card details or any other sensitive financial information on its servers.

Categories: Cyber Risk News

Astronaut Accused of Committing Cybercrime in Space

Mon, 08/26/2019 - 15:31

NASA is reportedly investigating claims that one of its astronauts has become the first person to commit a crime while in space. 

U.S. Army Astronaut Lt. Col. Anne McClain allegedly accessed a bank account belonging to her estranged wife, Summer Worden, while on active duty at the International Space Station. 

A complaint was filed by Worden with the Federal Trade Commission (FTC) in relation to the alleged case of identity theft. A second complaint was then filed by Worden's parents with NASA's Office of Inspector General. 

No allegations have been made against McClain regarding the movement or removal of any funds from Worden's account. 

McClain and Worden, who filed for divorce in 2018 after four years of marriage, are currently in dispute over the custody of their 6-year-old son. It is alleged that McClain told NASA investigators that she logged into her estranged wife's bank account to check that it contained enough money to ensure the former couple's son was being adequately provided for. 

NASA has yet to respond to the allegations against McClain, stating only that "NASA does not comment on personal or personnel matters." 

In a statement, NASA described McClain as "one of NASA's top astronauts," who "did a great job on her most recent NASA mission aboard the International Space Station."

Rusty Hardin, McClain's lawyer, told The New York Times that McClain is cooperating fully with the investigation and “strenuously denies that she did anything improper."

Addressing the allegations on Twitter, McClain posted the following message: "There’s unequivocally no truth to these claims. We’ve been going through a painful, personal separation that’s now unfortunately in the media. I appreciate the outpouring of support and will reserve comment until after the investigation. I have total confidence in the IG process."

McClain boarded the International Space Station in December 2018 and spent six months there in preparation for NASA's first women-only spacewalk. The spacewalk, which McClain was due to perform with fellow astronaut Christina H. Koch, was cancelled in March 2019 after NASA couldn’t provide both women with spacesuits that fit. 

Before joining NASA's astronaut corps in 2013, McClain was a helicopter pilot in the army and flew 216 combat missions in Iraq. McClain later served as battalion operations manager and Kiowa helicopter instructor pilot at Fort Rucker, Alabama. 

Categories: Cyber Risk News

Over Half of Social Media Logins Are Fraudulent

Mon, 08/26/2019 - 14:27

Social media sites like Facebook and Instagram have long been repositories for fake posts skillfully manipulated to present a rose-tinted version of users' lives to the digital world. 

A report released today by fraud remediators Arkose Labs revealed that it isn't just the content on social media that's giving off the foul reek of fakery. The Fraud & Abuse Report found that 53% of all logins on social media sites are fraudulent. 

The report, which analyzed more than 1.2 billion transactions made between April 1, 2019, and June 30, 2019, found that 11% of all online transactions, including account registrations, logins and payments, were actually cyber-attacks. 

Attacks were found to originate globally, in both wealthy countries and developing economies. The majority of fraud attacks came from the US, Russia, the Philippines, the UK and Indonesia. 

Interestingly, the attack mix varied across industries, with some spheres more likely to suffer human-driven cyber-attacks, while others were chiefly targeted by bots. 

The technology industry stood out as heavily targeted by human click-farms and sweatshops, with almost 43% of attacks driven by humans. However, it was the retail industry that saw the highest proportion of human culprits, with a 50/50 split between attacks driven by humans and bot-led assaults.

Cyber-criminals were found to use a two-pronged approach, sending humans to work on a target after large-scale automated attacks by bots proved unsuccessful.

Commenting on the report's findings, the VP of strategy at Arkose Labs, Vanita Pandey, said: "The sophistication of the bot attacks is increasing, and the merchant is getting bombarded with attacks from bots and humans at the same time.

"These criminals have unlimited technology and identities are widely available; the only limited resource is humans to hire to do the attacks."

Shockingly, 46% of all payment transactions for travel were found to be fraudulent, as were almost 10% of all login attempts on travel sites. 

Seasonality played a role in the results for the financial services industry, with a peak in the volume of attacks observed during high-traffic periods, like the US tax season. 

Indicating that peaks in the volume of attacks may be useful in helping to identify future breaches, Pandey stated: "We saw an increase in the number of attacks in what we later realized was the lead up to a big breach announcement."

Categories: Cyber Risk News

Malicious Android App Makes Double Debut On Google Play

Fri, 08/23/2019 - 17:41

Open-source Android spyware has appeared twice on Google Play.

Research conducted by ESET discovered the first known instance of spyware based on the open-source espionage tool AhMyth lurking within a radio app available on Google Play. The app in question is Radio Balouch, detected as Android/Spy.Agent.AOX.

On the surface Radio Balouch functions as an internet radio app dedicated to playing the music of the Baloch people, who inhabit Iran, Afghanistan and Pakistan. However, an investigation led by ESET researcher Lukas Stefanko found that the app had been created as a way to spy on people who downloaded it. 

While listeners were enthralled by the sounds of the suroz and the benju, the spyware hidden in the app went to work stealing contact information and harvesting files stored on the devices affected.  

ESET sent a report to Google detailing its discovery. Google's security team removed the malicious Radio Balouch app within 24 hours, but 10 days later it had been re-posted on Google Play by the original developer.

Stefanko said: “We also detected and reported the second instance of this malware, which was then swiftly removed. However, the fact that Google let the same developer post this evident malware to the store repeatedly is disturbing." 

The Radio Balouch app first appeared on Google Play on July 2. It returned on July 13 and was again swiftly removed. The app was installed by over 100 people each time it was posted on Google Play. 

Radio Balouch may be the first app containing open-source Android spyware to make it onto Google Play, but it's unlikely to be the last. Judging from how easily the app returned to Google Play after being removed, Google may wish to put in place some more stringent security measures. 

“Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may soon appear on Google Play,” said Stefanko. 

Radio Balouch may have ended its brief fling with Google Play, but it is still available on alternative app stores. 

ESET stated: "It has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.” 

Categories: Cyber Risk News

US Makes 80 Arrests Over $46 Million Online Fraud

Fri, 08/23/2019 - 16:32

US authorities have charged 80 members of a Nigerian-based crime ring in connection with online scams designed to swindle victims around the world out of $46 million.

A 145-page indictment lists 252 charges against the 80 suspects, who are mostly Nigerian nationals. Charges of aggravated identity theft, conspiracy to launder money and conspiracy to commit fraud have been brought against all of the accused.

Speaking at a press conference held earlier today, US attorney Nick Hanna described the fraud as "one of the largest cases of its kind in US history."

Nigerian-born Valentine Iro and Chukwudi Christogunus Igbokwe were named as co-conspirators who allegedly worked alongside people in Nigeria and in the US to dupe victims into transferring money overseas. 

Iro and Igbokwe, who were arrested in the US, are accused of fraudulently getting their mitts on $6 million as part of a larger conspiracy intended to bag a cool $46 million.

The internet scams at the center of this case promised victims romance or riches in return for financial assistance.

The case began when a single bank account aroused the suspicions of the FBI back in 2016. The investigation expanded to include numerous victims around the world.

One woman in Japan fell victim to the scammers after becoming a digital pen pal on an international social network. The woman, who is referred to in court papers as F.K., was fooled into thinking she had found love with a US Army captain stationed in Syria. 

Over the course of a fictitious 10-month online romance, F.K. sent daily messages to Cpt. Terry Garcia and $200,000 to help him smuggle diamonds out of the country. Neither Garcia nor the stash of diamonds turned out to be real.

F.K. was left heartbroken and virtually bankrupt after borrowing money from her friends, her sister and even her ex-husband.

F.K. and other victims in this case were tricked by sophisticated versions of the Nigerian prince scam, also known as the 419 scam after the criminal code used for fraud in Nigeria. 

Despite being almost as old as email, 419 scams are effective because they exploit vulnerabilities in humans. And they are likely to remain so unless technology can find a bug fix for greed or love.

Categories: Cyber Risk News

#OSSUMMIT: Confidential Computing Consortium Takes Shape to Enable Secure Collaboration

Fri, 08/23/2019 - 14:40

At the Open Source Summit in San Diego, California on August 21, the Linux Foundation announced the formation of the Confidential Computing Consortium. Confidential computing is an approach using encrypted data that enables organizations to share and collaborate, while still maintaining privacy. Among the initial backers of the effort are Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

“The context of confidential computing is that we can actually use the data encrypted while programs are working on it,” John Gossman, distinguished engineer at Microsoft, said during a keynote presentation announcing the new effort.

Initially there are three projects that are part of the Confidential Computing Consortium, with an expectation that more will be added over time. Microsoft has contributed its Open Enclave SDK, Red Hat is contributing the Enarx project for Trusted Execution Environments and Intel is contributing its Software Guard Extensions (SGX) software development kit.

Lorie Wigle, general manager of platform security product management at Intel, explained that Intel has built into some of its processors a capability called Software Guard Extensions, which essentially provides hardware-based protection for an area of memory.

“You can think of it as a trusted execution environment,” she said. “In that trusted execution environment, the hardware protection is there for both the data as well as the code.”

Wigle noted that as the use of artificial intelligence grows, people care about the privacy of data but are also interested in protecting their own proprietary algorithms, since a lot of the time that is where the intellectual property resides.

While Intel’s SGX is a hardware-level capability, Microsoft’s Open Enclave SDK is designed to make it easier for users to get up and running with confidential computing. Gossman emphasized that the Open Enclave effort is all about making confidential computing accessible.

“This is middleware; it provides application portability and makes it easier to write applications that run across different devices and even into the cloud,” Gossman said.

The promise of confidential computing is already finding multiple use cases, according to Wigle. She said that, for example, collaboration is already happening with healthcare data, where sensitive data can be shared safely in a way that is helping to potentially unlock new innovations.

“We live in a world where a lot of times convenience and privacy are at tension with each other and this is a capability that has a promise of letting us have it all,” Wigle said. “However, we do need to cooperate with others to make that happen.”

Gossman explained that fundamentally what confidential computing can enable is transactions and collaboration between multiple parties that don’t necessarily entirely trust each other, yet still want to work with each other.

The overall promise of confidential computing could potentially be transformational in ways that aren’t yet known, which is one of the reasons why the Linux Foundation has helped to facilitate the creation of the new consortium.

“We're really excited about this effort,” said Jim Zemlin, executive director of the Linux Foundation. “We do think this is something that can improve security and privacy for all of us.”

Categories: Cyber Risk News

Did Denmark Make the Wrong Call on Location Data?

Fri, 08/23/2019 - 14:08

Danish authorities are reviewing 10,700 court cases over concerns that cellphone location-tracking data given as evidence may have been flawed. 

Concerns were raised after police discovered a glitch in an IT system used to convert data supplied by phone companies into evidence that can be used to place a suspect at a crime scene. The error caused data to be omitted during the conversion process, giving police an incomplete picture of where a cellphone had been taken.

The identified error was fixed in March, but a second problem emerged that could potentially place an innocent person at the scene of a crime. It transpired that some cellphone tracking data had linked phones to the wrong cellphone towers.

How decisive the flawed data may have been in determining the 10,700 verdicts affected is currently unknown. The court cases now under review date back to 2012. 

On Monday Denmark's director of public prosecutions, Jan Reckendorff, announced a two-month ban on the use of cellphone data in criminal cases while the large-scale review of verdicts is carried out. 

Speaking to the country's state broadcaster, Reckendorff said: “We cannot live with incorrect information sending people to prison.”

A steering group has been established by the country's minister for justice to monitor the review process and assess any legal ramifications caused by the flawed data. Should it emerge that flawed cellphone data has put innocent Danes behind bars, a device originally intended to connect people will instead have separated them from everyday society in the most definitive terms.

After review, a report on each case will be sent to the court and to the case's defense lawyer. Cases in which the flawed data is found to have had a significant impact on the verdict will be retried. 

Head of the Danish Bar and Law Society's criminal law committee, Karoline Normann, told The New York Times that prior to the discovery of the bugs, the accuracy of cellphone data hadn't been called into question. 

Normann said that going forward, lawyers will have to take into consideration that “evidence that may appear objective and technical doesn’t necessarily equal high evidence value.”

Categories: Cyber Risk News

VMware Plans $2.1bn Carbon Black Acquisition

Fri, 08/23/2019 - 11:45

Carbon Black has announced a definitive agreement to merge with VMware, with the virtualization company paying around $2.1bn for the endpoint protection vendor.

With a view to creating a “highly differentiated, intrinsic security cloud,” the deal will leave VMware better positioned to protect enterprise workloads and clients through Big Data, behavioral analytics and AI.

“By bringing Carbon Black into the VMware family, we are now taking a huge step forward in security and delivering an enterprise-grade platform to administer and protect workloads, applications and networks,” said Pat Gelsinger, CEO, VMware.

The combination of Carbon Black’s solutions with VMware’s security offerings, including AppDefense, Workspace ONE, NSX and SecureState, will create a modern security cloud platform for any application, running on any cloud, on any device, the company said. “This combined offering will provide customers advanced threat detection and in-depth application behavior insight to stop sophisticated attacks and accelerate responses,” a statement read.  

Patrick Morley, CEO of Carbon Black, said in a blog post that this was “a massive opportunity” as there is an “opportunity here for Carbon Black to truly disrupt the security industry — and ultimately help more customers stay safe from cyber-attacks.”

Morley added: “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device – essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating. As a result, VMware approached Carbon Black to deliver on this vision.

“Our product strategy stays the same. Our roadmap stays the same. Our customer support stays the same. The entire product portfolio, cloud and on-premises, is included in the merger – now backed by the extensive global footprint and GTM resources from VMware. In fact, the plan is to invest more aggressively in Carbon Black and leverage our combined strengths to accelerate our growth and execute our vision for our customers.”

Carbon Black will exist as an independent business unit within VMware, and become VMware’s Security Business Unit. Launched in 2007 as Bit9, the company was known as Bit9 & Carbon Black after it acquired Carbon Black in February 2014, and officially assumed the company name Carbon Black in February 2016.

Categories: Cyber Risk News

South Korea Exits Japanese Intel-Sharing Agreement

Fri, 08/23/2019 - 10:40

The South Korean government has said it will end a crucial intelligence-sharing arrangement with Japan, as a trade dispute between the two wartime foes deepens.

Kim You-geun, deputy director of the presidential National Security Council, said the move was a response to Tokyo’s decision to remove South Korea’s fast-track export status earlier this month.

“Under this situation, we have determined that it would not serve our national interest to maintain an agreement we signed with the aim of exchanging military information which is sensitive to security,” he reportedly told a news conference.

The General Security of Military Information Agreement (GSOMIA) was due for automatic renewal on Saturday. It enables the two Asian giants to directly share vital intelligence on North Korea’s nuclear and missile program.

In response, Japanese defense minister Takeshi Iwaya criticized Seoul for conflating trade and security matters.

“North Korea’s repeated missile tests threaten national security, and cooperation between Japan and South Korea and with the US is crucial,” he is reported to have said. “We strongly urge them to make a wise decision.”

Bilateral relations between the countries started to deteriorate after a South Korean court ruled last year that Japanese companies like Mitsubishi must pay compensation for their use of forced labor during Japan’s occupation of the country from 1910-45.

Japan seemed to respond by placing restrictions on the materials needed by South Korean chip-makers like Samsung to build semiconductors. Seoul came back tit-for-tat by removing Japan from a whitelist of trusted trade partners.

Commentators have argued that the spat has worrying echoes of American policy under the Trump administration: more focused on country first at the expense of vital security partnerships on the world stage.

The news could not come at a worse time, given the growing might of China in the region and its burgeoning military alliance with Russia, as well as the continued threat from North Korea.

There is an increasingly cyber-focused dimension to military alliances and warfare today. In 2017, NATO confirmed it was establishing cyber as a legitimate military domain in light of the North Korean WannaCry and Russian NotPetya attacks.

Categories: Cyber Risk News