Info Security


Crypto Exchange bitFlyer Adds Ethereum to Buy/Sell Platform

Fri, 08/23/2019 - 09:47

Cryptocurrency exchange bitFlyer has announced that it is adding Ethereum (ETH) to its Buy/Sell trading platform.

BitFlyer Buy/Sell users in Europe and the US will now be able to send and receive ETH while ensuring they adhere to the robust regulatory standards bitFlyer guarantees for Bitcoin (BTC) transactions.

Andy Bryant, co-head and COO, bitFlyer Europe, said: “At bitFlyer, we want to offer not just the most popular coins, but the most respected ones too, which makes ETH a logical choice to expand our service offering. Not only has ETH proved itself as a useful altcoin, particularly in relation to smart contracts, it has an incredibly strong community that surrounds it. We’re committed to offering the best customer experience whilst prioritizing security and regulatory standards, and we’re proud to say Buy/Sell now offers this capability with ETH.”

Hailey Lennon, head of legal and regulatory affairs at bitFlyer USA, explained that crypto-regulation is evolving, and bitFlyer works to ensure that everything listed on its exchange complies with the global regulatory standards. “We’re excited for today’s announcement, adding Ether to our growing portfolio of coins with NYDFS approval, and we’re looking forward to launching more coins in the coming months,” she added.

bitFlyer is the only cryptocurrency exchange to be licensed in Japan, the US and Europe combined.

Categories: Cyber Risk News

Ukrainian Nuke Plant Workers Tried to Mine Cryptocurrency

Fri, 08/23/2019 - 08:58

Ukrainian security service (SBU) agents have arrested several nuclear power plant employees in the country after they misguidedly tried to use their facility’s IT systems to mine for cryptocurrency.

Local media reports this week said the incident occurred on July 10 at the plant in Yuzhnoukrainsk in the south of the country.

The workers are said to have hooked up a supercomputer, which was kept air-gapped at the power plant, to the internet. In so doing, it’s claimed they unwittingly disclosed information on the physical security measures in place at the nuclear facility, which is a state secret.

The SBU officers seized unauthorized computer equipment which had been used to build a separate LAN designed to mine for cryptocurrency.

They reportedly took six Radeon RX 470 video cards, extension cords and cabling, various switches, a motherboard, a USB flash drive, a hard drive and even the metal frame on which the other items were mounted.

Equipment was also seized after separate searches were carried out at other parts of the facility, including premises used by a Ukrainian military unit stationed there.

This isn’t the first time such an incident has been discovered. In February 2018 it emerged that engineers at the Russian Federal Nuclear Center had been arrested for trying to mine Bitcoin with one of the country’s largest supercomputers.

“This is a great example of 'trust but verify',” argued Phil Neray, VP of industrial cybersecurity at CyberX. “Even with the strictest policies and regulations in the world, it's all theoretical if you aren't continuously monitoring for unusual or unauthorized activity.”

The news comes as new research from Kaspersky this week revealed human error was behind over half (52%) of cybersecurity incidents detected by the AV vendor in industrial environments last year.

Categories: Cyber Risk News

City of London Hit by One Million Cyber-Attacks Per Month

Fri, 08/23/2019 - 08:30

The City of London Corporation has suffered nearly one million cyber-attacks each month for the first quarter of 2019, according to Freedom of Information (FOI) data obtained by Centrify.

The security vendor wanted to find out more about the cyber-risks facing the local authority, which governs the part of the capital housing much of the UK’s financial center.

It found that the governing body was hit by nearly 2.8 million attacks in the first three months of the year: an average of 927,000 per month. That’s up significantly (90%) from the 489,000 per month recorded in April-December 2018.

In total, the City of London suffered 7.2 million attacks from April 2018 to March 2019, of which the vast majority (6.9 million) were classed as spam.

The second highest category was “spoof mail,” at 244,293 attacks — presumably related to phishing attempts. There were also 17,556 detections of “top malware.”

The findings could either be interpreted as a worrying rise in attacks, or proof that detection methods are getting better.

As well as 10,000 residents, the City of London welcomes millions of annual tourists thanks to attractions like the Tower of London and hundreds of thousands of daily commuters who work in one of the world’s biggest financial hubs.

“The high volume of sensitive public information contained within the systems and databases of organisations like the City of London Corporation make it a top target for cyber-criminals. Malicious email scams such as phishing and malware attacks form a substantial part of the wider cyber threat facing councils across the country, in London and beyond,” warned Centrify VP, Andy Heather.

“With so many attacks taking place every day, it’s vital that all organizations adopt a zero trust approach to user activity, to prevent hackers gaining access to council systems using legitimate log-in details that may have been stolen or purchased on the dark web.”

In 2016 it emerged that the City was being hit by more ransomware attacks than many countries.

Categories: Cyber Risk News

Crackdown on Fake LinkedIn Profiles

Thu, 08/22/2019 - 18:53

People have been turning to LinkedIn since 2002 as a way to develop their network of business contacts. The professional social networking site has 645 million users in over 200 countries and territories around the world, who spend an average of 17 minutes on the site per month. 

While using LinkedIn may be preferable to eating stale croissants and swapping business cards at yet another networking breakfast event, it has one major downside: fake profiles.

Fake profiles are typically characterized by poor spelling and grammar, a lack of engagement, a limited number of connections and a suspicious or incomplete work history. 

It’s also not unusual for the photo in a fake profile to depict someone who, if they were really that good looking, would be making a living from modeling underwear on a beach somewhere rather than heading up a small HR team at a recruitment firm in Croydon. 

The faux profiles, which are often duplicated, are used to contact genuine professionals to fish for information such as how to get hired at a particular company. Spam of this type can be a frequent and extremely irritating problem for executives bugged daily by multiple connection requests from fake profiles.

LinkedIn is aware of the problem and has been making a concerted effort to rid the site of its pretenders.

Paul Rockwell, LinkedIn’s head of trust and safety, said: “Our teams are working to keep LinkedIn a safe place for professionals by proactively finding fake profiles then removing them and any content they share. Between January and June 2019, we took action on 21.6 million fake accounts.”

LinkedIn managed to prevent 19.5 million fake accounts from being created by automatically halting the registration process. The other 2 million fake accounts were restricted after the company paired human review with AI, machine learning and reports of fake accounts made by genuine members.  

Automation plays a key part in LinkedIn’s defense against the incoming wave of fakers. According to Rockwell, automated defenses, including AI and machine learning, prevented or took down 98% of all fake accounts. The rest were captured through manual review. 

Rockwell said: “When we stop fake accounts, we start more chances for economic opportunity.”

Categories: Cyber Risk News

Fortnite Cheats Get Cheated

Thu, 08/22/2019 - 17:16

In an Aesop's fable for the digital age, Fortnite players who try to cheat are themselves being duped by ransomware disguised as a game hack.

Research conducted by cloud security specialists Cyren has found that a cheat tool claiming to improve the accuracy of a player's aim (known as an aimbot) is in reality a piece of malware designed to cause data loss. 

Roughly 250 million players of the online video game were targeted by the ransomware, which has the filename "SydneyFortniteHacks.exe" and is known as Syrk. 

Players who download Syrk in the misguided belief that they've stumbled across a sneaky way to up their game end up with a 12MB executable file. When the file is executed, the ransomware beast awakens and starts encrypting images, videos, music and documents stored on the player's computer. The encrypted files are marked with a .syrk file extension.

The unlucky player is then sent a threatening message demanding payment in return for a decryption password. The message includes an email address that the player must contact to discover how to make the payment.

The player is warned that if payment isn't received within two hours, files in their photo folder will be deleted, followed by files on their desktop. To underline the time-sensitive nature of the threat, the menacing message is unsubtly accompanied by a giant countdown clock. 

This nasty little piece of open source ransomware was built with tools readily available on the internet. And, in a doubly deceptive move, its creators built Syrk by reworking an existing piece of ransomware called Hidden-Cry. The source code for Hidden-Cry was shared on Github last year.

Fortunately, the files to decrypt the encrypted files can be found in machines infected with the ransomware. The file dh35s3h8d69s3b1k.exe – the Hidden-Cry decrypting tool – is one of the resources embedded in the main malware. 

The discovery of Syrk follows news earlier this month that Fortnite players had been targeted by malware named Baldr, also hidden in cheat hacks distributed as links via YouTube. The moral of the story is "don't cheat," but with a $30 million prize pool for the recent Fortnite World Cup, it's easy to see how players fall victim to temptation.

Categories: Cyber Risk News

Alaska is the Most Scammed State in America

Thu, 08/22/2019 - 15:53

An annual report on cybercrime by the Federal Bureau of Investigation has revealed Alaska to be the most scammed state in America for the second year running. 

With more than $450 million stolen, sunny California lost more money than any other state, but at 21.67 victims per 10,000 residents, Alaska had the highest per capita victim count.

Although more people were scammed in The Last Frontier State than in any other US state, Alaskans lost the least amount of money per person, with each victim being conned out of $2,256.30 on average. 

Across the state, the total number of people targeted by cyber-thieves was 1,606, based on the number of complaints received. Overall, the state's total losses in 2018 from internet scams were a painful $3.62 million.

At the other end of the scale, the state with the fewest victims per capita for the second year in a row was South Dakota. The Midwestern state, known for the Black Hills into which the faces of four presidents have been carved, had just 5.3 victims per 10,000. 

Nearly $650 million was stolen from people aged 60 and over, who the report showed are the preferred prey for scammers. This age group is particularly vulnerable to confidence/relationship fraud, which occurs when scammers convince victims to send money to someone who appears to be a trustworthy person from a recognized brand, potential romantic partner or long-lost relative. 

The total losses to internet scams across the United States in 2018 exceeded $2.7 billion. 

The statistics are based on a total of 351,936 complaints received in 2018 by the FBI's Internet Crime Complaint Center (IC3). The real totals regarding the number of victims and the amount of money stolen through internet scams could potentially be much higher. 

Many of the scams were executed over social media, but most of the money was stolen through the use of fake emails. Business email compromise (BEC) and email account compromise (EAC) schemes accounted for more than $1 billion in losses.

Matt Gorham, assistant director of the bureau’s cyber division, said: “The most prevalent crime types reported by victims were nonpayment/nondelivery, extortion and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud and nonpayment/nondelivery.”

Categories: Cyber Risk News

#GCSEResultsDay2019: Number of Students Taking Computing & ICT Exams Drops

Thu, 08/22/2019 - 10:45

Today, August 8, marks GCSE Results Day and shows a significant drop in the number of students taking Computing and ICT exams, with a clear gender gap also apparent.

The 2019 GCSE results indicated that 68,965 male students and 20,577 female students took Computing and ICT this year, compared to 94,587 (males) and 35,623 (females) in 2018. That represents an overall drop of 40,668 students.

These figures are particularly concerning given the current skills gap that the cybersecurity industry is facing. In fact, global certification association (ISC)2 has estimated that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees.

“It’s worrying to see less and less students are taking Computing and ICT subjects at GCSE,” said Agata Nowakowska, AVP at Skillsoft. “Last year we saw 9000 fewer students take the exams, this year it’s 40,668 fewer. We need to take action now to turn this around.”

The digital skills gap in industry is fast expanding and already at a level that can't be filled quickly enough, Nowakowska added, and so encouraging more students to take these exams isn’t enough.

“We need to focus on getting them in and keeping them there – encouraging more students to pursue these subjects through to A-Levels, degrees and beyond. The current picture is bleak and goes much deeper than exam numbers.

“The challenge is changing the ingrained unconscious biases that say these subjects are dull, boring or just for boys. Whilst it is of course disappointing to see the gender gap continue in these subjects, what is more concerning is that these results are reflective of the lack of female role models in technology and STEM as a whole. Young girls have claimed in the past that they are put off of subjects such as Computing because they see them as ‘too difficult,’ but a large number of young women have also admitted to regretting not pursuing these subjects for longer. There is an opportunity here for a paradigm shift that we are simply not taking.”

Nowakowska therefore argued that the onus is on parents, teachers and business leaders to show that there is a place for girls in technology.

“There are so many programs aimed at getting girls interested in these areas, but we need to go further to challenge and eradicate the old fashioned views that are clearly still very much ingrained in the public consciousness.”

Categories: Cyber Risk News

IT Security Pros: Encryption Backdoors Are Election Hacking Risk

Thu, 08/22/2019 - 10:45

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research.

The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr.

Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes.

Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users.

This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

Now the IT security community is arguing that backdoors would also expose countries to the threat of cyber-attacks on election infrastructure — an increasingly important issue as the 2020 Presidential election comes into view.

While 80% agreed with this sentiment, 74% said countries with government-mandated encryption backdoors are more susceptible to nation-state attacks, 72% claimed they don’t reduce the terrorist threat and 70% argued they put countries at a distinct economic disadvantage.

Last month a Senate report revealed that voting infrastructure in all 50 states was most likely compromised by Russian hackers ahead of the 2016 election. It warns that if Russia’s preferred candidate doesn’t win in 2020, it could seek to use this access to de-legitimize the result.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.

“On a consumer level, people want technology that prioritizes the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage.”

Categories: Cyber Risk News

Over a Third of Firms Have Suffered a Cloud Attack

Thu, 08/22/2019 - 09:35

Over a third of organizations have already suffered an attack on their cloud systems, yet many are failing to eradicate potential security blind spots, according to a new poll from Outpost24.

The cyber-assessment vendor interviewed 300 attendees at this year’s Infosecurity Europe show in London in June.

It found that while 37% admitted suffering a cloud attack, over a quarter (27%) said they don’t know how quickly they could tell if their cloud data has been compromised.

This lack of visibility into cloud environments also extends to testing: 11% claimed they never run any kind of testing in the cloud, while nearly a fifth (19%) said they only do so annually.

Given these findings it’s perhaps not surprising that nearly half of respondents (42%) said they believe on-premises data is more secure than that hosted in the cloud.

Despite these misgivings, a third (34%) of businesses said that more than half of their products/apps are running in the cloud, while 15% said all their assets were.

Bob Egner, VP at Outpost24, argued that cloud environments offer major cost and scalability benefits, but security can get more complex when firms start to use multiple clouds across different providers.

“Organizations should treat their cloud assets just as they would their on-premises assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture,” he added.

“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security. Ultimately the responsibility of protecting your data and cloud workloads lies with you, the organizations using cloud services.”

Cloud misconfiguration is a particular challenge, with hackers now stepping up efforts to find exposed databases via automated scans. The Cloud Security Alliance recently put this on its “egregious 11” list of top threats to cloud computing.

Categories: Cyber Risk News

IT Teams Urged Not to Prioritize Patches Using CVSS

Thu, 08/22/2019 - 08:43

Organizations that prioritize patch updates primarily according to compliance requirements and use the Common Vulnerability Scoring System (CVSS) struggle with their vulnerability management programs, according to new research.

Cyber risk firm Kenna Security commissioned the Cyentia Institute to analyze data from its own platform related to the patching challenges facing over 100 organizations.

Perhaps unsurprisingly it found that those with high performing vulnerability management programs tended to use specific tools to prioritize patches based on cyber-risk.

However, those that decided which vulnerabilities to prioritize mainly on the basis of the CVSS performed worse than those organizations that simply ignored it, the report claimed.

Although the impact was less serious, there was also a correlation between using compliance requirements as a primary driver in prioritizing vulnerabilities and lower coverage rates.

“Compliance is oftentimes a necessary and important method for prioritization but using compliance as the primary remediation tactic correlated with reduction of overall coverage of high-risk vulnerabilities,” Kenna Security CTO, Ed Bellis, told Infosecurity.

“We believe using a remediation strategy that focuses on both the likelihood of the vulnerability being exploited along with the impact of the exploitation (high risk) to be the optimal approach. CVSS and some other methodologies are not a good measure of exploitation likelihood and can result in companies doing much more work or missing high risk vulnerabilities altogether.”

Elsewhere, the report found that companies which dedicate discrete teams to patch specific areas of the technology stack tend to fare better in vulnerability management. Defining service-level agreements (SLAs) for fixing vulnerabilities also improves the speed and overall performance of remediation, it claimed.

Bigger budgets correlated with an increased ability to remediate more bugs at a faster rate.

According to one vendor, over 22,000 vulnerabilities were publicly disclosed last year, a third of which received a CVSSv2 score of 7 or above.

Categories: Cyber Risk News

Companies Act to Defend Privacy of Kazakhstanis

Wed, 08/21/2019 - 19:52

Google and Mozilla today took action to protect the online security and privacy of internet users in Kazakhstan following credible reports that the Kazakhstan government was intercepting internet traffic within the country.

A report published on Censoredplanet.org presented evidence that Kazakhstan’s internet providers were requiring users to download and install a government-issued certificate on all devices and in every browser in order to access the internet.

Once a user downloads the certificate, the government is able to intercept account information and passwords belonging to that user and can decrypt and read everything the user types and posts. This style of attack is known as a man-in-the-middle (MitM).

The HTTPS connections targeted by Kazakhstan’s government read like the list of websites an anxious parent might search when trying to track down their unruly teenager. They include Instagram, Facebook, Twitter, YouTube, Google Hangouts and Russian social network OK.RU. 

The Censored Planet report stated that “although the interception is not yet occurring country-wide, it appears the government is both willing and potentially capable of widespread HTTPS interception in the near future.”

Browser companies Google and Mozilla deployed technical solutions within Chrome and Firefox to block the Kazakhstan government’s ability to intercept internet traffic within the country. 

Marshall Erwin, senior director of trust and security at Mozilla, said: “Protecting our users and the integrity of the web is the reason Firefox exists.” 

Speaking on behalf of Chrome, Parisa Tabriz, senior engineering director, said: “We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data.”

What the Kazakhstan government lacks in subtlety when it comes to spying on the online activity of its citizens, it makes up for in persistence. 

The Kazakhstan government put in a request with Mozilla back in 2015 to have a root certificate included in the company’s trusted root store program. The request was denied when Mozilla discovered that the government intended to use the certificate to intercept users’ data. 

Undeterred, the government tried to force its citizens to manually install the certificate, but its ruse failed when organizations took legal action.  

Categories: Cyber Risk News

China is Spying on Cancer Research

Wed, 08/21/2019 - 18:37

The healthcare industry has many ailments: financial pressures, a lack of skilled healthcare providers, uncertainties around reform and, in many cases, an increasingly unhealthy populace. But that’s not all it has to deal with.

A new report, Beyond Compliance: Cyber Threats and Healthcare, released today by intelligence-led security company FireEye has highlighted common cyber-threats to healthcare organizations. 

The report identifies cyber-espionage as being one of the top three most-common threats. Making up the triad of terror are data theft and disruptive and destructive threats. 

An interesting finding made by FireEye was the large number of healthcare-associated databases observed for sale online between October 1, 2018, and March 31, 2019. 

The databases – the majority of which could be bought for under $2,000 – contained personally identifiable information (PII) and protected health information (PHI), such as patients' ZIP codes, email addresses, driver’s licenses and health insurance details associated with healthcare institutions in the US, the UK, Canada, Australia and India. Some data sets were on sale for as little as $200.

Luke McNamara, a principal analyst at FireEye Intelligence, said: “The large number of data sets being sold and the low prices you can purchase the sets for shows how ubiquitous access to them is.”

The report acknowledged that “buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common” and predicted that this scenario was unlikely to change given the data’s “utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures.”

Thefts of valuable research and mass records were observed being carried out by nation-states as well as by individuals. 

FireEye witnessed the deployment of multiple advanced persistent threat (APT) attack campaigns by several different countries, including China, Vietnam and Russia. China attracted special mention in the report for showing a particular interest in mining data linked to cancer research.  

Asked if China was the biggest culprit when it came to cyber-espionage, McNamara said: “I think so, from what we have seen over the years. They have shown the most concerted interest in the space. 

“There are well-known groups like APT 32 from Vietnam who targeted the UK and many one-offs, but China by far makes up most of the activity.”  

Healthcare organizations will continue to be attractive targets for cyber-criminals because of the nature and quantity of the data with which they are associated. At least with this report, they have some idea of what’s lurking in the shadows. 

McNamara said: “By putting this report out there we hope to get organizations to understand the range of threats out there.”

Categories: Cyber Risk News

Who's in Town Denies Instagram Block

Wed, 08/21/2019 - 17:21

A tracking app has hit back against recent reports that it has been blocked on social media giants Instagram and Facebook.

An article published last Tuesday on the Business Insider website reported that Facebook recently sent a cease-and-desist letter to the company behind the app Who’s in Town and took action to disable the personal Facebook account of the app’s creator Erick Barto. 

Speaking exclusively to Infosecurity Magazine, Barto confirmed that although he had received a cease-and-desist letter from legal firm Perkins Coie representing Facebook, the Who’s in Town app was still very much active. 

Barto said: “The Who’s in Town app is still up and running and statements about Facebook blocking it are untrue. 

“I had a couple of apps in the Facebook developer dashboard that were very old from 2013. They were legacy apps in my account. Facebook closed them and they closed my Facebook account and blocked my personal Instagram account.”

Asked whether Who’s in Town would be complying with the cease-and-desist letter, Barto said that the company “would reply, not comply,” in an effort to start a conversation with Facebook about the safe handling of data.

The Who’s in Town app allows users to monitor the movements of people they follow on Instagram. It works by collecting geotag data shared publicly on Instagram and displaying the data in an interactive map.

Barto designed the app to highlight the amount of data people are constantly sharing online and show how easily such data can be collected and misused. With this point now made and a cease-and-desist letter from Facebook hanging over Who’s in Town’s head, you could be forgiven for thinking the outlook for the app is somewhat bleak. According to Barto, this is not the case.   

Barto said: “We want more people to know about it because in the past with other projects we have made we have had more reach. As soon as we feel we have made our point with Who’s in Town we want to propose a solution to the problem, to work with Facebook on how to use data safely.”

Asked if he was nervous about taking Facebook on, Barto said: “Not if the outcome is worth it.”

Categories: Cyber Risk News

Account Takeover Cases Hitting UK Courts Soar 57%

Wed, 08/21/2019 - 10:59

The number of account takeover (ATO) cases going to court in the UK climbed 57% in the first half of 2019 as cybercrime continues to professionalize, according to KPMG.

The consulting giant’s biannual Fraud Barometer report has been analyzing crime trends in the UK over the past 30 years, specifically major fraud cases being heard in Crown Courts, where charges top £100,000.

It claimed hackers are using a variety of techniques across email, SMS and mobile apps to grab personal identity data, which then allows them to hijack victims’ online bank and credit card accounts.

However, the law is slowly catching up – at least when it comes to bank account takeover.

“The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) entered into force in June, and requires banks to repay funds to customers stolen as a result of account takeover,” explained KPMG's UK head of investigations, Roy Waligora. “Whilst this is a very positive step for the customer, we all need to remain vigilant as consumers will continue to bear such costs indirectly.”

ATO is also rife across consumers’ digital lives, of course, with hackers using phishing, credential stuffing and brute forcing techniques to crack everything from email inboxes to Uber and Netflix accounts.

The report also highlighted the continued commercialization of cybercrime, facilitated by the underground economy and dark web-based partnerships.

In one case, a Tyneside man was jailed for 28 months at Newcastle Crown Court after fronting a classic tech support scam designed to trick panicked users into handing over their bank account details.

Victims lost hundreds of thousands of pounds in the international campaign, which used India-based ‘call center’ scammers.

“Although awareness of cyber-criminality has increased, with a fifth of the public believing that cybercrime is the biggest challenge facing the UK today, this hasn’t been enough to stem the tide in account takeovers,” warned Rob Norris, VP enterprise and cybersecurity at Fujitsu.

“While potential attacks are not always easy to spot, a broader education on how to detect fraudulent emails is key not just to consumers’ own finances, but their employers as well; what a consumer intentionally or not exposes themselves to at home, they are also likely to do at work. The finances of consumers and success of businesses depend on this rigorous education.”

Categories: Cyber Risk News

UK Boardrooms Falling Short on Cyber Expertise

Wed, 08/21/2019 - 09:35

More than two-thirds (67%) of UK firms believe security concerns are holding back their efforts to grow through digital innovation, with many blaming a lack of engagement at a board level, according to Ernst & Young (EY).

The global consultancy polled 175 C-suite executives at UK-based organizations, split fairly evenly between business (CEO, CFO, COO etc.) and IT (CIO, CISO) roles, in order to compile its report, Cybersecurity for competitive advantages.

While 42% claimed to be behind their competitors in adoption of new technology, cloud computing and IoT topped the list of tech perceived to pose the greatest risk to the business.

Overcoming these concerns may require closer boardroom alignment and ownership of the problem.

Some 57% of business leaders and half (50%) of technology leaders cited a lack of business sponsorship as the biggest barrier to improving their organization’s cybersecurity.

However, strategic views diverged significantly after that. Most tech leaders (58%) said that giving an individual board member overall responsibility for cybersecurity would have the greatest impact, while the majority (64%) of business leaders said the biggest gains would come from making cybersecurity more of a strategic priority.

Yet unfortunately, over half (57%) of those surveyed don’t currently have a board member with direct expertise in cybersecurity and even more (67%) don’t think one is needed.

EY’s EMEIA advisory cybersecurity leader, Mike Maddison, argued that while direct security experience may not be essential, there needs to be better understanding at a board level of cyber-related risk.

“In recent years, the rate and pace of technological advances, regulatory change, cyber-attacks and data breaches have moved cybersecurity rapidly up the corporate agenda,” he added.

“Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organizations need to start thinking differently about cybersecurity. Business leaders need to make the leap from seeing cybersecurity as only a protective measure, to it also being a strategic value driver.”

Two sectors leading by example are tech, media and telecoms (TMT) and retail. TMT respondents had the highest levels of board awareness, the largest planned investments in cybersecurity and the fewest concerns around security as a barrier to tech adoption, while all retail respondents believe a “cyber-secure” brand is important for competitive advantage.

Categories: Cyber Risk News

Employee Error Behind Half of Industrial Network Incidents

Wed, 08/21/2019 - 08:35

Human error was behind over half (52%) of all cybersecurity incidents detected by Kaspersky in industrial environments last year.

The Russian AV vendor’s State of Industrial Cybersecurity 2019 report is compiled from interviews with 282 firms running operational and industrial control system technology (OT/ICS).

While the vast majority of firms (81%) are planning to digitalize their operational networks to drive Industry 4.0 initiatives, far fewer (57%) have allocated a cybersecurity budget, it found.

However, budget aside, there’s a worrying shortage of cybersecurity skills in these companies: respondents’ top two concerns centered around not having enough cybersecurity experts to manage industrial networks, and a general lack of security awareness among OT/ICS operators.

In nearly half of all cases (45%) an IT security employee also looks after OT/ICS security, but although the two spheres are converging, professionals on either side can have different goals and take alternative approaches to reaching them.

For example, in the OT world, operators traditionally focused on availability and physical safety, as equipment was largely isolated from the internet. As this changes, new approaches are needed.

“This year's study shows that companies are seeking to improve protection for industrial networks. However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors,” said Georgy Shebuldaev, manager at Kaspersky Industrial Cybersecurity.

“Taking a comprehensive, multi-layered approach — which combines technical protection with regular training of IT security specialists and industrial network operators — will ensure networks remain protected from threats and skills stay up-to-date.”

To illustrate the urgency of getting security right in industrial environments, a report from April revealed that 90% of critical infrastructure (CNI) providers have had their IT/OT environments damaged by a cyber-attack over the past two years.

Categories: Cyber Risk News

Users of Adult Website Exposed By Data Breach

Tue, 08/20/2019 - 18:46

A website that shares adult content has caused blushes of a different kind by leaking the private data of 1.195 million global users. 

An authentication failure on the website Luscious.net allowed unrestricted access to a database containing user names, locations, genders, personal email addresses and even some full names. Also available were activity logs detailing what users had liked, uploaded, commented on and shared. 

Users of the website, which specializes in computer-generated pornographic animations and graphics, were left vulnerable to bullying, harassment, phishing and the threat of blackmail. It is estimated that around 20% of the user accounts were set up with fake email addresses, meaning roughly 800,000 genuine email accounts were placed at risk. 

The data leak was uncovered on August 15 by a vpnMentor research team led by cybersecurity professionals Noam Rotem and Ran Locar. The team was able to access detailed information regarding user activity on the site, including image uploads and blog posts. 

A spokesperson for vpnMentor said: "Some of these blog posts were extremely personal – including depressive or otherwise vulnerable content – and kept anonymous. Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors' identities revealed."

After being informed of the breach, it took the operators of Luscious.net just four days to fix the security hole. It's unknown how long the private user data may have lain exposed before the leak was caught.

A number of users in Brazil, Australia, Italy, Malaysia and Australia had signed up to Luscious using official government email addresses. Though this may come as a surprise to some people, Ed Macnair, CEO of Censornet, isn't one of them. 

Macnair said: "It sounds unlikely that people would use their professional email addresses for personal services, but in a survey we ran last year, 10% of respondents admitted to visiting adult websites from a work device or using the work internet connection."

Commenting on the Luscious data leak, he said: "This is hugely concerning as it risks exposing an entire organisation to an attack. It is therefore vital that organizations – government or otherwise – put strict measures on internet activity at work and discourage the use of work email addresses for personal services." 

Luscious users are advised to change their username and other account details to remain safe.

Categories: Cyber Risk News

Visa Announces New Payment Security Services to Prevent Fraud

Tue, 08/20/2019 - 16:55

For merchants and banks, payment fraud can lead to heavy financial losses and a serious besmirching of reputation. 

Business and financial institutions received a helping hand today when Visa announced a suite of new industry-first payment security services and capabilities to prevent and disrupt payment fraud. The new capabilities are available to Visa clients at no additional cost or signup.

Before launching the new services, Visa commissioned Forrester Consulting to study global bank account-related fraud. The report found that the most prevalent types of fraud committed were ATM “cashout attacks,” which remove fraud controls put in place by financial institutions and processors in order to withdraw money from cash machines fraudulently, and “enumeration attacks,” in which automated testing of values and credentials is carried out to gain unauthorized access to information and functionality.

Rarer but more damaging were instances of card-not-present fraud, including e-commerce and phone and mail orders, which represented nearly 40% of fraud losses and operational costs. 

The approach of Visa's new service is holistic, combining preventative steps to address vulnerabilities before they are exploited with swift action when a breach does occur. 

Under the new four-pronged system that went live today, Visa Vital Signs will monitor ATM and merchant transactions, alerting financial institutions when any potentially fraudulent activity occurs in a bid to prevent cashout attacks. Malicious activity can be suspended by Visa automatically or in coordination with clients.

A second layer of defense will be provided by Visa Account Attack Intelligence, which applies deep machine learning to Visa's vast ocean of processed card-not-present transactions to identify financial institutions and merchants that hackers might target with automated testing to guess account numbers, expiration dates and security codes. 

Visa Payment Threats Lab provides a third layer of protection by creating an environment in which a client's processing, business logic and configuration settings can be tested to identify errors that could lead to vulnerabilities. 

Bringing up the rear is proprietary solution Visa eCommerce Threat Disruption, which uses sophisticated technology and investigative techniques to proactively scan the front end of e-commerce websites for payment-data-skimming malware. 

Categories: Cyber Risk News

Should Companies Block Newly Registered Domains?

Tue, 08/20/2019 - 15:22

Visiting a newly registered domain (NRD) is the digital equivalent of picking up a hitchhiker: it might all go smoothly but you could also end up being robbed. 

While NRDs can be created for perfectly legitimate reasons, such as hosting a new conference, they are also commonly misused by tricksters spreading malware or attempting to make a quick buck from phishing or other common scams. 

A 2018 study by Farsight Security found that on average, 9.3% of NRDs died in their first seven days, with a median lifetime of just four hours and 16 minutes. The study concluded that the vast majority of these short-lived NRDs were used for cybercrime.

General awareness that shiny new domains might pose a threat has led cautious companies to block and/or closely monitor NRDs in enterprise traffic for anywhere from the first few hours after detection up to a week. But with no comprehensive study available on the malicious usages and threats associated with NRDs, a consensus hadn't been reached on whether such actions are sensible precautions or security overkill. 

A study published today by Palo Alto Networks’ threat intelligence arm, Unit 42, indicates that the companies blocking NRDs are onto something.

Out of 1,530 top-level domains analysed by Unit 42, more than 70% turned out to be “malicious,” “suspicious” or “not safe for work.” The study found that NRDs are "often times abused by bad actors for nefarious purposes, including but not limited to C2, malware distribution, phishing, typosquatting, PUP/Adware, and spam."

According to Palo Alto Networks, the safe approach is to block access to NRDs for the first 32 days after they have been registered or have undergone a change in ownership.

A recommendation was also made to block complete top-level domains (TLDs) that are predominantly used by bad actors (the threat kind, not the cast of Hollyoaks). The study calculated the top 15 TLDs with the highest malicious rate on recent NRDs and found the worst three offenders were "to," "ki" and "nf." 

The study concludes: "We recommend blocking access to NRDs with URL Filtering. While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs are allowed, then alerts should be set up for additional visibility."
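The policy described above (a 32-day block after registration or change of ownership, whole-TLD blocks, and alerting as the bare minimum) can be sketched as a log triage routine. This is an added example, not code from Palo Alto Networks or Unit 42; the registry data, log lines, function names and the choice to alert on domains of unknown age are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NRD_WINDOW = timedelta(days=32)    # blocking window recommended in the study
BLOCKED_TLDS = {"to", "ki", "nf"}  # the three worst-offending TLDs named above

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed registration data: domain -> (registered, last ownership change).
# Assumption: a real deployment would fill this from an NRD feed or RDAP/WHOIS.
REGISTRY = {
    "new-event.example": (utc(2019, 8, 10), None),
    "resold.example": (utc(2012, 3, 1), utc(2019, 8, 1)),
    "established.example": (utc(2005, 6, 15), None),
}

# Constructed proxy log lines: timestamp, client, requested host.
SAMPLE_LOG = """\
2019-08-20T09:00:01Z 10.0.0.5 www.new-event.example
2019-08-20T09:00:07Z 10.0.0.9 shop.resold.example
2019-08-20T09:01:12Z 10.0.0.5 portal.established.example
2019-08-20T09:02:30Z 10.0.0.7 cdn.constructed-name.to
2019-08-20T09:03:44Z 10.0.0.7 never-seen.example
"""

def registered_domain(host):
    # Simplification: last two labels. Multi-label suffixes such as co.uk
    # need the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, when, enforce=True):
    """Return 'block', 'alert' or 'allow' for a host requested at time `when`."""
    domain = registered_domain(host)
    if domain.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        return "block"  # whole-TLD block applies regardless of domain age
    record = REGISTRY.get(domain)
    if record is None:
        return "alert"  # assumption: unknown age is surfaced, not silently allowed
    # The window restarts on a change of ownership, so use the later date.
    start = max(d for d in record if d is not None)
    if when - start < NRD_WINDOW:
        # Alert-only mode is the study's "bare minimum" when NRDs stay reachable.
        return "block" if enforce else "alert"
    return "allow"

def triage(log_text, enforce=True):
    """Classify every request in the log at the time it was made."""
    verdicts = []
    for line in log_text.splitlines():
        stamp, _client, host = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verdicts.append((host, classify(host, when, enforce)))
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:5}  {host}")
```

Evaluating age at the time of each request, rather than at the time of analysis, keeps verdicts reproducible when older logs are replayed.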

Categories: Cyber Risk News

Facebook Adds Instagram to Data Abuse Bug Bounty Program

Tue, 08/20/2019 - 10:30

Facebook has announced an expansion to its bug bounty program covering third-party apps that abuse user data, to include the Instagram ecosystem.

First launched in 2018 in response to the Cambridge Analytica scandal, the Data Abuse Bounty program works by “incentivizing anyone to report apps collecting user data and passing it off to malicious parties to be exploited.”

If an application is found to be breaking Facebook policy in this way, it could be kicked off the platform or become the subject of legal action. Facebook may also decide to conduct a forensic audit of related systems.

Cambridge Analytica infamously used data on tens of millions of Facebook users and their friends scraped by the third-party This Is Your Digital Life app to target US voters in the 2016 Presidential election.

Since that debacle, the social network has been forced to kick hundreds more third-party apps from its platform for similar abuses, including one called myPersonality which was used by four million users.

The addition of Instagram to the program reflects the importance of the platform to Facebook’s business and growing concerns over developer access to user data.

In February, it was reported that data on 14.5 million Instagram accounts was being stored online in the UK with no password protection. It was suspected that a third party could be scraping accounts for publicly accessible data, for use later in marketing campaigns.

Last year, Instagram suddenly reduced the API limit for third-party apps from 5000 to 200 calls per hour, and stopped accepting new submissions, in what was seen as an attempt to improve user privacy.

Facebook set out its vision for a radical overhaul of the company in July following a record $5bn penalty issued by the FTC in response to failings that led to the Cambridge Analytica incident.

Categories: Cyber Risk News
