Info Security

Ireland Hit by Pedophile Sextortion Email Scam

Thu, 09/12/2019 - 17:29

Residents of Ireland are being targeted by an aggressive email sextortion scam that accuses recipients of being pedophiles before threatening to expose them as such unless a ransom is paid. 

The scam was highlighted yesterday by the Irish arm of IT security company ESET, which posted a warning on its website. ESET Ireland registered several complaints related to the illegal extortion scam.

Victims were sent emails with the subject lines "I know you are a pedophile . . ." and "What the **** are you doing, pedophile?" from someone claiming to be an internet security specialist affiliated with the Anonymous group. 

The sender of the email claimed to have installed spyware on the victim's computer that they purported to have used to record the victim watching illegal pornographic videos featuring young teens.

Victims were told that four video files in which they were captured masturbating to illegal porn were in the possession of the hacker, who threatened to send them out to everyone in the victim's address book unless a Bitcoin ransom of 5,000 GBP was paid.

In a bid to blackmail their victims into paying up, the scammers wrote: "I was observing you for quite some time, and what I have collected here is overwhelming. I know about your sexual preferences and your interest in young bodies. I have secured 4 video files clearly showing how you masturbate (captured from your camera) to young teenagers (captured from your internet browser). Glued together is a pretty overwhelming evidence that you are a pedophile."

Predicting that people who receive the sextortion emails may contact the police, the scammers wrote: "Don’t even think about going to police. If you try, I will immediately know it and I will send them your masturbation videos, pedo."

While sextortion scams that weaponize shame are nothing new, American software company Symantec says cyber-attacks of this type are plentiful and on the rise. From January through May of 2019, Symantec blocked almost 289 million of these emails from landing in the inboxes of potential victims. Of these, about 30% were sent during a 17-day period around Valentine's Day. 

ESET Ireland recommends that anyone who has received these emails does not reply and marks them as spam. If the emails contain any identifiable personal info, recipients are advised to report them to the police.

Categories: Cyber Risk News

A Third of Security Pros Have Skipped Cyber-Safety Checks to Launch Products Faster

Thu, 09/12/2019 - 16:15

A survey of 300 security professionals has found that 34% admit to bypassing security checks to bring products to market faster.

The research was carried out by cyber assessment company Outpost24, which questioned attendees at the Infosecurity Europe Conference held in London in June of this year. 

Worryingly, 64% of the security professionals surveyed were of the opinion that their customers could be affected by data breaches as a direct result of unpatched vulnerabilities in their organizations' products and applications. 

Asked if the products their company is happy to sell to the public would stand up well under penetration testing, 29% of respondents said either that they weren't sure or that they didn't believe their organization’s products and applications would fare well if tested. 

According to the survey results, an alarming number of organizations have the same attitude toward security testing as many people have toward flossing their teeth—they know they should do it, but rarely bother. 

Despite 92% of security professionals agreeing that it is important to carry out security testing on new products and applications, 39% of them said that their organizations didn't introduce security testing from the beginning of the product or application lifecycle. 

Bob Egner, VP at Outpost24, said: "Our study shows that even despite continuous warnings, organizations today are still leaving their customers at risk because of a failure to address security vulnerabilities in products before they are introduced to market. If organizations are not addressing these security vulnerabilities, they are taking a huge gamble and abusing customer trust."

Egner foresees a bleak future for companies whose greed blocks them from adequately checking for vulnerabilities in their products and resolving identified weaknesses before products are launched. 

He said: “Negligence towards security will eventually lead to disastrous outcomes for technology and application vendors and their customers. There should be no excuses today, especially when security is such a big issue and so many breaches, which have happened up and down the technology stack, are well publicized.”

Egner advised organizations to save their reputations and be more considerate of their customers by unearthing software vulnerabilities in products and applications before they go on sale, using a combination of penetration testing and automated application scanning.

Categories: Cyber Risk News

UNICEF Leaks Personal Data of 8000 Online Learners

Thu, 09/12/2019 - 15:27

The United Nations (UN) children’s agency UNICEF has apologized after inadvertently leaking the personal data of users of its online learning platform, Agora.

The leak occurred on August 26, when 20,000 Agora users were accidentally emailed a spreadsheet containing the personal information of 8,253 people enrolled in a course about childhood immunization.

Among the information accidentally leaked were names, email addresses, duty stations, gender, organization, name of supervisor, and contract type. 

A staff member unwittingly triggered the leak after running a report. The incident was detected by UNICEF the day after the email was sent out, and their response was swift and effective. 

In an email about the leak sent to Devex, UNICEF’s media chief Najwa Mekki wrote: “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring.”

After discovering the leak, UNICEF sent an apologetic email to Agora users. The message included an appeal for recipients to permanently delete the email containing the leaked data, erase any data downloaded, and then empty the recycle bin. 

Plans are said to be in motion for UNICEF to carry out an internal assessment and review of the incident. 

Learning portal Agora is free to access and open to UNICEF staff, partners, and the general public. Part of the mandatory staff training program on Agora is an information security awareness course that teaches "concepts and solutions for data protection, use of UNICEF’s information assets and best practices for cyber security at work and at home." 

Commenting on the incident, senior director of security research at Tripwire Lamar Bailey said: "You can have all the industry-leading security controls in place, but nothing stops human error.

“Training employees is often overlooked, or the investment is not as high as it needs to be. Employee security training is always a tough area. The training programs can be too simplistic, and this causes people to ignore them or blow them off.”  

Categories: Cyber Risk News

Google Searches Reveal the 15-Year Decline of AV

Thu, 09/12/2019 - 11:00

The past 15 years have seen huge changes in the cybersecurity-related search terms internet users are deploying to find out more about the industry, with anti-virus supplanted by emerging next-gen solutions, according to new data from Redscan.

Taking its cue from Google’s Year in Search report, the security vendor decided to analyze the past decade-and-a-half of search data to understand how trends have evolved over time.

Internet searches for “anti-virus” and “network security” have declined significantly over that time, as has interest in the main AV brands. At the same time, there’s been a surge of interest in terms such as “SIEM,” “Cloud Computing,” “Mobile Device Management” and “BYOD.”

Interestingly, searches for “passwords” have declined rapidly since 2004, although terms such as “two-factor authentication” and “multi-factor authentication” have not risen significantly over the same time period.

“It’s a bit concerning that searches for passwords are in such a steep decline. Good password hygiene is essential, and people are often really bad at setting unique passwords,” the report noted.

As for the threat landscape itself, searches for “keyloggers” declined sharply from around 2004 onwards, while “phishing,” “ransomware” and “DDoS” have remained pretty consistent. Spikes in searches for DDoS coincided with the major Mirai botnet attack on Dyn in 2016 and for ransomware with the WannaCry attack of 2017.

In 2004, “Spyware” and “adware” were far more popular search terms than “malware,” although the trend has now been reversed. “Cryptojacking” also spiked sharply from around 2017 while searches for “GDPR” understandably rocketed shortly before its introduction in early 2018.

As for the future, Google search term analysis indicates the rising popularity of “threat hunting,” “IoT security,” “AI and security” and “zero trust security.”

"Cybersecurity has changed remarkably over the past 15 years and Google’s search data is a great measure of this,” said Andy Kays, technical director at Redscan.

“As businesses embrace digital transformation, their security strategy must evolve accordingly. Our data shows that interest in traditional preventative tools is declining in favor of next-generation technologies that offer enhanced threat detection and response capabilities.”

Categories: Cyber Risk News

Over Half of UK Firms Still Not GDPR Compliant

Thu, 09/12/2019 - 09:30

Over half of UK businesses aren’t compliant with the GDPR more than 15 months after its introduction, despite many reporting data security incidents to the ICO, according to new research from Egress.

The security vendor polled 250 “GDPR decision-makers” from companies of all sizes and sectors to compile its new report, GDPR compliance: where are we now?

Some 52% said they were not fully compliant with the EU-wide data protection regulation, with over a third (35%) claiming compliance had dropped down the priority list over the past year. That’s concerning given that GDPR compliance cannot be achieved via a one-off tick box exercise but requires continual attention.

Just 6% said the recent ICO fines issued to BA and Marriott raised the profile of GDPR again within the business.

Although 42% of respondents rated their firm as “mostly compliant,” it’s unclear which elements were still lacking. Data breach threats can come from anywhere and it only takes a small oversight for a potentially serious incident to occur.

Bearing this out, over a third of respondents (37%) reported at least one incident to the ICO in the past 12 months. According to Egress-obtained FOI information, 60% of security-related personal data breach incidents reported to the watchdog in the first six months of 2019 were caused by human error.

Mid-sized companies are either most exposed to data security incidents or most alert to respond, the findings seem to indicate.

Over half (53%) of mid-size companies (250-999 employees) reported data breaches to the ICO in the past 12 months, compared with 36% of small companies (1-249 staff) and only 23% of enterprises (1000+ employees), according to the report.

“Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR. The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’,” argued Egress CEO, Tony Pepper.

“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organizations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organizations cannot risk compliance complacency.”

He added that any technology solutions brought in need to tackle the underlying problem of human error, by mapping employee behavior to block phishing attacks and to prevent misdirected emails and wrongly attached documents.

“Reliance on people to follow processes and protect data is only going to get organizations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information,” Pepper said.

Categories: Cyber Risk News

Wikipedia Gets $2.5m Donation to Boost Cybersecurity

Thu, 09/12/2019 - 08:38

The Wikimedia Foundation has received a $2.5m donation to boost its cybersecurity efforts following a major DDoS attack that left Wikipedia unavailable across much of the world last weekend.

The non-profit relies on charitable donations and volunteers to keep the online encyclopedia and other “free knowledge” projects running.

So it was relieved at the major cash injection, which came from Craigslist founder-turned-philanthropist Craig Newmark.

“Wikipedia’s continued success as a top-10 website that has hundreds of millions of users makes it a target for vandalism, hacking, and other cybersecurity threats that harm the free knowledge movement and community,” said John Bennett, director of security at the Wikimedia Foundation.

“That’s why we are working proactively to combat problems before they arise. This investment will allow us to further expand our security programs to identify current and future threats, create effective countermeasures, and improve our overall security controls.”

The non-profit didn’t go into much more detail about which areas of its security stack the money would help to fund, although application security, risk management and incident response were all highlighted.

It would also be safe to assume that some funds would be diverted into better DDoS mitigation, given the attack last weekend which started on Friday evening UK time and led to disruption for most of Europe and the Middle East.

Under his Craig Newmark Philanthropies organization, Newmark has donated millions to fund journalism and combat fake news, improve voter protection and help address the gender disparity in IT. As part of these efforts he’s sent nearly $2m the way of the Wikimedia Foundation.

“As disinformation and other security threats continue to jeopardize the integrity of our democracy, we must invest in systems that protect the services that work so hard to get accurate and trustworthy information in front of the public,” said Newmark.

“That’s why I eagerly continue to support the Wikimedia Foundation and its projects — like Wikipedia, the place where facts go to live.”

Categories: Cyber Risk News

Calls to Bring Back Role That Was Scrapped by Departing U.S. Security Advisor

Wed, 09/11/2019 - 17:57

Chris Kennedy, former leader of cybersecurity operations programs for the U.S. Department of the Treasury and the U.S. Marine Corps, has called for the reinstatement of the cybersecurity coordinator role on the National Security Council.

The position was scrapped last year by the then U.S. national security advisor John Bolton, who tendered his resignation yesterday. Bolton is the third national security advisor to exit the White House since President Donald Trump took office in January 2017. Trump claimed yesterday on Twitter to have asked Bolton to step down.

"The removal of the position in May 2018 mystified myself and others within the cybersecurity industry," said Kennedy, who is now CISO and vice president of customer success at AttackIQ. "The elimination of the role did not make sense considering the importance of cybersecurity in the protection of our nation." 

Kennedy, who is a former Marine Corps officer and Operation Iraqi Freedom veteran, believes the importance of cybersecurity to American national security hasn't been fully realized, leaving the United States vulnerable to attack. 

He said: "I still do not think we as a nation understand our dependence on technology, the risks we assume every day, and the capabilities of nation-state backed threat actors. Risks of being attacked grow every day as enterprises continue to adopt more technology to augment their business.

"The world runs on technology today, and that presents one of the most significant risks to the nation—logistics that feed and supply our nation, critical infrastructure that enables our way of life, and technology platforms across all industries that enable businesses to conduct their mission are all cybersecurity implications. To not have a focal point focusing on that risk is exceptionally worrisome since a major cyber-attack would have catastrophic implications."

The need for a cybersecurity coordinator operating at a national level was echoed by Joseph Carson, chief security scientist at Thycotic, who said: "The elimination of the cybersecurity coordinator position removed accountability and responsibility. This was a step in the wrong direction. 

"Without a cybersecurity coordinator, it has been as if no one is driving the White House on protecting citizens from cyberattacks.”

Dan Tuchler, CMO at SecurityFirst, believes Bolton's decision to scrap the cybersecurity coordinator role made the U.S. more vulnerable to cyber-attacks. 

He said: "John Bolton greatly damaged our ability to focus on these threats by removing the position of cybersecurity coordinator. It’s hard to imagine his replacement being worse, but it’s also unlikely in this political climate that the replacement will restore the cybersecurity position."

With the proviso that he "didn't want to be alarmist," Tuchler added, "Let’s hope the situation is corrected before something terrible happens." 

Categories: Cyber Risk News

Program to Land Neurodiverse Adults Government Cybersecurity Jobs Wins Prize

Wed, 09/11/2019 - 16:47

A pilot program that aims to find neurodiverse adults cybersecurity jobs with the federal government has won the Government Effectiveness Advanced Research (GEAR) Center challenge.

The program was created by a collaboration between George Mason University, Mercyhurst University, Rochester Institute of Technology, University of Maryland, Drexel University, SAP, Specialisterne, the DXC Dandelion Program, and the MITRE Corporation, which led the effort.

Neurodiversity in Cybersecurity was one of three grand prize winners, each of which was awarded a $300,000 federal grant. The proposal urges the creation of a workforce program to help the federal government identify, train, and promote candidates who are neurodiverse.  

Neurodiversity as a term covers a wide range of conditions, including dyspraxia, dyslexia, attention deficit hyperactivity disorder, dyscalculia, autistic spectrum disorders, and Tourette's syndrome.

Key features of the program are management and co-worker training and the creation of career and social development programs to prepare candidates.

“Attracting and retaining technical talent, especially those with cybersecurity skills, is a key management challenge for the U.S. government, states and the private sector, as well,” said James Cook, MITRE vice president for strategic engagement and partnerships. “MITRE and its partners developed an approach to activate an untapped talent pool that leverages leading practices and tools that have been adopted by the private sector and non-governmental organizations to tackle this persistent problem. We look forward to partnering with a government agency to pilot the program.”

A government agency partner is yet to be confirmed; however, MITRE has every reason to believe that the project will prove successful once it's up and running. Earlier this year, the nonprofit launched a company-wide initiative to mainstream neurodiversity hiring and employment practices with a focus on positions in cybersecurity. Two college co-ops have recently been hired through this program, which MITRE has said it will continue to scale. 

"Cybersecurity is a role-oriented discipline requiring logic, curiosity, ability to solve problems and find patterns through micro-focused attention,” said Tara Cunningham, CEO, Specialisterne, which specializes in neurodiverse tech hiring and is one of the pilot’s partners. “Although autistic and other neurodiverse people are strong across all disciplines, for many, cybersecurity is a natural fit."

The Office of Management and Budget (OMB) and General Services Administration’s (GSA) GEAR Center competition challenges problem solvers from the public, academia, and industry to build cross-sector, multidisciplinary teams to demonstrate the potential of the GEAR Center. Winning entries by two other collaborative teams focused on government use of evidence and data.

Categories: Cyber Risk News

New Platform Aims to Keep Kids Safe Online

Wed, 09/11/2019 - 15:16

A new platform designed to keep young people safe while browsing the internet was launched today by Slovakian cybersecurity company ESET.

Safer Kids Online was developed in consultation with cybersecurity experts and a child psychologist. The multilingual platform offers guidance and advice to children, teens, and parents on how to stay safe online. 

Users can learn the key warning signs that a child is being hounded by cyber-bullies and discover ways to prevent children from becoming the victims of online sexual predators. The platform will also feature advice on how to build a child's awareness of the potential dangers involved in online activities they may perceive to be risk-free, such as posting selfies online and 'checking in' via geolocation services.

A friendly and respectful tone has been used to create the platform's educational resources, which include vlogs and in-depth articles aimed at parents, and comics and prize competitions that appeal to children.

Creators of the platform have been careful not to make the internet sound like a scary place—that would hardly be great for business—but in a statement released today they underlined how aware they are of the risks posed to children who venture online. 

The statement said: "According to the Cyberbullying Research Centre, 34% of 12- to 17-year-olds in the U.S. have experienced cyberbullying, while UK children’s charity the NSPCC recently revealed that police recorded 9,000 child sexual offenses with an online element between 2017 and 2018."

Natália Rasavacová, Safer Kids Online Guru at ESET, believes the new platform will fill a gap often unintentionally left by parents and schools. 

She said: “The digital age has brought boundless opportunities for progression around the world, but dangers are also present and alive. Children particularly can face risks, and we know that parents and schools, even with the best intentions, don’t always have the knowledge of how to protect their kids in the digital sphere." 

The need for online safety guidance for children is clear, as every third person on the internet is a child. However, the platform is likely to be good news for ESET as well as for young internet users and their parents since visitors are gently directed to advice on guardian software, such as ESET Parental Control for Android.

Categories: Cyber Risk News

#GartnerSEC: Reuse Procedures From IAM in PAM Implementations

Wed, 09/11/2019 - 15:00

An existing identity and access management (IAM) implementation can lend several procedures to the roll-out of privileged access management (PAM).

Speaking at the Gartner Security and Risk Management Summit in London, Alan Radford, technical director of One Identity, and a representative from a European IT service provider, who was speaking off the record, discussed the implementation of PAM at the company, which they said came after finding more developers had access to customer data “and with 500 IT admins we want to know what is going on, and who has what privilege and when and how they are using them.”

The speaker said that when choosing what to implement, it is important to know whether you are going to choose IAM or PAM, as there are benefits to both “and it makes sense for you to do IAM first and procedures can then follow on PAM.” 

Radford asked whether, if someone has neither PAM nor IAM, PAM can be a stand-alone technology. The speaker said that while PAM is not a stand-alone technology, “by having systems in place and accountability decentralized, in a sector where we are regularly audited internally and by the FCA” the technology enabled them to document its activities and controls.

They also said that “segregation of duties is a key element in IAM” as a developer should not be able to push a project into production, “but may be allowed in an incident to fix stuff” and that requires knowledge on how segregation of duties is implemented.

Looking at provisioning users, the speaker said that the IAM process should be easy to join, switch parameters and enroll users, and switch back. “You’re not introducing a new system, it’s a new project.”

They recommended figuring out what information you can use from IAM into your PAM integration “and figure out what you have under the hood in the company, and know who is responsible.”

Speaking to Infosecurity, the speaker said that you have to be aware that you’re not introducing a system, you’re introducing procedures, and you will hit the organization with a new system of working, “and this is a way of getting out of the project paradigm.”

The speaker said it is not like shifting from Outlook on-premise to Office 365, this is moving from something you were not doing to something you are. “That is not a project, that is introducing new ways of working and procedures that need to be followed, it is an ongoing thing, so you need to think about having a team to support that,” they said.

Asked if he sees a lot of the IAM and PAM procedures not being re-used, Radford said that you “cannot achieve true governance without encompassing all of your privileged access and all of your end user access, and understanding what the difference is between the two for your company.”

Categories: Cyber Risk News

#GartnerSEC: Questions Your Board Will Ask About Security

Wed, 09/11/2019 - 12:15

Speaking at the Gartner Security and Risk Management Summit in London, Gartner director analyst Sam Olyaei said that the topic of “questions on security and risk that you must be prepared to answer at your board meetings” was one of the most popular subjects.

He said that the company was getting around 100 enquiries a year on this subject seven years ago, and now that number is over 700 a year. Pointing at Gartner research from 2016, which said that by 2020 “100% of large enterprises will be asked to report to their boards of directors on cybersecurity at least annually,” he said that we’re getting close to that number, as 2018 research showed that 91% of billion dollar companies had briefed the board on their cybersecurity program at least once in the last year.

Olyaei said that this shows the “cultural disconnect between security and the business” and that the business has “expectations for security and risk that we cannot manage.” Olyaei added that it is not enough to say that we are creating an impact, but security practitioners have to show evidence, data and examples of what they are doing.

Olyaei argued that most security leaders feel that the board is monitoring risk, and feel that the board understands the risks and monitors them on a regular basis, “but we find most board members are not that confident in their security leaders to manage risks on their behalf.” 

He said: “We feel that in a couple of years, your performance as security and risk leaders will be on demonstrating value at enterprise risk level.” This is because the board cares about three things:

  • Revenue/mission and operating income
  • Future cost avoidance and immediate decrease in operating expenses
  • Risk, including regulatory and compliance, especially brand and reputation

“Most board questions are based on the maturity of the organization,” he said, explaining that a new board will be unfamiliar with compliance requirements, and ask “trade off questions” that security practitioners “would call stupid questions.” The questions are as follows:

The trade off – Questions like “are we secure?” and “can we prevent this from happening?”

The risk – Questions such as “what is an appropriate level of risk?” account for 80% of board questions, Olyaei said. Boards also want to know what keeps security practitioners up at night.

The performance – Boards want to know about return on investment and see benchmarks, and want to know what other companies are doing, spending and how many staff they have. 

The threat landscape – “A lot of board members listen to webcasts and sit on other boards, and ask about an incident at company X, or an increase in ransomware attacks, and a lot of the time the board wants to ask legitimate questions as they are concerned about threats,” he said.

The incident – Olyaei said that security has moved to a phase of “if, rather than when,” and security practitioners should be prepared to talk and answer at board level about issues around security incidents. “When an incident happens, the first action of a board member is to panic,” he said. “Provide details on impact and keep at a point where you don’t dwell on the past.”

Olyaei concluded by saying that there will likely be more questions in the future, and encouraged delegates to know the make up of the board and any security leaders involved. He said that the typical “wave” of questions are as follows:

  • Why is security so expensive?
  • Are we secure and compliant?
  • Why can’t security move faster?
  • Why can’t we have competitive advantage from security?
  • Why can’t we be a digital company?

Categories: Cyber Risk News

Security Makes Remote Working Too Difficult, Say Users

Wed, 09/11/2019 - 11:01

Organizations are failing to adequately support secure remote working practices, according to new research from digital services provider Capita.

Despite the undoubted productivity benefits stemming from more flexible working practices, only half (52%) of the 2000 UK knowledge workers Capita surveyed said BYOD was an option for them. Even fewer, just 14%, said they were encouraged to use their own device.

The vast majority of employees (92%) said they believe it’s the organization’s job to secure remote working, yet over two-fifths (42%) claimed current security policies make it difficult to do their job.

Capita IT & Networks’ head of workspace and collaboration, Ian Hart, told Infosecurity that there continues to be a conflict between user expectations and the reality of what employers provide for remote working.

“While the technology to meet these cultural working expectations is available and has been used to deliver flexible services to consumers for a number of years, a lot of organizations are still struggling to modernize their own internal IT services,” he argued.

“For many, partial adoption of cloud services while maintaining existing older IT platforms has created more problems for both end users and those managing the service.”

By failing to completely modernize their IT systems and give staff access to their preferred technologies, enterprises aren't able to become user-centric, Hart explained.

“Naturally, CIOs cannot allow unfettered access to corporate systems, but they also must ensure they are not acting as a blocker to employees’ productivity,” he added.

“By providing employees with a single robust user identity, organizations can protect all the services that sit behind it and remove the reliance on a specific trusted device or connection to access corporate services. In addition, by replacing traditional desktops and applications with a more user-centric and modern IT environment, organizations can have better control over the sensitive material they need to protect, while allowing employees to work more flexibly and safely from any location.”

Categories: Cyber Risk News

Microsoft Fixes Two Zero-Days in September Patch Update

Wed, 09/11/2019 - 09:40

Microsoft patched 79 unique CVEs in this month’s security update round, including two zero-days and three vulnerabilities in Windows which had been publicly disclosed.

The two zero-day vulnerabilities are both elevation-of-privilege flaws: CVE-2019-1215 is in the Winsock component (the ws2ifsl.sys driver) while CVE-2019-1214 exists in the Windows Common Log File System (CLFS) driver. Neither gives an attacker initial access on its own; both are post-compromise bugs used to escalate from a low-privileged process to SYSTEM.

Microsoft also fixed a quartet of critical bugs in its Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. According to Qualys senior director Jimmy Graham, “to exploit these vulnerabilities an attacker would need to get a user to connect to a malicious or compromised RDP server.”

Recorded Future intelligence analyst Allan Liska flagged CVE-2019-1257 for immediate attention. This remote code execution vulnerability affects SharePoint Server 2019, SharePoint Enterprise Server 2016 and SharePoint Foundation 2010 and 2013.

He warned that attackers are often quick to exploit SharePoint bugs.

“SharePoint is a common target for attackers not only because of the sensitivity of the information often contained on SharePoint servers, but because they tend to provide full access to victim networks,” Liska added. “The vulnerability stems from the fact that certain versions of SharePoint do not properly check the source markup of an application package. An attacker can create a specially crafted application package and upload it to the SharePoint server and use the package to execute arbitrary code.”

It was a pretty light patch load for Adobe this month: the firm fixed just two critical vulnerabilities in its Flash Player, which should nevertheless be prioritized on workstations, experts warned.

Ivanti’s director of security solutions, Chris Goettl, explained that Microsoft released servicing stack updates (SSUs) for all supported operating systems yesterday, as part of ongoing adjustments to the software update process.

Although servicing stack updates are rated critical, they don’t actually resolve any immediate software flaws, he said; the servicing stack is the component of Windows that installs updates, so an SSU changes how future patches are applied rather than fixing a vulnerability itself.

“They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle,” Goettl continued.

“This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied.”

He urged system admins to start testing these as soon as possible and have them in place before November.
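To make Goettl's advice actionable, the following PowerShell script (an added example, not Ivanti's or Microsoft's code) inventories the servicing stack packages and the monthly cumulative packages installed on a machine, so an administrator can confirm an SSU is present, and optionally that a specific month's SSU is present, before the next cumulative update is staged. It relies on two things that are true of Windows 10 and Windows Server 2016 and later: the DISM module's `Get-WindowsPackage -Online` cmdlet enumerates the component store, and Windows names SSU packages `Package_for_ServicingStack_<KB>~…` and cumulative packages `Package_for_RollupFix~…`. The `-ExpectedKB` parameter is the script's own addition; the KB number to pass comes from the month's Microsoft release notes and is not on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: report installed servicing stack updates (SSUs) and
# cumulative updates (LCUs) on the local machine. Get-WindowsPackage -Online
# needs an elevated prompt and can take a minute on a large component store.

function Get-ServicingStackStatus {
    param(
        # Optional KB number (digits only) of the SSU you expect to see,
        # e.g. taken from the current month's Microsoft release notes.
        [string]$ExpectedKB
    )

    $installed = Get-WindowsPackage -Online |
        Where-Object { $_.PackageState -eq 'Installed' }

    # SSU packages are named "Package_for_ServicingStack_<KB>~...";
    # monthly cumulative/rollup packages are "Package_for_RollupFix~...".
    $ssu = @($installed |
        Where-Object { $_.PackageName -like 'Package_for_ServicingStack*' } |
        Sort-Object InstallTime -Descending)
    $lcu = @($installed |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix*' } |
        Sort-Object InstallTime -Descending)

    $expectedPresent = $null
    if ($ExpectedKB) {
        # The KB number is embedded in the SSU package name.
        $expectedPresent = [bool]($ssu |
            Where-Object { $_.PackageName -like "Package_for_ServicingStack_$ExpectedKB~*" })
    }

    [PSCustomObject]@{
        SSUCount           = $ssu.Count
        LatestSSU          = if ($ssu) { $ssu[0].PackageName } else { $null }
        LatestSSUInstalled = if ($ssu) { $ssu[0].InstallTime } else { $null }
        LatestLCU          = if ($lcu) { $lcu[0].PackageName } else { $null }
        LatestLCUInstalled = if ($lcu) { $lcu[0].InstallTime } else { $null }
        ExpectedSSUPresent = $expectedPresent
    }
}

# Usage: run without arguments for an inventory, or pass the SSU KB number
# published for this month, e.g. Get-ServicingStackStatus -ExpectedKB 4512345
# (placeholder value, not a real KB from this article).
$status = Get-ServicingStackStatus
$status | Format-List

if ($status.SSUCount -eq 0) {
    Write-Warning 'No servicing stack update is installed; apply the current SSU before the next cumulative update.'
}
elseif ($status.ExpectedSSUPresent -eq $false) {
    Write-Warning 'The expected servicing stack update is not installed; apply it before the next cumulative update.'
}
```

Because `Get-HotFix` lists SSUs and cumulative updates alike by KB number, it cannot tell the two apart; filtering on the component-store package name is what lets the script separate the servicing stack from the patches it installs. Run it against a representative machine from each OS build in the estate, since SSUs are build-specific.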

Categories: Cyber Risk News

Global Cops Bust 281 Alleged BEC Scammers

Wed, 09/11/2019 - 08:40

An international law enforcement operation has led to the arrest of 281 individuals on charges linked to Business Email Compromise (BEC) and the seizure of nearly $3.7m.

The “Operation reWired” initiative was coordinated by the US Department of Justice (DoJ), Department of Homeland Security, US Treasury, the Postal Inspection Service and the Department of State along with law enforcers in nine other countries.

The vast majority of arrests came in Nigeria (167), although 74 individuals were placed behind bars in the US, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia and the UK.

Prosecutors claimed to have made arrests in connection with both corporate BEC scams and attempts to part individuals with their cash, especially the elderly.

Operation reWired began in May this year with arrests, money mule warning letters and asset seizures and repatriations.

Among the cases listed by the DoJ was that of Kenneth Ninalowo, 40, of Chicago, Illinois, who is alleged to have laundered over $1.5m of proceeds from BEC scams, including one in which a community college and an energy company were tricked into sending $5m to fraudulent bank accounts.

Also arrested were Nigerian nationals Emmanuel Igomu, 35, of Atlanta, Georgia, and Jude Balogun, 29, of San Francisco, who are alleged to have received funds connected to a $3.5m BEC scam that defrauded a Georgia-based health care provider.

In addition, Cyril Ashu, 34, of Austell, Georgia; Ifeanyi Eke, 32, of Sandy Springs, Georgia; Joshua Ikejimba, 24, of Houston, Texas and Chinedu Ironuah, 32, of Houston, Texas were charged in connection with a $10m BEC operation that impacted hundreds of victims in the US.

It’s unclear whether any of the arrests made impacted the notorious London Blue gang, whose prodigious exploits have been tracked and revealed by security firm Agari over the past year.

BEC is now a big money maker. Symantec reckons over 400 companies are being targeted each day, whilst the FBI estimates that $1.3bn was lost to the scams last year.

Categories: Cyber Risk News

McDonald's to Use AI Voice Assistants in Drive-Thrus

Tue, 09/10/2019 - 17:43

The era of having staff at McDonald's restaurants ask if you want fries with that is set to end, as the burger giant invests in AI voice-assistant technology. 

McDonald's has entered into an agreement to buy voice-based tech start-up Apprente as part of a plan to improve customer service. The Silicon Valley AI company was founded in 2017 specifically to develop a voice-based AI system for fast-food ordering in a gamble that can now be said to have definitely paid off. 

In contrast to speech-to-text systems, Apprente describes its technology as "sound-to-meaning," because instead of transcribing what a customer says and then determining meaning from the transcript, Apprente's tech goes directly from speech signals to result.

The burger corporation is hoping that the new technology will make the ordering process simpler and more accurate and allow customers to get their mitts on the restaurant's famous fast food even faster, including by reducing slowdowns that stem from misheard orders.

The purchase is being made with the primary intention of introducing voice-assistant technology at McDonald's drive-thrus, but use of the voice-based tech may be extended.

In a statement released today, a McDonald's spokesperson said: "We believe that the broader voice-based technology also has the potential to reach customers when, where, and how they want through incorporation into mobile ordering or kiosks."

Apprente's staff, which includes employees trained in machine learning and computational linguistics, will form a new internal team called McD Tech Labs, which will be integrated into the McDonald's Corporation. The team will work at McDonald's newly renovated Innovation Center near Chicago.

McDonald's statement continued: "This latest investment in advanced technology capabilities and talent builds on several key initiatives the company has introduced over the last three years to improve both the restaurant employee and customer experience, from the acquisition of Dynamic Yield, to the expansion of McDelivery, as well as the development of McDonald’s Global Mobile App, Mobile Order and Pay, indoor and outdoor digital menu boards, and self-order kiosks.  

"With this move, we’re investing in the talent and technology that will ultimately make our customer and restaurant employee experience better." 

Categories: Cyber Risk News

Rapid Rise in Monetization of IoT Attacks

Tue, 09/10/2019 - 16:43

An investigation by Trend Micro into the dark dealings of the cyber underground has found a rapid increase in the monetization of IoT attacks.

In a report released today, the global security software company revealed that forums across Russian, Portuguese, English, Arabic, and Spanish language-based markets are all brimming with chatter of how to compromise devices and then exploit them for profit. Routers and IP cameras were the most prominently discussed devices.

Financially driven attacks were found to be most prominent in the Russian and Portuguese markets, which are also the most criminally sophisticated. In these forums, cybercriminal activity is focused on selling access to compromised devices—mainly routers, webcams, and printers—so they can be leveraged for attacks.

The greatest threat is posed to consumer IoT devices, but businesses are also at risk as hackers are increasingly wising up to the possibility of compromising connected industrial machinery to launch digital extortion attacks.

In light of their findings, researchers at Trend Micro have made four sagacious predictions that reach varying levels of doom. The first is that the move from 4G to 5G will work very much in the hackers' favor, opening up more avenues for exploitation than they've ever had before.

The second is that attacks on VR devices and cryptocurrency mining kits are going to take off big time, with more advanced threats like low-level rootkits and firmware infections on the horizon as well.

A third prophetic warning is that digital extortion attacks are going to rise as programmable logic controllers (PLCs) and human-machine interfaces (HMIs) are increasingly found exposed online. Manufacturers should be cognizant that their machinery is at risk of being hijacked and their production lines halted by hackers chasing big-dollar ransoms.

Finally, the company's team of security experts reckon that attacks on routers are going to evolve as ISPs become more familiar with the tactics that manipulate router DNS settings, pushing attackers toward new techniques.

“We’ve lifted the lid on the IoT threat landscape to find that cybercriminals are well on their way to creating a thriving marketplace for certain IoT-based attacks and services,” said Steve Quane, executive vice president of network defense and hybrid cloud security for Trend Micro. 

“Criminals follow the money—always," said Quane. "Enterprises must be ready to protect their Industry 4.0 environments.”

Categories: Cyber Risk News

New $1.5M Cybersecurity Center Opening in Baton Rouge

Tue, 09/10/2019 - 15:53

A $1.5 million cybersecurity training and operations center is to open in Louisiana's capital city, Baton Rouge.

The center's long-term objective is to respond to cyber-attacks inflicted on government institutions, schools, and private companies in the Pelican State. However, its immediate purpose will be to support cyber-related missions at major military installations in Louisiana, including Barksdale Air Force Base’s Global Strike Command. 

The Louisiana Cyber Coordination Center will be housed in the Water Campus in the city's downtown area. Confirmed tenants so far are the Louisiana National Guard (LANG), Louisiana State University's nonprofit affiliate research company Stephenson Technologies Corp. (STC), and defense contractor Radiance Technologies.

LANG will lease 11,000 square feet of space in the new center, which 40 members will use periodically for training and as a base for cybersecurity operations. 

STC and Radiance will sublease 3,000 square feet each from LANG. Each company is expected to hire at least ten new staff members from the local Louisiana talent pool of cybersecurity professionals.

“When I created the Louisiana Cybersecurity Commission in 2017, we established a goal of making Louisiana a leader in this fast-growing field," said Louisiana governor John Bel Edwards. "Our top mission is ensuring the safety of sensitive information for Louisiana’s families, our military, our schools, our health-care facilities, and our private-sector employers. We want everyone’s data and privacy to be safe and secure. So, it’s incumbent upon us to invest in cybersecurity measures that protect our citizens from damaging attacks. Establishing this facility will provide one of the greatest tools for that safety, and it will continue our mission of becoming a global cybersecurity leader.”

“This cyber center is exactly what the Louisiana National Guard and the State of Louisiana needed to facilitate the fulfillment of its cybersecurity mission," said Maj. Gen. Glenn Curtis of the Louisiana National Guard. “Over time, for those who are authorized to use this facility, this cyber center will act as the central civilian interface for coordinating cybersecurity information sharing, performing cybersecurity threat analysis, and promoting shared and real-time situational awareness between and among the public and private sectors.”

To secure the project, the State of Louisiana has agreed to provide $1.5 million through Louisiana Economic Development to build out the existing 11,000 square feet to meet strict government standards and a further $500,000 to support lease payments for up to five years. Other project partners, including the Water Campus, are investing $250,000 for facility operations.

Categories: Cyber Risk News

#GartnerSEC: How Security Leaders Can Navigate Difficult Discussions in the Enterprise

Tue, 09/10/2019 - 14:10

Speaking at the Gartner Security & Risk Management Summit 2019 in London, Tina Nunno, distinguished VP analyst, Gartner, explored the difficulties security and risk managers can face in dealing with ‘political’ discussions in the workplace, and outlined strategies for navigating difficult conversations across a business.

Within an organization, politics and difficult conversations are “where the rubber hits the road,” Nunno said. “It’s in the face-to-face interactions where we are having some type of a conflict or we need to communicate something that’s quite difficult, and we need to survive it.”

Nunno explained that the desired outcome of any political or difficult conversation is to resolve issues constructively, establish a positive outcome for all involved and optimize the long-term relationship between the players.

To do that, Nunno outlined three paths that can be taken to navigate challenging workplace conversations, all of which build upon one another. These are de-escalation, synchronization and neutralization.

De-escalation requires you to strive to control the pace and tone of the discussion. “Creating calm and appeasement are two different things; with the first both win, and with the second both lose.”

She advised a four-step approach for mastering de-escalation in a difficult discussion, which includes Avoid, Ask, Engage and Calm.

  • Avoid: to prevent escalation, do not use language triggers such as “you’re wrong,” judgement terms or the past tense, and say “we” instead of “I” in conversations
  • Ask: uncover agendas, both hidden and stated. “Questions are a really powerful tool” and most people are loath to leave a direct question unanswered
  • Engage: decide where the discussion will take place
  • Calm: manage yourself and the other person’s state of mind so you are open to one another’s point of view

The next path that can then be taken to navigate challenging conversations is synchronization, Nunno said, again using four steps: Empathize, Agree, Redirect and Align. “In synchronization, we are attempting to agree and come to a positive place.”

  • Empathize: acknowledging the feelings of the other person will accelerate the shift to thinking
  • Agree: find common ground
  • Redirect: put the other person in a more constructive direction
  • Align: success is when both parties feel good about cooperating

The third and final path that Nunno outlined is neutralization. “This is when you can use something other than reason – power – to stop the situation and move to a better place,” she said. Once more, Nunno put forward four steps to adhere to: Message, Obstruct, Agitate and Restore.

  • Message: decide which message you want to send and to whom
  • Obstruct: this requires power and a willingness to use it
  • Agitate: determine the criticality of the message and the number of people that need to hear it
  • Restore: “restoration is not simply explaining why you were right and they were wrong, restoration is accountability, dignity and moving forward together”

To conclude, Nunno shared three key pieces of advice for being an effective verbal diplomat that can resolve conflicts through conversations:

  • Select and practice a short set of discussion techniques and have them ready to deploy
  • Combine discussion techniques in a formulaic way that makes sense to you
  • Manage political discussions to optimize both your relationships and outcomes
Categories: Cyber Risk News

#GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack

Tue, 09/10/2019 - 12:21

At the Gartner Security & Risk Management Summit 2019 in London, Andy Powell, CISO at Maersk, outlined the key lessons learned from the NotPetya malware attack the company, along with many others, suffered in 2017.

“Maersk was not alone [in being hit by NotPetya] and anybody that thinks that Maersk was the single biggest example is wrong. There were a lot of companies bigger than Maersk suffering even worse, but they were not as transparent as Maersk,” Powell said.

Therefore, the first key lesson learned from NotPetya is that “transparency is everything,” Powell explained. “Our clients at Maersk loved us for the fact that we told them, from day one, what was going on, and we included them throughout in what we were doing.”

Another lesson learned was that “the world has changed,” Powell continued. “From a company perspective, NotPetya told us that, unless you are a government organization or a very, very highly invested-in bank, you are not going to stop a state-sponsored weapon [such as NotPetya] if it is targeted at you. We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.”

What organizations must do is adopt a two-part strategy. “First and foremost, you need a balance of proactive and reactive [capabilities]. You need to retain the ability to manage an incident because you will assume that it will occur.” In an era when a lot of state-sponsored weapons are going to be used in cyber-attacks, you need to implement a balance of reactive and proactive capabilities.

Powell said that organizations also need to learn and understand “the way in which our businesses are changing. The attack surface is massively changing. The old fortified front door, ‘let’s stop them there’ approach, must go. We are all digitizing and creating one-to-one relationships with our customers, which we need to protect.”

There’s also the fact that companies like Maersk rely heavily on operational technology (OT) which, if disrupted, can cost organizations millions of dollars, Powell added. So it’s about “how we protect OT – not just conventional enterprise IT – as a network that can be compromised.”

Finally, lessons must be learned about crisis management, he said. “There is no such thing as a divide between technology and business in any company anymore, particularly when it comes to cyber. You have got to operate as one.”

Categories: Cyber Risk News

#GartnerSEC: Maersk’s Adam Banks Reflects on NotPetya Response and Recovery

Tue, 09/10/2019 - 11:31

Speaking in the opening keynote session of day two at the Gartner Security & Risk Management Summit 2019 in London, Adam Banks, chief technology and information officer at Maersk, reflected on the company’s response and recovery following the NotPetya attack in 2017.

Banks said that when Maersk was hit by NotPetya, the company was “not unusually weak,” and this is really important, because too often organizations feel immune to cyber-attacks because they do not consider themselves to have obvious security flaws.

However, Maersk was (and is) a company that is extremely data-centric. “Whilst we have a global flow of cargo, we equally have a global flow of information,” but because of the import/export work Maersk does, it cannot “lock up” data or create a centralized data pool and “put every form of defense around it.” The value of the data is in its distribution.

When NotPetya first hit, Maersk was unable to determine exactly what was occurring, Banks explained. It took several hours to establish the cause of the attack and its widespread impact. IT services, end-user devices and applications/servers were dramatically affected: as many as 49,000 laptops were destroyed and 1,200 applications were inaccessible.

“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover.

“The first thing we did was to make some fairly big decisions about how to manage this. Maersk is an asset-centric business with an asset-centric crisis management approach,” but that was not going to be effective in dealing with the global fallout of NotPetya, Banks explained. “I abandoned corporate crisis management and implemented a financial services crisis management model, because financial services normally only ever have global crises.”

In the first one to three days of the outbreak of NotPetya, Maersk:

  • Worked with Deloitte on cyber-forensics
  • Decided to be as open as possible about the incident, both internally and externally
  • Designed a new Windows build
  • Strengthened as far as possible
  • Retrieved an undamaged copy of the Active Directory

In the first four to nine days of the outbreak of NotPetya, Maersk:

  • Built 2000 laptops
  • Rebuilt the Active Directory
  • Spoke to the individual responsible for creating the NotPetya malware

From nine days onwards following the outbreak of NotPetya, Maersk:

  • Continued to work through the ever growing list of affected applications: in two weeks all global applications were restored and in four weeks all laptops were rebuilt
Categories: Cyber Risk News
