The perils of SIM swap fraud have been highlighted again after an undercover film crew revealed O2 and Vodafone employees apparently handing over replacement cards without carrying out proper identity checks.
Secret filming showed two Vodafone staff failing to follow strict security policies to check the identity of the person requesting the replacement SIM card in-store, according to the BBC’s Watchdog Live.
Meanwhile, O2 staff failed to check photo ID, which is policy for all monthly contract SIMs. The firm told the program that it also sends an authorization code to any Pay As You Go customers alerting them if someone is trying to use their number, but this was not received during the filming.
SIM swap fraud is sometimes used by scammers to spend large sums on premium rate numbers they run, but increasingly it can also be used to intercept two-factor authentication codes sent by banks so that customers can ‘securely’ access their accounts.
The fraud is made easier not only by telco store employees failing to carry out the proper checks, but also by the large volume of identity data on the dark web, which fraudsters can use to impersonate legitimate customers.
“From a financial institution standpoint, many have already started to make the switch to mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers,” explained Will LaSala, director of security solutions at OneSpan.
“Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.”
SIM swap fraud could also come as a result of malicious insiders working with criminal gangs.
In August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud, allowing criminals to transfer millions from his bank account.
Emails continue to be cyber-criminals' vector of choice for distributing malware and phishing, according to a report released today by Proofpoint.
The Quarterly Threat Report Q3 2018 found that the frequency of email fraud attacks and the number of individuals targeted per organization are continuing to rise. Credential-stealing banking Trojans comprised 94% of malicious payloads, and the number of malicious URLs grew, making them a more common attack vector than malicious attachments.
Emails attempting to steal corporate credentials increased over 300% between the second and third quarters of 2018.
In addition, the research indicated that social media platforms have done an excellent job of combating phishing links, resulting in a 90% decrease in attacks year-over-year. However, phishing attempts that leverage social-media-support fraud, which relies on fake customer service accounts to fool people into handing over their personal data, reached their highest level ever in September.
The report also noted that this type of angler phishing increased 486% year-over-year.
While banking Trojans made up 46% of all malicious payloads, a whopping 90% of those were Emotet and Panda Banker (also known as Zeus Panda). Emotet was consistently used in large, almost daily campaigns by an actor researchers have identified as TA542.
Though ransomware has somewhat dissipated, dropping 10 percentage points from Q2 and comprising only 1% of overall malicious messages, the report warned that it should not be written off just yet.
“We observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters’ since ransomware message volumes dropped. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale,” the report said.
In place of ransomware, attackers have shifted to downloaders and stealers, which accounted for 48% of all malicious payloads in Q3. Researchers identified three new downloaders, suggesting a trend towards the distribution of small-footprint malware that is stealthier and capable of more reconnaissance.
While there was a reduction in the number of spoofed sender identities (a significant 68% drop), an average of 27 people were targeted per attack, a 96% year-over-year increase in targeted victims. The report indicated that attacks continue to succeed by exploiting the human factor.
According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Given these findings, detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal becomes all the more critical, according to the report. Attackers are taking their time and carefully orchestrating attack campaigns so that they occur over the course of several months.
Analyzing specific attacker behaviors in recent campaigns used to steal vital ICS information, the report found that “in multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious admin and suspicious Kerberos account behaviors.”
Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials, the study found. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyber-attack life cycle.”
The report, based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, also found that during the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. Also in every 10,000 host devices and workloads, 314 lateral movement attack behaviors were detected. And during the final stage of the attack life cycle, the exfiltration phase, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
Using consumer data stolen in data breaches and made available on the dark web, cyber-criminals have launched a sextortion phishing campaign, according to research from Barracuda Networks.
In this month's Threat Spotlight, researchers detail the sextortion scam in which attackers prey on victims by using stolen passwords, threatening that they have a compromising video that will be shared with the victim’s contacts unless the user pays in Bitcoin.
The campaign started in July, and Barracuda Labs said it remains ongoing. Researchers found roughly 24,000 emails reported by customers around the globe since September. The emails reportedly use the stolen password as the subject line, though some might precede it with “your password is.”
Preying on human fear, the attackers know the impact such a subject line will have: the mere suggestion that the recipient's account has been hacked. According to the research findings, the email goes on to claim that the user's computer was infected with a remote access Trojan (RAT) from a pornography website, and that all of the explicit videos the user has been watching have been recorded.
“The email also claims that the user’s contacts from email and social networking have been gathered and that unless a sum of money is paid (in Bitcoin, of course), the video of the user watching porn will be sent to those contacts. We also saw examples of the attackers emailing the same address multiple times to up the scare tactics, an approach they are likely taking with most if not all of their intended victims,” wrote Jonathan Tanner in the Threat Spotlight.
While the attacker does have a legitimate password, which researchers said was likely from a list made public in 2016 of more than 500 million leaked passwords, there is no video, nor has any infection been found on victim computers.
“Whether or not the user has visited any pornographic websites is something only they know, but given that these emails are largely targeting business emails it's unlikely they're doing so on their work computer. For obvious reasons, we didn't send out a survey asking as much, but it seems safe to assume, and thus the other claims in the email must also be false,” Tanner wrote.
Researchers have warned that the SamSam ransomware strain continues to be a major threat to organizations, with 67 targets on the receiving end of attacks this year, according to Symantec.
The security giant claimed that most targets in 2018 have been located in the US, with healthcare accounting for the largest number of attacks, around 24%.
“Why healthcare was a particular focus remains unknown,” it explained. “The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”
At least one US government organization involved in administering elections was also hit, which is concerning news ahead of the mid-terms next week.
A small number of remaining attacks targeted organizations in Portugal, France, Australia, Ireland and Israel.
A Symantec spokesperson confirmed to Infosecurity that it was not possible to determine how many of the listed attacks were successful, as in some cases "we saw less than a handful of computers infected with SamSam tools, which could suggest failed attacks."
However, SamSam is known to be particularly dangerous as it is typically manually operated, rather than being used in fire-and-forget automated campaigns.
This means those behind it go to greater lengths to hide its activity, encrypting as many machines as possible on a network before demanding the ransom.
Its highly targeted nature means attackers often first obtain account credentials on the dark web to gain remote desktop protocol (RDP) access to an organization, and then use tools to elevate privileges and gain domain access rights.
They’ve also been observed using legitimate Windows tools like PsExec and PSInfo to “live off the land” and hide from AV tools, as well as publicly available hacking tools like mimikatz to steal passwords to spread to other servers.
“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. By making their activity appear like legitimate processes, they hope to hide in plain sight,” explained Symantec.
“For example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization.”
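The chain described above (valid credentials, RDP entry, then PsExec fan-out over more than 48 hours) can be correlated from two Windows event sources. This is an added illustration, not Symantec's detection logic: the log lines are constructed and simplified, and the 72-hour window and three-host threshold are assumptions.

```python
"""Flag a SamSam-style intrusion chain: an RDP logon with a valid account
followed, within a window, by PsExec service installs on several hosts.

Added example, not Symantec's code. Records are a constructed, simplified
export of Windows events: Security 4624 with LogonType=10 is an RDP
(RemoteInteractive) logon; System 7045 is "a service was installed", and
PsExec's service is named PSEXESVC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
PSEXEC_SERVICE = "PSEXESVC"
WINDOW = timedelta(hours=72)   # assumption; the page cites >48h in one attack
FANOUT_THRESHOLD = 3           # assumption: distinct hosts PsExec'd by one account


def parse(line):
    """Constructed pipe-delimited format: time|host|event_id|account|detail"""
    ts, host, eid, account, detail = line.split("|")
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": int(eid), "account": account, "detail": detail}


def detect_rdp_then_psexec(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {account: {entry_host, entry_time, psexec_hosts}} for each account
    whose first RDP logon is followed within `window` by PSEXESVC installs on
    at least `threshold` distinct hosts. PsExec use by an account with no RDP
    entry in the log is not correlated (it may be a deployment tool)."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    first_rdp = {}                     # account -> (time, host)
    psexec_hosts = defaultdict(set)    # account -> hosts that got PSEXESVC
    for e in events:
        if e["event_id"] == 4624 and e["detail"] == f"LogonType={RDP_LOGON_TYPE}":
            first_rdp.setdefault(e["account"], (e["time"], e["host"]))
        elif e["event_id"] == 7045 and e["detail"] == f"Service={PSEXEC_SERVICE}":
            entry = first_rdp.get(e["account"])
            if entry and entry[0] <= e["time"] <= entry[0] + window:
                psexec_hosts[e["account"]].add(e["host"])
    return {acct: {"entry_host": first_rdp[acct][1],
                   "entry_time": first_rdp[acct][0],
                   "psexec_hosts": sorted(hosts)}
            for acct, hosts in psexec_hosts.items() if len(hosts) >= threshold}


# Constructed sample log (hosts, accounts and times are invented). The first
# account mirrors the page's description: RDP entry, then PsExec across the
# estate over roughly two days. The second is a single legitimate PsExec; the
# third has no RDP entry at all.
SAMPLE_LOG = [
    "2018-02-01T22:14:05|JUMP-01|4624|corp\\svc_backup|LogonType=10",
    "2018-02-02T01:03:11|FS-02|7045|corp\\svc_backup|Service=PSEXESVC",
    "2018-02-02T01:05:40|FS-03|7045|corp\\svc_backup|Service=PSEXESVC",
    "2018-02-03T19:48:02|DC-01|7045|corp\\svc_backup|Service=PSEXESVC",
    "2018-02-03T20:01:13|HR-07|7045|corp\\svc_backup|Service=PSEXESVC",
    "2018-02-02T09:00:00|JUMP-01|4624|corp\\jsmith|LogonType=10",
    "2018-02-02T09:12:30|FS-02|7045|corp\\jsmith|Service=PSEXESVC",
    "2018-02-02T10:00:00|FS-05|7045|corp\\deploy|Service=PSEXESVC",
]

if __name__ == "__main__":
    for acct, info in detect_rdp_then_psexec(SAMPLE_LOG).items():
        print(f"{acct}: RDP entry on {info['entry_host']} at {info['entry_time']}, "
              f"PsExec to {', '.join(info['psexec_hosts'])}")
```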
SamSam was responsible for a major attack on the City of Atlanta earlier this year, which is slated to cost $10m to clean up, plus a Colorado Department of Transport outage which also ran into the millions.
Eurostar has forced a password reset for customers after revealing that an undisclosed number of them may have had their accounts accessed by a malicious third party.
It’s unclear whether all Eurostar customers were required to change their passwords or just those affected.
The note sent to customers warned that the train operator had detected an “unauthorized automated attempt” to log-in to some accounts between October 15 and 19.
“Please be reassured that your credit card or payment details haven’t been compromised as we never store such information on eurostar.com accounts,” it continued.
“We’d recommend that you reset your Eurostar password and check for anything unusual on your account. We’d also recommend updating your login details on other websites where you use the same password.”
Ilia Kolochenko, CEO of High-Tech Bridge, warned users to monitor incoming emails, instant messages and phone calls for suspected phishing attempts potentially using the account information accessed by the hackers.
“If personal data was stolen, it can be leveraged in eye-catching spear-phishing attacks, password reuse and identity theft scam,” he explained.
James Romer, chief security architect at SecureAuth, claimed the incident highlights how a reliance on username/password combinations can leave organizations and their customers exposed.
“The transport industry seems to be increasingly under attack from cyber-criminals, who are looking to access the vast amount of highly valuable customer data — including passport details and payment information — held within these organizations,” he added.
“Bad actors can easily purchase stolen credentials on the dark web, which can then be used to attempt to gain access to a secure network. By utilizing advanced techniques such as automation, more accounts can be easily targeted, increasing their chances of success.”
There have been more cyber-attacks against football’s organizing bodies globally and in Europe, with resulting leaks from FIFA expected to be published by the media on Friday, according to reports.
The World Cup organizer confirmed to reporters this week that it had suffered a breach in March, with the European Investigative Collaborations collective of media companies expected to go public with new revelations tomorrow, according to AP.
FIFA released a short statement claiming that it “condemns any attempts to compromise the confidentiality, integrity and availability of data in any organization using unlawful practices.”
The attack is not thought to have been orchestrated by Russian actors, unlike the 2016 raid on FIFA for which the US Department of Justice recently indicted seven intelligence officers.
Instead, it’s being linked to the Football Leaks hacktivist group, which has over the past two years sought to expose corruption and illegality in the beautiful game. Its work has in the past led to revelations of tax evasion by leading players in Spain, and details of an NDA signed between Ronaldo’s lawyers and a Las Vegas woman who accused him of sexually assaulting her in 2009.
Although there are no details as yet on how FIFA was breached, European football governing body UEFA officials have been targeted in a phishing campaign, according to reports.
It’s not known if the two incidents are related and the organization hasn’t yet found any evidence of unauthorized intrusion.
Security experts used the news to reiterate the importance of anti-phishing protection, although it’s still not clear how FIFA’s hackers penetrated the organization.
“The best way organizations and individuals can help avoid future attacks is through education programs; understanding the risks and consequences of clicking unknown links and attachments is a critical defense against phishing-type attacks,” explained Tripwire EMEA technical director, Paul Edon.
“Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Ross Rustici, senior director of intelligence services at Cybereason, put the incident into perspective.
“With the outcome of the bidding for the 2018, 2022, and 2026 World Cups being as contentious as they were, I'm sure football fans across the world will have some interesting gossip to read if the leaks become public,” he argued. “However, at the end of the day, that is likely all this hack is."
In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.
In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of "where we need to go," the industry needs to develop a more formalized approach that combines design and analysis methods.
“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”
To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” Given that there are lots of threats, those threats turn into risks, which have a very tangible bottom-line impact.
“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.
Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.
The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.
In a panel focused on securing the enterprise at a conference by the same name hosted by MIT CSAIL and BT Security, moderator Michael Siegel, principal research scientist, management science at MIT Sloan School of Management, talked with panel members about whether their organizations are secure.
“Rather than going out and doing some big review, we started with red teams,” said CIO and CSO of the Commonwealth of Massachusetts, Dennis McDermitt. “That was a revelatory experience. We continue to do them over and over again. We have done eight of them now, and that has really informed our answer to the question of whether we are secure or not.”
As a practitioner and vendor in the space, Debby Briggs, CSO, NETSCOUT, said, “I’m relatively secure, but it gets back to how do you quantify that. Sometimes it’s a challenge from a security perspective when you look at people, process and technology to determine how to have one message that meets everyone’s needs.”
In response to Briggs, Siegel posed to the panel the question of how to approach quantifying whether the organization is secure with the board. "I often find myself in the boardroom,” said Kathy Orner, VP, chief risk officer at Carlson Wagonlit Travel. “The number-one thing with board of directors is to educate them. Security is new to them, and the acronyms we use are foreign to them, even something like an IP address.
“We bring in experts from the outside and inside and give them briefings. I would encourage boards to listen, to speak to the experts in their group, and to really try to understand the basics,” said Orner.
So what is the information that goes to the boards? McDermitt said the conversation needs to change. “Security is not a problem of risk transfer. Cybersecurity is akin to competition in a business. Cybersecurity is attack and defense, attack and defense, and it’s something they need to pursue actively.”
Yet some boards are having more risk-based conversations around cybersecurity. “The boards I have worked with are capable of seeing that it is a spectrum, so you can talk about how much risk are you willing to take. It’s an uncomfortable decision, but once you’ve had that conversation, it gets easier,” said Andrew Stanley, CISO, Mars.
At today’s Securing the Enterprise Cybersecurity Conference hosted by MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and BT Security in Cambridge, MA, industry experts joined together to discuss the challenges of the changing threat landscape.
Moderator Andy Ellis, CSO, Akamai Technologies, noted that the things attackers do today are not fundamentally different from what they were doing two decades ago. Given that, Ellis asked panel members what advice they would give themselves now after their years of experience in the industry.
“I was in data analytics and usability engineering when I started out in IT,” said Michael Figueroa, executive director at the Advanced Cyber Security Center. “One of the things that was most challenging in the past that many are still struggling with is that attacks haven’t changed much, but we often think that if we don’t solve ‘that’ problem today, the sky is going to fall. History has shown us that the sky isn’t falling.
“The advice I would give myself is to keep a strategic mindset of the problem of today within a broader perspective and don’t panic.”
The panel agreed that while attackers are smart and adaptive, the attacks themselves have not really changed. “We can put up huge barriers, but attackers don’t have to overcome that barrier. They can go around,” said Dr. Hamed Okhravi, senior staff, cyber analytics and decision systems, MIT Lincoln Laboratory.
“We are just shifting one threat to another, but we need to understand how much gain we will have and how much we are shifting the landscape and the adversary, then look at whether it is the right type of shift.”
That not every single threat is a phenomenon seemed to be the pervading theme in response to the question. In large part, defenders can benefit from seeing their work as a game, Okhravi said.
FBI special agent Scott McGaunn said that he sees cybersecurity as a game as well, “a very important game. The crime is all the same. We still have bank robberies, we still have wire fraud. We have ransomware instead of ransom.
“Human nature is the same, and the need to commit criminal acts is the same, but the distance to be able to reach out and touch someone has changed. Instead of nation-states and spies, they get online and leverage the internet,” McGaunn said.
In recalling a conversation with her colleague about the ways in which her own approaches have evolved, Jen Andre, senior director, orchestration and automation at Rapid7, said, “I remember my colleague saying, ‘Once Windows fixes all the bugs, we will all be out of work.’” The absurdity of the statement evoked laughter from the audience, but to Andre’s point, that was the thinking years ago. The advice she offered after having gained experience is not to focus on fixing things one at a time.
The US authorities have continued to step up the pressure on China with the indictment of two intelligence officers, two insiders and six hackers, most of whom were allegedly involved in a conspiracy to steal aviation secrets.
Two intelligence officers, Zha Rong and Chai Meng, and a team of five hackers are said to have worked for the Jiangsu Province Ministry of State Security (JSSD), headquartered in Nanjing.
They allegedly took part in a five-year conspiracy beginning in January 2010 to obtain key technology used in commercial airliners in the US and Europe: namely a turbofan jet engine. A Chinese state-owned aerospace company was said to be working on a similar engine at the time for its own use.
JSSD hackers Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei and Ma Zhiqi are alleged to have conducted intrusions into suppliers that manufactured parts for the turbofan engine, including aerospace companies based in Arizona, Massachusetts and Oregon.
Their work included classic techniques such as spear-phishing, info-stealing malware and watering hole attacks. For example, LA-based gas turbine manufacturer Capstone Turbine suffered data loss and had its website seeded with malware to infect others.
However, the conspiracy went even further, with the JSSD recruiting Tian Xi and Gu Gen, two insiders at the targeted French aerospace company who worked at its office in Suzhou, Jiangsu province.
Gen was the company’s head of IT and security in Suzhou, showing the alleged extent of the conspiracy. He is said to have tipped off the officers when foreign police notified the company of the existence of malware on its systems, malware that Tian had apparently installed at the direction of the JSSD.
A separate conspiracy involved Zhang Zhang-Gui and Chinese national Li Xiao, who are alleged to have used the JSSD malware developed to hack Capstone Turbine to repeatedly attack a San Diego-based tech company for more than a year-and-a-half, causing thousands of dollars in damage.
Unlike the alleged MSS officer recently extradited to the US to face charges related to another conspiracy to steal aviation secrets, none of those indicted in this case are thought to be on US soil, making this more of a PR exercise.
However, given the alleged insider activity at the aerospace firm’s China office, it will be yet another compelling reason for foreign firms to start extricating key facilities from the country.
A report from CrowdStrike earlier this month identified China as the most prolific nation state threat actor during the first half of 2018.
UK lawyers are preparing a class action suit against Cathay Pacific, claiming that the firm is liable for compensation “under the relevant data protection laws.”
SPG Law, which claims to draw on some of America’s top class action lawyers, has already registered the cathaydatabreach.com domain and is inviting those affected to get in touch.
Explaining that its sister law firm in the US has already won over $1bn in compensation in similar cases, the firm claimed that passengers hit by the Cathay Pacific breach earlier this year could be in line for “significant compensation in the thousands, or possibly tens of thousands, depending on circumstances.”
“The breach is even more serious than that committed by BA in September 2018 in that Cathay Pacific customers like you have suffered from far more substantial personal data being leaked,” a statement on the site noted.
“You have a right to compensation from Cathay Pacific for this data leak in accordance with data protection laws. You can be compensated for inconvenience, distress and annoyance associated with the data leak. It is time to stand up to them and take action.”
However, there’s no mention of the GDPR on the site, despite previous reports claiming the firm had cited Article 82 of the new data protection law as key.
The Hong Kong carrier has been widely criticized for its handling of the breach, which it said affected 9.4 million customers. However, the incident's timing appears to fall before the introduction of the GDPR on May 25.
The firm is said to have first noticed suspicious activity in March but confirmed data had been accessed in early May.
Either way, the new action is another reminder of the potential legal costs for firms that suffer a major breach.
Researchers are warning that the development of cutting-edge brain implants designed to enhance key memory functions is at risk due to multiple vulnerabilities which could allow attackers to interfere.
In a piece of forward-looking threat research, Kaspersky Lab and the University of Oxford Functional Neurosurgery Group explained that development of implantable pulse generators (IPGs) or neuro-stimulators is accelerating fast. Such devices apparently target parts of the brain with electrical impulses to help treat things like Parkinson's disease, depression and obsessive–compulsive disorder.
However, both the software and the hardware linked to these devices are at risk, the vendor warned.
Specifically, it found one major vulnerability and several misconfigurations in an online management platform used by surgeons, which could provide hackers with access to data on treatment procedures.
Data transferred between implant, programming software and networks was found to be sent unencrypted, enabling interference by malicious third parties. Kaspersky Lab also warned that because doctors may need quick access to implants in emergencies, they need to be fitted with a software backdoor and easy-to-guess passwords, further exposing them.
Finally, the security vendor documented insecure behavior by medical staff, such as use of default passwords.
With the first commercial IPGs potentially ready in as little as 10 years’ time, Kaspersky Lab is warning that attackers could exploit vulnerabilities to implant, erase or steal memories, or even to hold individuals to ransom by threatening to do so.
“Current vulnerabilities matter because the technology that exists today is the foundation for what will exist in the future. Although no attacks targeting neuro-stimulators have been observed in the wild, points of weakness exist that will not be hard to exploit,” explained Dmitry Galov, junior security researcher in the vendor’s Global Research and Analysis Team.
“We need to bring together healthcare professionals, the cybersecurity industry and manufacturers to investigate and mitigate all potential vulnerabilities, both the ones we see today and the ones that will emerge in the coming years.”
Laurie Pycroft, a doctoral researcher in the University of Oxford Functional Neurosurgery Group, added that what sounds like science fiction is fast becoming fact.
“Memory prostheses are only a question of time,” she added. “Collaborating to understand and address emerging risks and vulnerabilities, and doing so while this technology is still relatively new, will pay off in the future.”
A new technique to escape malware detection has been used in a malicious campaign targeting smartphones, according to The Media Trust.
In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust, revealed that the campaign involved third-party code that enabled smart malware delivery. The malware, dubbed JuiceChecker-3PC by The Media Trust's digital security and operations (DSO) team, was able to bypass scanning using Base64 and has been seen in millions of page views over the last three weeks.
After bypassing the scanning, the malware checked whether the user agent was mobile-specific, whether the battery level was between 20% and 76%, and whether a referrer was specified. If all of these conditions were met, the malware triggered a redirect that delivered the ad viewer to a malicious site.
The targets included three global demand-side platform (DSP) providers, all of which traditionally see checks for similar conditions, with the exception of the battery-level range.
“In this incident, the malware was inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US. The Media Trust digital security and operations (DSO) team was able to identify the malicious code and work with the DSPs to shut down the malware sources,” Bittner wrote.
“Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online.”
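The story above describes a creative that hides its fingerprinting logic (mobile user agent, battery level, referrer) under Base64 and only then redirects. A scanner that looks at the plain text alone misses it. The following is an added example, not code from The Media Trust or from the original article: it peels Base64 runs out of an ad creative's JavaScript and checks each decoded layer for the fingerprint-then-redirect pattern. The sample creatives, the indicator names and the decision rule are constructed for illustration.

```python
import base64
import binascii
import re

# Indicators of viewer fingerprinting before a redirect, matching the conditions
# the JuiceChecker-3PC write-up describes (user agent, battery level, referrer).
# The indicator names are this example's own labels.
INDICATORS = {
    "user_agent_check": re.compile(r"navigator\.userAgent"),
    "battery_api": re.compile(r"navigator\.getBattery|\.level\b"),
    "referrer_check": re.compile(r"document\.referrer"),
    "encoded_eval": re.compile(r"eval\s*\(\s*atob\s*\("),
    "redirect": re.compile(r"location\.(?:replace|assign|href)|window\.location\s*="),
}
FINGERPRINT = {"user_agent_check", "battery_api", "referrer_check"}

# A run of 40+ Base64-alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(text, max_depth=3):
    """Return every text layer recoverable by Base64-decoding runs in `text`, recursively."""
    found = []
    if max_depth == 0:
        return found
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid Base64, or not text
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            continue  # binary blob (an inline image, say), not script
        found.append(decoded)
        found.extend(decode_layers(decoded, max_depth - 1))
    return found


def scan_creative(js_source):
    """Scan a creative's JavaScript, plain text and decoded layers alike, for the indicators."""
    layers = [js_source] + decode_layers(js_source)
    hits = {}  # indicator name -> depth at which it was first seen (0 = plain text)
    for depth, layer in enumerate(layers):
        for name, pattern in INDICATORS.items():
            if name not in hits and pattern.search(layer):
                hits[name] = depth
    return {
        "indicators": sorted(hits),
        "encoded_layers": len(layers) - 1,
        "hidden": sorted(name for name, depth in hits.items() if depth > 0),
    }


def is_suspicious(js_source):
    """Flag a creative that combines at least two fingerprint checks with a redirect."""
    found = set(scan_creative(js_source)["indicators"])
    return "redirect" in found and len(FINGERPRINT & found) >= 2


# Constructed sample: the fingerprint-and-redirect logic, Base64-wrapped inside an
# otherwise ordinary-looking creative. The domains are non-routable placeholders.
PAYLOAD_JS = (
    'if(/Mobile|Android/i.test(navigator.userAgent)&&document.referrer){'
    'navigator.getBattery().then(function(b){if(b.level>0.2&&b.level<0.76){'
    'location.replace("https://example.invalid/landing")}})}'
)
SAMPLE_CREATIVE = (
    'var img=new Image();img.src="https://cdn.example.invalid/banner.png";'
    'eval(atob("' + base64.b64encode(PAYLOAD_JS.encode()).decode() + '"));'
)
# Constructed benign creative for comparison.
BENIGN_CREATIVE = (
    'var img=new Image();img.src="https://cdn.example.invalid/banner.png";'
    'document.getElementById("ad").appendChild(img);'
)

if __name__ == "__main__":
    for label, creative in (("sample", SAMPLE_CREATIVE), ("benign", BENIGN_CREATIVE)):
        print(label, is_suspicious(creative), scan_creative(creative))
```

The decoder recurses so that a payload wrapped twice is still inspected, and the decision rule deliberately requires a redirect plus more than one environment check, since a single `navigator.userAgent` lookup is common in legitimate responsive creatives.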
Whether such attacks can be mitigated is questionable, though, according to a recent post, Cell Phone Security and Heads of State, by Bruce Schneier. Installing malware on the phone itself is one of two ways to eavesdrop, and it is the technique favored by nation-state actors with less-sophisticated intelligence capabilities, Schneier explained.
“These attacks generally involve downloading malware onto a smartphone that then records calls, text messages, and other user activities, and forwards them to some central controller. Here, it matters which phone is being targeted,” Schneier wrote.
“Unfortunately, there's not much you can do to improve the security of your cell phone. Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others. You're at the mercy of the company that makes your phone, the company that provides your cellular service, and the communications protocols developed when none of this was a problem. If one of those companies doesn't want to bother with security, you're vulnerable.
“This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important.”
Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.
While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.
Not surprisingly, the report found that many organizations lack a formal cyber-risk appetite. Years of data breach headlines have increased awareness, but less than half of respondents could describe their organization’s cyber-risk appetite quantitatively. This gap helps explain why leaders second-guess themselves and struggle to weigh the risks of new technologies, supply chains and other change factors.
In addition, metrics reportedly muddy what matters when it comes to boardroom reporting. Security leaders continue to share statistics like “compliance status” and “security program maturity.” Despite the need for decision makers to act swiftly with regard to risks from third parties and supply chains, those topics are less frequently included in the stats shared with the board.
As a result, the report found that striking a balance of topic coverage that yields the necessary return on reporting remains a problem. To fix the metrics puzzle, boards are pressing CISOs to find new reporting metrics that spur the most strategic, valuable returns in resourcing and evolving cybersecurity.
“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national cybersecurity practice leader, in a press release.
“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”
Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.
In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.
According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.
In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.
In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."
Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.
CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of the Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer,” said Jon Check, senior director, cyber protection solutions, Raytheon. “While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure.
“But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens’ faith in our electoral process.”
Over 600,000 breached corporate log-ins belonging to staff at the UK’s leading construction, architecture and property firms are available for sale on the dark web, according to RepKnight.
The cyber intelligence firm used its BreachAlert dark web monitoring tool to locate the credentials. Over 450,000 were from construction firms, 110,000 were from architecture practices and just over 47,000 were linked to property developer businesses.
A spokesperson confirmed to Infosecurity that most of these likely found their way onto the dark web via breaches of third-party sites employees had signed up to using their corporate email.
As RepKnight warned, these log-ins could be used by hackers to access a trove of sensitive corporate IP including tenders, proposals, plans and client data.
There’s also a risk that attackers could locate stores of customer data, representing a risk to GDPR compliance.
One strategy highlighted by RepKnight was for attackers to use the log-ins to covertly access the corporate email accounts of targeted individuals, selected for the role they hold in the company, perhaps after some research on LinkedIn.
They could then set up redirects to accounts under their control. The vendor claimed to have recently discovered a client who had over 5000 emails redirected to a malicious third party in just a five-day period.
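The two warning signs in the RepKnight scenario are a forwarding or redirect rule that points outside the organisation and, after that, an unusual volume of redirected mail from one mailbox. The following is an added example, not RepKnight's tooling or any mail platform's API: it runs both checks over constructed mailbox audit events and message-trace records. The JSON field names, the operation names and the domains are assumptions made for this example, and the volume threshold is set low so the sample trips it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the organisation's own mail domains. Any other domain is "external".
ORG_DOMAINS = {"example-construction.invalid"}

# Constructed mailbox audit events, one JSON object per line. The field and operation
# names are this example's assumptions, not a real platform's schema.
AUDIT_LOG = """\
{"time": "2018-10-29T08:12:04Z", "user": "j.smith@example-construction.invalid", "op": "NewInboxRule", "params": {"forward_to": ["j.smith@example-construction.invalid"]}}
{"time": "2018-10-29T23:41:17Z", "user": "a.jones@example-construction.invalid", "op": "NewInboxRule", "params": {"redirect_to": ["backup.mailbox@mail-relay.invalid"]}}
{"time": "2018-10-30T02:05:33Z", "user": "p.lee@example-construction.invalid", "op": "SetMailboxForwarding", "params": {"forwarding_smtp_address": "tenders.copy@webmail-host.invalid"}}
{"time": "2018-10-30T09:00:00Z", "user": "p.lee@example-construction.invalid", "op": "MailboxLogin", "params": {}}
"""

# Constructed message-trace records: (timestamp, mailbox redirected from, recipient sent to).
MESSAGE_TRACE = [
    ("2018-10-30T10:01:02Z", "p.lee@example-construction.invalid", "tenders.copy@webmail-host.invalid"),
    ("2018-10-31T14:22:40Z", "p.lee@example-construction.invalid", "tenders.copy@webmail-host.invalid"),
    ("2018-11-01T09:15:11Z", "p.lee@example-construction.invalid", "tenders.copy@webmail-host.invalid"),
    ("2018-11-02T16:48:03Z", "p.lee@example-construction.invalid", "tenders.copy@webmail-host.invalid"),
    ("2018-11-06T08:00:00Z", "j.smith@example-construction.invalid", "j.smith@example-construction.invalid"),
]

# Parameter keys (assumed names) that carry a forwarding or redirect destination.
TARGET_KEYS = ("forward_to", "forward_as_attachment_to", "redirect_to", "forwarding_smtp_address")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, org_domains=ORG_DOMAINS):
    return domain_of(address) not in org_domains


def forwarding_targets(params):
    """Collect every destination address from a rule or mailbox-setting change."""
    targets = []
    for key in TARGET_KEYS:
        value = params.get(key)
        if isinstance(value, str):
            targets.append(value)
        elif isinstance(value, list):
            targets.extend(value)
    return targets


def find_external_forwarding(log_text, org_domains=ORG_DOMAINS):
    """Return (time, user, op, target) for each change that sends mail outside the organisation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for target in forwarding_targets(event.get("params", {})):
            if is_external(target, org_domains):
                findings.append((event["time"], event["user"], event["op"], target))
    return findings


def redirect_volume_alerts(trace, window=timedelta(days=5), threshold=3, org_domains=ORG_DOMAINS):
    """Map mailbox -> peak count of external redirects inside any `window`, where that count exceeds `threshold`."""
    per_mailbox = defaultdict(list)
    for stamp, mailbox, recipient in trace:
        if is_external(recipient, org_domains):
            per_mailbox[mailbox].append(parse_time(stamp))
    alerts = {}
    for mailbox, times in per_mailbox.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[mailbox] = max(alerts.get(mailbox, 0), count)
    return alerts


if __name__ == "__main__":
    for finding in find_external_forwarding(AUDIT_LOG):
        print("external forwarding:", finding)
    print("volume alerts:", redirect_volume_alerts(MESSAGE_TRACE))
```

Internal-to-internal rules (j.smith archiving to his own mailbox) are left alone, so the checks stay quiet for normal use; in production the threshold would be tuned to the mailbox's baseline rather than fixed at three.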
“With the growth in digital information sharing across the construction project lifecycle, the possibility of a data breach occurring at some stage becomes ever more real,” argued RepKnight cybersecurity analyst, Patrick Martin.
“Because of this, these firms must ensure that they have ‘high visibility’ of their data at all times and have safety measures in place to protect it — especially because most of their sensitive data often lives outside the firewall. Monitoring for cyber-attacks or data breaches inside their corporate network is no longer enough, as it is possible that a breach can happen anywhere across the entire supply chain of your business.”
The findings call to mind separate research from the firm in January this year which revealed over one million corporate email addresses belonging to 500 of the UK’s top law firms, 80% of which had an associated password.
Alongside multi-factor authentication, use of password managers and strong authentication security policies, firms can consider dark web intelligence services to scan for compromised credentials.
The value of fines issued by the Information Commissioner’s Office (ICO) has increased 24% in the year to September 30 versus the previous year, according to new data.
Law firm RPC calculated that the total cost of financial penalties issued by the UK’s data protection watchdog stood at £4.98m, up from £4m in the previous 12 months.
The average fine doubled, to £146,000, in another timely reminder for firms to ensure they pay attention to GDPR compliance.
The law firm believes the new EU-wide privacy law, introduced in May this year, will result in higher fines for large firms. However, SMEs should be spared, in the short-to-medium term at least, and firms will not be deliberately singled out by the ICO to be made an example of.
RPC partner, Richard Breavington, described the hike in fines as a “wake-up call” to businesses.
“Given that there seems to be no slowdown in the number of cyber-attacks today, businesses need to see how they can mitigate the risks to their customers when there is an attack,” he added.
“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”
Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK & Ireland, argued that the ICO fine is just one aspect of data breach costs to consider.
“We must also consider the cost that a recovery, compensation claim, reputational damage or potential loss of customers can have,” she added.
“Changes in data protection legislation aim to give individuals more ownership and control over what’s happening to their personal data. The focus needs to be on the interests and rights of data subjects — employees, customers and all stakeholders: everyone you come into contact with. Their interests need to be the principal focus if companies are to avoid hefty fines.”
The stand-off between the world’s two superpowers continued this week as the US banned exports to a Chinese tech manufacturer on national security grounds.
As of October 30, Fujian Jinhua Integrated Circuit Company will be added to the Entity List because it poses a “significant risk of becoming involved in activities that are contrary to the national security interests of the United States.”
The Fujian-based DRAM maker is nearing completion of a vast $5.7bn wafer-manufacturing plant, which will help drive the Made in China 2025 strategy of self-reliance. Chips are one key area where the country's leaders believe it is too reliant on US parts at the moment.
However, Fujian Jinhua is currently locked in a legal dispute with main rival, US chip maker Micron Technology over IP theft.
The Commerce Department appeared to side with Micron in its statement, claiming that the “likely U.S.-origin technology” to be produced at the new Fujian plant would threaten “the long term economic viability of U.S. suppliers of these essential components of U.S. military systems.”
“When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security,” said commerce secretary, Wilbur Ross. “Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems.”
In many ways the issue represents a microcosm of the overall US-China dispute, in that the former is belatedly reacting to years of state-sponsored IP theft by the latter.
However, cutting off the supply chain is unlikely to change the long-term trend — if anything it will accelerate Xi Jinping’s push for China’s total self-reliance in technology.
The move calls to mind the ban on exports slapped on ZTE after it broke sanctions on sales to Iran and then lied about it. Although temporarily lifted, that imposition could have forced the telecoms firm out of business, it was claimed at the time.
The two companies have finalized an agreement subject to Red Hat shareholder and regulatory approvals, which is expected to close in late 2019. According to IBM, the “acquisition will be free cash flow and grow margin accretive within 12 months, accelerate revenue growth and support a solid and growing dividend.” The total value is approximately $34bn, with IBM paying out $190.00 in cash per share. The deal is reportedly IBM’s largest ever and the third-largest in the US tech industry, said CNBC.
In an interview with CNBC, IBM CEO Ginni Rometty said, “This is all about resetting the cloud landscape, and this is to create the number-one company that will be the number-one cloud provider.” As more organizations continue to transition their workloads to the cloud, cloud providers will need to be hybrid and able to handle multi-cloud environments.
As reported by IBM and confirmed by Red Hat, Red Hat will continue to operate as a distinct unit within IBM’s hybrid cloud team. Red Hat has always been and will continue to be open source, according to Jim Whitehurst, CEO of Red Hat, who will join IBM’s senior management team. In discussing the deal, Whitehurst said that Red Hat is a neutral sell that works across all platforms. For customers, the deal is not only about maintaining choice and running across all platforms but also about being able to build unique offerings.
"Open source is the default choice for modern IT solutions, and I'm incredibly proud of the role Red Hat has played in making that a reality in the enterprise," said Whitehurst in a press release. "Joining forces with IBM will provide us with a greater level of scale, resources and capabilities to accelerate the impact of open source as the basis for digital transformation and bring Red Hat to an even wider audience – all while preserving our unique culture and unwavering commitment to open source innovation."
“Linux is now the number-one platform not just on prem. It is the number-one destination in the cloud,” Rometty said. “So now we own the platform and the destination.”