Info Security

Subscribe to Info Security  feed
Updated: 2 hours 27 min ago

New UK Fraud Rules Set to Empower Victims

Thu, 01/31/2019 - 09:54
New UK Fraud Rules Set to Empower Victims

New rules come into force in the UK today designed to provide consumers with stronger powers of redress in the event they fall victim to authorized push payment (APP) fraud.

Regulator the Financial Conduct Authority (FCA) has mandated that fraud victims can now complain to the bank that receives funds sent in error to a scammer, as well as their own bank.

Both banks have to receive the complaint, with the consumer able to escalate their case to the Financial Ombudsman Service (FOS) if they’re not happy.

APP fraud occurs when an account holder is tricked into making a payment to another account, such as in BEC or CEO fraud.

There are two main types: with malicious payee fraud the victim authorizes a payment for what they believe to be legitimate purposes, but it’s actually a scam; while in malicious redirection the victim intends to pay a legitimate payee but the fraudster directs them to pay a third party instead.

APP fraud losses jumped 44% between the first half of 2017 and the same period last year to reach £145m in the first six months of 2018, according to UK Finance.

The banking group argued last year that the government should levy a payments tax to create a fund which could be used by the industry to compensate the growing number of victims.

The FOS has claimed in the past that a common strategy of the banks in APP disputes — to blame the customer — is increasingly difficult to do given the sophistication of scams.

A new voluntary code is being drawn up for the industry, which should also clarify when lenders are liable to pay up.

These will include a duty of care placed on the part of the banks, including processes to confirm the name on the destination bank account.

“This industry collaboration is key to tackling fraud and improving outcomes for consumers and businesses alike,” argued Equifax head of ID & fraud, Keith McGill.  

“These new [APP] rules will directly benefit consumers falling victim to this type of fraud by giving them stronger redress with the recipient bank or building society being used by the fraudster, in addition to their own.”

Categories: Cyber Risk News

Third-Party Breaches Plague Multiple Industries

Wed, 01/30/2019 - 17:01
Third-Party Breaches Plague Multiple Industries

From January 25 to 28, 2019, multiple organizations, including Discover Financial Services, Verity Medical Foundation, Verity Health Systems and Allen Chern LLP, have made routine filings in accordance with California state law, reporting cybersecurity incidents that may or may not be data breaches, according to the office of the Attorney General (AG).  

The AG’s website notes, “In some cases the organization that sent the notice is not the one that experienced the breach,” and each of the companies that have filed in the past five days has asserted the information was compromised as a result of some unauthorized activity of a third-party vendor.

“Discover was not breached in this incident and our information and data systems were not compromised. This incident was the result of a merchant data compromise, and not the result of any action by Discover or an intrusion of our customer information systems,” a Discover spokesperson wrote in an email.

“We re-issued cards out of an abundance of caution for our cardholders. Our notices to all customers state that 'this breach did not involve Discover card systems.'”

According to Colin Bastable, CEO of Lucy Security, third parties are the CISO’s Achilles' heel. “It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.”

Health records and payment card data are some of the most highly sought-after data for sale on the dark web, and “these kind of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network,” said Felix Rosbach, product manager at comforte AG.

“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.”

Still, enterprises continue to trust that their data is secure when put in the hands of its partners, often without having done a thorough review of the security practices of their downline vendors.

“Until the market adopts a more sophisticated approach to third-party cyber-risk management that provides visibility at scale and with cost efficiency, these incidents will continue to occur frequently," said Fred Kneip, CEO, CyberGRX.

Categories: Cyber Risk News

65 Fortune 100s Downloaded Flawed Apache Struts

Wed, 01/30/2019 - 16:45
65 Fortune 100s Downloaded Flawed Apache Struts

Despite Apache Struts releasing multiple updates to its software in the nearly two years since the Equifax breach, Sonatype published research which found that between July and December 2018, two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was used in the infamous Equifax breach, according to an email from Sonatype.

“According to our analysis of The Central Repository (defacto repository of Java components used by all the popular Java build tools as the source of the components by default), over last 6 months of 2018 – we saw 65 of the Fortune Global 100 have downloaded vulnerable versions of Struts,” a spokesperson wrote.

“Beyond Struts, this problem of electively consuming known vulnerable open source components is a large issue that extends across all industries.  In 2018, Sonatype (Central report again) and npm reported that 12.1% of Java open source components and 51% of JavaScript npm packages downloaded had known vulnerabilities. Equifax is actually now leading the charge and taking action to manage their software supply chains. While Equifax has changed, too many others haven't learned their lesson; it's clear that the cost of inaction, is massive,” according to the spokesperson.

“The scope of companies that are still using CVE-2017-5638 demonstrates the importance of vulnerability identification. A researcher in our Crowd of ethical hackers identified CVE-2017-5638 months before the Equifax breach and submitted that information to one of our customers, a major worldwide financial services company. As a result, the customer remediated the vulnerability before a bad actor could take advantage of it,” said Ashish Gupta, CEO of Bugcrowd.

Vulnerability disclosures are intended to raise awareness and help to mitigate risks. After the Equifax breach, it was expected that more companies would have taken security seriously.  

“We found the same vulnerability in major credit company’s environment several months before the Equifax breach and help prioritize and remediate the issue well before the company faced any reputational or financial risk from this vulnerability,” Gupta said.

“Since then we have worked with our researchers and other customers to further protect themselves from the Struts vulnerability successfully. If you haven’t already done so, anyone with Apache Struts in their environment should patch immediately. The best protection against such a breach is a layered defense-in-depth approach, a strong SDL (security development lifecycle) for all application development including a bug bounty. The security research community wants to help organizations find and fix these issues.”

Categories: Cyber Risk News

Digital Growth Exposes Firms to Complexity and Threats

Wed, 01/30/2019 - 11:23
Digital Growth Exposes Firms to Complexity and Threats

Digital transformation is exposing organizations to greater IT complexity and cyber-risk, according to new global research from Thales eSecurity.

The security vendor polled 1200 execs with responsibility for IT and data security in nine countries around the world to compile its 2019 Thales Data Threat Report.

It found that over a third (39%) class themselves as belonging to one of the two most advanced digital transformation categories defined by report author IDC. This means they’re either “aggressively disrupting” markets or embedding digital into the enterprise to become more agile.

Nearly all (97%) admitted they will use sensitive data in these emerging technologies. This is a major risk, given that traditional corporate network perimeters are a thing of the past as more fluid cloud and mobile technologies dominate.

It’s also a concern given that these new digital platforms can add greater complexity, according to the vendor. For example, 40% of firms polled are using multiple cloud platforms across SaaS, PaaS and IaaS models.

Respondents also claimed “complexity” was the number one perceived barrier to implementing data security.

It’s perhaps not surprising that 86% of the IT executives surveyed admitted their organization is vulnerable to data security threats, with over a third (34%) claiming they’re “very” or “extremely” at risk.

These aren’t theoretical risks: 60% of respondents claimed to have been breached in the past, including 34% in the past year.

Despite the risks, less than 30% currently use encryption, despite it being one of only two technologies named explicitly in the GDPR.

Organizations are splitting their efforts between different layers of the IT environment, spending on average 36% of their time on networks, 34% on data, and 30% on application security.

The report also warned that only half of global firms expect to see an increase in their IT security budgets.

“Our research shows that no organization is immune from data security threats and, in fact, we found that the most sophisticated organizations are more likely to indicate that they have experienced a data security breach,” argued IDC research VP, Frank Dickson.

“This trend is consistent no matter how we define the sophistication of the audience: those who are spending more on IT security, those for whom data security is a larger portion of their security budget, or those who are further along in their digital transformation journey.”

Categories: Cyber Risk News

Global Ransomware Attack Could Cost $193 Billion

Wed, 01/30/2019 - 10:35
Global Ransomware Attack Could Cost $193 Billion

A major global ransomware attack could cost organizations an estimated $193bn, with those in the US worst affected, according to a new cyber-risk report.

Bashe attack: Global infection by contagious malware, was produced by the Singapore-based Cyber Risk Management (CyRiM) project, of which Lloyd’s of London and other insurers are founding members.

It paints a scenario not unlike WannaCry or NotPetya, in which a ransomware ‘worm’ goes global, causing untold damage.

The report’s hypothetical attack begins with a malicious email directed at one organization, which is opened, triggering the ransomware download. The malware then spreads itself to connected networks and forwards itself to all contacts.

The report estimates that as many as 600,000 businesses globally could be affected by such an attack, with the resulting financial damage hitting anywhere between $85bn and $193bn.

In the most severe scenario, US organizations lose $89bn, European firms suffer $76bn in losses and those in Asia escape relatively lightly with a $19bn hit.

In this scenario, retail and healthcare (both $25bn) would be the worst affected industries, with payment system disruption crippling commerce and lengthy delays in recovery due to infection of legacy healthcare IT systems.

Manufacturing is the next most impacted sector, suffering $24bn in losses thanks to encryption of production equipment and inventory management systems. This will also have a major knock-on impact for the supply chain, the report claimed.

With a staggering 86% of total economic losses currently uninsured, organizations could be on the hook for $166bn if such an attack hit home, the report concluded.

Ed Macnair, CEO of CensorNet, argued that with the right email security, most organizations could mitigate the risk of a global threat on this scale.

“This research has been based on a phishing attack and the kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are many more than that do,” he claimed.

“Cyber insurance is a good idea to have, but without preventative tools in place it’s the same as insuring your home contents and leaving the door unlocked. It’s there as a back-up and, if you do everything right, shouldn’t be needed.”

Categories: Cyber Risk News

Global Police Close Notorious Online Marketplace

Wed, 01/30/2019 - 09:53
Global Police Close Notorious Online Marketplace

Europol and the FBI are celebrating this week after announcing the takedown of a notorious marketplace for breached server credentials.

The xDedic site was first revealed back in 2016 when Kaspersky Lab was tipped off by a European ISP. The security vendor claimed it provided a platform for the trade of log-ins to as many as 70,000 corporate and government servers, starting at just $6.

Users could search for servers by various criteria including price, OS and geographic location. Affected organizations including hospitals, governments, law firms, universities and many more.

With control of these organizations' servers, cyber-criminals could launch DDoS, click fraud, crypto-mining and other attacks. It’s claimed that xDedic enabled over $68m in fraud, with those behind the marketplace are said to have made a commission on each sale.

Last year, police in Belgium and Ukraine, backed by Europol, signed a Joint Investigative Team agreement. Together with the FBI, they tracked down and last week seized the servers used by xDedic’s administrators, while Ukrainian police announced key arrests.

The German Bundeskriminalamt provided assistance also helped with the server seizures, while in the US, the FBI was aided by the Immigration and Customs Enforcement’s Homeland Security Investigations and the Florida Department of Law Enforcement, alongside the Department of Justice’s Office of International Affairs and the Criminal Division’s Computer Crime and Intellectual Property Section.

While the news is a welcome reminder of the success that can come from co-ordinated law enforcement work, it would be wise not to overstate its significance, according to Hi-Tech Bridge CEO, Ilia Kolochenko.

"Unfortunately, this is just a drop in the ocean of the stolen data market. Other similar markets and platforms of different sizes exist, including more discreet ones where one can buy virtually anything including access to breached law enforcement systems and stolen data. Worse, cyber-criminals will certainly learn a lesson and move their data and servers to other jurisdictions immune to justice,” he argued.

“We should treat the root cause of skyrocketing cybercrime – growing economic inequality and global poverty. Otherwise, while we dig up standalone trees, a dark forest will grow behind. Hopefully, the seized data will shed some light on previously unknown data breaches and help to investigate them." 

Categories: Cyber Risk News

Largest DDoS Attack Sent Over 500 Million Packets per Second

Wed, 01/30/2019 - 08:00
Largest DDoS Attack Sent Over 500 Million Packets per Second

A distributed denial-of-service (DDoS) attack discovered by Imperva had unleashed more than 500 million packets per second (Mpps), which is believed to be the largest packets-per-second (PPS) attack on record.

According to research released today, last year’s DDoS attack on GitHub rang in at 1.35 terabits per second, making it the largest DDoS attack ever at the time. According to Imperva, though, the ability to mitigate a DDoS attack has more to do with the number of packets directed at a network than it does with the amount of bandwidth.

“Packets per second is the true measure of the attack intensity, and that is what is difficult to block and recover from,” researchers wrote. “When it comes to DDoS protection, bandwidth is not everything. The most demanding attacks are high-volume PPS attacks, because with more packets to process, you need more network hardware and other resources to mitigate them.”

Attacks with greater PPS are actually more difficult to handle for businesses than large-scale attacks, so cyber-criminals are deploying attacks as small as 10 Gbps with great success. Akamai researchers came to the same conclusion when they took a look back at the DDoS trends of 2018.

“When people think of DDoS attacks, they focus on the outliers, the massive Terabit attacks that generate headlines. But the smaller, more focused attacks can do just as much damage. More importantly, these smaller attacks are actually more common than their larger-scaled counterparts,” said a January 28 Akamai blog post.

In fact, the packets sent in the attacks that were analyzed totaled more than four times the volume of packets sent at GitHub last year, resulting in a depletion of network resources, which researchers say is easy to achieve.

A DDoS attack can be launched within a matter of minutes...and overwhelm the vast majority of websites or enterprise networks,” researchers wrote.

In the DDoS attacks Imperva analyzed, “it was the 500 million packets-per-second torrent directed at our customer – the highest volume ever recorded – that made it so intense, and the real challenge to overcome.”

Categories: Cyber Risk News

Info-Stealing FormBook Returns in New Campaign

Tue, 01/29/2019 - 18:15
Info-Stealing FormBook Returns in New Campaign

A file-hosting service registered within the last week is being used to spread information-stealing malware in another FormBook campaign, currently attacking retail and hospitality businesses both within and outside of the US, according to Deep Instinct.

Though FormBook has been around since approximately 2016, this newest version is being discussed and shared in underground hacking forums as a recommended service for hosting and serving malware. In a blog post, researchers wrote, “As with many information stealing and credential harvesting malware, FormBook’s infection chain starts with a phishing Email containing a malicious attachment, which is usually an Office document or a PDF file.”

The campaign uses rich text format (RTF) documents and leverages recent Word vulnerabilities as droppers, likely because these are often missed by typical security solutions, according to Deep Instinct. Once the payload is dropped and executed, it will copy itself, then proceed to scan the system for stored passwords in browsers and various other applications before sending the stolen information back.

In addition, the malware takes a screenshot of the victim’s desktop, along with monitoring all browsers for user-typed passwords, stealing those as well. It will also act as a keylogger and maintain a log of the user’s keystrokes.

“This time around, [FormBook] is using a new malware-friendly file hosting services, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” researchers wrote.

FormBook’s low price is attractive, in particular because there’s pretty big bang for your buck, according to underground hacking forums. The malware combines sophisticated evasion capabilities with its powerful credential harvesting mechanism, making it attractive to attackers. All of the droppers and payloads discovered in the research are listed among the indicators of compromise (IoCs).

Categories: Cyber Risk News

Attackers Exploit Zero-Day in WordPress Plugin

Tue, 01/29/2019 - 16:55
Attackers Exploit Zero-Day in WordPress Plugin

After being abandoned by its creator, WordPress plugin Total Donations is reportedly being compromised by attackers who are leveraging a zero-day exploit, according to Wordfence.  

Researchers confirmed that malicious actors are able to gain administrative access to affected WordPress sites via the CVE-2019-6703 vulnerabilities in all versions of the plugin, including 2.0.5.

“Total Donations was suspended from the CodeCanyon marketplace in late 2017 following a lack of support from the developers, so it had been disabled for over a year when it showed up on my radar. Because of the severity of the issues present in the plugin and the fact that no patch is likely to come, it is our recommendation that site owners delete Total Donations from their sites entirely," Wordfence's Mikey Veenstra wrote in an email. 

"WordPress is typical of many popular platforms where businesses only control a small portion of the code they rely upon,” said Satya Gupta, CTO and co-founder, Virsec. "Ensuring that there is no unpatched or vulnerable code in this stack is nearly impossible. While it’s always a good idea to heed these alerts and disable or patch vulnerable code wherever possible, businesses need application defenses that protect sensitive processes, even if there are underlying flaws."

In this particular case, it doesn’t appear as though a patch is possible, given that the developers can’t be reached, according to Wordfence. “There currently do not appear to be any legitimate means of acquiring the latest version of Total Donations. The plugin’s homepage currently displays a Coming Soon page, featuring a mockup image of a new website. The upload path of this image implies the site has been in this state since May 2018."

While some plugin marketplaces continue to offer Total Donations for purchase, Evanto Market lists the plugin as no longer available.

A large open developer community presents different pros and cons, and the ability for developers to abandon products is a huge problem with tools like WordPress and others, Gupta said. Developers can create lots of useful plugins to solve specific problems, “but if there isn’t a commitment to long-term support, many of these tools become liabilities. Any time you change a plugin it can cause unintended disruption and problems. Many businesses end up staying with unsupported tools until they actually break to avoid these headaches."

Categories: Cyber Risk News

Group FaceTime Disabled While Apple Works on Fix

Tue, 01/29/2019 - 16:37
Group FaceTime Disabled While Apple Works on Fix

A flaw in Apple’s FaceTime app allows users to spy on each other, which has resulted in a Twitter-storm of tweets encouraging iPhone users to disable FaceTime while Apple works on a fix.

Infosecurity contacted Apple, but the company has not responded with comment. According to Apple’s system status page, FaceTime is experiencing an ongoing issue, which one Twitter user demonstrated in a live video. The vulnerability reportedly is impacting OS devices running iOS 12.1 or later, which began on January 28, 2019, at 10:16 pm. As a result, the group FaceTime feature is temporarily unavailable.

Additionally, given the widespread popularity of Apple’s iPhone, New York’s governor, Andrew Cuomo, has issued a consumer alert warning the public that the vulnerability allows other users to receive audio from the device being called, even before the call is answered. 

"The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk," Governor Cuomo said in the alert. "In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay."

To disable FaceTime, go to settings, and scroll down to FaceTime. Click on the slide to the app off (the slide will no longer be green).

“This bug illustrates the privacy issues caused by surrounding ourselves with devices containing cameras and microphones. Phones, tablets, laptops, smart TVs, and smart speakers contain microphones that can be listening to you at any point,” said Amit Sethi, senior principal consultant at Synopsys.

“If the software on the devices is not malicious and doesn’t contain bugs like this, the microphones should only be on at times you expect. While security controls like permissions and app store reviews are in place, these are not perfect. The problem is that users don’t know when these devices are listening, as most modern devices don’t have an indicator like a LED that turns on whenever the camera and/or microphone is on.

"This is simply the price we pay for the convenience and features that these Internet-connected devices provide. If you need to be 100% certain that you aren’t being recorded, don’t have any Internet-connected devices with microphones or cameras around.”

Categories: Cyber Risk News

UK Government Pledges Security Skills and R&D Funding

Tue, 01/29/2019 - 11:04
UK Government Pledges Security Skills and R&D Funding

The UK government has pledged more money to address the IT security skills crisis and improve hardware and IoT security, although details on the latter are vague.

An announcement made on Data Protection Day yesterday claimed the UK plans to be a world leader in “designing out” cyber-threats, by funding R&D into more secure-by-design hardware and chips.

The £70m investment will be made through the Industrial Strategy Challenge Fund and backed by further investment from industry, although there were no further details.

An additional £30m will be made available for the Ensuring the Security of Digital Technology at the Periphery program, to improve IoT security.

“We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cybersecurity is built into the design of products,” said digital minister, Margot James.

“This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks.”

The announcement was greeted with skepticism in some quarters.

“The announcement that the UK will become a leader in cybersecurity resulting from a small investment in research is highly unlikely as hardware and research alone is not going to solve cybersecurity threats,” argued Joseph Carson, chief security scientist at Thycotic.

“The solution to reducing cybersecurity threats is a balance between both technology and people. If we are really going to reduce the threats then it needs to start with an investment in education along with a strong investment in technology that is simple, easy to use and does not require highly skilled workforce to use it.”

The government also pledged £500,000 as part of the next round of the Cyber Skills Immediate Impact Fund.

The money is designed to help improve diversity and reduce skills shortfalls in the information security sector.

Projects set to receive the funding include Crucial Academy, which aims to retrain veterans: focusing on women, neurodiverse and BAME individuals. Also on the list are the QA: Cyber Software Academy for Women and BluescreenIT’s HACKED program, which helps to train candidates with special needs, from disadvantaged backgrounds, and those classed as neurodiverse.

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK, welcomed the pledge for more funding.

“With cyber-criminals becoming more creative and savvy in their approach to cyber-attacks, a cybersecurity team which lacks diversity is more likely to leave a company vulnerable to attacks,” she argued.

“Different groups of people bring a variety of ideas and ways of thinking, which means that a more diverse and inclusive cybersecurity team will be key in facilitating a broader range of ideas and perspectives about how to prevent an attack from taking place.”

Categories: Cyber Risk News

US Turns Up Heat on Huawei with 23-Count Indictments

Tue, 01/29/2019 - 10:33
US Turns Up Heat on Huawei with 23-Count Indictments

The US Department of Justice has unsealed charges against Huawei and its CFO covering separate alleged conspiracies to break sanctions on Iran and to steal trade secrets from T-Mobile USA.

The charges were widely expected, but will do nothing to warm relations between the world’s superpowers at a time of growing tension over trade and cyber-espionage.

The first, 13-count indictment charges Huawei, affiliates Huawei Device USA and Skycom, and CFO Meng Wanzhou, also the daughter of founder Ren Zhengfei.

She is charged with bank fraud, wire fraud, and conspiracies to commit bank and wire fraud, while Huawei and Skycom are charged with: bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, violations of the International Emergency Economic Powers Act (IEEPA) and conspiracy to violate IEEPA, and conspiracy to commit money laundering.

Prosecutors allege that the company had been lying about its relationship with a company in Iran (Skycom) since 2007, claiming that it was not a Huawei affiliate. It’s also alleged that as part of this deception, Meng made a presentation to an executive of one of Huawei’s major banking partners repeatedly making the false claims.

It’s alleged that one bank cleared over $100m worth of Skycom-related transactions through the US between 2010 and 2014.

The lies are said to have extended to Huawei providing false information to Congress on its activities in Iran and obstructing justice last year by moving witnesses with knowledge of the affair back to China, as well as “concealing and destroying” evidence.

The second, 10-count indictment charges Huawei with a conspiracy to steal trade secrets, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice.

It relates to an attempt to steal IP from then-partner T-Mobile related to its phone-testing robot “Tappy.” Engineers are said to have violated non-disclosure agreements by taking photos of the equipment and in one case stealing a piece of the device during a tour of the T-Mobile lab.

When T-Mobile threatened to sue, Huawei is said to have produced a report falsely claiming the theft was the work of “rogue actors” inside the company.

However, the indictment alleges that this was actually a long-running, company-wide effort that began in 2012. Prosecutors claim to have an internal company announcement that the firm offered bonuses to employees able to steal info from other companies, to be submitted via an encrypted email address.

A federal jury has already sided with T-Mobile in a 2017 civil case.

The rhetoric in the statements provided by the US side reflect the geopolitical nature of the cases.

“These charges lay bare Huawei’s alleged blatant disregard for the laws of our country and standard global business practices,” said FBI director Christopher Wray. “Companies like Huawei pose a dual threat to both our economic and national security, and the magnitude of these charges make clear just how seriously the FBI takes this threat.”

Huawei has denied the allegations.

Categories: Cyber Risk News

Global Police Crack Down on Webstresser Customers

Tue, 01/29/2019 - 10:02
Global Police Crack Down on Webstresser Customers

Europol has detailed how law enforcers across the globe are tracking down customers of notorious DDoS-as-a-service site

The site was taken down in April 2018 as part of Operation Power OFF, but that gave police a trove of information on its 151,000 registered users. It’s claimed the marketplace helped customers launch over four million attacks for as little as €15 a month.

Countries taking action against DDoS are: Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the US.

The UK’s National Crime Agency is leading the way, having seized 60 devices in raids and readying action against 250 users of the site, Europol claimed.

In the Netherlands, the authorities are taking a more progressive approach, offering first-time offenders the opportunity to take part in a "Hack_Right" project to prevent them getting into more serious crime.

Elsewhere, the FBI last December disrupted other DDoS-for-hire sites including Downthem and Quantum Stresser, whilst Romanian police have identified the administrators of two smaller DDoS sites, seizing evidence including info on their customers.

Darren Anstee, CTO for security at Netscout, argued that it’s all too easy for malcontents to launch DDoS attacks via stressor and booter services like webstresser, and welcomed the concerted police action.

“This is exactly the kind of action that is needed, as it will dissuade others from simply ‘clicking the button’ to launch an attack — with no consideration of the consequence of that attack,” he added. 

“It should be noted however that this will only dissuade some from using these kinds of services, criminal behavior will persist, and DDoS attacks will continue. Every organization needs to take responsibility for ensuring the availability of their online services is adequately protected.”

Businesses should invest in the right people, process and technology to mitigate the DDoS threat, he added.

Categories: Cyber Risk News

Fileless Infection Steals Creds with Bank Trojan

Mon, 01/28/2019 - 18:01
Fileless Infection Steals Creds with Bank Trojan

A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.

In a blog post, researchers wrote that the banking Trojan employs "fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”

Researchers received an alert containing a malicious VBA macro coming from a Microsoft Word document that asked users to enable macros. Once enabled, PowerShell is executed and then another PowerShell command downloads the Ursnif malware.

Registry data is then created for the next stage of execution in which the command executes PowerShell using Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadID, QueueUserAPC, OpenThread and SleepEx, according to the blog.

Though researchers identified a list of files dropped, they also noted, “Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren't necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it's likely a Ursnif infection.”

An extensive list of malicious documents and C2 server domains were also listed among the indicators of compromise.

"This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.

“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."

Categories: Cyber Risk News

Illinois Supreme Court Upholds Consumer Privacy Rights

Mon, 01/28/2019 - 17:02
Illinois Supreme Court Upholds Consumer Privacy Rights

In a landmark ruling of the Rosenbach v. Six Flags Entertainment Corp. case, the Illinois Supreme Court on January 25, 2019, decided to hold that consumers can sue for violations of their privacy under the state’s biometric privacy law, a decision that will likely have broad impact and open the door for consumers to file more lawsuits, according to Justin Kay, a partner at Drinker Biddle & Reath.

The case concerned a 14-year-old boy who visited a Six Flags park on a school field trip. Before receiving his season pass and gaining access to the park, the boy was asked to scan his thumb into a biometric data capture system. In her complaint, the mother of the boy said neither she nor her son were informed of the purpose and length of term for which his fingerprint had been collected. Because neither of them had signed a release for the taking of the biometric information, the suit claimed that Six Flags was in violation of the state of Illinois’ Biometric Privacy Information Act.

“The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a 'gotcha' statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics,” said Kay. “With their ruling today, it is.”

The court concluded, “We hold that the questions of law certified by the circuit court must be answered in the affirmative. Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings.”

As a result of the ruling, Kay predicts there will be a push for an amendment to the statute. “Efforts were made several years ago to amend the statute after the first spate of lawsuits against tech companies like Facebook related to facial recognition software, but those efforts failed. Last February, bills were again introduced in both the Illinois House and Senate to rein in the scope of the Illinois law, but they did not advance.

“Just as the Illinois statute served as a model for many of those proposals and was cited by legislators, the Supreme Court’s interpretation here is likely to have an impact on how those laws are drafted.”

Categories: Cyber Risk News

Password Reuse Likely Cause of Dailymotion Attack

Mon, 01/28/2019 - 16:30
Password Reuse Likely Cause of Dailymotion Attack

Complying with General Data Privacy Regulations (GDPR), video-sharing platform Dailymotion disclosed to France's Commission Nationale de l'Informatique et des Libertés (CNIL) on Friday that it suffered a credential-stuffing attack.

“The attack consists in 'guessing' the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion,” the disclosure said.

According to the disclosure, the attack was detected by the company's technical team and as of the January 25 announcement was still ongoing. Infosecurity contacted Dailymotion, and a company spokesperson said, “We consider that the attack has now stopped. We are not making further comment or discussing specific details, for obvious reasons.”

Given the rise of information-stealing malware, passwords and personally identifiable information are almost guaranteed to be exposed in increasingly sophisticated and frequent data breaches, according to Scott Clements, CEO, OneSpan.

“It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cyber-criminals to capture data and commit fraud.”

Still, many consumers have yet to start using multi-factor authentication (MFA) to log into websites. Instead, they are more often than not reusing a few static passwords across multiple websites, said Michael Magrath, director, global regulations and standards, OneSpan.

“Given the vast number of password-related breaches over the past few years, the convenient yet insecure reuse of static passwords exposes individuals to the credential-stuffing attack used in this case.  Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy.”

Categories: Cyber Risk News

Most IT Pros Share and Reuse Passwords: Report

Mon, 01/28/2019 - 13:00
Most IT Pros Share and Reuse Passwords: Report

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study published on the EU’s Data Protection Day.

Also known as Data Privacy Day in North America, the awareness-raising event was originally slated for January 28 13 years ago as this was the date that the Council of Europe’s data protection convention (Convention 108) was opened to signature.

However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.

Some 69% admitted they had shared passwords with colleagues, and over half (51%) reuse an average of five passwords across business and personal accounts. Over half (55%) don’t use two-factor authentication at work and 67% do not use it for personal accounts.

These findings are especially concerning given that IT professionals should theoretically be leading by example in organizations and society at large by following best practices in security and privacy. They also hold the keys to privileged corporate accounts and so represent a major target for hackers.

Even more concerning is the fact that 51% of those polled said they’d suffered a phishing attack at home and 44% at work, but over half (57%) of these claimed it didn’t affect their password behavior.

Thanks to the GDPR, consumers and organizations around the world are becoming more privacy-aware. Google was recently fined €50m in France in the first major investigation by regulators, with experts predicting many more will follow for both privacy and security infractions.

Aside from the 'stick' of regulatory fines, the likes of the ICO are hoping that the 'carrot' of improved transparency, operational efficiency, competitive differentiation and security, will encourage organizations to get compliant.

A Cisco study of over 3000 global security and privacy professionals released last week claimed that only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, versus 64% of the least GDPR-ready firms.

In addition, those investing in GDPR compliance experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks as opposed to 5.4 weeks for the least GDPR-ready organizations.

UK firms were among the leaders globally, with 69% claiming to be GDPR-ready, compared to just 42% in China and 45% percent in Japan.

Categories: Cyber Risk News

ICO Warns UK to Prepare for Brexit "No Deal" Data Flows

Mon, 01/28/2019 - 11:59
ICO Warns UK to Prepare for Brexit "No Deal" Data Flows

The UK’s privacy regulator has warned businesses to prepare now for a potential Brexit 'no deal,' claiming they may have to put in place standard contractual clauses to ensure unhindered data flows.

With Theresa May’s government still refusing to rule out the prospect of allowing the country to exit the EU without a deal, businesses should get to planning their response, argued information commissioner, Elizabeth Denham.

Although London will allow personal data flowing from the UK to European Economic Area (EEA) countries unhindered, the same will not be true of data coming into the UK, meaning businesses should start by mapping data flows.

“You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” said Denham.

“It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.”

Even companies transferring data to and from parent organizations in Europe will need to put in place additional measures, with standard contractual clauses mentioned several times in the blog post.

“There are many mechanisms companies can use to legitimize the transfer of personal data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from Leaving the EU - six steps to take guidance for more information,” said Denham.

“You know your organization best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.”

Companies expecting an “adequacy” decision to be made on exit day to ensure unhindered data flows will also be disappointed, said Denham.

Negotiations to secure this will take “many months” and can only begin once the UK has left the EU, so alternative arrangements like standard contractual clauses will need to be put in place in the meantime.

The complexity, extra cost and effort required for firms to replace existing rules and frameworks is a microcosm of the Brexit process in general, which one former WTO boss described as being “as difficult as removing an egg from an omelette.”

Categories: Cyber Risk News

White Hat Ball 2019 Raises £193,000 for NSPCC’s Childline Service

Mon, 01/28/2019 - 11:30
White Hat Ball 2019 Raises £193,000 for NSPCC’s Childline Service

A staggering 193,000 was raised for counselling service Childline at the White Hat Ball last Friday, January 25.

The annual fundraising event, organized by a committee of dedicated volunteers from the information security sector and now in its 14th year, was held at London’s Lancaster Hotel. The evening was hosted by TV presenter, writer and musical artist Nick Knowles and included speeches from Childline founder Dame Esther Rantzen and White Hat Ball committee members.

Guests enjoyed a champagne reception, three-course dinner followed by live music and dancing and various fundraising activities including a raffle, silent and live auctions.

Childline was founded in 1986 and is a free, private and confidential service for anyone under 19 in the UK, providing trained support for young people dealing with a wide range of issues. In 2006, Childline became part of the NSPCC.

“Each year the White Hat Ball raises a fantastic amount of money for Childline, a cause we are incredibly passionate about,” said chairman of this year’s White Hat Ball committee, Mark Logsdon. “Thanks to all of those involved in making it happen, our sponsors and those who attended, donated and gave so generously.”

“I’m extremely proud to be part of an industry which has made such a difference to so many children and young people over the past 14 years.”

Childline president, Dame Esther Rantzen DBE, added: “At Childline we’ve become more aware of the dangers of the online world and it’s wonderful to have the support of an industry which is determined to help keep the internet safe.

“The money the information security and risk industry have raised will help us be there for more young people, some of whom are in desperate need of our help.”

Categories: Cyber Risk News

Taxpayers Demand HMRC Deletes Voice IDs

Mon, 01/28/2019 - 09:54
Taxpayers Demand HMRC Deletes Voice IDs

Over 160,000 UK taxpayers have demanded that the HMRC delete biometric voice recordings collected without their informed consent.

Big Brother Watch has been running a campaign into the tax office’s use of a voice identification system, first launched in 2017.

Having captured biometric data on millions of taxpayers, the system is now linked to “one of the largest known state-held voice databases in the world,” the group claimed.

However, this has come at the expense of user privacy.

The group revealed last year that when individuals called HMRC’s tax credits and self-assessment helplines they were automatically required to create a voice print.

The opt-out option was not immediately obvious — the only way users could follow this route was apparently by saying “no” three times.

The ICO is now investigating whether HMRC broke the GDPR by failing to obtain explicit consent from users, that is “freely given, specific, informed and unambiguous.”

“It is down to the ICO to take robust action and show that the government isn’t above the law,” Big Brother Watch said in a statement.

In the meantime, large numbers of taxpayers are exercising their right to erasure under the new data protection law.

The HMRC is also said to have changed the system so as to offer callers a clear opt-out should they wish.

However, over seven million users are currently enrolled in the scheme, which the tax office claims is a quick and easy way to authenticate and access accounts over the phone.

“All our data is stored securely and customers can opt out of Voice ID or delete their records any time they want,” it said.

The news was released, appropriately enough, ahead of the EU’s Data Protection Day today, an event designed to raise awareness of privacy issues among users and businesses.

Categories: Cyber Risk News