Info Security


Cyber Security Challenge UK Appoints New CEO

Thu, 01/11/2018 - 11:53

Cyber Security Challenge UK today announced the appointment of a new chief executive following the death of former CEO Stephanie Daman, who passed away in June last year after a long battle with cancer.

Colin Lobley, who came through a thorough selection process of over 70 candidates, will now take up the role, joining from the Security Services division of DXC Technology (formerly Hewlett Packard Enterprise), where he was general manager for the UK, Ireland and the Middle East. Lobley brings with him expertise in working with both public and private sector organizations.

“There are lots of exciting possibilities to diversify and expand this national initiative, so we can enhance the positive impact we have on the UK’s cyber resilience,” he said. “It would be fantastic if we could achieve such a utopian vision as having eradicated all security weaknesses in the cyber world...but realistically, if I go home every day knowing I have done something, directly or indirectly, to encourage people into the field of cyber, to enhance the knowledge of those in or entering the field, or to educate someone about cybersecurity and start to close those gaps; I'll be happy.”

“That’s exactly why I am delighted to be joining the fantastic, passionate team at Cyber Security Challenge UK,” Lobley added, “helping to make a real difference and building upon the wonderful efforts of the late Stephanie Daman.”

“I fully believe that the UK cyber industry can go from strength to strength to become ever more prominent on the world stage,” he continued. “But to achieve this, it is essential that we nurture new talent, so we can meet the evolving market demands.”

Dr Robert Nowill, chairman of Cyber Security Challenge UK, said: “With his background, Colin fits the role very well as we forge the way ahead for our organization; developing our offering further whilst scaling up what we do to seek out as much new talent and staying as inclusive as possible. The Board and I also are extremely grateful for the work Nigel Harrison has done as Acting CEO for much of last year. We are pleased that Nigel continues as an Executive Director of The Challenge to help drive this exciting future.”

Categories: Cyber Risk News

Fruitfly Malware Creator Allegedly Spied on Victims for 13 Years

Thu, 01/11/2018 - 10:20

An Ohio computer programmer has been indicted for a 13-year malware campaign during which he stole sensitive personally identifiable information (PII), eavesdropped on conversations and even produced child pornography.

Phillip Durachinsky, 28, of North Royalton, Ohio, is facing 16 counts of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography and aggravated identity theft.

He’s said to have developed the malware known as Fruitfly, which allowed him to remotely access and control victim machines, although it’s not clear how he installed the malware.

This allegedly allowed him to steal reams of sensitive PII including online credentials, tax records, medical records, photographs, banking records and internet searches.

He’s also accused of taking screenshots, logging keystrokes and recording audio/video via the victim machines’ webcams and microphones.

This allegedly allowed Durachinsky to watch and listen to victims without their knowledge. The malware also alerted him when users typed in words associated with pornography, according to the Department of Justice.

The indictment claims he saved millions of images and kept detailed notes of what he saw.

Durachinsky is not only accused of snooping on home users. The DoJ claimed he also installed Fruitfly on computers in private enterprises, schools, a police department and even the government, including one machine at a subsidiary of the US Department of Energy.

“Durachinsky is alleged to have utilized his sophisticated cyber skills with ill intent, compromising numerous systems and individual computers,” said special agent in charge Stephen Anthony.

“The FBI would like to commend the compromised entities that brought this to the attention of law enforcement authorities. It is this kind of collaboration that has enabled authorities to bring this cyber hacker to justice.”

The case answers many questions raised by security researchers when they first discovered Fruitfly, with some even claiming it could be the work of a nation state.

Categories: Cyber Risk News

Equifax Would Have Paid $1.5bn Under New US Breach Laws

Thu, 01/11/2018 - 09:46

Senators have proposed new legislation which would impose strict liability penalties on credit reporting agencies (CRAs) in the event of a data breach.

The Data Breach Prevention and Compensation Act is designed to make the big CRAs more accountable, following a damaging breach at Equifax last year which affected 145.5m Americans and 700,000 Brits.

The act would establish an Office of Cybersecurity at the FTC, the regulator, which would be responsible for annual inspections and supervision of security-related issues.

Most notably, it would impose mandatory financial penalties starting at $100 for every customer who has one piece of personally identifiable information (PII) compromised, with $50 per additional piece of PII. Half of the money collected would be used to compensate the victims.

These fines could rise even higher if there’s evidence of inadequate cybersecurity or delayed breach reporting.

Under the new legislation, Equifax would have been forced to pay an estimated $1.5bn fine following its September 2017 breach, according to senator Elizabeth Warren.

"The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," she said in a statement.

"Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again."

Although the US led the way globally with mandatory breach reporting laws a few years back, it is the EU GDPR which now sets the standard. Under the new data protection regulation, Equifax would likely have seen significant fines, due to the number of UK consumers affected.

Consumer and security groups appear to support the legislation.

“This bill establishes much-needed protections for data security for the credit bureaus,” said National Consumer Law Center staff attorney, Chi Chi Wu.

“It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust.”

Categories: Cyber Risk News

Bad Botnet Growth Skyrockets in 2017

Wed, 01/10/2018 - 19:00

Bad bots are big – and getting bigger. There was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors.

According to the Spamhaus Botnet Threat Report 2017, the company’s malware division identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. In 2017, nearly every seventh SBL listing that Spamhaus issued was for a botnet controller.

Of course, not all botnets are bad bots; but Spamhaus's Botnet Controller List (BCL), which exclusively lists IP addresses of botnet servers set up and operated by cybercriminals, saw listings increase by more than 40% in one year (and more than 90% since 2014). On average, Spamhaus is issuing between 600 and 700 BCL listings per month.

The reality of the situation is probably much worse: The statistics exclude botnet controllers that are hosted on anonymization networks like Tor.

Botnet C&C controllers are used by cybercriminals to send out spam and ransomware, launch distributed denial of service (DDoS) attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin and Monero. With the rise of enslaved internet of things (IoT) devices, such as smart thermostats, webcams or network attached storage (NAS) devices, the range of controllers has continued to get more diverse – and more numerous.

In fact, the number of IoT botnet controllers alone more than doubled from 393 in 2016 to 943 in 2017.

“Looking forward to 2018, there is no sign that the number of cyber threats will decrease,” Spamhaus noted in its report. “The big increase of IoT threats in 2017 is very likely to continue in 2018. We are sure that securing and protecting IoT devices will be a core topic in 2018.”

This will likely correspond with an uptick in DDoS attacks.

“The latest 2017 threat report from Spamhaus shows a notable uptick in detected botnets, compared to 2016,” said Stephanie Weagle, vice president of marketing at DDoS specialist Corero Network Security, via email. “The increase is no surprise, given the recent trend of leveraging poorly secured IoT devices, and is only set to increase given the increasing sophistication with which devices are being compromised and recruited. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the risk of being hit by a damaging attack for those not properly protected is higher than ever.”

The report also uncovered that, looking at the geographic location of the botnet controllers, the top botnet hosting country is the US, followed by Russia. Also, when it comes to the kinds of malware associated with the botnet controllers, the Pony downloader topped the list, with 1,015 associated C&Cs. Generic IoT malware came in second; and the Loki credential stealer/banking Trojan took third place with 933 C&Cs.

Interestingly, while Locky and TorrentLocker were omnipresent in 2016, these two ransomware families did not make it into the top 20 in 2017. They have been replaced by the Cerber ransomware, which claimed the No. 7 spot, with 293 C&Cs.

Categories: Cyber Risk News

CoffeeMiner Forces Coffee Shop Visitors to Mine for Monero

Wed, 01/10/2018 - 18:30

Surreptitious crypto-mining using unsuspecting victims’ computers has become a rapidly proliferating phenomenon – and now it has collided with coffee shop Wi-Fi hijacking.

A software developer known as Arnau Code has developed a proof-of-concept for a man-in-the-middle (MITM) attack, for use in coffee shops and other places where legions of students and teleworkers take advantage of free Wi-Fi. It shows how attackers can gain access not just to one victim’s CPU resources to mine for virtual currency but to all of the compute power connected to that particular Wi-Fi network, all at once.

“Some weeks ago I read about this Starbucks case where hackers hijacked laptops on the WiFi network to use the devices computing power to mine cryptocurrency, and I thought it might be interesting perform the attack in a different way,” the developer explained in a blog, with the disclaimer that his research is “strictly for academic purposes.”

He added, “The goal of this article, is to explain how can be done the attack of MITM...to inject some javascript in the html pages, to force all the devices connected to a WiFi network to be mining a cryptocurrency for the attacker.”

Appropriately named CoffeeMiner, the script allows for an autonomous attack on the Wi-Fi network to do just that. It’s the result of a multistep – but not challenging, according to Code – process.

First, CoffeeMiner intercepts the traffic flowing back and forth between the users and the router by setting up a virtual gateway. Then, using the “mitmproxy” software tool, CoffeeMiner injects a line of JavaScript code into the HTML pages that coffee shop denizens are visiting. The code in turn connects to a simple HTTP server running on an attacker machine, which then serves up the Coinhive crypto-miner to victims. Coinhive, which allows visited websites to mine for the Monero cryptocurrency, has gained notoriety, thanks to cybercriminals abusing it.

“CoinHive miner makes sense when user stays in a website for mid- [to] long term sessions,” the developer said. “So, for example, for a website where the users average session is around 40 seconds, it doesn’t make much sense. In our case, as we will inject the crypto miner into each one of the HTML pages that victims request, [so we] will have long term sessions to calculate hashes to mine Monero.”

Once created as a fully formed weapon, CoffeeMiner runs autonomously, as a sort of set-it-and-forget-it moneymaker.

Code also offered helpful suggestions for maximizing CoffeeMiner’s potential, including using a powerful Wi-Fi antenna, “to reach better all the physical zone,” and adding a piece of code, “sslstrip,” to make sure the injection will also work with websites that the user can request over HTTPS.

As for protecting oneself against such an attack, which can slow victim machines down so much that they become virtually unusable, Scott Petry, CEO and co-founder of Authentic8, compared it to taking basic flu-season precautions.

“We don't even touch public doorknobs without a paper towel or a squirt of Purell,” he said via email. “Why on Earth would anyone freely connect to a public Wi-Fi network? There's no surprise in this story – it’s how the internet works. The surprise is that people are still exposing themselves to these exploits. Someday soon we'll look back in shock on how careless we were on the internet.”

Categories: Cyber Risk News

As Cloud Looms, Security Tops IT Resilience Investment

Wed, 01/10/2018 - 17:18

When it comes to investments in IT resilience, cybersecurity initiatives top the to-do list for most IT departments, as cloud leads the way as the No. 1 threat concern.

According to Syncsort’s 2018 State of Resilience report, which surveyed 5,632 IT professionals globally, ongoing, high-profile hacking attacks, data breaches, disruptive natural disasters and escalating storage and data accessibility needs are top concerns for most businesses. Overall, security is the top initiative that most companies will pursue in the next 24 months (49%). The majority of professionals chose virus protection (71%), malware protection (67%), patch management (53%), and intrusion detection and prevention (IDP, 52%) as their top organizational investments in security today.

IT pros see cloud as the top security challenge: The report found that IT leaders are entrusting critical applications to the cloud, but with concerns. About 43% identify it as their top security challenge for the coming year.

“Certainly, the shared resource pools and always-on features of cloud have introduced the possibility of new security breaches – including data loss, weak identity management, insecure APIs, denial of service attacks, account hijacking and advanced persistent attacks, which infiltrate systems over a period of time,” the firm said in the report.

The second greatest perceived challenge for IT departments is the increasing sophistication of attacks (37%). “Cunning criminals have sharpened their craft, conducting exploratory raids over months, invading systems, hiding their tracks, and deploying malware that can fool customers with bogus messages or extract and steal valuable data – the lifeblood of most companies.”

Ransomware meanwhile appeared as the No. 3 challenge confronting respondents, though Syncsort’s analysis was dubious as to the actual impact: “IT professionals are naturally aware of this phenomenon, as a result of worldwide media coverage. Yet, a considerable majority of professionals in this study had never been attacked by ransomware or were not aware that they had been; a minuscule number had paid to get data back, as mentioned in a subsequent section of this report. It remains to be seen whether ransomware is the flavor of the moment or will be a recurring trend.”

Despite these concerns, internal security audits are infrequent, the report found. Nearly two-thirds of companies perform security audits on their systems, but the most common schedule was to do it on an annual basis (39%). Another 10% of respondents audit every two years or more, which, given an ever-changing IT environment, could expose a company to risk.

The report also found that data sharing is seen as critical but challenging. About half (53%) of companies surveyed have multiple databases and share data to improve business intelligence, largely through scripting (42%), followed by backup/restore/snapshot processes and FTP/SCP/file transfer (38% each). The average company uses two different methods, adding to the complexity. In turn, this bolsters security concerns.

“IT leaders are under immense pressure to provide an enterprise infrastructure that can sustain severe threats and secure vital information while enabling data accessibility and business intelligence,” said Terry Plath, vice president, Global Services, Syncsort. “Business resilience requires the right mix of planning and technology, and this survey did a thorough job of uncovering how businesses are tackling this increasingly complex and multi-faceted challenge.”

Categories: Cyber Risk News

Carphone Warehouse Breach Results in £400K Fine

Wed, 01/10/2018 - 12:04

The Carphone Warehouse has become the latest UK firm to be slapped with a massive ICO fine after a 2015 data breach compromised the personal information of millions of customers.

The electronics and mobile phone retailer, owned by Dixons Carphone, was fined £400,000 by the ICO after failing to adequately secure its systems. Hackers accessed data on over three million customers including names, addresses, phone numbers, dates of birth and marital status.

Some 18,000 customers had historical payment details accessed, while 1000 employees had data including name, phone numbers, postcode and car registration exposed to the hackers.

The attackers are said to have accessed the data by using valid log-ins for out-of-date WordPress software.

The ICO claimed Carphone Warehouse failed to delete historical data from its records, carry out routine security testing or keep software up-to-date.

“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said information commissioner, Elizabeth Denham, in a statement.

“Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

She added that companies need to put in place layered security to help mitigate growing online threats.

The firm may have been saved from a bigger fine by taking steps to fix some of the problems identified, and because the data has not yet resulted in any identity fraud.

The fine puts Carphone Warehouse up there with TalkTalk in terms of the largest ever penalties levied.

The ISP was slapped with a £400,000 penalty after a 2015 breach but then received a further £100,000 for a separate issue relating to data access by a third-party supplier.

Carphone Warehouse would most likely have been hit with an even bigger fine had the incident occurred after May 25, when the GDPR comes into force. It will give the ICO and other regulators around Europe the power to fine organizations up to 4% of global annual turnover, or £17m.

Categories: Cyber Risk News

Patch Tuesday: More Work for Admins with 56 Flaws to Fix

Wed, 01/10/2018 - 11:19

Microsoft heaped more work on IT administrators this week with a Patch Tuesday update round that will bring the total CVEs addressed in January to 55, including four public disclosures and one zero-day vulnerability.

The zero-day (CVE-2018-0802) is an Office vulnerability which could allow a remote attacker to take control of an affected system.

“The attacker in this case, could create a specially crafted file or host specially crafted content on a compromised website or user contributed content on a website,” explained Ivanti director of product management, Chris Goettl. “A user opening these specially crafted files would allow the exploit to run giving the attacker equal rights to the system as the current user.”

The issue could also be mitigated by users running with fewer privileges, he said.

A previously unseen public disclosure (CVE-2018-0819) relates to the Mailsploit vulnerability in Outlook for Mac and could apparently allow an attacker to circumvent email anti-spoofing mechanisms like DMARC.

The remaining three public disclosures were published last week and relate to the Meltdown and Spectre chip issues.

The former is fixed with code changes to the kernel and the latter two flaws via firmware updates, so OS and firmware updates must be installed to fully mitigate these attack methods, according to Goettl.

However, admins have been warned to thoroughly test these updates as reports suggest there could be varying degrees of performance degradation, as well as possible BSOD due to compatibility issues with third-party AV tools.

Microsoft has also halted the deployment of patches for some AMD systems after some users reported their devices got into an “unbootable state.”

Qualys director of product management, Jimmy Graham, claimed that after Spectre and Meltdown patches, the focus for workstation environments should be on fixing Outlook vulnerability CVE-2018-0793 and Word flaw CVE-2018-0794.

Also this month, Adobe released a Priority 2 update for Flash Player (APSB18-01), which fixes out-of-bounds read bug CVE-2018-4871.

Apple released iOS 11.2.2 yesterday as well as a macOS High Sierra 10.13.2 update to help mitigate issues relating to the Spectre chip flaws.

Categories: Cyber Risk News

FBI Boss: We Don’t Want Backdoors, but We Do Want Access to Encrypted Devices

Wed, 01/10/2018 - 10:26

The FBI has nearly 7800 devices it can’t access because of encryption, according to its director, who repeated calls yesterday for tech providers to find a solution to the issue that doesn’t involve creating backdoors.

In a speech to the International Conference on Cyber Security, Wray claimed the Feds were unable to access 7775 encrypted devices last year — far higher than the 6900 figure touted in October.

He argued this was fast becoming an “urgent public safety issue” which would only get worse over time unless US technology companies engineer a “responsible” solution.

“We’re not looking for a ‘back door’ – which I understand to mean some type of secret, insecure means of access,” he said. “What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”

However, experts have argued that the only way to give the FBI what it’s asking for is indeed engineering a de facto backdoor.

This would put the privacy and security of hundreds of millions of devices potentially at risk if it fell into the wrong hands, and could even be abused by over-reaching law enforcers, whilst putting pressure on providers like Apple to do the same in countries with poor human rights records, the argument goes.

Whilst admitting a possible solution “isn’t so clear-cut,” Wray’s main line of argument was that US companies lead the world in innovation, so they should be able to find a way to allow law enforcers limited access to devices for which they have a warrant, without breaking security for law-abiding users.

He also claimed that US tech firms are already acceding to requests for customer data by foreign governments, although crucially didn’t go as far as to claim firms like Apple had broken their own encryption to do so.

“The FBI supports information security measures, including strong encryption,” said Wray. “But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”

The news comes as researchers unveiled a new end-to-end encrypted group chat protocol, dubbed Asynchronous Ratcheting Tree (ART).

Facebook and Oxford University teamed up on the project, which addresses a weakness in current group-chat schemes: if one member of the group is compromised, all of the group’s conversations can be read.

This latest innovation in encrypted messaging is unlikely to go down well with law enforcers on either side of the Atlantic.

Categories: Cyber Risk News

Reddit Users Lose Bitcoin Tips After Third-Party Breach

Tue, 01/09/2018 - 20:10

Reddit has confirmed that one of its email providers, Mailgun, has been breached, resulting in the hacks of user profiles and their linked cryptocurrency accounts.

Attackers infiltrated Reddit accounts using password reset emails sent via the third-party vendor. Several Redditors also reported that their Bitcoin Cash tip accounts had been emptied out.

Despite the alarming details, Reddit urged the public to maintain perspective, noting that the attackers “did not have access to either Reddit’s systems or to a Redditor’s email account,” adding that the number of confirmed impacted users is less than 20 so far.

“On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests,” Reddit explained in a post. “We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails including password reset emails,” it continued. “A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails… We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again.”

Mailgun, for its part, said that it has identified the attack vector—an employee’s compromised email account—and has patched the issue.

“On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact,” Mailgun CTO Josh Odom wrote in a post. “We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application.”

He added that the attack affected less than 1% of Mailgun’s entire customer base.

Categories: Cyber Risk News

(ISC)² Names Infrastructure and Security Director

Tue, 01/09/2018 - 19:40

Nonprofit cybersecurity certification organization (ISC)² has appointed Bruce Beam as director of infrastructure and security.

Beam, who has more than 20 years of experience leading IT/ICT and security teams for large enterprises and the US Navy, will oversee all aspects of (ISC)²’s global IT/ICT and cybersecurity operations.

“Bruce is a strategic technology leader with a proven track record of strengthening enterprise security posture, building collaborative teams and enabling more efficient business processes,” said Wesley Simpson, COO at (ISC)². “As an (ISC)² member, Bruce personally understands what our community of cybersecurity professionals need and what they expect from us. Under his leadership, we will continue our infrastructure modernization projects and dramatically improve service levels for all members.”

Beam was most recently senior director of information security and infrastructure for IT services provider CoreSite, where he led a team responsible for information security, network administration, systems management and help desk, providing operational solutions to clients in government, civil defense, public safety, intelligence, infrastructure management, energy, navigation technology and more.

With the US Navy, he served as IT director for the Naval Mine and Anti-Submarine Warfare (ASW) Center Detachment at Norfolk, and as chief security officer for the Naval Oceanography ASW Center.

“(ISC)² is the premier cybersecurity organization in the world,” Beam said. “I share the organization’s passion and commitment to certify and educate cybersecurity professionals. The Certified Information Systems Security Professional (CISSP) is the calling card for all information security professionals, and it is a great privilege to be a part of the team working so diligently to inspire a safe and secure cyber-world.” 

Beam holds the CISSP and Certified Information Security Manager (CISM) certifications. He earned a master’s degree in information technology/information assurance from the University of Maryland University College, a bachelor’s degree in computer information systems from Jacksonville University and a bachelor’s degree in trade, technical and industrial education from Valdosta State University.

Categories: Cyber Risk News

India Exposes Personal Info for 1 Billion Citizens

Tue, 01/09/2018 - 18:33

A vast majority of Indian citizens—more than a billion people—are potentially affected by the exposure of the country’s biometric database.

An Indian newspaper reporter uncovered the issue as part of an investigative effort into the security of the Unique Identification Authority of India (UIDAI), which serves as the issuing authority for Aadhaar cards. These voluntary cards have a 12-digit unique identification number, strengthened by a fingerprint and iris scan of the recipient. The cards are used for authentication with several state-owned entities and departments, including those responsible for subsidies and the national health service, as well as public sector banks and other organizations, such as the Life Insurance Corporation of India. UIDAI has repeatedly touted the security of the system.

During the course of the investigation, The Tribune of India was able to obtain administrator-level credentials for accessing the entirety of the database for just $8.

“[We] ‘purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far,” the paper explained. “It took just Rs 500 [around $8], paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI..., including name, address, postal code (PIN), photo, phone number and email.”

The Tribune team also paid an additional $5 to gain access to the ability to print facsimiles of specific Aadhaar cards, after entering the Aadhaar number of any individual.

UIDAI publicly downplayed the issue, saying it contained “mere demographic” details—and no biometric data—so the fake cards would be of limited use in most cases.

Even so, a government official told the Times of India that UIDAI has restricted the access of about 5,000 official administrators for the Aadhaar portal as it overhauls its system, indicating that the ‘service’ the Tribune bought was just one of these officials’ stolen log-ins. Previously, any administrator had unfettered access to the demographic data of anyone in the system. To shut down the problem, Aadhaar access going forward will be authenticated by the fingerprint of the Aadhaar holder, and the data available will be restricted to that one person.

Meanwhile, the reporter that broke the story has been slapped with a criminal complaint.

“We are alarmed that…the agency is even planning to prosecute the reporter who exposed the danger to privacy that all Indian citizens face,” said Marty Kamden, CMO of NordVPN, via email. “It’s a brutal violation of freedom of speech and those who defend it. Also, diminishing the scale of this breach shows that Indians really cannot trust their government with their data.”

He added that these kinds of personal details can be used for a variety of criminal activities.

“The data can be used for phishing attacks or to blackmail the victims of the breach,” Kamden said. “When this happens to over a billion people, it can cause complete chaos. It seems that Indian government is not particularly concerned about this violation of privacy of all citizens, so our advice is to encourage Indians to take their online privacy into their own hands.”

Sanjay Beri, CEO and founder of security company Netskope, had a similar take: “Regardless of whether the Indian government is correct and no biometric information was included in the database accessed by The Tribune of India, the opportunity for fraud stemming from this incident is immense. Sure, criminals may not be able to create exact duplicates of an individual’s Aadhaar ID card, but they still have all the data necessary to conduct highly targeted phishing attacks and other identity fraud. With the Aadhaar numbers, addresses, phone numbers, emails and photos of over a billion individuals, hackers could easily imitate the agency in order to convince unsuspecting citizens to turn over additional data—like their banking information.”

Categories: Cyber Risk News

Cloud Workloads at Risk from Security, Management & Compliance Failures

Tue, 01/09/2018 - 14:30

New research from WinMagic has revealed that security, management and compliance challenges are affecting the benefits businesses get from using the cloud within their infrastructures.

The firm polled 1029 IT decision makers in the UK, Germany and US and discovered that whilst 98% of respondents use the cloud, 33% admitted that data residing there is only partially encrypted. What’s more, 39% said they do not have unbroken audit trails across virtual machines in the cloud, something that can leave them exposed to risks. Unsurprising then that 58% said security was their top concern on future workloads in the cloud, whilst protecting sensitive data from unauthorized access (55%) came in second.

WinMagic’s research also revealed confusion as to compliance of data stored in the cloud. A worryingly low 39% felt they were ultimately responsible for this, with 20% believing responsibility rests solely with the cloud service provider and the same percentage thinking they were covered by their cloud service provider’s SLA. This confusion is particularly concerning given the fact that GDPR will come into force in little over five months.

“The stakes for companies were already high, with data breaches increasing in frequency and scale,” said Mark Hickman, chief operating officer at WinMagic. “EU GDPR reinforces the care that must be taken with data. The simple fact is that businesses must get the controls in place to manage their data, including taking the strategic decision that anything they would not want to see in the public domain, must be encrypted.”

Finally, cloud adoption is taking its toll on the majority of IT enterprise teams, with over half spending more time on management tasks than ever before and needing to use more management tools to get jobs done.

“At its heart, using heterogeneous cloud environments is making it harder for businesses to manage security and compliance, leaving staff firefighting rather than focusing on new projects that will benefit their businesses,” Hickman added.

Categories: Cyber Risk News

Tories Left Red-Faced After HTTPS Gaffe

Tue, 01/09/2018 - 12:05

UK Prime Minister, Theresa May, saw her major Cabinet reshuffle overshadowed yesterday after the governing Conservative Party seemingly allowed its SSL certificate to expire.

Visitors to the Tory Party’s website were greeted with browser-based warnings such as: “Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).”

The security alert was the result of a basic IT admin error: allowing the political party’s SSL certificate to expire so that it could no longer guarantee a secure HTTPS connection for users.

HTTPS is fast becoming the de facto standard for websites, thanks in part to tools such as Let’s Encrypt and HTTPS Everywhere, which allow web managers to switch to the more secure protocol for free.
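The failure described above is an operational one: nobody was watching the certificate's expiry date until browsers started warning visitors. The following Python script is an added example of the scheduled check that catches this weeks in advance; it is not code from the original article or from any organisation named in it. The hostname list in the `__main__` block is a placeholder, and the `WARN_DAYS` threshold is an assumed value to adjust to your renewal process.

```python
"""Certificate-expiry monitoring check (added example, not the article's code).

Runs a verified TLS handshake against each monitored host, reads the leaf
certificate's notAfter field and classifies it as OK / EXPIRING / EXPIRED.
A certificate that already fails validation is reported as INVALID rather
than ignored, because that is exactly what visitors' browsers will show.
"""
import socket
import ssl
import time
from typing import Optional, Tuple

WARN_DAYS = 14  # assumed alert threshold; tune to your renewal lead time


def cert_time_seconds(cert_time: str) -> float:
    """Parse the notAfter/notBefore format returned by ssl.getpeercert(),
    e.g. 'Jan  9 12:00:00 2018 GMT', into seconds since the epoch (UTC)."""
    return float(ssl.cert_time_to_seconds(cert_time))


def days_until_expiry(not_after: str, now_seconds: float) -> int:
    """Whole days remaining before not_after; negative once expired.
    Floor division makes 'expired twelve hours ago' report -1, not 0."""
    return int((cert_time_seconds(not_after) - now_seconds) // 86400)


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Map a day count onto an alert level."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "OK"


def fetch_not_after(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a verified TLS handshake and return the leaf certificate's
    notAfter string. Needs network access; raises ssl.SSLCertVerificationError
    when the chain does not validate (an already-expired certificate included)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(hostname: str, now_seconds: Optional[float] = None) -> Tuple[str, str]:
    """Return (status, detail) for one host. Verification failures are
    surfaced as alerts; connection errors are reported separately so a
    firewall change is not mistaken for a certificate problem."""
    now_seconds = time.time() if now_seconds is None else now_seconds
    try:
        not_after = fetch_not_after(hostname)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: test first
        return "INVALID", f"verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "ERROR", f"connection failed: {exc}"
    days_left = days_until_expiry(not_after, now_seconds)
    return classify(days_left), f"expires {not_after} ({days_left} days left)"


if __name__ == "__main__":
    # Placeholder host list; replace with the domains you are responsible for.
    for host in ["example.com"]:
        status, detail = check_host(host)
        print(f"{status:9} {host}: {detail}")
```

Run it from cron or a monitoring job and page on anything other than `OK`. Because the handshake uses the default verifying context, the check also catches hostname mismatches and broken chains, not only expiry.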

The percentage of web pages loaded by Firefox using HTTPS stood at over two-thirds (67%) as of January 2018 — that’s over 63 million active certificates.

The UK government issued an order in autumn 2016 mandating all departments switch to the more secure protocol from October 1 that year.

However, cyber-criminals have also been making use of such tools to help hide malware from security filters. A report from 2016 claimed that almost half of all cyber-attacks in the preceding 12 months made use of malware hidden in encrypted traffic.

The Conservative Party’s IT-related woes didn’t end with the HTTPS gaffe yesterday: it was left further embarrassed after an official tweet was posted congratulating new chairman, Chris Grayling.

There was just one problem with the tweet: Grayling wasn’t appointed the party’s new chairman at all; that job went to former immigration minister Brandon Lewis.

The tweet was swiftly deleted, and the party's SSL certificate has now been renewed.

However, the mistake didn’t go unnoticed on Twitter, where eagle-eyed commentators voiced their views.

This post from journalist Solomon Hughes is typical:

“Conservative Website is down because they forgot to do an IT update. Because they didn't update, the Conservative Party can't communicate.”

Categories: Cyber Risk News

VTech to Pay $650K to Settle Kids’ Privacy Case

Tue, 01/09/2018 - 10:43

The US Federal Trade Commission (FTC) revealed on Monday that connected toymaker VTech has agreed to pay a civil penalty of $650,000 to settle a privacy lawsuit.

The FTC claimed the Hong Kong-headquartered firm collected the personal information of hundreds of thousands of children without providing a direct notice to parents, obtaining their consent or properly securing said data.

Firms are required to notify and obtain consent from parents of children under 13 when collecting such data in America, according to the Children’s Online Privacy Protection Act.

VTech is said to have collected personal info from parents on its Learning Lodge Navigator online platform, which featured the Kid Connect app, and the now defunct Planet VTech gaming and chat platform.

Parents were required to give PII including their name and email address as well as their children’s name, date of birth and gender. Info was also collected from children when they played Kid Connect.

As of November 2015, around three million US children were registered with Learning Lodge and 630,000 with Kid Connect, while 130,000 kids had Planet VTech accounts set up, the FTC revealed.

VTech failed to adequately protect this highly sensitive PII: there was no IPS/IDS to notify of unauthorized intrusions and the firm apparently broke the law after lying in its privacy policy. It claimed most PII submitted would be encrypted, when in fact none of it was.

This security fail was to come back to bite VTech in November 2015 after an “unauthorized party” accessed customer data — apparently after exploiting a simple SQL injection flaw.

The firm angered customers months later when it changed its Terms & Conditions in an apparent attempt to shift liability for future incidents onto its customers.

The FTC statement concluded:

“In addition to the monetary settlement, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.”

Categories: Cyber Risk News
