Info Security


McDonald's to Use AI Voice Assistants in Drive-Thrus

Tue, 09/10/2019 - 17:43

The era of having staff at McDonald's restaurants ask if you want fries with that is set to end, as the burger giant invests in AI voice-assistant technology. 

McDonald's has entered into an agreement to buy voice-based tech start-up Apprente as part of a plan to improve customer service. The Silicon Valley AI company was founded in 2017 specifically to develop a voice-based AI system for fast-food ordering in a gamble that can now be said to have definitely paid off. 

In contrast to speech-to-text systems, Apprente describes its technology as "sound-to-meaning," because instead of transcribing what a customer says and then determining meaning from the transcript, Apprente's tech goes directly from speech signals to result.

The burger corporation is hoping that the new technology will make the ordering process simpler and more accurate and allow customers to get their mitts on the restaurant's famous fast food even faster. It will certainly eliminate any slowdowns that stem from misunderstood accents. 

The purchase is being made with the primary intention of introducing voice-assistant technology at McDonald's drive-thrus, but use of the voice-based tech may be extended.

In a statement released today, a McDonald's spokesperson said: "We believe that the broader voice-based technology also has the potential to reach customers when, where, and how they want through incorporation into mobile ordering or kiosks."

Apprente's staff, which includes employees trained in machine learning and computational linguistics, will form a new internal team called McD Tech Labs, which will be integrated into the McDonald's Corporation. The team will work at McDonald's newly renovated Innovation Center near Chicago.

McDonald's statement continued: "This latest investment in advanced technology capabilities and talent builds on several key initiatives the company has introduced over the last three years to improve both the restaurant employee and customer experience, from the acquisition of Dynamic Yield, to the expansion of McDelivery, as well as the development of McDonald’s Global Mobile App, Mobile Order and Pay, indoor and outdoor digital menu boards, and self-order kiosks.  

"With this move, we’re investing in the talent and technology that will ultimately make our customer and restaurant employee experience better." 

Categories: Cyber Risk News

Rapid Rise in Monetization of IoT Attacks

Tue, 09/10/2019 - 16:43

An investigation by Trend Micro into the dark dealings of the cyber underground has found a rapid increase in the monetization of IoT attacks.

In a report released today, the global security software company revealed that forums across Russian, Portuguese, English, Arabic, and Spanish language-based markets are all brimming with chatter of how to compromise devices and then exploit them for profit. Routers and IP cameras were the most prominently discussed devices.

Financially driven attacks were found to be most prominent in the Russian and Portuguese markets, which are also the most criminally sophisticated. In these forums, cybercriminal activity is focused on selling access to compromised devices—mainly routers, webcams, and printers—so they can be leveraged for attacks.

The greatest threat is posed to consumer IoT devices, but businesses are also at risk as hackers are increasingly wising up to the possibility of compromising connected industrial machinery to launch digital extortion attacks.

In light of their findings, researchers at Trend Micro have made four sagacious predictions that reach varying levels of doom. The first is that the move from 4G to 5G will work very much in the hackers' favor, opening up more avenues for exploitation than they've ever had before.

The second is that attacks on VR devices and cryptocurrency mining kits are going to take off big time, with more advanced threats like low-level rootkits and firmware infections on the horizon as well.

A third prophetic warning is that digital extortion attacks are going to rise as programmable logic controllers (PLCs) and HMIs are increasingly found online. Manufacturers should be cognizant that their machinery is at risk of being hijacked and their production lines halted by hackers chasing big-dollar ransoms. 

Finally, the company's team of security experts reckon that attacks on routers are going to evolve entirely as ISPs become better acquainted with tactics that take advantage of DNS settings.

“We’ve lifted the lid on the IoT threat landscape to find that cybercriminals are well on their way to creating a thriving marketplace for certain IoT-based attacks and services,” said Steve Quane, executive vice president of network defense and hybrid cloud security for Trend Micro. 

“Criminals follow the money—always," said Quane. "Enterprises must be ready to protect their Industry 4.0 environments.”

Categories: Cyber Risk News

New $1.5M Cybersecurity Center Opening in Baton Rouge

Tue, 09/10/2019 - 15:53

A $1.5 million cybersecurity training and operations center is to open in Louisiana's capital city, Baton Rouge.

The center's long-term objective is to respond to cyber-attacks inflicted on government institutions, schools, and private companies in the Pelican State. However, its immediate purpose will be to support cyber-related missions at major military installations in Louisiana, including Barksdale Air Force Base’s Global Strike Command. 

The Louisiana Cyber Coordination Center will be housed in the Water Campus in the city's downtown area. Confirmed tenants so far are the Louisiana National Guard (LANG), Louisiana State University's nonprofit affiliate research company Stephenson Technologies Corp. (STC), and defense contractor Radiance Technologies.

LANG will lease 11,000 square feet of space in the new center, which 40 members will use periodically for training and as a base for cybersecurity operations. 

STC and Radiance will sublease 3,000 square feet each from LANG. Each company is expected to hire at least ten new staff members from the local Louisiana talent pool of cybersecurity professionals.

“When I created the Louisiana Cybersecurity Commission in 2017, we established a goal of making Louisiana a leader in this fast-growing field," said Louisiana governor John Bel Edwards. "Our top mission is ensuring the safety of sensitive information for Louisiana’s families, our military, our schools, our health-care facilities, and our private-sector employers. We want everyone’s data and privacy to be safe and secure. So, it’s incumbent upon us to invest in cybersecurity measures that protect our citizens from damaging attacks. Establishing this facility will provide one of the greatest tools for that safety, and it will continue our mission of becoming a global cybersecurity leader.”

“This cyber center is exactly what the Louisiana National Guard and the State of Louisiana needed to facilitate the fulfillment of its cybersecurity mission," said Maj. Gen. Glenn Curtis of the Louisiana National Guard. “Over time, for those who are authorized to use this facility, this cyber center will act as the central civilian interface for coordinating cybersecurity information sharing, performing cybersecurity threat analysis, and promoting shared and real-time situational awareness between and among the public and private sectors.”

To secure the project, the State of Louisiana has agreed to provide $1.5 million through Louisiana Economic Development to build out the existing 11,000 square feet to meet strict government standards and a further $500,000 to support lease payments for up to five years. Other project partners, including the Water Campus, are investing $250,000 for facility operations.

Categories: Cyber Risk News

#GartnerSEC: How Security Leaders Can Navigate Difficult Discussions in the Enterprise

Tue, 09/10/2019 - 14:10

Speaking at the Gartner Security & Risk Management Summit 2019 in London, Tina Nunno, distinguished VP analyst at Gartner, explored the difficulties security and risk managers can face in dealing with ‘political’ discussions in the workplace, and outlined strategies for navigating difficult conversations across a business.

Within an organization, politics and difficult conversations are “where the rubber hits the road,” Nunno said. “It’s in the face-to-face interactions where we are having some type of a conflict or we need to communicate something that’s quite difficult, and we need to survive it.”

Nunno explained that the desired outcome of any political or difficult conversation is to resolve issues constructively, establish a positive outcome for all involved and optimize the long-term relationship between the players.

To do that, Nunno outlined three paths that can be taken to navigate challenging workplace conversations, all of which build upon one another. These are de-escalation, synchronization and neutralization.

De-escalation requires you to strive to control the pace and tone of the discussion. “Creating calm and appeasement are two different things; with the first both win, and with the second both lose.”

She advised a four-step approach for mastering de-escalation in a difficult discussion, which includes Avoid, Ask, Engage and Calm.

  • Avoid: do not use language that triggers escalation, including “you’re wrong,” judgement terms and the past tense; use “we” instead of “I” in conversations
  • Ask: uncover agendas, both hidden and stated. “Questions are a really powerful tool,” and most people are loath to leave a direct question unanswered
  • Engage: decide where the discussion will take place
  • Calm: manage yourself and the other person’s state of mind so you are open to one another’s point of view

The next path that can then be taken to navigate challenging conversations is synchronization, Nunno said, again using four steps: Empathize, Agree, Redirect and Align. “In synchronization, we are attempting to agree and come to a positive place.”

  • Empathize: acknowledging the feelings of the other person will accelerate the shift to thinking
  • Agree: find common ground
  • Redirect: put the other person in a more constructive direction
  • Align: success is when both parties feel good about cooperating

The third and final step that Nunno outlined is neutralization. “This is when you can use something other than reason – power – to stop the situation and move to a better place,” she said. Once more, Nunno put forward four steps to adhere to: Message, Obstruct, Agitate and Restore.

  • Message: decide which message you want to send and to whom
  • Obstruct: this requires power and a willingness to use it
  • Agitate: determine the criticality of the message and the number of people that need to hear it
  • Restore: “restoration is not simply explaining why you were right and they were wrong, restoration is accountability, dignity and moving forward together”

To conclude, Nunno shared three key pieces of advice for being an effective verbal diplomat that can resolve conflicts through conversations:

  • Select and practice a short set of discussion techniques and have them ready to deploy
  • Combine discussion techniques in a formulaic way that makes sense to you
  • Manage political discussions to optimize both your relationships and outcomes

Categories: Cyber Risk News

#GartnerSEC: Maersk CISO Outlines Lessons Learned From NotPetya Attack

Tue, 09/10/2019 - 12:21

At the Gartner Security & Risk Management Summit 2019 in London, Andy Powell, CISO at Maersk, outlined the key lessons learned from the NotPetya malware attack the company, along with many others, suffered in 2017.

“Maersk was not alone [in being hit by NotPetya] and anybody that thinks that Maersk was the single biggest example, is wrong. There were a lot of companies bigger than Maersk suffering even worse, but they were not as transparent as Maersk,” Powell said.

Therefore, the first key lesson learned from NotPetya is that “transparency is everything,” Powell explained. “Our clients at Maersk loved us for the fact that we told them, from day one, what was going on, and we included them throughout in what we were doing.”

Another lesson learned was that “the world has changed,” Powell continued. “From a company perspective, NotPetya told us that, unless you are a government organization or a very, very highly invested-in bank, you are not going to stop a state-sponsored weapon [such as NotPetya] if it is targeted at you. We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.”

What organizations must do is adopt a two-part strategy. “First and foremost, you need a balance of proactive and reactive [capabilities]. You need to retain the ability to manage an incident because you will assume that it will occur.” In an era when a lot of state-sponsored weapons are going to be used in cyber-attacks, you need to implement a balance of reactive and proactive capabilities.

Powell said that organizations also need to learn and understand “the way in which our businesses are changing. The attack surface is massively changing. The old fortified front door, ‘let’s stop them there’ approach, must go. We are all digitizing and creating one-to-one relationships with our customers, which we need to protect.”

There’s also the fact that companies like Maersk rely heavily on operational technology (OT) which, if disrupted, can cost organizations millions of dollars, Powell added. So it’s about “how we protect OT – not just conventional enterprise IT – as a network that can be compromised.”

Finally, lessons must be learned about crisis management, he said. “There is no such thing as a divide between technology and business in any company anymore, particularly when it comes to cyber. You have got to operate as one.”

Categories: Cyber Risk News

#GartnerSEC: Maersk’s Adam Banks Reflects on NotPetya Response and Recovery

Tue, 09/10/2019 - 11:31

Speaking in the opening keynote session of day two at the Gartner Security & Risk Management Summit 2019 in London, Adam Banks, chief technology and information officer at Maersk, reflected on the company’s response and recovery following the NotPetya attack in 2017.

Banks said that when Maersk was hit by NotPetya, the company was “not unusually weak,” and this is really important, because too often organizations feel immune to cyber-attacks because they do not consider themselves to have obvious security flaws.

However, Maersk was (and is) a company that is extremely data-centric. “Whilst we have a global flow of cargo, we equally have a global flow of information,” but because of the import/export work Maersk does, it cannot “lock up” data or create a centralized data pool and “put every form of defense around it.” The value of the data is in its distribution.

When NotPetya first hit, Maersk was unable to determine exactly what was occurring, Banks explained. It took several hours to establish the cause of the attack and its widespread impact. IT services, end-user devices and applications/servers were dramatically affected. As many as 49,000 laptops were destroyed and 1,200 applications were inaccessible.

“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover.

“The first thing we did was to make some fairly big decisions about how to manage this. Maersk is an asset-centric business with an asset-centric crisis management approach,” but that was not going to be effective in dealing with the global fallout of NotPetya, Banks explained. “I abandoned corporate crisis management and implemented a financial services crisis management model, because financial services normally only ever have global crises.”

In the first one to three days of the outbreak of NotPetya, Maersk:

  • Worked with Deloitte in cyber-forensics
  • Decided to be as open as possible about the incident, both internally and externally
  • Designed a new Windows build
  • Strengthened as far as possible
  • Retrieved an undamaged copy of the Active Directory

In the first four to nine days of the outbreak of NotPetya, Maersk:

  • Built 2000 laptops
  • Rebuilt the Active Directory
  • Spoke to the individual responsible for creating the NotPetya malware

From nine days onwards following the outbreak of NotPetya, Maersk:

  • Continued to work through the ever-growing list of affected applications: in two weeks all global applications were restored and in four weeks all laptops were rebuilt

Categories: Cyber Risk News

More Than 99% of Threats Target Corporate Staff

Tue, 09/10/2019 - 10:43

Over 99% of cyber-threats require human interaction to work, highlighting the importance of user awareness programs and layered defenses, according to Proofpoint.

The security vendor’s 2019 Human Factor report is based on an 18-month analysis of data the firm collected across its global customer base.

It adds some concrete findings to the general trend observed by many in the industry over the past few years that attackers are increasingly targeting the “weak link” in the cybersecurity chain: corporate employees.

Specific staff members, dubbed "Very Attacked People" (VAPs), are targeted most often — perhaps because they have access to corporate funds or sensitive data, or even because they are easily discoverable by outsiders.

Some 36% of VAPs identified in the report could be found online via corporate websites, social media, publications, and other methods.

To stand the best chance of success, attackers targeting humans typically mimic legitimate email patterns: fewer than 5% of malicious messages are sent at weekends, and the largest share (30%+) arrives on Mondays.

Education, finance, and advertising/marketing were the most targeted industries, with education having one of the highest average numbers of VAPs of any vertical, Proofpoint claimed.

In 2018, the sector accounted for the largest number of imposter attacks, along with the engineering and automotive verticals.

Microsoft products and services accounted for nearly one in four phishing attacks in 2018, with messages focused on harvesting user credentials for lateral movement, future attacks and internal phishing.

“Cyber-criminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of threat operations for Proofpoint.

“To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”

Categories: Cyber Risk News

#GartnerSEC: 2019 Projects Should Include Incident Response, BEC and Container Security

Tue, 09/10/2019 - 10:01

Phishing training, automated security scanning and micro-segmentation have been replaced by container security, incident response and business email compromise technology in the top ten security projects for the year.

According to Gartner distinguished VP analyst Neil MacDonald, these projects can help users “reduce risk and improve posture” but too often, “the fear of imperfection holds us back.” Speaking at the Gartner Security and Risk Management Summit in London, MacDonald said that of the top ten projects from 2018, five remain the same while five change. The five that remain are:

Privileged Access Management – MacDonald recommended tying this into “trouble ticket systems” and advised adding multi-factor authentication for all admins, and putting privileged access management in place wherever there is administrator access.

CARTA-Inspired Vulnerability Management – MacDonald said that there is an admission that you will never be completely patched, so users need to patch the critical vulnerabilities that are of most risk. “I believe patching is broken and should be a priority project for this year,” he said.

Detection and Response – MacDonald recommended the use of endpoint detection and response (EDR) technologies to provide a fuller detection capability, and advised investing in EDR and incident response processes. Alternatively, he said to consider using premium support and outsourcing.

Cloud Security Posture Management (CSPM) – MacDonald said that “business units are making mistakes in configuration of AWS and Azure.” For a single cloud provider, he recommended looking for native capabilities or cloud access security broker (CASB) technology. For multi-cloud use, prioritize remediation, sign 1-2 year contracts and reassess often.

CASB – The final project of the top five is CASB, which MacDonald said is “becoming a mainstream technology.” He recommended starting with cloud application discovery, favoring a multi-mode CASB (using proxy and APIs).

For the new five projects, these were:

Business Email Compromise – MacDonald said that this has been switched from anti-phishing “as it is not enough” and that BEC is not an anti-malware problem, but a “poorly-designed access problem.” He advised combining technical controls as a solution.

Dark Data Discovery – He said that this is technology to crawl data sources, understand what is sensitive and not and what should be archived. He advised implementing a “defensible deletion” or other data management strategy.

Security Incident Response – MacDonald said that services are needed to create an incident response plan, and be able to “engage it before it happens.” He advised looking for an incident response provider who understands your operations and processes.

Container Security – MacDonald said that this will happen with or without security because of developers, “and it is our job to secure them, and the good news is there are vendors doing this.” He advised integrating or automating this technology natively into your development process, and scanning for known vulnerabilities.

Security Ratings Services – The final new project involves creating a web of interconnectivity in which a vendor gives a score for security posture. He said that this will allow visibility of the supply chain, and he advised making security rating services part of a comprehensive program.

In conclusion, he recommended picking at least two projects: a CARTA-inspired approach to vulnerability management, and MFA for admins.

The five that were removed were:

  • Active Anti-Phishing Project
  • Application Control on Server Workloads
  • Automated Security Scanning
  • Micro-Segmentation and Flow Visibility
  • Software-Defined Perimeter

Asked why only five of the ten were changed, MacDonald acknowledged that delegates have “resource, staff and budget constraints and you cannot do all ten, so look at the list and see which affect you.”

Categories: Cyber Risk News

Mozilla to Roll-Out DNS-Over-HTTPS For Safer Browsing

Tue, 09/10/2019 - 09:14

Mozilla has announced plans to start rolling out DNS-over-HTTPS (DoH) by default to US users from the end of September, in a bid to improve cybersecurity across the web.

The Firefox browser-maker’s senior director of engineering, Selena Deckelmann, explained in a blog post that only a small percentage of users would see the new feature at first, while the changes are monitored.

DoH should in theory make the web safer and improve user privacy by encrypting DNS query traffic so that third parties cannot eavesdrop on a user’s connection and/or redirect them to phishing/malware sites via man-in-the-middle attacks.

However, because the connection becomes encrypted, concerns have been raised that it prevents ISPs from applying content filters requested by parents to protect their children’s browsing. Similarly, enterprise admins may find it interferes with their own network configurations.

To take account of this, Deckelmann said Mozilla plans to disable DoH if it detects opt-in parental controls, and to respect enterprise configuration unless DoH is explicitly enabled.

“Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH,” she explained. “Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.”
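The behaviour Deckelmann describes means an enterprise that wants DoH can state that explicitly through Firefox's policy mechanism rather than relying on the rollout default. The script below is an added example, not Mozilla's code or anything from the article: it writes the Windows enterprise policy for DoH and reads it back. The registry location follows Mozilla's published policy templates (Software\Policies\Mozilla\Firefox\DNSOverHTTPS with Enabled, ProviderURL and Locked values); the resolver URL is a placeholder for an organisation's own DoH endpoint, and the function names are this example's own.

```powershell
# Added example (not Mozilla's code): pin Firefox's DNS-over-HTTPS behaviour by enterprise
# policy on Windows. Registry path follows Mozilla's policy templates; run elevated,
# since HKLM policies require administrator rights.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
$ResolverUrl = 'https://doh.example.internal/dns-query'   # placeholder: your organisation's DoH resolver

function Set-FirefoxDohPolicy {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$ProviderUrl,
        [bool]$Locked = $true   # Locked stops users overriding the setting in about:preferences
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force overwrites any existing value so the script is safe to re-run
    New-ItemProperty -Path $PolicyKey -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name Locked  -PropertyType DWord -Value ([int]$Locked)  -Force | Out-Null
    if ($ProviderUrl) {
        New-ItemProperty -Path $PolicyKey -Name ProviderURL -PropertyType String -Value $ProviderUrl -Force | Out-Null
    }
}

function Get-FirefoxDohPolicy {
    if (-not (Test-Path $PolicyKey)) {
        # Per the article: with any enterprise policy present and no DoH policy, Firefox disables DoH
        return 'No DoH policy set'
    }
    Get-ItemProperty -Path $PolicyKey | Select-Object Enabled, Locked, ProviderURL
}

# Option A: explicitly enable DoH against a resolver the organisation controls, so queries are
# encrypted in transit but still answered (and filterable) by internal DNS.
Set-FirefoxDohPolicy -Enabled $true -ProviderUrl $ResolverUrl

# Option B (commented out): explicitly disable DoH so the OS resolver and its filtering stay in force.
# Set-FirefoxDohPolicy -Enabled $false

Get-FirefoxDohPolicy
```

After applying either option, Firefox's about:policies page lists the active policy, which is the quickest way to confirm the browser has actually picked it up. The choice between the two options is the trade-off the article raises: Option A keeps the privacy benefit of encrypted DNS without handing resolution to a third-party operator, while Option B preserves existing content filtering at the cost of that benefit.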

Kevin Bocek, VP of security strategy & threat intelligence at Venafi, broadly welcomed the move as improving online security, adding that many privacy-conscious users already employ widely available DNS encryption services.

However, he argued that criticism of DoH for weakening ISPs’ ability to filter harmful material misses a potentially more concerning issue.

“Proposals to encrypt DNS as standard would mean all traffic on browsers that use it will bypass locally held DNS nameservers, and go straight to a central server under the control of Mozilla, Google or one of its peers,” Bocek explained.

“In effect, this gives these companies control over our search information and internet activity, which in turn gives them a greater level of control over the internet itself. So while these changes are a boost for online privacy advocates, the prospect of a small number of for-profit firms having such influence is worrying.”

Categories: Cyber Risk News

Toyota Subsidiary Suffers $37m BEC Loss

Tue, 09/10/2019 - 08:41

A leading Japanese car parts manufacturer has become the latest corporate victim of Business Email Compromise (BEC), after revealing losses of four billion yen ($37.3m).

Toyota Boshoku Corporation, a subsidiary of the Toyota Group, sells seats, textile components, interior lights and other parts.

However, on August 14 its European subsidiary was duped into making a large fund transfer outside of the company, it revealed in a news release.

“Recognizing the high possibility of criminal activity, we promptly established a team comprising legal professionals, then reported the loss to local investigating authorities,” it explained. “While cooperating in all aspects of the investigation, we are devoting our utmost efforts to procedures for securing/recovering the leaked funds.”

Few other details have been released at present while the investigation is ongoing, but the company said it may need to amend its March 2020 earnings forecast if it has not been able to recover any of the funds.

Javvad Malik, security awareness advocate at KnowBe4, argued that BEC is fundamentally predicated on socially engineering the victim into making the money transfer.

“The first step should be raising awareness amongst staff of these attacks, particularly those who work in finance or have the ability to set up new payments or amend existing ones,” he added.

“Secondly, and perhaps more importantly, procedures need to be in place which prevent one user from being able to authorize or create a new payment. Rather, segregation of duties should be put in place whereby more than one user approval is needed to initiate payment, as well as having established and trusted mechanisms through which any requests can be queried.”

According to FBI figures, BEC scammers made around $1.3bn in 2018, around half of the total reported losses ascribed to cybercrime during the year.

A separate report from the US Treasury earlier this year claimed attacks on US victims alone made cyber-criminals $300m each month in 2018.

Categories: Cyber Risk News

Lufthansa Offers Biometric Boarding at Fourth US Airport

Mon, 09/09/2019 - 17:58

Biometric boarding is being offered to passengers flying in and out of New York's John F. Kennedy Airport on Lufthansa.

Germany's largest airline collaborated with U.S. Customs and Border Protection (CBP) and partners at the international airport in Queens, New York, to introduce the new facial recognition technology at JFK's Terminal 1.

One-step biometric boarding, which aims to be faster and more efficient than other methods, works by matching live images captured at the airport with data supplied by the CBP.

As passengers approach self-boarding gates, their images are captured by sophisticated facial recognition cameras. These images are then securely sent to a CBP database to be matched in real-time to existing images of the passengers from previously submitted passport photos, visas, or other travel documents. 

Verification of a match is virtually instantaneous, allowing passengers to board in a matter of seconds without having to show a paper or electronic boarding pass at the gate. The success rate of the matching technology is over 99 percent.  

Amadeus, the provider of Lufthansa’s Passenger Service System known as Altéa, developed the biometric enhancement together with Lufthansa. The gate hardware was provided by Vision Box.

Lufthansa first launched one-step biometric boarding at Los Angeles' LAX airport in March 2018, where the company created a stir by managing to board 350 passengers onto an A380 in roughly 20 minutes. Later in the year, the airline extended biometric boarding to MCO in Orlando, and the system was rolled out to Miami International Airport in February 2019. 

They aren't done yet. Bjoern Becker, senior director, product management ground and digital services for Lufthansa, said: "We anticipate for this technology to continue growing and to introduce it to more gateways throughout the United States.”

Last fall the International Air Transport Association forecast that the number of air passengers will reach 8.2 billion globally in 2037. Should this prediction ring true it’s likely that speedy biometric boarding will eventually become compulsory around the world. However, right now Lufthansa passengers still have a choice over how they board.

A statement released by Lufthansa said: "Those who are wary of the scanners will still have the option to board traditionally with an agent. Lufthansa ensures passenger privacy by only transmitting travelers’ photos and avoids storing them in any Lufthansa database."

Categories: Cyber Risk News

ESET Discovers Backdoor Linked to Stealth Falcon Group

Mon, 09/09/2019 - 16:46

Researchers at ESET have found an undocumented backdoor linked to malware used by the Stealth Falcon Group to attack individuals in the Middle East.

The infamous threat group has been launching spyware attacks against journalists, political activists, and dissidents since 2012. Individuals targeted by the group are sent an email containing a weaponized document, which delivers a PowerShell-based backdoor.

By probing into the activities of Stealth Falcon, ESET researchers discovered a previously unreported executable backdoor they have named Win32/StealthFalcon. The backdoor appears to have been created in 2015 and can be used to carry out data collection and exfiltration and to employ further malicious tools.

Compared to traditional communication, Win32/StealthFalcon talks with its command and control (C&C) server in an unusual but smart way. Instead of communicating via API functions, this particular backdoor uses the standard Windows component Background Intelligent Transfer Service (BITS). 

Choosing BITS was a savvy move by the threat group for two reasons. First, the BITS mechanism is exposed through a Component Object Model (COM), which makes it harder for a security product to detect. 

Second, BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth. It's commonly used by updaters, messengers, and other applications designed to operate in the background, meaning that it's likely to be permitted by most firewalls. That's a pretty useful design feature when you're going for stealth. 

Another feature of Win32/StealthFalcon is that it is extremely reliable. The transfer resumes automatically after being interrupted by a network outage, the user logging out, or a system reboot. 
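Because BITS is a legitimate Windows component, the defensive question the article raises is how to tell a normal updater job from one that should not be there. The example below is an added one, not code from ESET or from the article: it triages constructed log lines modelled on the shape of the Microsoft-Windows-Bits-Client/Operational "transfer job started" message (event 59), extracts the remote host of each job, and flags jobs whose host is a bare IP literal or is not on a hypothetical allowlist of updater hosts. The allowlist entries, the sample events, the log line layout (timestamp, event ID, owner, message) and the account names are all assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that legitimate BITS jobs on this fleet
# talk to. Entries starting with "." match any subdomain. Tune per environment.
ALLOWED_HOSTS = {
    "download.windowsupdate.com",
    ".windowsupdate.com",
    ".delivery.mp.microsoft.com",
    "oneclient.sfx.ms",
}

# Constructed sample lines (not real telemetry): "<timestamp> <event id> <owner> <message>".
# The message text mirrors the BITS client "started the ... transfer job" event;
# the non-59 line shows that unrelated events are skipped by the parser.
SAMPLE_EVENTS = [
    "2019-09-09T10:01:02Z 59 SYSTEM BITS started the WU Client Download transfer job "
    "that is associated with the http://download.windowsupdate.com/d/update/PLACEHOLDER.cab URL.",
    "2019-09-09T10:02:00Z 4 SYSTEM The transfer job WU Client Download completed.",
    "2019-09-09T10:03:15Z 59 CORP\\alice BITS started the OneDrive Update transfer job "
    "that is associated with the https://oneclient.sfx.ms/Win/Installers/OneDriveSetup.exe URL.",
    "2019-09-09T10:05:40Z 59 CORP\\alice BITS started the sync transfer job "
    "that is associated with the https://203.0.113.7/sync URL.",
    "2019-09-09T10:06:01Z 59 CORP\\bob BITS started the report transfer job "
    "that is associated with the https://cdn.example.invalid/uploads/ URL.",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<owner>\S+)\s+"
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\.$"
)


def parse_event(line):
    """Return the fields of a 'job started' event (ID 59), or None for anything else."""
    m = EVENT_RE.match(line)
    if not m or m.group("eid") != "59":
        return None
    ev = m.groupdict()
    ev["host"] = (urlparse(ev["url"]).hostname or "").lower()
    return ev


def is_ip_literal(host):
    """True when the remote 'host' is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host):
    """Exact match, or suffix match for allowlist entries that start with a dot."""
    for entry in ALLOWED_HOSTS:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def triage(lines):
    """Return one finding per BITS job whose remote host looks out of place."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if is_ip_literal(ev["host"]):
            reason = "ip-literal"          # updaters almost never pull from a bare IP
        elif not host_allowed(ev["host"]):
            reason = "host-not-allowlisted"
        else:
            continue                       # known updater host, nothing to report
        findings.append({
            "ts": ev["ts"], "owner": ev["owner"], "job": ev["job"],
            "host": ev["host"], "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['owner']:<12} job={f['job']!r:<20} host={f['host']} ({f['reason']})")
```

On a real host the same logic would be fed from the BITS client operational log rather than from the embedded sample; the value of the allowlist approach is that it does not depend on knowing any particular malware's infrastructure, only on knowing which hosts the fleet's legitimate updaters use.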

The ESET investigation also uncovered a small number of attacks carried out with this malware in the United Arab Emirates, Saudi Arabia, and Thailand. An attack was also perpetrated in the Netherlands, where the target was a diplomatic mission of a Middle Eastern country.

Researchers found similarities between the newly discovered executable backdoor and the PowerShell script with backdoor capabilities previously attributed to the Stealth Falcon group. The evidence suggests that both backdoors are the work of the same group.

Stealth Falcon has been linked by Amnesty International’s senior technologist Claudio Guarnieri to another threat group, Project Raven, which allegedly employs former NSA operatives to attack similar targets in the Middle East.

Categories: Cyber Risk News

#GartnerSEC: Hiring Strategies Do Not Consider Future Digital Trends

Mon, 09/09/2019 - 16:00

The majority of organizations do not have a workforce strategy in place, and are not forward-thinking in their recruitment and retaining strategies.

Speaking at the Gartner Security and Risk Management Summit in London, Gartner director analyst Sam Olyaei said that the majority of companies are “stuck” when it comes to hiring, and have no time to look into the future of emerging technologies.

Citing sources that put the shortage of skilled security staff at anywhere between three and six million people, Olyaei said that many organizations are “playing catch up,” as most have no strategy or career paths lined up for people. A lack of mentorship programs was also off-putting to a number of people, with Women in Cybersecurity research finding that 78% of young women rule out a career in cybersecurity because of this.

“Most organizations look for a perfect candidate and that almost never exists,” he said, adding that there should be more opportunities for “digitally business oriented folks.”

Of those who are succeeding, Olyaei said that the insurance, banking and consumer product verticals were most successful in hiring, as well as those companies that have roles established, offer travel and conference opportunities, and training and education for certifications. 

“The roles that are in demand don’t really change,” he pointed out, but he often sees roles that were unfilled six to 12 months ago still focused on traditional information security rather than future roles. He cited the examples of:

  • Digital risk officer
  • Data security scientist
  • Security champion
  • Digital ecosystem manager
  • Chief of staff

Looking at job descriptions, Olyaei argued that while there is demand for certifications and these are “important for career progression,” if you change the wording on a job description you can capture a wide variety of people.

“It is easier to teach technical things” than more business-related issues, he said, saying that he is seeing more of a shift to descriptions talking about skills to create a strategy, and to be able to present to business leaders.

He explained that this requires a shift in the mindset of hiring, as business moves “at a faster speed; it's more agile, and about ecosystem too” and new people will want to come in and break down silos. “Don’t hire on requirements for experience, and place less emphasis on the ability of a person using Nessus on Lexus (for example), and you can attract digital folks who have competencies,” he said.

He concluded by highlighting the digital skills to look for as:

  • Adaptability
  • Business acumen
  • Digital dexterity
  • Outcome driven
  • Collaboration/synergy 

“Develop one strategy for security and align it to the organization,” Olyaei said, adding that the “more you invest in training, the longer the staff stay.”

Categories: Cyber Risk News

Hackers Steal $4.2m from State Troopers' Pension Fund

Mon, 09/09/2019 - 15:31

Cyber-thieves targeting a pension fund for law enforcement officers employed by the state of Oklahoma have made off with $4.2 million.

The money was stolen from a fund of more than $1 billion set aside to pay pensions and benefits to around 1,500 retired highway troopers, park rangers, state agents, and other law enforcement officers. 

The theft occurred on August 26, 2019, when the perpetrators managed to hack into the email account of an investment manager working on behalf of the Oklahoma Law Enforcement Retirement System (OLERS) agency. A separate pension fund managed by the Oklahoma Police Pension and Retirement System (OPPRS) was not affected.

In a statement posted to their website ten days after the theft occurred, OLERS declared that "no pension benefits to members or beneficiaries have been impacted or put at risk," and that "all benefits will continue to be paid in a timely fashion as always." 

An investigation into the crime has been launched by the FBI, and attempts are being made to recover the stolen money. OLERS is extremely confident regarding the outcome of such efforts, stating on their website, "We are certain the stolen funds will be recovered."  

OLERS executive director Duane Michael told The Oklahoman newspaper on Thursday that $477,000 has been retrieved so far. 

Retired state trooper and president of OLERS Roy Rogers added that the agency’s insurance will cover the loss if the funds cannot be recovered in full. 

In a bid to prevent the re-occurrence of such a crime, employees at the agency are receiving cybersecurity training. 

The individual whose email account was compromised by hackers will remain in their position, with the agency taking the view that such incidents are now an unfortunate part of daily life. 

Rogers said of cybercrime, "It happens every day. It can happen to an individual. It can happen to a state. It can happen to a company . . . this kind of crime has just got rampant."

A similar crime took place in 2016, when hackers stole $100,000 from a Pennsylvania borough's police pension fund. And in Iowa in 2017, hackers stole the identities of more than 100 retired public employees to illegally claim their pension payments.

Categories: Cyber Risk News

#GartnerSEC: Trends and 'Mega Trends' Include Cloud, Passwords and Business Strategies

Mon, 09/09/2019 - 14:10

Trends and 'mega trends' for 2019 and the future include cloud delivery, business strategy and communication and the continued battle with passwords as a form of authentication.

Speaking at the Gartner Security and Risk Management Summit in London, Peter Firstbrook, VP analyst at Gartner, said that the “controls of security are shifting, and the focus needs to shift to new forms of controls.”

Firstbrook said the mega trends of the next 10 years will be:

  • The skills gap is real and growing, as the reality is, it is hard to find qualified security professionals
  • Regulations and privacy concerns are not going away
  • Cloud application scale and complexity will continue to grow, as organizations move to the cloud and complexity increases with more use of containers, APIs and virtualization
  • Attackers are showing no signs of letting up, and their “creativity” continues to increase

Firstbrook said that all of these mega trends are external “and beyond your control,” and all have to be accommodated. The internal mega trends, he said, include: realizing that “perfect is not possible” and adapting to that concept when planning to detect and respond; accepting that cloud delivery is here for security services; and recognizing that communication is key, especially as security talks the language of the business and helps it understand the choices for resolving risks.

For the overall 2019 trends, Firstbrook identified seven major trends:

Fusion of products and services: He said that some MSSPs are now “OEM’ing” other security products, and he encouraged anyone using managed services to determine how easy those products are to use.

Cloud center of excellence: He recommended establishing a chief cloud architect to take responsibility for cloud, and investing in new tools like Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP) and Cloud Access Security Broker (CASB): “and this is key going forward, and you need to invest in them now.”

Data security governance framework: To better manage data controls, Firstbrook said that organizations invested in tools like data loss prevention and tokenization, but did not get the best value from them and didn’t start with the business environment in mind.

Dawn of passwordless authentication: Firstbrook said that organizations are now getting rid of passwords, and the Microsoft CTO has recently pledged to get rid of them. With 35% of smartphones now having some sort of biometric authentication on them, and options like tokens from Duo and Yubico, there is an alternative.

SOCs and Correlated alerts: Firstbrook said that businesses are not getting value from SOCs, and he could see EDR “become the SIEM of record.” He also said that he sees companies like Microsoft, Cisco, Fortinet and Palo Alto Networks all invest in incident response tools for their own products. “In the new SOC, think of new ways to implement,” he said.

CARTA (Continuous Adaptive Risk and Trust Assessment) Proliferates: Launched a couple of years ago by Gartner, Firstbrook said that this is accepting that you do not have perfect authentication and defenses, and acknowledging that you will get infected by an authenticated person “who are not who they say they are.” He said that this is proliferating into tools and into network intrusion software.

Risk appetite statements emerge: The final trend was for business stakeholders to create a mission statement that allows them to establish a view of risk, getting everyone to understand and agree with the team on what it is, and having a conversation with execs on what risks they are and are not willing to take.

Categories: Cyber Risk News

#GartnerSEC: Have a Future Vision to Survive in a Digital Society

Mon, 09/09/2019 - 13:00

As the digital society evolves, security and risk management can keep up if they have a suitable vision.

Speaking at the Gartner Security and Risk Management Summit in London, Tom Scholtz, distinguished VP analyst at Gartner, said that while “digital society is evolving” it is “adding complexity to challenges.” Scholtz added that those organizations that differentiate will be those that innovate.

While he admitted that “no one has all of the answers” on how to deal with the challenging digital environment, good practices have evolved and the implications are now around: pervasive connectivity, critical context, variable trust and reputable identity in the digital era. 

Scholtz said that those companies who are succeeding are those “who have a view of where they are going” and have both adaptive governance and infrastructure.

He argued that the most important part of effective governance in the digital world is to establish the path of accountability, and to determine who is responsible for protecting resources. “It doesn’t rest with the CISO,” he said, “but it may rest with the CIO and most organizations will have a shared infrastructure and information, and if you cannot identify the business owner, the CIO becomes the proxy owner of the business.”

In order to establish governance, Scholtz said that this comes down to deciding your acceptable risk, enabling risk control and assuring control effectiveness to define your risk appetite. “This is about owning accountability,” he said. “In the digital world, focus less on policies and more on principles to guide controls and to be more effective.”

He recommended anticipating the disruptors of:

  • Blockchain
  • AI and machine learning
  • Hybrid delivery models
  • Skills shortage
  • IoT and OT
  • Quantum computing
  • Robotic process automation

“Adopt the drivers that are right for your organization, and [know] the main threats and vulnerabilities to your infrastructure,” he said. He added that if you know what your business is doing and what the CIO is doing, this will influence your vision and enable you to identify your current state. 

“At a minimum, do a vulnerability assessment and maturity assessment, and prioritize the gaps and analyze and execute on it,” he concluded.

Categories: Cyber Risk News

#GartnerSEC: How to Make Automation Decisions for Security

Mon, 09/09/2019 - 11:45

The annual European Gartner Security and Risk Management Summit opened with the topic of how to use automation techniques and make risk and security decisions that are suitable for your business.

In a keynote address, Gartner analysts Nader Henein, David Mahdi and Katell Thielemann talked of the firm's new “Automation Continuum” linear scale, which Thielemann, a VP analyst, said would help “apply automation choices.”

Opening the keynote, she said that one word to describe global forces is “uncertainty” in geo-politics, economics and business models. 

She added that “just as automation is at the heart of digital transformation,” it should be at the center of security and risk management, as it can enable access to a wide spectrum of capabilities.

Senior director analyst David Mahdi said that “automation is not binary” and security professionals should look for “augmented security” as this leverages machine learning to support decisions and take actions. “It involves humans and machines working together to improve security decision making,” he argued.

Mahdi also said that the concept of Security Orchestration, Automation and Response is “gaining traction in the market” but the “reality is products don’t have enterprise grade APIs” so he called on delegates to demand this going forward, “and unlock the opportunity as we move toward integrated automation.”

He also acknowledged the risks in automation, such as if a misconfiguration in cloud could be replicated “adding a nightmare for you and a goldmine for attackers.”

Nader Henein, senior director analyst, concluded by saying that Gartner “sees hundreds of examples where the Automation Continuum can be used to make decisions,” and that automation is especially prevalent in DevSecOps.

Thielemann said that there are “downsides of hype versus reality,” and that is why it is important to make good decisions on automation, which the Continuum can help with.

Categories: Cyber Risk News

Pupils Flagged as Cyber Threat to UK Schools

Mon, 09/09/2019 - 10:50

Over four-fifths of UK schools have experienced at least one cybersecurity incident, with the insider threat from pupils surprisingly high, according to a new government report.

The National Cyber Security Centre (NCSC) and schools trust the London Grid for Learning (LGfL) teamed up to poll over 430 schools across the entire UK.

They found that 83% had suffered a security incident, although only a tiny 8% claimed it had been significantly disrupted by one.

Phishing was most common, with 69% of respondents claiming to have suffered an attack, while nearly a third (30%) said their school had been infected by malware.

Interestingly, over a fifth (21%) reported unauthorized use of computers, networks or servers by pupils — twice the number (11%) who claimed the same abuse of school IT systems by staff.

The report warned that such activity could put schools at risk of GDPR non-compliance, adding that schools were only aware of online leaks of confidential data in 3% of cases.

Despite the vast majority of respondents claiming to have in place best practice protections such as AV (98%), firewalls (99%), data back-ups (96%) and regular patching (95%), and 85% claiming to have a cybersecurity plan/policy, less than half (49%) said they were confident about dealing with a possible cyber-attack.

What’s more, only 45% include core IT services in their risk register and only 41% have a business continuity plan.

That’s despite nearly all schools (97%) admitting that losing access to network-connected IT services would cause considerable disruption.

There also appears to be a security gap in terms of staff cyber awareness, with just a third (35%) of respondents saying they train non-IT staff in security: 92% said they’d welcome such efforts.

“Budgets are tight, the curriculum is squeezed, and school is all about keeping children safe and providing the best-possible education. So you won’t often hear schools talking about their cyber security preparedness,” argued LGfL safeguarding & cybersecurity manager, Mark Bentley.

“Whilst it was hospitals rather than schools which suffered major disruption from the WannaCry virus, schools are just as likely as any organization to face DDoS and phishing attacks.”

Categories: Cyber Risk News

DDoS Attack Forces Wikipedia Offline

Mon, 09/09/2019 - 09:45

Wikipedia was forced offline in several countries over the weekend after a coordinated DDoS attack.

A statement from the Wikimedia Foundation on Saturday claimed the company’s Site Reliability Engineering team was working flat out to stop the attack and restore services to customers.

“As one of the world’s most popular sites, Wikipedia sometimes attracts ‘bad faith’ actors. Along with the rest of the web, we operate in an increasingly sophisticated and complex environment where threats are continuously evolving,” it said.

“Because of this, the Wikimedia communities and Wikimedia Foundation have created dedicated systems and staff to regularly monitor and address risks. If a problem occurs, we learn, we improve, and we prepare to be better for next time.”

Reports of problems with accessing the popular site started to roll in at around 19:00 BST on Friday, spiking again at around 21:00 and then again in the early hours of Saturday morning.

Judging by the comments, a wide range of countries were affected including Italy, Norway, the UK, Germany, Egypt, Belarus, Russia, Greece and Saudi Arabia.

“We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information,” noted the statement. “We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone.”

Although there has been no official follow-up statement, it appears as if the site was up and running as normal again in the UK, as of Monday morning.

Marc Wilczek, COO of Link11, argued that average attack bandwidth soared 97% year-on-year in Q2 2019, to 6.6Gbps, while peak attack volumes increased 25% to nearly 200Gbps — enough to overwhelm any online operation.

“With DDoS-for-hire services offering attacks of between 10 and 100Gbps to anyone for a modest fee, businesses that rely on their web presence need to deploy DDoS protection solutions that block attacks in the cloud, so that their critical online services can continue to operate without being disrupted,” he added.

Want to learn more about all things information security? Register for the upcoming Infosecurity Magazine Online Summit here!

Categories: Cyber Risk News

Monster Defends Data Leak Response

Mon, 09/09/2019 - 08:52

Sensitive personal data uploaded to a popular recruitment site has been found exposed on an unsecured web server after a third-party client failed to keep it secure.

Reports emerged late last week that résumés and other documents belonging to an undisclosed number of job-seekers were found unprotected on the internet by a security researcher: the latest in a long line of privacy snafus.

However, although some were identified as having been posted to Monster, the jobs site clarified that the issue was actually the fault of one of its customers.

“We alerted the customer and the customer immediately resolved the issue,” said the firm’s chief privacy officer, Michael Jones, in a statement sent to Infosecurity. “As a result of this incident, we have terminated the customer’s contract.”

He went on to explain why Monster should not be held responsible for the incident.

“We understand that people are concerned about data breaches and the discomfort they bring. For that reason, breach notifications require identifying the individuals and data that were affected, identifying the cause of the breach, and describing actions taken to prevent future breaches,” the statement continued.

“As the exposure occurred on a customer system, and involved customer data obtained from multiple sources, we were not able to identify affected individuals or affected information.”

The GDPR was designed in part to create more clarity on such issues of accountability and transparency, although it’s not clear whether any of those individuals affected were EU citizens.

“This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history and résumés/CVs on these types of sites, we should assume that organizations are going to collect them as they review and use them for job considerations,” argued Erich Kron, security awareness advocate for KnowBe4.

“Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address.”

Monster’s Jones claimed user privacy is one of the firm’s top priorities.

“To that end, Monster actively discourages candidates and job seekers from sharing information they consider sensitive,” he concluded.

It could be argued that even innocuous-seeming information on a CV or résumé could be used by crafty hackers to phish candidates for more info.


Categories: Cyber Risk News