In tests that imitated the actions of hackers by sending emails to employees with links to websites, password entry forms and attachments, 17% of the messages would have led to a compromise of the employee's workstation and, ultimately, the entire corporate infrastructure if they had been real.
In total, 3,332 messages were sent by cybersecurity firm Positive Technologies. The most effective method of social engineering turned out to be phishing emails: More than a quarter (27%) of recipients clicked the link, which led to a special website. Users often glance over or ignore the address, leaving them unaware that they are visiting a fake website.
“To make the emails more effective, attackers may combine different methods: A single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies. “Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password.”
Employees often open unknown files, click suspicious links and even correspond with attackers. In 88% of cases of such correspondence, these overly trusting employees worked outside of IT (such as accountants, lawyers and managers). One quarter of these employees were team supervisors. However, 3% of security professionals fell for the bait as well.
Furthermore, occasionally users complained that the malicious files or links would not open – in some cases trying to open the files or enter their password on the site as many as 30 to 40 times. When employees were unable to open a file right away, often they forwarded it to the IT department for assistance. This increases the risks further still, since IT staff are likely to trust their colleagues and run the "broken" file. On occasion, the recipients responded that they were not the intended recipient and instead offered the name of another person at the company.
Sending messages from fake companies is an increasingly ineffective tactic (causing only 11% of risky actions), but sending messages from the account of a real company and person increases the odds of success considerably (to 33%).
“Attackers take advantage of fear, greed, hope, excitement, or any other imaginable emotion to trick recipients into ignoring their better judgment,” the company said in its report. “The subject is often the reason that compels an employee to open a letter, click a link, or download and run a file.” Subject lines carrying the most risk include those that mention a firing (38%) and those that mention bonuses (25%).
Email is not the only method in the social engineering toolbox. Criminals often call employees by phone, claiming to be from technical support, and request a certain action or information from the employee. This could be a phone call early Sunday morning asking the employee to come to the office, for example. The criminal tells the irritated employee that everything can actually be fixed and there is no need to come in – as long as the employee gives his or her password over the phone.
Also, 71% of employees replied to messages on Facebook during pentesting, and 21% opened the link included in the message.
“To reduce the risk of successful social engineering attacks, it is important to hold regular trainings and test how well each employee follows security principles in practice. Whilst people are often the weakest link in your organization, businesses can benefit a lot by fostering a security-positive culture,” said Galloway.
Scammers are intercepting debit cards through the mail in order to steal the card chips as part of an elaborate fraud scheme bent on draining the bank accounts of large corporations.
According to a letter obtained by independent security researcher Brian Krebs, the US Secret Service told various banks that the crooks are swapping the chips from corporate-issued debit cards with old chips and then sending the tampered cards on to the companies. They then install the new chips on old cards, and when the company activates the card, the chip in the criminal’s possession is turned on, giving them access to business bank accounts.
The payment card sent to the company is inoperable because of the old chip, so there’s only a small window of time that the crooks can carry out their activities before the companies notice a problem.
“The reason the crooks don’t just use the debit cards when intercepting them via the mail is that they need the cards to be activated first, and presumably they lack the privileged information needed to do that. So, they change out the chip and send the card on to the legitimate account holder and then wait for it to be activated,” Krebs explained.
It’s unclear how the fraudsters are able to intercept the mail; Krebs postulated that the letter carriers or other postal employees are accomplices or that the thieves are stealing the letters directly from corporate mailboxes.
“Either way, this alert shows the extent to which some thieves will go to target high-value customers,” Krebs noted.
The European General Data Protection Regulation (GDPR) represents the biggest change to the EU’s privacy laws in almost a generation.
However, despite it being ratified two years ago, there appear to be major compliance problems ahead of the May 25 deadline.
Privacy site vpnMentor analyzed 100 websites in each EU member state using the popular MailChimp email marketing service. Any firm using this platform would have to comply with the GDPR’s strict new rules governing privacy policies, it said.
From the end of May, organizations will be required to be much more open and honest with users about how their data is collected and what it is used for, and the new policy must reflect this in clear English.
Unfortunately, just 34% of websites across the EU are compliant at present, with the figure falling to 31% in the UK.
Germany (67%), Austria (59%), Italy (51%), Cyprus (50%) and Malta (50%) topped the list of most compliant websites.
UK government research from earlier this year claimed that just 38% of businesses had even heard of the new regulation.
Fines of up to £17m, or 4% of global annual turnover, could realistically be levied by regulators for serious infractions, although the information commissioner has said that such fines won’t be the norm, and it won’t be looking to punish early on.
Malwarebytes spotted an increase in Android crypto-miners of 4000% in the first three months of 2018, contributing to total consumer detections of around 16 million by March, with businesses seeing more modest infections.
The security vendor’s Cybercrime Tactics and Techniques report for Q1 2018 revealed a similar pattern to other analysis, with crypto-jacking increasingly favored by cyber-criminals instead of ransomware.
To that end, consumer-focused ransomware was down 35% from the previous quarter to sixth spot in terms of top threats.
Crypto-mining has also hit businesses hard, with a 27% increase over Q4 2017. Although a quarterly peak of 550,000 detections in February fell well below the kind of stats seen in the consumer space, crypto-mining within organizations can have a major impact on resources, slowing down business processes, impacting productivity, increasing energy costs and damaging compliance efforts.
Infections could also lead to more serious repercussions, including information theft, ransomware and system hijacking.
“From January 1 to June 24, 2017, our sensors detected 4,894 bitcoin miners that triggered over 460,259 bitcoin-mining activities, and found that more than 20% of these miners also triggered web and network-based attacks,” claimed Trend Micro.
Despite the increase in crypto-mining activity, the number one threat for consumers remained adware, whilst in the business sphere it was spyware — although both appear to be on the wane.
Malwarebytes also noted that online scammers are looking to jump on media coverage of failed Spectre and Meltdown patches to spread malware.
There have been sightings of phishing emails spoofed to come from trusted sources with links to ‘legitimate’ patches, which in reality led only to malware.
Coinbase-themed tech support scams were also increasingly seen targeting customers’ wallet credentials, using fake Twitter accounts and blackhat SEO to lure victims in.
Twitter’s announcement at the end of March that it would be banning crypto-currency ads will help cut down on fraud in the space, but the problem of fake accounts continues to plague the company.
Russian government hackers flagged in March for targeting US critical national infrastructure (CNI) are abusing a Cisco protocol known to have been vulnerable for over a year, the vendor has revealed.
The “protocol misuse” issue in Cisco’s Smart Install Client was first detailed in February 2017, when Cisco warned that it had detected parties scanning for unsecured versions of the legacy utility, which allows for speedy installation of switches.
Despite releasing tools to help firms find devices using the protocol and attempts to abuse it, Cisco revealed last week that 168,000 systems are still potentially exposed.
“The Cisco Smart Install protocol can be abused to modify the TFTP server setting, exfiltrate configuration files via TFTP, modify the configuration file, replace the IOS image, and set up accounts, allowing for the execution of IOS commands,” explained Cisco Talos outreach engineer, Nick Biasini.
“Although this is not a vulnerability in the classic sense, the misuse of this protocol is an attack vector that should be mitigated immediately. Throughout the end of 2017 and early 2018, Talos has observed attackers trying to scan clients using this vulnerability. Recent information has increased the urgency of this issue.”
Cisco said some of the attackers looking to abuse the protocol were nation-state Kremlin hackers linked to attacks on the US energy sector in March.
However, according to Kaspersky Lab, the campaign “is mostly targeting the Russian-speaking segment of the internet,” with attackers leaving a message that reads: “Do not mess with our elections” on affected machines.
Talos claimed to have seen a sharp increase in scanning for Cisco Smart Install Clients on or around November 9, 2017.
As if that weren’t enough, Cisco was also forced to patch a publicly disclosed critical vulnerability in the same protocol, revealed at the end of March. It urged organizations to address both issues at the same time.
A cryptocurrency miner Trojan that goes by the name Raróg (a fire demon that originates in Slavic mythology) continues to proliferate, mining unsuspecting victim machines for Monero and other virtual currencies. Its most unusual characteristic is how cheap it is.
Palo Alto Networks’ Unit 42 researchers, which have been following Raróg for months, said that to date, there are roughly 2,500 unique samples in the wild, connecting to 161 different command-and-control (C&C) servers. The firm has confirmed more than 166,000 Raróg-related infections worldwide, mostly in the Philippines, Russia and Indonesia.
Interestingly, the Trojan comes equipped with a number of features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices and the ability to load additional dynamic-link libraries (DLLs) on the victim. In addition to coin mining, Raróg also employs a number of botnet techniques, including the ability to download and execute other malware, levying distributed denial-of-service (DDoS) attacks against others and updating the Trojan, to name a few.
Despite all this, Raróg provides an affordable way for new criminals to get into the game. Available on various Russian-speaking criminal underground sites, it sells for just $104 at today’s exchange rates.
“The Rarog malware family represents a continued trend toward the use of cryptocurrency miners and their demand on the criminal underground,” the researchers said in a blog. “While not incredibly sophisticated, Rarog provides an easy entry for many criminals into running a cryptocurrency mining botnet. The malware has remained relatively unknown for the past nine months barring a few exceptions. As the value of various cryptocurrencies continues to remain high, it is likely that we’ll continue to see additional malware families with mining functionality surface.”
More than 20% of open-source serverless applications contain critical security vulnerabilities, according to an audit by PureSec.
An evaluation of 1,000 open-source serverless projects revealed that 21% of them contained one or more critical vulnerabilities or misconfigurations, which could allow attackers to manipulate the application and perform various malicious actions. About 6% of the projects even had application secrets, such as application programming interface (API) keys or credentials, posted in their publicly accessible code repositories.
According to the audit, most vulnerabilities and weaknesses were caused by poor development practices, lack of serverless security education and the copying and pasting of insecure sample code into real-world projects.
"The results of PureSec's audit are jarring but not surprising, as organizations adjust to the unique challenges of serverless application security," said Ory Segal, PureSec CTO and co-founder. "The traditional models of application security and cloud workload protection solutions aren't effective for serverless architectures.”
Responsibility for the security of the serverless infrastructure, such as physical security, network security or operating system patches, falls on the serverless provider. The application owner, however, is still completely responsible for application logic, code, data and application-layer configurations, ensuring they are secure, hardened and able to withstand attacks.
The percentage of vulnerabilities discovered was consistent across runtime languages. With the choice of runtime ruled out as a factor, human error was left as the cause for the vulnerabilities. DotNet runtimes were the exception. Those projects experienced significantly higher levels of vulnerabilities.
“The core concept of functions-as-a-service (FaaS), or serverless functions, is to define an API for consumption,” explained Tim Mackey, technical evangelist for Black Duck. “These APIs can provide basic services intended for integration into a larger application. By decoupling the API from the core business logic, security paradigms which would normally apply to a discrete application at a higher level now need to be implemented in the API function.”
For example, a discrete user-facing application will often implement its input sanitization routines at the point of user input. The sanitized data is then freely manipulated within the application to return a result to the end user. If those internal data manipulation routines are broken out to become discrete API services, the input sanitization rules could easily be omitted when the API is refactored.
“The net result being unexpected data could be presented to the function – with correspondingly unexpected results,” Mackey added. “If that API function proves valuable to others, those new consumers may not be aware of the lack of input sanitization and the associated security risks.”
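As an added illustration of the refactoring risk Mackey describes (example code written here, not PureSec's or Mackey's): a Python FaaS-style handler that inherits an internal prefix-lookup routine from a monolith without the form-level validation that used to run in front of it, beside a version that validates at the function boundary. The handler names, the event shape and the account data are constructed for the example.

```python
import json
import re

# Constructed sample data standing in for the application's backend.
ACCOUNTS = {
    "ACC-1001": {"owner": "alice", "balance": 250.0},
    "ACC-1002": {"owner": "bob", "balance": 17.5},
    "ACC-2001": {"owner": "carol", "balance": 9800.0},
}

# The shape the monolith's web form enforced before calling into the backend.
ACCOUNT_ID_RE = re.compile(r"\AACC-\d{4}\Z")


def find_accounts(id_prefix):
    """Internal routine carried over from the monolith. There it only ever
    received a full, form-validated account id, so prefix matching was
    harmless; it has no validation of its own."""
    return {k: v for k, v in ACCOUNTS.items() if k.startswith(id_prefix)}


def handler_as_refactored(event):
    """Function broken out 1:1 from the monolith: it inherits the routine
    but not the form-level check that used to sit in front of it."""
    body = json.loads(event.get("body") or "{}")
    # Whatever the caller sent reaches the internal routine unchanged.
    matches = find_accounts(body.get("account_id", ""))
    return {"statusCode": 200, "body": json.dumps(matches)}


def handler_hardened(event):
    """Same function with the validation moved to the API boundary, so the
    function no longer depends on a caller having sanitized the input."""
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"error": "malformed JSON"})}
    account_id = body.get("account_id")
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.match(account_id):
        return {"statusCode": 400, "body": json.dumps({"error": "invalid account_id"})}
    # The regex guarantees a complete id, so the prefix routine can only
    # match that single account.
    matches = find_accounts(account_id)
    return {"statusCode": 200, "body": json.dumps(matches)}


def accounts_disclosed(response):
    """Number of accounts a handler response reveals (0 for a rejection)."""
    if response["statusCode"] != 200:
        return 0
    return len(json.loads(response["body"]))


if __name__ == "__main__":
    full_id = {"body": json.dumps({"account_id": "ACC-1001"})}
    bare_prefix = {"body": json.dumps({"account_id": "ACC-"})}
    for name, handler in (("refactored", handler_as_refactored),
                          ("hardened", handler_hardened)):
        print(name, accounts_disclosed(handler(full_id)),
              accounts_disclosed(handler(bare_prefix)))
```

With a full id both handlers return one account; with a bare prefix the refactored handler discloses every account, while the hardened one rejects the request.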
Also, the risk potentially exists in any API – regardless of whether it’s considered serverless, he added.
“Application owners should pay attention to any API they consume and assume that without independent validation any number of security issues may be present,” Mackey said. “In addition to the security nature of API execution, recent media coverage of data breaches also demonstrates that anyone consuming an API should be aware of how any data presented will be used and potentially stored.”
Big-box electronics retailer Best Buy has joined Sears, Sears subsidiary Kmart and Delta Airlines in having customer payment information exposed.
The culprit is a cybersecurity breach at third-party software provider 7.ai, which provides online automated chat and other customer support functions. The breach affected users processed through its platform starting on 26 September 2017; the issue persisted until its discovery on 12 October 2017. Yesterday it came to light that Sears, Kmart and Delta were affected. Like those companies, Best Buy is still assessing the extent of the damage.
“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this 7.ai incident, whether or not they used the chat function,” Best Buy said in a statement.
As we reported, it’s unclear if additional clients are also affected, but the issue has the potential to be far reaching. The company said itself that the “world's largest and most recognizable brands are using intent-driven engagement from 7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated.”
"Similar to the 2014 Home Depot and Target incidents, this cyber-attack on one part of a software supply chain had direct consequences for others down the line,” said Sammy Migues, principal scientist at Synopsys, via email. “Even if the attackers were solely targeting 7.ai, the attack had direct consequences for their downstream clients. Incidents where the initial entry point is with a third-party supplier rather than the ultimate victim are becoming all too common.”
Security experts are warning that an IoT botnet has been targeting the financial services sector with DDoS attacks, in what they believe is the first such campaign since Mirai.
The botnet, which has been linked to IoTroop/Reaper, is similar to Mirai in being comprised of a large number of unsecured home routers, TVs, DVRs, and IP cameras.
The linked malware can exploit a dozen vulnerabilities in these consumer-grade devices to hijack and conscript them, and is capable of being updated as new flaws are discovered, according to Recorded Future.
Targeted manufacturers include TP-Link, Avtech, MikroTik, Linksys, Synology and GoAhead.
IoTroop is particularly dangerous in that it was built using the flexible Lua engine, so its code can be updated on the fly, meaning existing botnets can run new attacks as soon as they’re available, the report said.
The new DDoS campaign hit three financial institutions in January, using at least 13,000 compromised devices and peaking at 30Gb/s.
The spread of device manufacturers indicates a rapidly evolving botnet which can take advantage of newly discovered vulnerabilities in IoT devices, the report claimed.
“Our analysis shows that the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers, with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers, to routers from Ubiquiti, Cisco, and ZyXEL,” it added.
“We also discovered webcams, TVs, and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquiti, Linksys, TP-Link, and Dahua.”
It’s not just consumer devices that are at risk of compromise here. A new study this week claimed that 2.7m UK businesses may be exposing themselves by not updating passwords or security patches on IoT endpoints.
“These attacks highlight the ongoing threat of DDoS to the financial sector from continuously evolving botnets,” said Recorded Future. “The similarity in device composition with the IoTroop/Reaper botnet suggests IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector.”
At any one time the world’s connected hospitals could be running as many as 80,000 exposed devices, putting hospital operations, data privacy and patient health at risk, according to Trend Micro.
The security giant’s latest report, Securing Connected Hospitals, claimed medical devices, databases, digital imaging systems, admin consoles, protocols, industrial controllers and systems software have significantly increased the average provider’s attack surface.
This puts them at risk of DDoS, ransomware attack and data theft. The report used the DREAD threat assessment model to find that DDoS is actually the biggest risk, followed by ransomware.
The latter has impacted hospitals worldwide, particularly NHS Trusts, which were severely affected by the WannaCry attack of 2017.
Senior threat researchers and report authors Numaan Huq and Mayra Rosario Fuentes claimed that hospital cybersecurity may be lacking because of several reasons.
These include: a lack of dedicated IT security staff, limited budgets, outdated diagnostic equipment that can’t be taken offline to patch, and large numbers of mobile workers who need seamless access to systems.
The report also claimed that hospital supply chains are increasingly opening them up to cyber-risk, with 30% of breaches publicly reported to the US Department of Health and Human Services (HHS) in 2016 due to breaches of business associates and third-party vendors.
“Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity,” explained Huq and Fuentes.
“Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyber-attacks becomes a critical necessity.”
The number of records breached in publicly disclosed incidents fell by 25% in 2017, although leaks related to misconfigured cloud services soared, according to IBM.
The tech giant’s 2018 IBM X-Force Threat Intelligence Index reported that around 2.9 billion records were breached last year, down from a staggering four billion in 2016.
The firm claimed that cyber-criminals targeted more of their efforts during the 12 months on ransomware, which ended up costing victim organizations billions.
However, although there were fewer records stolen by cyber-thieves in 2017, more were exposed by human error relating to misconfigured cloud infrastructure, the report found.
There was a 424% jump in these incidents, which comprised 70% of compromised records tracked by IBM X-Force in 2017.
It’s debatable whether these incidents can be classed as ‘data breaches’ as in most cases there’s no evidence to suggest the information ended up in the wrong hands.
However, the security risk is obvious. Analysis from Digital Shadows released yesterday revealed 1.5 billion sensitive corporate records were exposed to the public internet through misconfigurations in the first three months of 2018 alone.
These included open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured websites and Network Attached Storage (NAS) drives.
Aside from misconfigured cloud infrastructure, users tricked by phishing attacks represented one-third of “inadvertent activity” that led to a security event in 2017, IBM said.
“Malware attacks, misconfigurations and user-driven attacks are going to continue to cause companies problems, despite the emphasis being on patching and updating operating systems and applications,” commented ESET security specialist, Mark James. “So many companies have to outsource so many services that it becomes very difficult to have complete control over the security of our data, when it’s being stored on someone else’s servers."
IT companies were the most attacked (33%) last year, followed by manufacturing (18%) and then financial services (17%), which is traditionally the most commonly targeted, according to IBM.
Customers of Sears, Sears subsidiary Kmart and Delta Airlines have had their customer payment information stolen, thanks to a cybersecurity breach at a software provider that they all use.
The firm, called 7.ai, provides online customer support services based on artificial intelligence and machine learning. The breach affected users processed through its platform starting on September 26, 2017; the issue persisted until its discovery on October 12, 2017. It is, however, just now notifying its customers; Sears said it wasn’t notified of the incident until mid-March, and Delta only found out on March 28. Other details are scant.
“The unknown factor is whether or not that information was encrypted, or how,” said Lee Munson, security researcher at Comparitech.com. “From an incident response point of view, it is a shame to learn [that] the attack has only now come to light, having occurred and been spotted last year, though we are, of course, unaware of when affected customers were notified.”
The department store said that hackers were able to access credit-card information of about 100,000 of its customers across Sears and Kmart. Delta didn’t provide numbers but characterized the number of affected users as a “small subset” of its customer base. The airline also said that personal details related to passport, government identification, security and SkyMiles information were not impacted.
It’s unclear if other clients are also affected, but the issue has the potential to be far-reaching. The company said itself that the “world's largest and most recognizable brands are using intent-driven engagement from 7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated.”
The issue, unlike other payment-card breaches, doesn’t involve point-of-sale malware or a network compromise at the affected companies but rather a weak link at a partner. Third-party contractors are just a fact of today’s corporate life, meaning that businesses need to be aware of the security profile of one’s technology partners.
“It’s impossible during this day and age to keep every process and operation under one roof, which introduces a myriad of security and business risk issues that are sometimes impossible to keep track of at all times," said Manoj Asnani, VP product and design, Balbix, via email. “In the case of technology firm 7.ai, it is an extremely large responsibility to hold this kind of sensitive information, which should serve as a daily reminder that this data and the systems housing it [are] your lifeblood. Rarely do enterprises have visibility into their partners’ data security practices, yet it is assumed that their respective information will be secured at all costs. This is a big miss and opportunity for change. Whether you’re an enterprise trying to secure your data or a third party managing [personally identifiable information] for someone else, it is imperative that you proactively think across all threat vectors and prioritize monitoring, security fixes and the most stringent policies based on business criticality.”
More than 1.5 billion sensitive corporate and other files are visible on the public internet due to human error.
Analysis from security firm Digital Shadows showed legions of misconfigured Amazon Web Services S3 buckets, the most high-profile issue; however, these make up only a fraction of the leakage, accounting for just 7% of exposed data.
The bigger problems are misconfigured network attached storage (NAS) devices, FTP servers and a host of other common tools that people use to back up, sync and share files. Old-school protocols and platforms like Server Message Block (SMB) (33% of visible files), rsync (28%) and FTP servers (26%) expose the vast majority of data.
The exposed files are a gold mine for criminals. The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files, respectively. However, consumers are also at risk from the exposure of 14,687 incidents of leaked contact information and 4,548 patient lists. In one instance, a large amount of point-of-sale terminal data, which included transactions, times, places and some credit-card data, was found to be publicly available.
Of all the data an organization seeks to control, intellectual property (IP) is among the most precious. Digital Shadows detected many occurrences of this confidential information. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another example includes a document containing proprietary source code that was submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing software electronic medical records (EMRs), as well as details about the copyright application.
The volume of exposed data in the study totaled 12 petabytes (12,000 terabytes). For context that's 4,000 times the size of the Panama Papers leak.
Many of the visible file caches appear to result from business partners and contractors improperly securing shared and backup copies of files. A shocking number of security assessments and penetration test reports were discovered, for instance. In addition, Digital Shadows identified consumer back-up devices that were misconfigured to be internet-facing and inadvertently making private information public.
“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” said Rick Holland, CISO at Digital Shadows.
Worryingly, Digital Shadows found that there are numerous EU/cross-border dimensions to the data, making it a rare illustration of General Data Protection Regulation (GDPR) consequences set to hit in May, if companies do not react in time.
Holland added, “The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organization. In addition, with GDPR fast approaching, there are clear regulatory implications for any organization with EU citizen data.”
A totality – a full 100% – of web applications are vulnerable to hackers.
According to Trustwave’s 2018 Global Security Report, derived from the analysis of billions of logged security and compromise events worldwide, all apps tested displayed at least one vulnerability, with 11 as the median number detected per application. A majority (85.9%) of web application vulnerabilities involved session management, allowing an attacker to eavesdrop on a user session to commandeer sensitive information.
Vulnerabilities overall have seen a sharp surge, the report found. After remaining relatively level from 2008 to 2011, a marked increase in vulnerability disclosures began in 2012, with a dramatic spike in 2017. This is in part due to the doubling of internet users over the course of a decade, Trustwave pointed out: The technically savvy, including both security researchers and criminals, are now actively looking for vulnerabilities with the latter selling corresponding exploits on the dark web to make hefty profits. More vulnerabilities of course equate to greater potential for exploitations.
The report also found that web attacks are becoming more targeted, more prevalent and much more sophisticated. Many breach incidents show signs of careful preplanning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40% of attack attempts, followed by SQL injection (SQLi) at 24%, path traversal at 7%, local file inclusion (LFI) at 4%, and distributed denial of service (DDoS) at 3%.
Meanwhile, even as cyber-defenders log improvements in such areas as detection times, bad actors are showing increased sophistication in malware obfuscation and social-engineering tactics.
On the malware front, 30% of the malware examined used obfuscation to evade detection and bypass first-line defenses, while 90% used persistence techniques so that it reloads after a reboot.
Social engineering, including phishing, tops the methods of compromise at 55%. That’s followed by malicious insiders at 13% and remote access at 9%. This indicates that the human factor remains the greatest hurdle for corporate cybersecurity teams. CEO fraud, a social engineering scam in which attackers impersonate a senior executive to get staff to authorize fraudulent money transfers, also continues to increase.
In the good-news column, the median time between intrusion and detection for compromises discovered internally dropped from 16 days in 2016 to zero days in 2017, meaning at least half of those breaches were discovered the same day they happened.
North America and retail lead in data breaches, although the number is slightly down from the previous year. The US, Canada and Mexico accounted for 43% of breaches, followed by the Asia Pacific region at 30%; Europe, Middle East and Africa (EMEA) at 23%; and Latin America at 4%. The retail sector suffered the most breach incidents at 16.7%, followed by the finance and insurance industry at 13.1% and hospitality at 11.9%.
“Our 2017 threat intelligence and investigations along with a retrospective view of the last 10 years has unequivocally exposed that cybercriminals and their attacks are becoming more methodical and organized,” said Steve Kelley, CMO at Trustwave. “As long as cybercrime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data. Security is as much a ‘people’ issue as it is a technology issue. To stay on par with determined adversaries, organizations must have access to security experts who can think and operate like an attacker while making best use of the technologies deployed.”
The long-running Spectre patching cycle took another turn this week after Intel revealed it won’t be updating all chip models affected by the critical vulnerability after all.
The chip giant claimed it won’t be patching the second Spectre variant (CVE-2017-5715) for Core 2 processors and any first-generation products that haven’t already received microcode updates.
Affected lines include: Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale and Yorkfield.
Intel said it reached its decision “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products.”
Its reasoning is three-fold: Intel believes most of these products are implemented in closed systems and therefore have limited exposure to the flaw; there is limited commercially available system software support for them; and their microarchitectures mean the variant 2 mitigation cannot practically be implemented in microcode.
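What this means in practice is that a machine in those families can at best run the kernel’s software mitigation (retpoline) and will never report the microcode-provided capabilities (IBPB, IBRS, STIBP). The check below, an added example that is neither Intel’s nor the kernel’s code, reads the spectre_v2 entry that the Linux kernel has exposed under /sys/devices/system/cpu/vulnerabilities since 4.15, together with the CPU flags in /proc/cpuinfo, and reports whether the active mitigation is microcode-backed. The status and cpuinfo strings it parses in the demo are constructed samples:

```python
"""Report whether a Linux host's Spectre v2 (CVE-2017-5715) mitigation is backed by
microcode.  Added example, not Intel or kernel code; sample strings are constructed."""
import os

SPECTRE_V2_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
CPUINFO = "/proc/cpuinfo"

# Capabilities that only appear once the microcode update is applied (the retired
# families named in the article will therefore never show them).
MICROCODE_FLAGS = ("spec_ctrl", "ibpb", "stibp", "ibrs")
MICROCODE_MITIGATIONS = ("IBPB", "IBRS", "STIBP", "Enhanced IBRS")


def parse_spectre_v2(status: str) -> dict:
    """Parse one sysfs line such as
    'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW' into its parts."""
    state, _, detail = status.strip().partition(":")
    state = state.strip()
    parts = [p.strip() for p in detail.split(",") if p.strip()]
    uses_microcode = any(p.startswith(MICROCODE_MITIGATIONS) for p in parts)
    return {
        "state": state,                     # Mitigation | Vulnerable | Not affected
        "mitigations": parts,
        "software_only": state == "Mitigation" and not uses_microcode,
        "vulnerable": state == "Vulnerable",
    }


def microcode_flags(cpuinfo_text: str) -> set:
    """Return the microcode-provided flags present on the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            present = set(line.partition(":")[2].split())
            return present & set(MICROCODE_FLAGS)
    return set()


def assess(status: str, cpuinfo_text: str) -> str:
    """One-line verdict combining the kernel's view and the CPU's advertised flags."""
    s = parse_spectre_v2(status)
    flags = microcode_flags(cpuinfo_text)
    if s["state"] == "Not affected":
        return "not affected"
    if s["vulnerable"]:
        return "VULNERABLE: no variant 2 mitigation active"
    if s["software_only"] and not flags:
        return "partial: retpoline only, microcode features absent (expected on the retired Intel families)"
    return "mitigated: kernel mitigation plus microcode features " + ",".join(sorted(flags))


def assess_host() -> str:
    """Run the check against the live host (Linux 4.15+ only)."""
    if not os.path.exists(SPECTRE_V2_SYSFS):
        return "no spectre_v2 sysfs entry: kernel too old or not Linux"
    with open(SPECTRE_V2_SYSFS) as f, open(CPUINFO) as g:
        return assess(f.read(), g.read())


if __name__ == "__main__":
    # Constructed samples: an updated host and one that only has retpoline.
    print(assess("Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
                 "flags\t\t: fpu vme sse2 spec_ctrl ibpb stibp\n"))
    print(assess("Mitigation: Full generic retpoline", "flags\t\t: fpu vme sse2\n"))
    print(assess_host())
```

A "partial" verdict on one of the listed product lines is the expected end state rather than a missing update; the practical response there is compensating controls (no untrusted code on the host, network segmentation) or replacement hardware.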
The Spectre and Meltdown flaws published at the start of the year have caused numerous problems for manufacturers trying to provide security updates.
Microsoft was forced to release an out-of-band update at the end of January that disabled the CVE-2017-5715 mitigation on Windows after Intel’s microcode update for it caused unexpected reboots. However, Redmond has since found itself in further difficulties, with one researcher claiming last month that its Meltdown fixes left Windows 7 with an even worse flaw.
New research from ServiceNow released today highlighted the importance of prompt and effective patching.
Of the hundreds of UK security professionals polled, the majority (59%) of those that were breached in the past claimed this happened because of a vulnerability for which a patch was available. Over a third of breach victims (37%) claimed they don’t even scan for flaws.
In addition, the majority (53%) claimed that hackers, using emerging technologies like AI and machine learning, are outpacing their ability to mitigate risk.
Overall, global firms are planning a 50% increase in headcount for vulnerability response, but with significant resources already devoted to patching, ServiceNow said this isn’t the answer.
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Sean Convery, vice-president and general manager, ServiceNow Security and Risk. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
The North Korean cyber-threat to the UK remains below that of Russia and China but could increase in the future, a new parliamentary Defence Committee report has claimed.
It reiterated the view that the WannaCry ransomware attack which decimated large parts of the NHS was carried out by the Kim Jong-un regime, but that the UK was not its intended target.
An estimated 19,000 operations and appointments were cancelled and 34% of NHS England Trusts were affected by the May 2017 blitz, which used a leaked NSA exploit to hit a known Windows SMB vulnerability that Microsoft had patched two months earlier but that many organizations had left unpatched.
However, the report claimed that although the UK is “not on North Korea’s priority list” currently, this could change.
The Ministry of Defence made the following warning in written evidence to the committee:
“We judge North Korea to have a relatively low threshold for use of offensive cyber capabilities. For the most part, North Korean cyber-attacks have targeted South Korea. But as international sanctions tighten, the country may place more emphasis on the money-making opportunities that these capabilities afford, thereby subverting sanctions. Any actions of governments (including the UK) or corporate entities perceived by the regime to be insulting to the regime could lead to the use of offensive cyber.”
The report also asserted that third-party countries like China are partly to blame for harboring North Korean state hackers.
Former assistant chief of the Secret Intelligence Service (MI6), Nigel Inkster, told the committee that one North Korean cyber unit has an operational base in a hotel in China, which must be known to the authorities.
The Defence Committee concluded with a word of caution.
“It is likely that North Korea has already successfully attacked the UK with the WannaCry ransomware, although we agree with the government that the UK was probably not intended to be the principal target,” it said.
“Nevertheless, the WannaCry attack highlighted basic vulnerabilities in UK information technology systems. With North Korea unconcerned by who gets hurt when it lashes out, the UK will continue to be at risk from North Korean cyber-attacks.”
The fallout from the Facebook-Cambridge Analytica scandal continued this week as the social network revised up previous estimates on how many user accounts may have been affected – by over 30 million.
Facebook believes data from 87 million accounts was shared with the controversial political consultancy, breaking its terms of service at the time.
The previous estimate, from whistleblower Christopher Wylie, had put the figure at around 50 million. The data was harvested through the thisisyourdigitallife app, whose developer, a Cambridge University professor, improperly shared it with Cambridge Analytica.
Around 1.1 million of the users were UK-based, an important figure when one considers that Cambridge Analytica was employed by at least one group to target voters in the EU referendum with political ads urging them to vote ‘leave’.
It’s still not clear exactly how many Facebook accounts were used by the consultancy, which tweeted that it only received data on 30 million users.
Tripwire security researcher, Craig Young, claimed the incident should be a cautionary tale for netizens that click before reading online T&Cs when signing up to new apps.
“Unfortunately, data privacy is a lot like oral hygiene, everyone knows they should pay attention to it but in practice people tend to neglect it,” he added.
“Many Facebook users are naturally upset about this situation, but in the end the moral of the story here is that people need to be more considerate about what data they are sharing and with whom.”
The revelations were part of a move by Facebook to improve transparency and accountability in light of the scandal. The firm’s CEO Mark Zuckerberg took the rare step of hosting a press conference and Q&A with reporters, ahead of a grilling on Capitol Hill next week.
"Today, given what we know... I think we understand that we need to take a broader view of our responsibility," he said, according to the BBC.
"That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well."
In its bid to win back trust, Facebook has launched a range of new features designed to offer greater transparency to users around what apps they’re using, and more controls to protect their privacy.
Zuckerberg also promised to make “all the same controls” the firm is rolling out for the GDPR available in every part of the world.
However, the social network reportedly admitted yet another potential problem yesterday: a feature that let users search for each other by typing in an email address or phone number may have been abused by malicious actors to scrape public profile information at scale.
Half of cyber-pros believe they’re losing the war against the bad guys: 46% of those surveyed by security giant McAfee believe that in the next year they will either struggle to deal with the increase of cyber-threats or that it will be impossible to defend against them.
According to McAfee’s report, Winning the Game, this is mainly due to a lack of skills and talent. Most organizations (84%) admit it is difficult to attract cyber-professionals, and 31% say they do not actively do anything to attract new talent. Retention is an issue as well, with 52% reporting full staff turnover annually. Only a third (35%) of the pros themselves said they are extremely satisfied in their current jobs, and nearly all (89%) would consider leaving their roles if offered the right types of incentives.
This comes as organizations also report needing to increase their security staff by 24% to adequately manage cyber-threats.
“With cybersecurity breaches being the norm for organizations, we have to create a workplace that empowers cybersecurity responders to do their best work,” said Grant Bourzikas, chief information security officer at McAfee. “Consider that nearly a quarter of respondents say that to do their job well they need to increase their teams by a quarter. Keeping our workforce engaged, educated and satisfied at work is critical to ensuring organizations do not increase complexity in the already high-stakes game against cybercrime.”
To solve the challenge, the report, which surveyed 300 senior security managers and 650 security professionals in public- and private-sector organizations with 500 or more employees in the US, UK, Germany, France, Singapore, Australia and Japan, concludes that companies have to prioritize automation in the security operations center (SOC). A majority of respondents (81%) believe cybersecurity would be more successful if greater automation were implemented.
Ironically, 32% of those not investing in automation say it is due to lack of in-house skills.
Businesses can also explore a new pool of potential employees – gamers – to fill the skills gap, and they can invest in employee training via gamification; a full 72% of respondents agree that hiring experienced video gamers into the IT department seems like a good idea. Nearly all (92%) respondents believe that gaming affords players experience and skills critical to cybersecurity threat hunting: logic, perseverance, an understanding of how to approach adversaries and a fresh outlook compared to traditional cybersecurity hires.
Three-quarters of senior managers say they would consider hiring a gamer even if that person had no specific cybersecurity training or experience; and more than three-quarters (78%) of respondents say the current generation entering the workforce, who have been raised playing video games, are stronger candidates for cybersecurity roles than traditional hires.
Meanwhile, gamification, the concept of applying elements of game playing to nongame activities, is growing in importance. Within organizations that hold gamification exercises like hackathons, capture the flag, red team–blue team or bug-bounty programs, 96% report seeing benefits. In fact, respondents who report they are extremely satisfied with their jobs are most likely to work for an organization that runs games or competitions multiple times per year.
More than half (57%) report that using games increases awareness and IT staff knowledge of how breaches can occur, while 43% say gamification enforces a teamwork culture needed for quick and effective cybersecurity. Further, 77% of senior managers agree that their organization would be safer if they leveraged more gamification.
About 2.7 million businesses in the UK are leaving themselves vulnerable to internet of things (IoT) hacks.
ForeScout worked with CensusWide to conduct an independent survey of 500 CIOs and IT decision-makers to see how prepared they are for IoT cybersecurity, and the results were concerning: 47% admitted to not updating default passwords on all IoT devices when they are added to corporate networks, and 15% admitted to not keeping security patches up to date.
With 5.7 million registered businesses in the UK, that 47% translates to nearly 2.7 million businesses still leaving an obvious vulnerability in their systems for bad actors to exploit.
Making matters worse, UK businesses have a blind spot when it comes to the number of devices connected to their network. Only 54% of respondents had total confidence that they have full visibility and can identify every device on their network.
The visibility challenge for business is only set to increase, with 40% of respondents stating that they are planning to increase their operational technology (OT) spend on connected devices. However, 72% of IT managers are concerned about the security implications of adding additional OT devices to their company's network.
“The convergence between IT and OT is where businesses are looking to drive some major efficiency gains in 2018, but it makes the challenge of knowing exactly what devices are on your network that much harder,” explained Myles Bray, vice president of EMEA at ForeScout. “IoT has expanded the attack surface considerably for all firms, and without basic security hygiene it is easy for bad actors to gain a foothold and then move laterally on a network to reach high-value assets and cause business disruption. With GDPR just around the corner businesses need to act now.”
The Department of Homeland Security (DHS) has detected equipment that can eavesdrop on cell-phone conversations in the Washington, DC, area – and it doesn’t know who’s behind it.
According to a letter sent to Sen. Ron Wyden (D-OR) obtained by the Associated Press (AP), DHS uncovered deployed equipment known as StingRays (or IMSI catchers), which spoof cell-phone towers. These cell-site simulators dupe nearby handsets into connecting to them, which lets their operators identify and pinpoint users and, by forcing the connection down to 2G (where the network, not the phone, decides whether traffic is encrypted) instead of the mutually authenticated 3G or 4G, intercept calls and messages. They can also be used to implant malware.
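Detection on the handset side relies on exactly the behaviours described above: a sudden fall back to 2G, and a cell that has never been seen before yet is implausibly strong. The following heuristic, an added illustration that is not DHS, FirstPoint or any product’s code, scores a stream of cell observations on those signals. The observations are constructed (MCC 001 is the test network) and the thresholds are assumptions, so an alert is a lead to investigate rather than proof of a StingRay, since rural 2G fallback and normal handovers trip the same rules:

```python
"""Heuristic rogue base-station (IMSI catcher) detection over cell observations.
Added example, not DHS/FirstPoint code; observations and thresholds are constructed."""
from collections import namedtuple

# area = LAC on 2G/3G or TAC on LTE; rssi in dBm.
Obs = namedtuple("Obs", "t rat mcc mnc area cell rssi")

LEARN_FIRST = 3        # assumption: first N observations form the trusted baseline
STRONG_DBM = -60       # assumption: stronger than this from an unseen cell is unusual
ALERT_SCORE = 2
LEGACY_RAT = {"GSM"}   # 2G: no mutual authentication, cipher chosen by the "network"


def detect_rogue_cells(observations, learn_first=LEARN_FIRST):
    """Score each observation after the learning window; return one alert per suspicious cell."""
    known, flagged, alerts = set(), set(), []
    prev_rat = None
    for i, o in enumerate(observations):
        key = (o.mcc, o.mnc, o.area, o.cell)
        if i < learn_first:
            known.add(key)
            prev_rat = o.rat
            continue
        reasons, score = [], 0
        if o.rat in LEGACY_RAT and prev_rat is not None and prev_rat not in LEGACY_RAT:
            reasons.append("downgrade to 2G from %s" % prev_rat)
            score += 2
        if key not in known:
            reasons.append("cell never seen before")
            score += 1
            if o.rssi > STRONG_DBM:
                reasons.append("unusually strong signal (%d dBm)" % o.rssi)
                score += 1
        if score >= ALERT_SCORE:
            if key not in flagged:          # report each suspicious cell once
                flagged.add(key)
                alerts.append({"t": o.t, "cell": key, "rat": o.rat,
                               "score": score, "reasons": reasons})
        else:
            known.add(key)                  # plausible handover: extend the baseline
        prev_rat = o.rat
    return alerts


# Constructed trace: a normal LTE walk, a brief capture by a strong 2G cell, recovery.
SAMPLE = [
    Obs("10:00:00", "LTE", 1, 1, 1234, 50001, -83),
    Obs("10:00:30", "LTE", 1, 1, 1234, 50002, -91),
    Obs("10:01:00", "LTE", 1, 1, 1234, 50001, -84),
    Obs("10:01:30", "LTE", 1, 1, 1234, 50003, -88),   # new but plausible: joins baseline
    Obs("10:02:00", "GSM", 1, 1, 9999, 777, -45),     # downgrade + unknown + strong
    Obs("10:02:30", "GSM", 1, 1, 9999, 777, -47),     # same rogue cell, not reported twice
    Obs("10:03:00", "LTE", 1, 1, 1234, 50001, -86),
]

if __name__ == "__main__":
    for a in detect_rogue_cells(SAMPLE):
        print(a["t"], a["rat"], a["cell"], "score", a["score"], "; ".join(a["reasons"]))
```

Real detectors add signals this toy cannot see without baseband access, such as identity requests sent before authentication, cipher indicator changes and the neighbour list a legitimate cell advertises; the scoring structure is the same.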
“IMSI catcher attacks are one of the most common and effective, though unspoken, threats in cellular cybersecurity, mostly because they are easily available and do not leave a trace on the device and traditionally cannot be blocked or adequately identified,” explained Dror Fixler, CEO of FirstPoint Mobile Guard, via email. “The hacker's continued interest in you after the initial attack has to do with what they discovered about you in those first minutes of the attack. These devices are particularly dangerous as attackers can continue the attack by implementing a man-in-the-middle attack to covertly connect the device to the cellular network, thus monitoring all of the device's data, voice, SMS, signaling and even delivering a dedicated malware attack.”
This type of equipment has been used by law enforcement for years, and its sale has been limited to public-safety uses. The detection of unauthorized gear suggests that foreign adversaries may be at work in the area to spy on US citizens and government officials.
Wyden had asked the DHS whether it found foreign governments using the devices, to which the department said it had not “validated or attributed such activity to specific entities or devices.” Other details were scant, though the DHS did say that malicious use of such equipment is a “real and growing risk.” It also admitted in a separate, unpublished letter obtained by the AP that DHS lacks the equipment and funding to detect StingRays on its own and instead partners with third parties to do so.
Fixler added that his company has uncovered unauthorized StingRays deployed on a widespread level: “In the last several weeks alone, FirstPoint has identified numerous such attacks around the world, near government agencies, in and around airports, and next to local police stations,” he said. “This means that anyone, US citizens and government officials included, are under threat of tracking by cell-phone site simulators (IMSI catchers) while traveling, and not only at home in DC.”