Info Security


Euro Police Arrest Over 100 Money Mules

Wed, 11/29/2017 - 11:15

European law enforcers are celebrating after identifying hundreds of money mules and making over 100 arrests as part of a coordinated global clampdown.

During the European Money Mule Action (EMMA) which ran from November 20-24, police from 26 countries supported by Europol, Eurojust and the European Banking Federation (EBF) made 159 arrests.

In addition, cops claimed to have identified 766 money mules and conducted 409 interviews. Importantly, the operation targeted not only the mules themselves but also their organizers — 59 of whom were identified.

Money mules are recruited by cybercrime gangs to launder cash stolen in online campaigns, often lured by the promise of easy cash.

Many are unaware that they’re actually playing a vital role in the cybercrime ecosystem, with police claiming that the funds they help launder are often pumped back into organised crime — including drug dealing, human trafficking and online fraud.

In the EMMA campaign period, Europol claimed that support from 257 banks and private-sector partners uncovered 1719 money mule transactions, with total losses amounting to almost €31m (£27m, $37m).

Some 90% of these were linked to cybercrime offenses including phishing, online auction fraud, Business Email Compromise (BEC) and CEO fraud.

“EMMA3 shows how a close public-private partnership between law enforcement, judicial authorities and the banking sector is essential to effectively tackle the illegal activity of money muling. We remain fully committed to working together in the fight against money laundering and other financial crimes and to further support joint initiatives like EMMA,” noted a statement from Europol, Eurojust and the European Banking Federation.

The news comes as new stats from Cifas on Monday revealed the number of UK money mules aged 18-24 has doubled since 2013, and risen 75% from last year to this.

“Uncovering these money muling schemes and informing the public are vital to prevent criminals from taking advantage of unsuspecting individuals,” the Europol statement continued. “Legitimate companies will never ask individuals to use their bank accounts or transfer money through their accounts. Nobody should give access, or provide their bank accounts or electronic wallets, to unknown or untrusted people.”

Categories: Cyber Risk News

Elite Oxbridge Alumni Club Reports Stolen Hard Drive

Wed, 11/29/2017 - 11:11

Thousands of Oxbridge alumni may have had their personal details compromised after it emerged that a hard drive containing the data was stolen from the headquarters of an elite club.

The exclusive Oxford and Cambridge Club is said to have written to its 5000 members this week urging them to check for suspicious activity on their bank accounts.

The theft of the back-up hard drive from a locked room at the club’s Pall Mall HQ was discovered on November 16 and a police investigation has now been launched, with private investigators also hired.

Alongside illustrious Oxbridge alumni such as broadcaster Stephen Fry and the Astronomer Royal, Lord Rees, 100 members of staff are also thought to have been affected. As honorary members, the Prince of Wales and Duke of Edinburgh are not thought to have had their details taken.

Stolen information is said to include names, home addresses, phone numbers and some bank details.

A letter sent to members, and seen by the Sunday Telegraph, had the following:

“This situation has arisen as a result of the theft of a storage disk, and not as a breach of the cybersecurity system, and although the data contained on the disk is protected by multiple layers of security and heavy password protection, we have been advised by data specialists that there is a very remote chance that information could be obtained.”

Jon Fielding, EMEA managing director at Apricorn, argued that organizations must protect sensitive data at rest like this with strong encryption as a form of insurance against the costs resulting from a subsequent breach or data leak.

“Yes, encrypted drives carry a higher cost than those that are unencrypted but just look at the cost of the breach reported here — hiring of private investigators, the workload required to notify up to 5000 individuals compromised, to offer remedy and, potentially the most costly, the involvement of the Information Commissioner's Office (ICO),” he continued.

“The ICO has the authority to fine organizations it deems in breach of the UK Data Protection Act up to £500,000. This figure rises markedly to the greater sum of €20m or 4% of turnover in May 2018 when the General Data Protection Regulation (GDPR) comes into effect.”


Apple Works to Fix Serious Mac Security Bug

Wed, 11/29/2017 - 10:26

Apple has confirmed reports of a significant ‘root bug’ affecting iMacs and MacBooks upgraded to the new version of macOS High Sierra.

The flaw, discovered by Turkish developer Lemin Ergin, allows somebody access to another’s machine without the need for a password by simply entering ‘root’ as the username, leaving the password blank and hitting enter in the system’s admin settings. Doing so apparently grants powerful administrator rights, including being able to delete files, change passwords and add or remove system accounts.

Apple is taking the issue seriously, offering the following statement:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here:

“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

It is not known when a patch will be released by Apple for the flaw, but with the firm working on the bug one should be expected in the coming hours. In the meantime, it’s worth bearing in mind that the vulnerability cannot be exploited remotely, so anyone targeting Macs would need physical access to a machine which would also need to be fully open and unlocked for the hack to occur.

“It wasn’t that long ago that Apple was winning the desktop security space by a large margin, primarily through the advantage of obscurity versus its Windows competition,” said Lee Munson, security researcher for “Times have changed though and we can no longer say that Macs don’t get viruses and nor can we say that they are immune to potentially very serious bugs either.”

The latest of those bugs to emerge is about as serious as it gets, he added, as the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to.

“Of course, this is all mitigated by the fact that remote access can only be gained if the bug is first leveraged through physical access to the device, so home users have very little to worry about and businesses should also be okay, as long as they are on top of access control and visitor policies.

“Even so, all Mac owners would be well advised to install the resultant patch, just as soon as it becomes available.”


Canadian Hacker Pleads Guilty in Russia Yahoo Case

Wed, 11/29/2017 - 10:13

A 22-year-old Canadian man has pleaded guilty to compromising thousands of webmail accounts and selling the log-ins to Russian agents accused of the 2014 Yahoo breach.

Kazakhstan-born Karim Baratov is said to have been paid to hack Gmail, Yandex and other accounts on behalf of Dmitry Dokuchaev and Igor Sushchin, two officers from the Russian Federal Security Service (FSB).

The Department of Justice said they enlisted the help of FBI most-wanted cyber-criminal, Alexsey Alexseyevich Belan, to hack Yahoo in 2014, resulting in the breach of 500 million user accounts.

However, when they wanted access to accounts managed by other providers, they called in hacker-for-hire Baratov, who apparently advertised his services on Russian language sites.

Baratov admitted hacking 80 webmail accounts for the FSB and over 11,000 in total as part of this and other raids from 2010 to 2017, when he was arrested in Canada and extradited to the US.

The attacks were undertaken via a simple spearphishing tactic which directed unwitting victims to a spoofed log-in page where he harvested their account credentials.

Baratov pleaded guilty to nine counts of conspiring to violate the Computer Fraud and Abuse Act and aggravated identity theft and will be sentenced on February 20 2018 in San Francisco.

As part of the plea agreement, he has agreed to pay restitution to his victims and a fine up to $2.25m: that’s $250,000 per count.

“Where a foreign law enforcement or intelligence agency recruits, tasks, or protects criminals targeting the United States and its companies or citizens, instead of taking steps to disrupt them and hold them accountable, the United States will leverage all of its available tools to expose that agency’s conduct and arrest those responsible,” said acting assistant attorney general Dana Boente.

“Today’s plea exemplifies the department’s commitment to pursuing, arresting and bringing to justice even those hackers who work for a foreign law enforcement or intelligence organization.”


Pentagon Exposes Top Secret Classified Info to Public Internet

Tue, 11/28/2017 - 18:08

In the wake of a string of data exposures originating from Pentagon intelligence-gathering agencies, critical, highly classified data belonging to the United States Army Intelligence and Security Command (INSCOM) has been found in an unsecured open database on the internet.

The UpGuard Cyber Risk Team found the data from INSCOM, a joint US Army and National Security Agency (NSA) Defense Department command tasked with gathering intelligence for US military and political leaders, exposed to anyone with an internet connection in an Amazon Web Services S3 cloud storage bucket. Unfortunately, this is just the latest exposure due to a misconfiguration—the problem has become endemic.

It said that among the downloadable assets is classified data labeled Top Secret and NOFORN—a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies. Further, the subdomain name for the S3 bucket, INSCOM, provides "little ambiguity to any bad guys seeking to determine the data’s significance," the firm pointed out.

The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System—Army (DCGS-A) as well as the platform’s cloud auxiliary, codenamed “Red Disk.” Also exposed are a virtual drive used for receiving, transmitting, and handling classified data, and private keys used for accessing distributed intelligence systems, belonging to administrators from a now-defunct third-party contractor. This cache included hashed passwords which, if still valid and cracked, could be used to further access internal systems at the Pentagon.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” the firm said, in a blog. “This cloud leak follows a number of previous Cyber Risk Team reports detailing Pentagon data exposures from within the US Central Command, US Pacific Command, and the National Geospatial-Intelligence Agency, a Defense Department agency tasked with acquiring and analyzing satellite imagery intelligence. Such continual and apparently accidental exposure of classified national security data to the wider internet is proof that even the most secretive corners of the IT landscape are not immune to the cyber risks befalling any enterprise operating at scale.”

There also are indications that some of the data in the bucket had been accessed and worked upon by Invertix, an external third-party vendor.

“Third-party vendor risk remains a silent killer for enterprise cyber-resilience. The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled,” UpGuard said. “Invertix has since merged into a new corporation, Altamira…If the right hand does not know what the left hand is doing, the entire body will be injured. The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike.”

The misconfiguration was discovered in late September, after which UpGuard helped the military secure the information, it said.
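As a defender's check for the kind of misconfiguration described above, the following is an added example (not UpGuard's, the Pentagon's or this page's code) that flags S3 bucket ACL grants to AWS's global AllUsers/AuthenticatedUsers groups and bucket-policy statements that allow an anonymous principal. The ACL, policy document and bucket name are constructed samples; in practice they would come from boto3's get_bucket_acl and get_bucket_policy calls.

```python
import json
from typing import List, Optional

# Constructed sample: an ACL in the shape boto3's get_bucket_acl() returns,
# granting READ to the global AllUsers group, i.e. to anyone on the internet.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: a bucket policy (as the JSON string get_bucket_policy()
# returns under "Policy") with an anonymous GetObject statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# AWS's two predefined global groups; a grant to either makes the bucket
# readable (or worse) outside the owning account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> List[str]:
    """Return one finding per ACL grant that targets a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Return one finding per Allow statement with an anonymous principal."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A Condition (e.g. source IP / VPC) may narrow "*"; flag for review
        # rather than silently accepting it.
        note = " (has Condition; review manually)" if st.get("Condition") else ""
        sid = st.get("Sid", "<no Sid>")
        findings.append(
            f"policy statement {sid} allows {', '.join(actions)} to Principal *{note}")
    return findings


def audit_bucket(acl: dict, policy_json: Optional[str]) -> List[str]:
    """Combine ACL and policy findings; an empty list means no public grant."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(policy_json)
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

Account-level S3 Block Public Access settings override both mechanisms, so a clean result here still warrants checking that control as well.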

Threat Stack CSO Sam Bisbee told Infosecurity that infrastructure has now outpaced security, and that we will likely see more of these types of breaches in the public and private sectors, especially as holiday season infrastructure goes live.


Holiday Season Breaches Not as Prevalent as You Might Think

Tue, 11/28/2017 - 18:03

The holiday season is upon us, with consumers hastily making travel plans between time spent browsing for gifts for loved ones. During this season, a few also remember that major retail breaches have long-lasting and far-reaching effects, with settlements dragging on for years and occasionally costing companies up to billions of dollars. While the holiday season has a reputation for being the high tide of breaches, it’s actually less event-filled than other times of the year.

In an analysis, BitSight categorized incidents from month-to-month within the retail and hospitality industries between 2015 and 2016. It found that events waned in November and December in each year.

“It is readily apparent that both industries exhibit a sporadic breach pattern with spikes and lulls at particular points throughout the year,” said the company, in an analysis sent to Infosecurity. “Retail experiences fewer incidents than hospitality (with a few months standing out as exceptions). What is particularly surprising is that both industries show a slight decline in security events during the holidays. It is possible that controls and security practices are stepped up as the holidays approach, or that companies are simply too busy during this season to report breaches as they occur (this might also explain spikes early in the year).”

BitSight’s examination also revealed significant differences in the breach types experienced by companies in each industry. To wit: the hospitality industry outpaced retail in the percentage of breaches flagged as point of sale (POS) attacks, while lagging slightly behind in all other categories. Both industries are commonly regarded as ripe targets for POS attacks due to the large number of brick-and-mortar locations with exploitable payment terminals; however, retail saw a more uniform distribution of breach types.

The one exception to that is the Web Application Compromise vector, which makes up over 25% of the incidents observed.

“Hospitality companies would do well to take specific actions to address their risk of POS attack, such as monitoring endpoint security and ensuring data is safe behind properly configured firewalls,” BitSight concluded. “The holidays result in increased revenue for large retailers and hotel chains. This increase in business can tempt attackers and it is important for businesses in all industries to proactively mitigate risk to avoid making next year’s holiday breach report.”


ISF: Crime-as-a-Service, Regulation Pose Top 2018 Threats

Tue, 11/28/2017 - 17:50

The Information Security Forum (ISF) has identified the top five global security threats that businesses will face in 2018: Crime-as-a-service (CaaS), the internet of things (IoT), supply chain risk, regulatory complexity and unmet board expectations.

In the coming year, the number of data breaches will grow along with the volume of compromised records, ISF predicts, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas, such as network clean-up and customer notification, as well as newer areas such as litigation involving a growing number of parties.

Angry customers will pressure governments to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers. Not only will the number of data breaches grow, the scale of data breaches will also grow and individuals around the world will wearily expect their personal data to be compromised. In some cases, sophisticated defenses will be circumvented by persistent criminal organizations that swiftly exploit stolen data. The significant cost of the resulting cyber-crimes will rise steeply.

“The scope and pace of information security threats is jeopardizing the veracity and reputation of today’s most reliable organizations,” said Steve Durbin, managing director of the ISF. “In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place.”

The top five threats identified by the ISF for 2018 are not mutually exclusive and can combine to create even greater threat profiles. The most prevalent threats include:

CaaS Expands Tools and Services

ISF believes that criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.

IoT Adds Unmanaged Risks

Organizations will adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.

Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, ISF said that organizations must focus on the weakest spots in their supply chains. Not every security compromise can be prevented beforehand, but being proactive now means that you—and your suppliers—will be better able to react quickly and intelligently when something does happen. To address information risk in the supply chain, organizations should adopt strong, scalable and repeatable processes—obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.

Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organizations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives. In the longer term, organizations will benefit from the uniformity introduced by the reform. But it is not just in the area of privacy where legislation will bite. The increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

Unmet Board Expectations Exposed by Major Incidents

Boards will expect that their approval of increased information security budgets will have enabled the CISO and the information security function to produce immediate results. However, a fully secure organization is an unattainable goal, and many boards are unaware that making substantial improvements to information security will take time—even when the organization has the correct skills and capabilities. Consequently, the expectations of boards will quickly accelerate beyond their information security functions’ ability to deliver. Misalignment between a board’s expectations and the reality of the security function’s ability to deliver will be most cruelly exposed when a major incident occurs. Not only will the organization face substantial impact, the repercussions will also reflect badly on the individuals and collective reputations of the board members.

“These days, the stakes are higher than ever before,” Durbin said. “High-level corporate secrets and critical infrastructure are regularly under attack, and organizations of all sizes need to be aware of the significant trends that we forecast in the year to come.”


London and Berlin are Most Exposed Cities in Europe

Tue, 11/28/2017 - 12:11

London and Berlin have emerged as the two European cities most exposed to potential cyber-attacks, according to a new study from Trend Micro.

The security giant ran a Shodan search on over 2.7m unique IP addresses in the region to compile its latest report Exposed Cities: Western European Capitals.

It found 2.8 million exposed cyber-assets in Berlin and 2.5 million in London. These assets include webcams, routers, printers, NAS devices, web and email servers and much more.

While being exposed to the public internet doesn’t indicate these devices will definitely be compromised, it does give hackers a good chance to remotely probe them for vulnerabilities.

However, Trend Micro claimed the results were in line with expectations, as both UK and German capitals are known as tech hubs which play host to a large number of ISPs.

The report continued:

“When exposure is calculated based on per capita, places such as Amsterdam, Berlin, and Lisbon proportionally had significantly higher exposure levels than other cities. Conversely, some cities such as Paris, Athens, and Rome where we expected to see much higher per capita numbers did not have high exposure levels.”

Webcams were the most commonly exposed type of device — with 3,050 in London alone — and NAS devices came second. London also topped the UK in terms of exposed web and email services and routers.

Trend Micro cybersecurity architect, Simon Edwards, urged IT departments to focus their efforts on IoT security.

“This starts with ensuring that each connected device has a complex password. A staggering number of businesses allow passwords to remain as default, but with hackers armed with the information to crack them in seconds, these devices might as well not be password protected at all. This shouldn’t be the only form of authentication needed; businesses should adopt multi-factor authentication, with additional biometrics,” he told Infosecurity.

“IT departments also need to take into account how often a device manufacturer patches the device when making a buying decision, and ensure that they are installing software updates when they come through. Perhaps the most important is the need to educate staff on the risks that IoT brings — reinforcing the use of complex passwords, being wary of emails from unknown senders, and not handling company IP on personal devices can go a long way.”


Thousands of FTSE 100 Corporate Log-Ins Found on Dark Web

Tue, 11/28/2017 - 11:15

Over three-quarters (77%) of FTSE 100 companies are at risk of suffering a damaging cyber-attack because corporate log-ins including plain text passwords are available on the dark web, according to Anomali.

The threat intelligence firm monitored underground forums between April and July this year and found on average 218 usernames and passwords available for each FTSE 100 firm affected.

The volume of exposed log-ins has tripled since last year’s report, rising from a total of 5275 to 16,583, according to the vendor’s new report, The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures.

The banking sector was worst hit, accounting for nearly a quarter (23%) of exposed credentials.

Five of the FTSE 100 companies analyzed had more than 1000 log-ins exposed on such sites.

The problem boils down to email and password reuse, with many employees signing up to online services with their work log-ins, unaware they may be stolen from these providers, according to Anomali.

The report had this word of warning:

“Employees should be reminded of the dangers of browsing through and logging into non-corporate websites with corporate email addresses and passwords. Companies should monitor for compromised employee credentials so they can force reset accounts and gather metrics about how often employees are using their work email addresses for access to non-work-related websites.”

The report also revealed that at least 82% of FTSE 100 organizations have suspicious domain registrations made in their name — indicative of possible phishing and other malicious activity.

A total of 439 suspicious domains were found on the dark web; that’s just over four per company on average, although 13% of FTSE 100 firms had 10 or more in their name. The majority were registered in the US (38%) and China (23%).

Once again the banking sector was hardest hit, with 83 registrations.

Anomali claimed that free email services are often used during the registration process to hide the true identity of the registrant.


Alleged Chinese Intelligence Officers Indicted by DoJ

Tue, 11/28/2017 - 10:12

The Department of Justice (DoJ) has indicted three Chinese nationals who allegedly worked indirectly for their government to steal hundreds of gigabytes of highly sensitive corporate data from Siemens, Moody’s Analytics and GPS firm Trimble.

In the first US government indictment of Chinese hackers since 2014, the DoJ accused Wu Yingzhuo, Dong Hao and Xia Lei each of eight counts including: conspiring to commit computer fraud and abuse, conspiring to commit trade secret theft, wire fraud and aggravated identity theft.

Although the sentences carry a maximum jail term of over 40 years, it’s highly unlikely the US government will ever get its hands on the three. Wu and Dong are founding members of ‘security vendor’ Guangzhou Bo Yu Information Technology Company Limited (Boyusec), while Xia is an employee there.

The three are alleged to have sent spearphishing emails to victims in the targeted organizations, allowing them to gain unauthorized, persistent access to their computers. The end goal was allegedly to steal confidential corporate information.

Between December 2015 and March 2016, Wu and unnamed co-conspirators are said to have hacked Trimble to steal plans for new satellite technology designed to improve the accuracy of location data on mobile devices.

In 2014, Dong is alleged to have infiltrated the Siemens corporate network to steal log-ins from employees in preparation for a 2015 407GB raid on the firm’s energy, technology and transportation businesses.

After co-conspirators hacked a Moody’s email server in 2011 and placed a forwarding rule in a prominent employee’s account, Xia regularly accessed those forwarded emails during 2013 and 2014, to read “proprietary and confidential economic analyses, findings and opinions”, according to the DoJ indictment.

“In many instances, the co-conspirators sought to conceal their activities, location and Boyusec affiliation by using aliases in registering online accounts, intermediary computer servers known as ‘hop points’ and valid credentials stolen from victim systems,” it noted.

Although the three are named in the indictment only as Boyusec employees, the firm itself is in fact a cover for China’s fearsome Ministry of State Security (MSS), according to Recorded Future director of strategic threat development, Priscilla Moriuchi.

As such, this represents the first ever US indictments against Chinese intelligence officers as opposed to military personnel, she claimed.

“Boyusec is the MSS and their activities support China’s political, economic, diplomatic, and military goals,” she argued.

“The MSS is composed of national, provincial, and local elements. Many of these elements, especially at the provincial and local levels, include organizations with valid public missions to act as a cover for MSS intelligence operations. Some of these organizations include think tanks such as CICIR, while others include provincial-level governments and local offices. In this case, Boyusec is the cover organization for MSS cyber activities.”

A Recorded Future report from May attributed Boyusec’s work to the APT3 group. Over the years it has also targeted Hong Kong dissidents and other domestic troublemakers, the firm claimed.

It's unclear why the DoJ hasn't made the same claims as Recorded Future over Boyusec's alleged masters, although if true it would mean the trio's activity broke the terms of a US-China agreement signed in late 2015 not to engage in economic espionage against one another.


Tailored, Targeted Ransomware Evolves

Mon, 11/27/2017 - 19:40

Ransomware will become more targeted, not only seeking out certain file types but also taking aim at specific kinds of company, such as law firms, healthcare providers and tax preparers.

This evolution from the “spray-and-pray” attacks we largely see now is already underway, according to Rick McElroy, security specialist at Carbon Black.

“There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs,” he said, in a blog. “A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.”

This specialization also means that ransomware attacks are more likely to succeed—so we can expect their frequency and severity to also increase.

The ransomware supply chain is also shifting, with as-a-service options flooding the market.

“The power to attack is no longer in the hands of a few experts, but in the hands of anyone looking to make illicit money,” said McElroy. “Ransomware can no longer be perceived as small groups of criminals performing stick ups and kidnappings; instead think of ransomware more like the consumer of a cloud service. You simply need to know how to put the pieces together. Startup CEOs no longer hire tons of IT staff or invest heavily in infrastructure. They achieve speed to market by utilizing existing services. So do cyber-criminals. The criminals are jumping right to the point of profit.”

The supply chain is straightforward, and starts with the authors who create the malicious code. These authors generally never use it themselves, he said, but instead offer it for sale for criminals to deploy. Carbon Black identified authors earning in excess of $100,000 per year through selling complete ransomware toolkits or the individual components required to run a campaign. This compares with an average annual salary of $69,000 earned by legitimate software developers.

Then there are Tier 2 providers, which, through reconnaissance, decide what machines to exploit and then sell access to them to Tier 3 criminals.

“This specialization effectively creates a turnkey offering, requiring minimal technical knowledge, and can be used by anyone with a target list,” McElroy said. “The split of revenue from the activity is agreed in advance and the provider tracks the campaign, handles payment and even delivers performance metrics, enabling future campaigns to be targeted at the most profitable victims.”

This customer service approach is growing: Carbon Black even identified helpdesk services available to support budding cyber-criminals.

“Attackers will continue to go where the money is,” McElroy said. “Right now, with ransomware, there is money to be made hand over fist. To begin to shift the economic tide, organizations should take careful inventory of their security best practices and look to implement user education programs in order to close any gaps that may exist.”

Categories: Cyber Risk News

Federal Websites Still Lack Basic Security

Mon, 11/27/2017 - 18:50

A detailed review of hundreds of the most popular US federal websites shows that, year over year, most continue to fall short of security and technical requirements set by the federal government, as well as industry standards for web design and development.

According to the second edition of the Benchmarking US Government Websites report from the Information Technology and Innovation Foundation (ITIF), 91% of the 469 federal government websites reviewed fail at least one key performance measure, including one-third that fail on at least one important security measure.

“Despite the common acknowledgment that federal websites fall far short of federal requirements and industry standards, little progress has been made to improve and modernize them over the course of the past year,” said ITIF vice president Daniel Castro, the report’s lead author. “The Trump administration should move quickly to address these failures and ensure the federal government is providing all Americans with secure, convenient access to online government services and information.”

The report analyzed how federal websites perform in four key areas: page-load speed, mobile-friendliness, security, and accessibility. On the security front, researchers checked compliance with basic security guidelines, such as serving a valid SSL/TLS certificate, implementing DNSSEC and using HTTPS to transmit sensitive information between the browser and server.

About 64% of the websites passed security tests for both SSL and DNSSEC in the report, up from 61% in the previous report in 2016. However, 36% failed at least one of these two security measures. Only 71% of all the reviewed websites passed the SSL test, and 10% lacked DNSSEC, including the sites of the House of Representatives, the Speaker of the House of Representatives and the US Forest Service.

Only 8% lacked HTTPS, an improvement from 2016 when 14% of reviewed websites lacked it. Since then, sites including the Department of Defense's have enabled HTTPS.

On the other hand, the analysis found that the International Trade Administration still has not enabled HTTPS, and neither have the National Defense University, the Bureau of Engraving and Printing, the Savannah River Site, the Advanced Distributed Learning Initiative, the Congressional-Executive Commission on China, the US Chemical Safety Board, the US Government Accountability Office, the Speaker of the House of Representatives, the Administrative Office of the U.S. Courts and the Medicare Payment Advisory Commission.

Federal websites that have shown the greatest improvement since last year in their overall scores include those of the Internal Revenue Service, the Office of the Director of National Intelligence and the U.S. Railroad Retirement Board. Each of these agencies conducted a major refresh of its website earlier this year, including updates to make the sites more mobile-friendly.

“Government websites get millions of visitors each day. As more people go online for public services and as security threats continue to evolve, it is important for federal websites to be more convenient, accessible and secure,” said ITIF research fellow Galia Nurko. “This report shows a significant amount of work left to be done to modernize federal websites and ensure that, as technology advances, federal websites improve in turn.”

Categories: Cyber Risk News

Researchers Demonstrate 'Un-Hackable' Quantum Encryption

Mon, 11/27/2017 - 18:46

Academic researchers are taking lessons from quantum computing to create theoretically hack-proof forms of quantum data encryption.

Quantum encryption techniques may be one step closer to wide-scale use thanks to a new system developed by scientists at Duke University, The Ohio State University (OSU) and Oak Ridge National Laboratory. It is capable of creating and distributing encryption keys at megabit-per-second rates, which is five to 10 times faster than existing methods and on par with current internet speeds when several systems are run in parallel.

The researchers also demonstrated that the technique is secure from common attacks, even in the face of equipment flaws that could open up leaks.

"We are now likely to have a functioning quantum computer that might be able to start breaking the existing cryptographic codes in the near future," said Daniel Gauthier, a professor of physics at OSU. "We really need to be thinking hard now of different techniques that we could use for trying to secure the internet."

Typically, online purchases, bank transactions, medical records and other sensitive information are protected by encryption keys. Personal information sent over the web is first scrambled using one of these keys, and then unscrambled by the receiver using the same key.

For this system to work, both parties must have access to the same key, and it must be kept secret. Quantum key distribution (QKD) takes advantage of one of the fundamental properties of quantum mechanics—measuring tiny bits of matter like electrons or photons automatically changes their properties—to exchange keys in a way that immediately alerts both parties to the existence of a security breach.

Though QKD was first theorized in 1984 and implemented shortly thereafter, the technologies to support its wide-scale use are only now coming online. The research noted that companies in Europe now sell laser-based systems for QKD, and in a highly-publicized event last summer, China used a satellite to send a quantum key to two land-based stations located 1200 km apart.

The problem with many of these systems, said Nurul Taimur Islam, a graduate student in physics at Duke, is that they can only transmit keys at relatively low rates, between tens and hundreds of kilobits per second, which are too slow for most practical uses on the internet.

"At these rates, quantum-secure encryption systems cannot support some basic daily tasks, such as hosting an encrypted telephone call or video streaming," Islam said.

Like many QKD systems, Islam's key transmitter uses a weakened laser to encode information on individual photons of light. But they found a way to pack more information onto each photon, making their technique faster.

By adjusting the time at which the photon is released, and a property of the photon called the phase, their system can encode two bits of information per photon instead of one. This trick, paired with high-speed detectors developed by Clinton Cahall, graduate student in electrical and computer engineering, and Jungsang Kim, professor of electrical and computer engineering at Duke, powers their system to transmit keys five to 10 times faster than other methods.

"It was changing these additional properties of the photon that allowed us to almost double the secure key rate that we were able to obtain if we hadn't done that," said Gauthier, who began the work as a professor of physics at Duke before moving to OSU.

In a perfect world, QKD would be perfectly secure. Any attempt to hack a key exchange would leave errors on the transmission that could be easily spotted by the receiver. But real-world implementations of QKD require imperfect equipment, and these imperfections open up leaks that hackers can exploit.
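The two mechanisms the article relies on, measurement disturbing the photon and the resulting errors revealing an eavesdropper, are easiest to see in a simulation of the original BB84 protocol. The following is an added example, not code from the Duke/OSU team (whose system uses time and phase encoding to carry two bits per photon rather than BB84's one): it models a photon as a (bit, basis) pair, an eavesdropper doing intercept-and-resend, and the public sifting and error-estimation steps. The 11% abort threshold is the standard figure for BB84 with one-way post-processing; the seed and key length are arbitrary.

```python
import random

ABORT_THRESHOLD = 0.11  # QBER above which BB84 (one-way post-processing) cannot yield a secure key


def _measure(bit, prep_basis, meas_basis, rng):
    """A photon measured in the basis it was prepared in yields its bit; measured
    in the other basis it yields a uniformly random bit and the original state is
    gone. This is the 'measuring changes it' property the article describes."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_exchange(n, seed=0, eavesdrop=False):
    """Simulate one BB84 run over n photons. Returns QBER, abort flag and both keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]     # 0 = rectilinear, 1 = diagonal
    photons = list(zip(alice_bits, alice_bases))            # (bit, basis) in flight

    if eavesdrop:
        # Intercept-resend: Eve measures each photon in a random basis and re-emits
        # a fresh photon carrying what she saw, prepared in the basis she used.
        resent = []
        for bit, basis in photons:
            eve_basis = rng.randrange(2)
            resent.append((_measure(bit, basis, eve_basis, rng), eve_basis))
        photons = resent

    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [_measure(bit, basis, bb, rng) for (bit, basis), bb in zip(photons, bob_bases)]

    # Sifting: bases are compared over the public channel and mismatches are
    # discarded. Bit values are never announced at this step.
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    a_sift = [alice_bits[i] for i in kept]
    b_sift = [bob_bits[i] for i in kept]

    # Error estimation: half of the sifted bits are sacrificed and compared in
    # public. Without Eve they agree exactly; with intercept-resend roughly a
    # quarter disagree (Eve guesses the wrong basis half the time, and each
    # wrong guess randomises Bob's result half the time).
    sample = set(rng.sample(range(len(kept)), len(kept) // 2))
    errors = sum(1 for i in sample if a_sift[i] != b_sift[i])
    qber = errors / len(sample) if sample else 0.0
    key_a = [a_sift[i] for i in range(len(kept)) if i not in sample]
    key_b = [b_sift[i] for i in range(len(kept)) if i not in sample]
    return {"qber": qber, "abort": qber > ABORT_THRESHOLD, "sifted": len(kept),
            "key_alice": key_a, "key_bob": key_b}


if __name__ == "__main__":
    quiet = bb84_exchange(4000, seed=2017)
    noisy = bb84_exchange(4000, seed=2017, eavesdrop=True)
    print(f"no eavesdropper : QBER={quiet['qber']:.3f} abort={quiet['abort']} "
          f"key bits={len(quiet['key_alice'])}")
    print(f"intercept-resend: QBER={noisy['qber']:.3f} abort={noisy['abort']}")
```

The simulation also makes the "imperfect equipment" caveat concrete: real detectors and lasers contribute their own error rate, so the gap between the natural QBER and the abort threshold is the budget an implementation has to spend on device flaws, which is exactly what the Duke team's characterisation work was sizing.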

The researchers carefully characterized the limitations of each piece of equipment they used. They then worked with Charles Lim, professor of electrical and computer engineering at the National University of Singapore, to incorporate these experimental flaws into the theory.

"We wanted to identify every experimental flaw in the system, and include these flaws in the theory so that we could ensure our system is secure and there is no potential side-channel attack," Islam said.

Though their transmitter requires some specialty parts, all of the components are currently available commercially. Encryption keys encoded in photons of light can be sent over existing optical fiber lines that burrow under cities, making it relatively straightforward to integrate their transmitter and receiver into the current internet infrastructure.

"All of this equipment, apart from the single-photon detectors, exists in the telecommunications industry, and with some engineering we could probably fit the entire transmitter and receiver in a box as big as a computer CPU," Islam said.

Some are taking the news with a grain of salt.

"We often encounter these new ‘hack-proof’ promises,” said Ofer Maor, director of enterprise solutions at Synopsys, via email. “While the technology does indeed sound interesting, touting a hack-proof title is dangerous and somewhat presumptuous. We have seen time and again claims for new hack-proof technology, that was shortly after hacked. Only technologies that withstood a long series of hack attempts by leading encryption experts, hackers and governments, can have a reasonable claim at that, and even that is not always the case. Moreover, even if the theory is indeed hack-proof, we have seen that in many cases, when this is implemented to become a usable commercial product, implementation flaws introduce new security weaknesses that can later be taken advantage of, ending in an embarrassing compromise to the ‘unbreakable’ theme."

Categories: Cyber Risk News

McAfee Acquires Skyhigh Networks

Mon, 11/27/2017 - 14:45

McAfee has announced the acquisition of Skyhigh Networks for an undisclosed amount.

The deal comes less than eight months after the company's spinout from Intel to become a standalone cybersecurity business.

McAfee said the move will allow the firm and Skyhigh Networks to offer customers the most advanced cybersecurity architecture required for the future, spanning endpoint and cloud control points, linked by the security operations center with actionable threat intelligence, analytics and orchestration, and enabled by an open ecosystem.

Rajiv Gupta, CEO of Skyhigh Networks, will join the leadership team of McAfee CEO Chris Young to run McAfee’s new cloud business unit, whilst Skyhigh’s existing organizational structure will remain generally intact.

“Skyhigh Networks had the foresight five years ago to realize that cybersecurity for cloud environments could not be an impediment to, or afterthought of, cloud adoption,” Young said.

“Skyhigh’s leadership in cloud security, combined with McAfee’s security portfolio strength, will set the company apart in helping organizations operate freely and securely to reach their full potential.”

Gupta added that becoming part of McAfee is the ideal next step in realizing Skyhigh Networks’ vision of not simply making the cloud secure, but making it the most secure environment for business.

“McAfee will provide global scale to further accelerate Skyhigh’s growth, with the combined company providing leading technologies and solutions across cloud and endpoint security – categories Skyhigh and McAfee respectively helped create, and the two architectural control points for enterprise security.”

Categories: Cyber Risk News

Scarab Ransomware Uses Necurs to Spread to Millions of Inboxes

Mon, 11/27/2017 - 12:01

Security researchers are warning of a major new ransomware campaign using the infamous Necurs botnet to spread via millions of spam emails.

First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by inboxes. It was sent to 12.5 million email addresses in the first four hours alone, according to Forcepoint.

The unsolicited emails in question come with the well-worn “Scanned from {printer company name}” subject line and contain a 7zip attachment with a VBScript downloader.

The download domains used in the campaign are recognizable from their use in previous Necurs-based attacks, the vendor claimed.

“Once installed [the ransomware] proceeds to encrypt files, adding the extension ‘.[].scarab’ to affected files. A ransom note with the filename ‘IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT’ is dropped within each affected directory. The misspelling of ‘support’ is present in both the modified filenames and the ransom note, and is presumably a result of the availability of email addresses on the Protonmail service,” Forcepoint explained.

“Unusually, the note does not specify the amount being demanded, instead simply stating that ‘the price depends on how fast you write to us’. This note is also automatically opened by the malware after execution.”
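The lure and the on-disk artefacts Forcepoint describes are simple enough to turn into a triage check and a file-share scan. The following is an added example, not Forcepoint's or the article's own code: it matches the "Scanned from" subject line and archive/script attachments, and walks a directory tree for files carrying the appended ".[<contact address>].scarab" extension and the ransom-note filename. The contact address inside the brackets is a constructed placeholder (the real one is the misspelled Protonmail address quoted above), and the demo tree is built in a temporary directory.

```python
import os
import re
import tempfile

# Indicators taken from the description above: the appended extension
# ".[<contact address>].scarab" and the ransom-note filename.
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
SCARAB_EXT = re.compile(r"\.\[[^\]\\/]*\]\.scarab$", re.IGNORECASE)

# Lure characteristics: a "Scanned from <vendor>" subject with a 7zip attachment
# containing a VBScript downloader. Extension lists are an assumption for the example.
SCANNED_SUBJECT = re.compile(r"^\s*scanned from\b", re.IGNORECASE)
ARCHIVE_EXTS = (".7z", ".zip", ".rar")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def triage_email(subject, attachment_names):
    """Return the reasons a message matches the Scarab lure pattern (empty list if none)."""
    reasons = []
    if SCANNED_SUBJECT.search(subject):
        reasons.append("'Scanned from' subject")
    for name in attachment_names:
        lower = name.lower()
        if lower.endswith(ARCHIVE_EXTS):
            reasons.append(f"archive attachment {name}")
        if lower.endswith(SCRIPT_EXTS):
            reasons.append(f"script attachment {name}")
    return reasons


def scan_tree(root):
    """Walk a directory tree and collect Scarab artefacts, as paths relative to root."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.upper() == RANSOM_NOTE:
                notes.append(rel)
            elif SCARAB_EXT.search(name):
                encrypted.append(rel)
    affected = sorted({os.path.dirname(p) or "." for p in encrypted + notes})
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "affected_dirs": affected}


def demo():
    """Build a constructed tree mimicking a share after infection, then scan it."""
    root = tempfile.mkdtemp(prefix="scarab_demo_")
    layout = {
        "finance": ["Q3.xlsx.[contact@example.com].scarab", RANSOM_NOTE],
        "finance/archive": ["old.docx.[contact@example.com].scarab", RANSOM_NOTE],
        "public": ["readme.txt"],  # untouched directory, must not be reported
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample\n")
    return scan_tree(root)


if __name__ == "__main__":
    print(triage_email("Scanned from HP", ["image2017-11-23.7z"]))
    result = demo()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes "
          f"in {result['affected_dirs']}")
```

The scan deliberately keys on the bracketed-address pattern rather than the specific address, so a campaign that rotates its contact mailbox (as the BitMessage fallback suggests the authors anticipated) still matches; the ransom-note filename is the more stable of the two indicators and is worth a file-creation alert on any shared volume in its own right.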

Although payment is required in Bitcoins, email is set as the primary communication mechanism. This was the case with NotPetya earlier in the year, but as Forcepoint explains, it can be an unreliable tactic if providers move quickly to shut the domain down. That’s why an alternative BitMessage contact is also given.

Forcepoint explained that using large botnets like Necurs can give smaller ransomware actors the global reach they need to punch above their weight.

“It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns,” it concluded.

Fortunately, despite its wide distribution, Scarab is detected by most anti-malware vendors, according to Chris Doman, security researcher at AlienVault.

“Scarab looks less sophisticated than some other ransomware like Locky, and the usage of an e-mail based ransom payment system is very simple in contrast to its wide distribution,” he added.

Categories: Cyber Risk News

Number of Young UK Money Mules Doubles Since 2013

Mon, 11/27/2017 - 10:37

There has been a 75% increase in the misuse of bank accounts by young people to launder criminally obtained funds, according to new stats from Cifas.

The fraud prevention service claimed to have recorded 8652 cases between January and September 2017 — a big rise over the same period last year.

So-called “money mules” allow criminals to use their bank accounts to transfer their ill-gotten gains, helping to obfuscate the trail for investigators.

Most are told to withdraw the funds and wire them internationally, receiving a small sum in return for doing so.

Many take part in such schemes unaware they are doing anything illegal, which has prompted Cifas and government body Financial Fraud Action UK (FFA UK) to kick-start a new awareness-raising campaign: Don’t Be Fooled.

Cifas argued that many young people are approached by cyber-criminals with what appears to be a genuine job offer and the opportunity to earn some much-needed extra cash.

However, by agreeing they could be unwittingly fuelling global terrorism, people trafficking and sexual exploitation, the non-profit warned.

Money laundering also carries a maximum jail sentence in the UK of 14 years, and those caught out by banks’ sophisticated fraud filters could find it difficult to open an account elsewhere, it added.

“This is a serious issue that not only has consequences for the money mule, but for society as a whole,” argued Cifas CEO, Simon Dukes.

“The criminals behind money mules often use the cash to fund major crime, like terrorism and people trafficking. It’s this side of money muling that we want to raise awareness of with our new film. We want to educate young people about how serious this fraud is in the hope that they will think twice before getting involved.”

Back in May New York police busted a multi-million-dollar financial fraud ring which is alleged to have lured young participants via enticing social media ads.

Categories: Cyber Risk News

Imgur Breach Exposes 1.7 Million Users

Mon, 11/27/2017 - 10:01

Popular image-sharing site Imgur has revealed details of a data breach affecting a small percentage of its estimated 100 million monthly active users.

The firm’s COO, Roy Sehgal, confirmed that it was contacted by a researcher last Thursday about the breach of 1.7 million user accounts — which is said to have occurred back in 2014.

“The compromised account information included only email addresses and passwords. Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information (PII), so the information that was compromised did NOT include such PII,” he added.

“We are still investigating how the account information was compromised. We have always encrypted your password in our database, but it may have been cracked with brute force due to an older hashing algorithm (SHA-256) that was used at the time. We updated our algorithm to the new bcrypt algorithm last year.”
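Sehgal's remark about SHA-256 is the security-relevant detail here: SHA-256 is a fast, unsalted digest designed for integrity, so a leaked table of SHA-256 password hashes can be attacked at hundreds of millions of guesses per second, and every user with the same password shares the same hash. The following is an added example, not Imgur's code, showing both halves of the problem: a dictionary attack on an unsalted SHA-256 hash, and a salted, deliberately slow verifier. Imgur moved to bcrypt; this example uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in so that it runs without third-party packages (with the `bcrypt` package the equivalent calls are `bcrypt.hashpw` and `bcrypt.checkpw`). The wordlist and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed dictionary standing in for a real cracking wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine",
            "dragon", "imgur2014", "correcthorse"]


def sha256_hex(password):
    """Unsalted, single-round SHA-256: the fast scheme Imgur says it used in 2014."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(target_hex, wordlist=WORDLIST):
    """Dictionary attack. One digest per guess and no salt, so one pass over the
    wordlist cracks every user who chose that password."""
    for guess in wordlist:
        if sha256_hex(guess) == target_hex:
            return guess
    return None


# Slow, salted KDF. PBKDF2-HMAC-SHA256 stands in for bcrypt here; the iteration
# count is an assumption and should be tuned to the server's hardware.
ITERATIONS = 200_000


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Hash for storage. A fresh 16-byte random salt per user defeats rainbow
    tables and makes identical passwords produce different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def slowdown_factor(fast_guesses=20_000):
    """Rough ratio of the cost of one PBKDF2 guess to one bare SHA-256 guess."""
    t0 = time.perf_counter()
    for i in range(fast_guesses):
        sha256_hex(f"guess{i}")
    per_sha = (time.perf_counter() - t0) / fast_guesses
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * 16, ITERATIONS)
    per_pbkdf2 = time.perf_counter() - t0
    return per_pbkdf2 / per_sha


if __name__ == "__main__":
    leaked = sha256_hex("sunshine")          # what an attacker finds in the 2014-style dump
    print("cracked:", crack_sha256(leaked))
    stored = pbkdf2_hash("sunshine")
    print("stored :", stored)
    print("verify :", pbkdf2_verify("sunshine", stored), pbkdf2_verify("sunshin3", stored))
    print(f"each guess costs ~{slowdown_factor():,.0f}x more than unsalted SHA-256")
```

The ratio printed at the end is the whole argument for the migration Sehgal describes: the attacker's hardware does not change, so the only lever the defender has is the cost per guess, and a per-user salt ensures that cost is paid once per user rather than once per password.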

Despite the breach, Imgur has been praised for its swift handling of the incident, especially as it was contacted on the US Thanksgiving holiday last Thursday.

Impacted users were contacted by email on Friday and required to update their passwords. Sehgal advised individuals to choose strong credentials and not to reuse the same log-ins across other sites.

Aussie researcher Troy Hunt, who contacted Imgur in the first instance, described the firm’s incident response as 'exemplary'.

It’s certainly a far cry from that of Uber, which infamously revealed last week that it had tried to cover up a breach of 57 million users’ details last year by paying the hackers $100,000 to delete the stolen data.

Hunt explained that 60% of the email addresses listed were already in his haveibeenpwned database, highlighting the fact that data breaches are now the new normal.

Imgur’s revelations come after big name thefts from other US tech firms including MySpace, Yahoo and LinkedIn.

Categories: Cyber Risk News