Info Security


Hamas Uses Fake Dating Apps to Infiltrate Israeli Military

Wed, 07/04/2018 - 11:35

Hamas has been accused of running a sophisticated spyware operation designed to trick Israeli Defense Force (IDF) soldiers into downloading malicious apps.

Hundreds of IDF troops have been contacted by what the military says are fake profiles on social networks, in a campaign it is calling Operation Broken Heart.

After building up a rapport with the soldier on WhatsApp, the ‘woman’ in question typically sends a link to download a convincing-looking but malicious app.

These included dating apps such as GlanceLove, and apps offering goals and live scores from the World Cup, such as Golden Cup.

One suspicious-looking profile, which nevertheless had an Israeli phone number attached, belonged to a ‘Lina Kramer’ and was discovered in January. Those behind the campaign often explain away their broken Hebrew by claiming to be immigrants, the IDF said.

“Not long after the first attacker approached us, we’d already begun receiving dozens of reports from soldiers about suspicious figures and apps on social networks,” said ‘Colonel A,’ head of the IDF Information Security Department.

“Upon investigating the reports, we uncovered hostile infrastructure that Hamas tried to use to keep in contact with IDF soldiers and tempt them to download apps that were harmful, and use the soldiers to extract classified information."

The apps are said to be loaded with Trojan malware capable of switching on the mic and camera, accessing photos, phone numbers and email addresses of soldiers operating near the Palestinian border, and even gathering info on military bases.

The IDF's information security department has updated its guidance for soldiers in light of Broken Heart and is reportedly also sending soldiers fake messages of its own, to raise awareness of the dangers of clicking on links from virtual strangers.

Categories: Cyber Risk News

Iranian Attackers Spoof Security Site for Phishing Lure

Wed, 07/04/2018 - 10:42

An Iranian APT group has been spotted building a phishing site that uses the cybersecurity company which outed it as the lure.

Charming Kitten has been in operation since 2014 and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.

The firm claimed to have found more than 85 IP addresses, 240 malicious domains, hundreds of hosts, multiple fake entities and potentially thousands of victims linked to the group.

In a series of tweets this week, the firm said it had discovered the same group building a phishing site designed to capitalize on interest in the vendor’s findings.

“The fake website is clearskysecurity\.net (the real website is ). They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services,” it said.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them.”

One of the fake pages even displayed content of a previously outed Charming Kitten campaign, according to the firm.
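Impersonation domains of the kind described above (a brand's name under a different TLD, the brand embedded in a longer label, or a one-character typo) can be flagged mechanically in proxy or DNS logs. The following is an added example, not Clearsky's tooling and not code from the article; the brand, the legitimate domain and the log lines are constructed for the demonstration. The real Clearsky domain is not given on this page, so the example does not assume it.

```python
"""Flag hostnames that impersonate a brand's registrable domain.

Added example; the legitimate domain 'examplesec.com' and the log lines are
constructed, not taken from the article or from Clearsky.
"""
import re

# A minimal stand-in for the public suffix list; enough for the demo.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.il"}


def registrable(host):
    """Return (label, suffix) of the registrable domain, e.g. ('examplesec', 'co.uk')."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def edit_distance(a, b):
    """Levenshtein distance, counting an adjacent transposition as one edit."""
    prev = list(range(len(b) + 1))
    rows = [prev]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, rows[i - 2][j - 2] + 1)
            cur.append(best)
        rows.append(cur)
        prev = cur
    return prev[-1]


def classify(host, legitimate):
    """Return a reason string if host looks like an impersonation of one of the
    legitimate domains, else None. Subdomains of a legitimate domain are fine."""
    label, suffix = registrable(host)
    for legit in legitimate:
        brand, legit_suffix = registrable(legit)
        if (label, suffix) == (brand, legit_suffix):
            return None
        if label == brand:
            return f"brand label '{brand}' under other TLD ({suffix})"
        if brand in label:
            return f"brand '{brand}' embedded in '{label}'"
        if edit_distance(label, brand) == 1:
            return f"one-edit typo of '{brand}'"
    return None


def scan(lines, legitimate):
    """Pull the host out of each URL in the log lines and classify it."""
    hits = []
    for line in lines:
        m = re.search(r"https?://([^/\s]+)", line)
        if not m:
            continue
        host = m.group(1).split(":")[0]
        reason = classify(host, legitimate)
        if reason:
            hits.append((host, reason))
    return hits


# Constructed proxy-log excerpts (hypothetical hosts).
LOG_LINES = [
    "2018-07-04T09:12:01Z GET https://www.examplesec.com/research",
    "2018-07-04T09:13:45Z GET https://examplesec.net/signin",
    "2018-07-04T09:14:02Z GET https://login-examplesec.com/auth",
    "2018-07-04T09:15:30Z GET https://exampelsec.com/",
    "2018-07-04T09:16:00Z GET https://unrelated.org/",
]

if __name__ == "__main__":
    for host, reason in scan(LOG_LINES, ["examplesec.com"]):
        print(f"{host}: {reason}")
```

The suffix handling is deliberately naive; in production, use the public suffix list so that `brand.co.uk` and `brand.com` compare on the same label.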

The group is just one of a growing list of Iranian APT groups most likely backed by the Iranian government. These include APT34, which FireEye observed in December targeting governments in the Middle East.

Also notable is the CopyKittens group uncovered by Clearsky and Trend Micro. Active since 2013, it has focused on stealing data from Western and Middle Eastern government, defense and academic organizations using custom and commercial tools.

Categories: Cyber Risk News

Gmail Privacy Fears Emerge Over Third-Party Apps

Wed, 07/04/2018 - 10:15

Google is at the center of a new privacy storm after it was revealed that third-party app developers can read the content of Gmail users’ emails.

This “dirty secret,” as one source described it to the Wall Street Journal, affects users who choose to link their Gmail accounts to third-party applications for things like travel or shopping. 

In so doing they’re asked to grant permissions for the app to "Read, send, delete and manage your email." 

However, many users may not be aware that human eyes are perusing their personal emails as well as computer algorithms.  

The report claimed that in the case of marketing app Return Path, employees of the company read around 8,000 Gmail users’ emails to help develop the app. Email management app developer Edison Software also allowed its employees to read "thousands" of emails to hone its Smart Reply feature.

For its part, Google claimed to have strictly vetted those firms allowed access to users’ emails and said users are asked explicitly for their permission to do so, consistent with its policies.

However, when it comes to third-party apps, user privacy has become a major issue following the Cambridge Analytica scandal in which the details of 87m Facebook users were sold by an app developer for use in targeted political advertising. 

In 2015 the social network changed a policy that had allowed third-party developers to access the data of app users’ friends.

Evgeny Chereshnev, CEO of privacy firm Biolink.Tech, claimed that the GDPR demands that organizations improve users' awareness of how their data is being used.

“This type of access is going to continue, and people need to be aware that every time they connect to, or install, a third-party application on their mobile device, they are giving rights to those applications – often without even thinking about it,” he added.

“These applications gain access to users’ contacts, information about the user of the phone as well as things like GPS location, so this needs to be taken very seriously.”

Categories: Cyber Risk News

Bug Unblocks Friends for 800,000+ Facebook Users

Tue, 07/03/2018 - 13:42

Facebook users may have seen posts in their news feeds from people who had blocked them, because a bug was temporarily unblocking those people, the company announced yesterday.

On 2 July, Facebook started notifying more than 800,000 users that a bug in Facebook and Messenger had temporarily unblocked some people they had previously blocked. Active between 29 May and 5 June, the bug did not let a blocked person see content shared under tighter privacy settings, but if a post was public or visible to friends of friends, the blocked person could have seen it. Users whose privacy settings were set to "friends only" when sharing content would not have had any posts revealed to someone they had blocked.

Facebook apologized for what happened and explained that the bug did not restore friend connections with the blocked people. The company also noted that “83% of people affected by the bug had only one person they had blocked temporarily unblocked.” The issue has been fixed, and users were encouraged to check their blocked list to make sure that their settings were as intended.

It’s been a tough 2018 for Facebook, which recently admitted that it had continued to share data with 61 hardware and software makers even after CEO Mark Zuckerberg testified that the practice of sharing data with third parties ended in 2015.

In the early hours of Friday 29 June, Facebook submitted 747 pages of answers to the questions posed by the Senate and House committees on 10-11 April. Of the roughly 2,000 questions, many related to the scraping of data by third parties, an issue brought to light by the Cambridge Analytica scandal.

“We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So, we’re taking additional steps to put people more in control of their privacy,” Facebook wrote.

Categories: Cyber Risk News

Concern Mounts for SS7, Diameter Vulnerability

Tue, 07/03/2018 - 13:08

The same security flaws that plagued the older SS7 signaling protocol used in 2G and 3G networks are also present in the Diameter protocol used by today's 4G (LTE) voice and data networks, according to researchers at Positive Technologies and the European Union Agency for Network and Information Security (ENISA).

Signaling security on the interconnect is built on trust between operators and IPX providers, and Diameter, which replaced SS7 for 4G signaling, was meant to be a more secure signaling protocol. But when 4G operators misconfigure Diameter, the same classes of vulnerability persist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.   

Given that Diameter is slated to remain in use with 5G, reports that critical security capabilities are not being enabled in the Diameter deployments of 4G mobile networks are worrying. Of particular concern is that such misconfigurations could let an attacker cause denial of service for critical infrastructure that relies on mobile access, without needing any large-scale distributed attack capability.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over these signaling threats have also been raised before Congress, with pleas that it act immediately to protect the nation from the SS7 and Diameter vulnerabilities.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.
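To make the "trust between operators" point concrete, here is an added example (not code from Positive Technologies, ENISA, the Princeton testimony or this article) that parses the Diameter header and AVPs as laid out in RFC 6733 and applies one screening rule a home network's Diameter edge agent could enforce: accept an S6a Update-Location-Request only from realms on a roaming-partner allow-list, and reject anything arriving from the interconnect that claims to originate in the home realm. The command code (316), S6a application ID (16777251) and AVP codes are the standard values; the realms, host names, IMSI and allow-list are constructed for the demonstration.

```python
"""Minimal Diameter (RFC 6733) codec plus an interconnect screening rule.

Added example; the realms, hosts, IMSI and partner list are constructed.
"""
import struct

DIAMETER_VERSION = 1
FLAG_REQUEST = 0x80
FLAG_PROXIABLE = 0x40
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40

# Standard AVP codes (RFC 6733) and the S6a identifiers (3GPP TS 29.272).
AVP_USER_NAME = 1
AVP_ORIGIN_HOST = 264
AVP_DESTINATION_REALM = 283
AVP_ORIGIN_REALM = 296
CMD_UPDATE_LOCATION = 316
APP_S6A = 16777251

# Constructed policy data for the demo.
HOME_REALM = b"home.example"
ROAMING_PARTNERS = {b"partner.example"}


def _pad4(n):
    return (4 - n % 4) % 4


def encode_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """AVP header: code(4) flags(1) length(3, header included); data padded to 4 bytes."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * _pad4(len(data))


def encode_message(command, app_id, avps, flags=FLAG_REQUEST | FLAG_PROXIABLE, hop=1, end=1):
    """Header: version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    header = (bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
              + bytes([flags]) + command.to_bytes(3, "big")
              + struct.pack("!III", app_id, hop, end))
    return header + body


def decode_message(buf):
    """Parse header and AVPs; raise ValueError on anything malformed."""
    if len(buf) < 20 or buf[0] != DIAMETER_VERSION:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("length field does not match buffer")
    command = int.from_bytes(buf[5:8], "big")
    app_id, _hop, _end = struct.unpack("!III", buf[8:20])
    avps, pos = {}, 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", buf[pos:pos + 5])
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & AVP_FLAG_VENDOR else 8   # V flag: Vendor-ID(4) follows
        if alen < hdr or pos + alen > length:
            raise ValueError("bad AVP length")
        avps[code] = buf[pos + hdr:pos + alen]
        pos += alen + _pad4(alen)
    return {"flags": buf[4], "command": command, "app_id": app_id, "avps": avps}


def screen_inbound(buf, partners=ROAMING_PARTNERS, home_realm=HOME_REALM):
    """Decide whether a message arriving from the IPX side may enter the home network."""
    try:
        msg = decode_message(buf)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    avps = msg["avps"]
    origin_realm = avps.get(AVP_ORIGIN_REALM)
    if origin_realm is None or AVP_ORIGIN_HOST not in avps:
        return False, "missing Origin-Host/Origin-Realm"
    if origin_realm == home_realm:
        return False, "home realm claimed from the interconnect"
    if avps.get(AVP_DESTINATION_REALM) != home_realm:
        return False, "not addressed to the home realm"
    if msg["app_id"] == APP_S6A and msg["command"] == CMD_UPDATE_LOCATION:
        if origin_realm not in partners:
            return False, "ULR from non-partner realm " + origin_realm.decode(errors="replace")
    return True, "ok"


def build_ulr(imsi, origin_host, origin_realm, dest_realm=HOME_REALM):
    """Construct an S6a Update-Location-Request carrying the subscriber's IMSI."""
    return encode_message(CMD_UPDATE_LOCATION, APP_S6A, [
        encode_avp(AVP_ORIGIN_HOST, origin_host),
        encode_avp(AVP_ORIGIN_REALM, origin_realm),
        encode_avp(AVP_DESTINATION_REALM, dest_realm),
        encode_avp(AVP_USER_NAME, imsi.encode()),
    ])


if __name__ == "__main__":
    good = build_ulr("001010123456789", b"mme1.partner.example", b"partner.example")
    rogue = build_ulr("001010123456789", b"mme1.rogue.example", b"rogue.example")
    print(screen_inbound(good))   # (True, 'ok')
    print(screen_inbound(rogue))  # (False, 'ULR from non-partner realm rogue.example')
```

The allow-list check is the missing "authentication safeguard" in its simplest form: a realm string is not proof of origin, so a real deployment pairs it with the transport-level identity of the peer (TLS or IPsec to the IPX provider) and with rate and plausibility checks per subscriber.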

Categories: Cyber Risk News

Fourth Circuit Defines Standing in Data Breach Cases

Tue, 07/03/2018 - 12:34

Whether it’s Adidas, Ticketmaster or Typeform, the headlines have been littered with stories of yet another company hacked, and against that backdrop the United States Court of Appeals for the Fourth Circuit has weighed in on standing and on what counts as a threat of future injury in data breach litigation.

Article III, Section 2, Clause 1 of the U.S. Constitution requires that plaintiffs have suffered an injury and that the injury is fairly traceable to the challenged conduct. The injury, according to the American Bar Association, must be actual or certainly impending.

In the case of Hutton v. National Board of Examiners in Optometry (NBEO), filed 12 June 2018, “The court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.”

Several cases have come before the court, and Beck v. McDonald from 2017 is of particular importance to the Fourth Circuit's reasoning in Hutton. In Beck, the court ruled that the plaintiffs lacked standing because they alleged only a “threat of future injury”: laptops containing personal information had been stolen, but the information was not misused.

The difference found by the Fourth Circuit in Hutton is that the plaintiffs “noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their Social Security numbers and dates of birth.” The NBEO never acknowledged a security breach, but the plaintiffs – who had fraudulent credit card accounts opened using their stolen information – made the case that the company was the only commonality among them; thus, their information had not been adequately protected by the NBEO.

While the NBEO moved to dismiss the case, arguing that no actual harm had been inflicted, “The court emphasized, unlike in Beck, plaintiffs were 'concretely injured' as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.”

The floodgates for lawsuits have been opened, and it doesn’t appear that the river will dry up any time soon. With more plaintiffs filing claims that they were harmed after their personal information was compromised, the courts are trying to understand and define the actual and potential future harm that can result from unauthorized exposure.

Because of the ambiguity in determining the risk of future harm or the likelihood of misuse of stolen information versus actual harm, the circuit courts have disagreed on the issue of standing with Article III when ruling on data breach cases.

“Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a 'risk of future harm' exists,” wrote the National Law Review.

Categories: Cyber Risk News

NHS Developer Error Leads to Data Leak

Tue, 07/03/2018 - 10:15

A data leak at the NHS affecting 150,000 patients has been blamed on a software developer error.

The issue revolves around so-called Type-2 opt-outs, which patients can request when they don’t want their personal information to be used for anything other than their own care.

Some 150,000 of these objections, recorded in GP practices between March 2015 and June 2018, were not passed on to NHS Digital by the systems of TPP, the practices' software supplier.

The impact of the error was limited, according to a statement by parliamentary under-secretary of state for health Jackie Doyle-Price, because the data was ultimately used only in clinical audit and research, which is itself intended to improve patient care across the NHS.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she explained.

“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”

Type-2 objections have now been replaced by a national data opt-out designed to simplify the registering of an objection to wider data sharing.

However, the incident is the latest in a long line of data leaks and breaches stemming from third-party mistakes.

Incidents at PageUp, Typeform and Inbenta Technologies have all had a major impact on client organizations and their customers in the past couple of months.

Mike Smart, EMEA security strategist at Forcepoint, argued that developers must integrate multiple layers of protection into their products, especially with the requirements of the GDPR front-of-mind.

“It’s a clear indicator that relying too heavily on software will cause these mistakes to happen in the future,” he added. “We can’t afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live.”

Categories: Cyber Risk News

US to Ban China Mobile on Security Concerns

Tue, 07/03/2018 - 09:51

The Trump administration has told the Federal Communications Commission (FCC) to block China Mobile from entering the US telecoms market on national security grounds.

The state-backed telco's application for a Section 214 license, which would allow it to carry international voice traffic between the US and other countries, has been pending for seven years, according to the Commerce Department’s National Telecommunications and Information Administration (NTIA).

However, the administration has decided that granting such a license to a carrier funded by Beijing would present “unacceptable national security and law enforcement risks.”

“After significant engagement with China Mobile, concerns about increased risks to US law enforcement and national security interests were unable to be resolved,” said David Redl, assistant secretary for communications and information, in a statement.

“Therefore, the Executive Branch of the US government, through the National Telecommunications and Information Administration pursuant to its statutory responsibility to coordinate the presentation of views of the Executive Branch to the FCC, recommends that the FCC deny China Mobile’s Section 214 license request.”

China Mobile is the world’s largest mobile phone operator with nearly 900 million subscribers, but the vast majority are located within China, where it makes most of its money.

That’s why this snub will not have the kind of impact on the firm that the recent US sanctions against ZTE threatened to have on that company.

However, it’s yet another sign of the growing technology Cold War developing between the world’s two superpowers.

The Trump-fuelled trade war continued on Friday with promises of further tariffs on $34bn worth of Chinese goods, to which Beijing said it would respond in kind.

In the meantime, Huawei continues to be investigated for possible sanctions violations which could also see it penalized by the US authorities.

The hard line approach by the Trump administration also threatens to force an acceleration in Xi Jinping’s plans to become completely self-sufficient in the production of core technologies like processors.

Categories: Cyber Risk News

Whitbread Sounds Breach Alarm After PageUp Incident

Tue, 07/03/2018 - 09:13

Whitbread is the latest big-name company to have been affected by a breach at a popular third-party recruitment platform provider, it has emerged.

The UK hotel and coffee shop operator has admitted that some current and prospective employees’ data may have been compromised, thanks to an incident last month at Australian supplier PageUp.

An email sent by Whitbread to those potentially affected claimed that data handed to the company during the recruitment process “may have been accessed and could potentially (in combination with other information) be used for identity theft,” according to the Irish Times.

Whitbread isn’t disclosing how many people may have been affected, although it has roughly 50,000 staff in the UK, and owns brands including Costa Coffee and Premier Inn.

According to PageUp, the details exposed in the cyber-attack it disclosed last month included name, email address, physical address, telephone number, gender, date of birth and employment details: more than enough to craft convincing follow-on phishing emails.

The Australian provider says passwords were salted and hashed with bcrypt, but Whitbread is still advising individuals to change them if they used the same credential on other sites.
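Why a salted, slow hash still leaves password reuse dangerous is worth seeing in code. The following is an added example, not code from PageUp or Whitbread. PageUp reported bcrypt; bcrypt is not in the Python standard library, so hashlib.scrypt stands in here as the salted, cost-tunable password hash. The record format, the user's password and the wordlist are constructed for the demonstration.

```python
"""Salted, slow password hashing: what it protects and what it does not.

Added example; hashlib.scrypt is used in place of bcrypt (which is what PageUp
reported) because it ships with CPython. Record format and inputs are constructed.
"""
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _derive(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=dklen)


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, cost parameters, salt and digest.

    A fresh 16-byte random salt per record means the same password hashed by two
    sites (or twice by one site) yields unrelated digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = _derive(password, salt)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password, record):
    """Re-derive with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record type: " + algo)
    expected = bytes.fromhex(digest_hex)
    candidate = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p), len(expected))
    return hmac.compare_digest(candidate, expected)


def offline_guess(record, wordlist):
    """What an attacker holding a leaked record can still do: try guesses offline.

    The salt prevents precomputed tables and cross-site matching of digests, and the
    cost parameters slow each guess down, but a guessable password still falls.
    Returns (matching guess or None, number of attempts)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if verify_password(guess, record):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed: one person reusing one password on two sites.
    site_a = hash_password("Summer2018!")
    site_b = hash_password("Summer2018!")
    print(site_a.split("$")[5] == site_b.split("$")[5])   # False: per-site salts
    print(verify_password("Summer2018!", site_a))         # True
    # Constructed wordlist: the leaked record from site A gives up the password,
    # which is exactly why it must be changed everywhere it was reused.
    print(offline_guess(site_a, ["password", "123456", "letmein", "Summer2018!"]))
```

The cost parameters are the knob that matters once the record has leaked: each guess costs the attacker as much as a login costs the site, so tune them to the slowest acceptable login rather than the default.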

The firm has also suspended its use of the third-party recruitment platform for now.

David Kennerley, director of threat research at cybersecurity company Webroot, argued the case highlights the need for companies to vet their supply chains more rigorously.

“The fact that information like date of births and even maiden names have been stolen along with email addresses gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft,” he added.

“Businesses of all sizes need to prioritize the security of critical and personal information, as you’re never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch, but also that any third party dealing with sensitive data or accessing your network does so in the right way too.”

That’s especially true in the new GDPR era, in which both data controllers and the processors working on their behalf are responsible for keeping customer and employee personal data secure.

Categories: Cyber Risk News

Facial Recognition IDs Capital Gazette Shooter

Mon, 07/02/2018 - 14:09

Though controversial and criticized for high false-positive rates, facial recognition software delivered a clear win for police in Annapolis, Maryland, after a gunman attacked the Capital Gazette newsroom, killing five journalists and wounding others.

After police took the suspected gunman into custody, a fingerprint database returned no results. The man reportedly had no identification on his person and refused to speak to investigators. According to the Washington Post, investigators ran his photo in Maryland’s facial recognition database, the Maryland Image Repository System (MIRS), and the system returned a match.

Unlike in other cases, the technology produced a clear success in Annapolis and reportedly saved time as investigators worked both to identify the suspect and to determine whether there were additional culprits. Anne Arundel County police chief Tim Altomare confirmed that facial recognition, alongside other investigative techniques, helped identify the suspect, and that there are no other suspects.

In 2013, a grant aimed at the problem of uncooperative suspects, who provide little or inaccurate information about their identities, was awarded to the Automated Regional Justice Information System (ARJIS), a consortium of 82 local, state and federal law enforcement agencies. That began its work on facial-recognition query systems for use by law enforcement agencies.

At the time, facial recognition was a fairly new concept. Originally, the ARJIS database contained over 1,300,000 booking photos from San Diego County and more than 93,000 images from the booking system of the Chula Vista Police Department. According to the Electronic Frontier Foundation, use has since increased rapidly without meaningful oversight.

Despite the debates over the accuracy of the technology, a former lieutenant commander with the New York City Police Department’s cold case squad told the Washington Post that this case will likely embolden advocates of the technology and bring attention to the technology from law enforcement agencies. 

“The facial recognition system performed as designed,” said Stephen T. Moyer, secretary of Maryland’s Department of Public Safety and Correctional Services (DPSCS), in a statement. “It has been and continues to be a valuable tool for fighting crime in our state.”

Categories: Cyber Risk News

SAP Risk Not Understood by C-Level

Mon, 07/02/2018 - 13:00

A new survey of executives and of IT and security professionals found that executives are far less likely than IT and security staff to be extremely concerned about SAP security, a gap that could undermine the development of sound cybersecurity strategies, according to ERP Maestro.

Given that enterprise resource planning (ERP) systems process so much transactional data and are often targets for attacks, Americas' SAP Users' Group (ASUG) conducted a May survey of C-level executives and IT and security professionals. Sponsored by ERP Maestro, the survey included responses from customers using both cloud and on-premise SAP solutions. SAP remains the dominant core ERP system used among ASUG members, and it is used to process 77% of the world’s transaction revenue.

The survey showed a sizable gap between executives and other professional groups in their perception of SAP security risks. The most substantial disparity exists between executives and those directly responsible for IT and security.

Only 25% of executives said that they were extremely concerned about security. That number is in stark contrast to the 80% of IT and security respondents whose concern level is in the range of very or extremely concerned.

“Dedicated security professionals understand the nuances of security and see it as a significant challenge. They likely have a more accurate assessment of their environment,” the report said. “The lack of concern among executive-level employees may indicate that more education is needed among this cohort to help increase understanding of the potential risks and insider threats.”

According to the survey, 82% of respondents said their systems have only minor vulnerabilities, while 5% rated their systems as impenetrable and 8% did not know how to classify them. One-third of respondents have no defined cybersecurity strategy.

“One of our biggest challenges, and also an objective in the work we do with SAP customers, is bridging the divide between executives and IT/security teams so that they are all on the same page when it comes to understanding their level of risk,” said Britta Simms, IBM's lead for Global Center of Competency SAP Security.

“That joint knowledge is crucial in forming comprehensive strategies and getting buy-in across the organization for the best prevention plans and tools. It’s also a competitive advantage.”

Categories: Cyber Risk News