Info Security

#CLOUDSEC2017: 'Our Job Has Never Been More Important', Says Jane Frankland

Tue, 09/05/2017 - 10:05

“Never before has there been a time when our job was so important as it is now.”

These were the words of Jane Frankland, cybersecurity speaker, writer and entrepreneur, speaking in the opening session of CLOUDSEC 2017 in central London today.

Frankland said that business is transforming, the world is becoming much more connected and technology is rapidly advancing with speed and agility becoming the new currency.

“Just think about what we [security pros] do. We secure the world. We protect it, and we secure our future. We ensure the confidentiality, integrity and availability of information. We protect people, businesses and countries from cybercrime, criminals and terrorists.

“Just acknowledge for one second the importance of the job you do, because it’s not very often that we do that. Imagine what the world would look like without us”, Frankland added.

Every day security professionals wake up to encounter a new threat actor without a face, she said, and every day we’re reminded just how smart and creative (even collaborative) cyber-criminals are, and how they can operate beyond any boundaries, laws or regulations.

“Every day we are definitely outnumbered and outgunned,” Frankland admitted, “but every day we wake up and show up to our jobs and we are hopeful and we are optimistic, because we know that we are not defeated. We know that by adapting and changing, and learning how to give to gain rather than to lose; to think more creatively; to collaborate and communicate better, we actually have a chance.”

It’s our job to be able to detect attacks, respond to them and recover from them in as timely a manner as possible with a minimum impact to the business, Frankland concluded. “It’s also our job to collaborate with key stakeholders and make them understand why this matters to them and not just to us.”

Categories: Cyber Risk News

Four Million Time Warner Customers Caught in Privacy Snafu

Tue, 09/05/2017 - 09:21

Over four million Time Warner Cable (TWC) customers may have had their personal details exposed after news emerged of yet another cloud-based database misconfiguration.

TWC partner and global communications provider BroadSoft appears to be the culprit this time around after two AWS S3 buckets were found to have been configured to allow public access.

That mistake effectively exposed 600GB of sensitive data to the public internet, according to Bob Diachenko, chief communications officer at security vendor Kromtech.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” he explained.

“Not only could they access the documents but any ‘Authenticated Users’ could have downloaded the data from the URL or using other applications. With no security in place just a simple anonymous login would work.”

Although the researchers discovered “thousands and thousands [of] records and reports” belonging to BroadSoft clients, TWC appears to have been the most prominent firm affected.

“For example ‘User Profile Dump, 07-07-2017’ text file contains more than 4 million records, spanning the time period 11-26-2010 - 07-07-2017, with Transaction ID, user names, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more,” said Diachenko. “Other databases also have billing addresses, phone numbers etc. for hundreds of thousands of TWC customers.”

It’s not just user information that has been compromised: Kromtech confirmed that BroadSoft also leaked internal credentials which could have allowed hackers to access key systems, potentially exposing even more data.

A few days after the discovery, Kromtech sent a note to one of the BroadSoft engineers in Bangalore whose email details were found in the repository.

Although the individual in question denied the company’s involvement, the repository in question was apparently made secure almost immediately. The second one was secured again after a notification email was sent.

The news comes at around the same time as a similar privacy snafu at US private security firm TigerSwan, blamed on a third-party recruitment partner, which exposed the CVs and job applications of thousands of military vets, many with top secret government clearance.

Jeff Hill, director of product management at Prevalent, argued the cases show that data threats often come from insiders rather than shadowy hackers.

“The Broadsoft episode underscores the relevance of the age-old aphorism ‘never attribute to malice that which can be reasonably explained by stupidity’,” he added.

“Visibility into your vendors’ controls via a comprehensive third party risk management program provides insight into not just the controls and technologies that prevent or mitigate attacks by the bad guys, but also the procedures and policies that are meant to prevent untrained or careless employees acting innocently to inadvertently expose sensitive data in the vendors’ custody.”

Categories: Cyber Risk News

Non-Profit Calls for UK-Ireland Cyber Task Force

Mon, 09/04/2017 - 10:38

The UK and Ireland need to form a joint cyber-task force to deal with the growing online threat to both nations in a post-Brexit world, a leading industry non-profit has claimed.

Paul Dwyer, president of the International Cyber Threat Task Force (ICCTF), argued over the weekend that current Brexit negotiations are failing to address security concerns on both sides.

“There are concerns from the business and cybersecurity communities about the implications Brexit will have on existing cybersecurity, privacy and data-protection laws,” he said, according to the Irish Times.

“Many Irish and UK businesses don’t want to bet on the negotiations between the EU and the UK going well.”

It’s unclear exactly which challenges Dwyer is referring to, although the UK has already signaled its intent to implement the EU GDPR in domestic law via the Digital Protection Bill, and to also transpose the NIS Directive into domestic legislation.

“The group would deal with the specific challenges arising from the new EU cyber legislation, Brexit and work with governments in order to protect businesses in Ireland and the UK,” Dwyer said.

“The overwhelming array of sophisticated cyber-attack techniques and the sheer amount of cyber-criminals combined with a potential legal impotency post-Brexit is a real concern for many businesses. What we need is for Ireland to take the lead on this and work with the UK to establish a joint cyber-task force to deal with these issues post-Brexit.”

There are concerns that post-Brexit Britain will be more at risk from cyber-threats as the NCA, GCHQ and other bodies will share less information with their European counterparts.

It’s also been claimed that it could get harder for the cybersecurity industry in the UK to recruit the brightest and best talent from the continent, which is especially concerning given the parlous state of the jobs market already.

An AlienVault survey of over 300 IT professionals at Infosecurity Europe this year found that 38% fear leaving the EU could make the UK more vulnerable to cyber-attacks.

Categories: Cyber Risk News

Thousands of Military Vets’ Details Exposed in S3 Privacy Snafu

Mon, 09/04/2017 - 09:50

A database containing the personal details of thousands of US military vets, including some with top secret government security clearance, has been exposed to the public internet, UpGuard has revealed.

The security vendor’s director of cyber risk research, Chris Vickery, discovered the files in a misconfigured AWS S3 data storage bucket located at the subdomain 'tigerswanresumes'.

TigerSwan is a North Carolina-based private security firm which hires former servicemen and women, law enforcers and the like.

Most worryingly, despite being contacted by UpGuard about the privacy snafu, the firm failed to secure the details for another month, meaning they remained exposed to the public internet, according to cyber resilience analyst, Dan O’Sullivan.

The firm told UpGuard that the error was originally made by a third-party recruitment partner, which accounts for the large numbers of CVs and job application documents.

“The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses,” explained O’Sullivan.

“Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers. Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.”

In total, the researchers found 9402 highly sensitive documents inside a folder marked 'Resumes', including information on four Iraqi and four Afghan nationals who worked for US and Coalition forces in their respective countries.

The discovery highlights an increasingly common and highly preventable insider threat which betrays a lack of training and major internal process failures.
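Both the BroadSoft buckets and the TigerSwan bucket above were exposed through the same mechanism: an S3 access control list that grants a permission to one of AWS’s global groups. The check below is an added example, not code from the article or from Kromtech or UpGuard; it walks ACLs in the shape boto3’s `get_bucket_acl()` returns (with a constructed `Bucket` label added for reporting), so it runs offline. The two global group URIs are AWS’s real identifiers; the bucket names and owner ID are placeholders.

```python
"""Flag S3 bucket ACL grants that open a bucket to the public.

Added example (not from the article, Kromtech or UpGuard). The ACLs are
constructed inline in the shape boto3's s3.get_bucket_acl() returns,
plus a "Bucket" label for reporting, so the check runs offline.
"""
from typing import Dict, List

# Real predefined-group URIs AWS uses in S3 ACLs. A grant to either one
# is what makes a bucket "public": AllUsers needs no credentials at all;
# AuthenticatedUsers only needs *any* AWS account, which is the
# "Authenticated Users" case Diachenko describes.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Permissions that expose data or let an outsider rewrite the ACL itself.
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return every grant in ``acl`` that hands a permission to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are not "public"
        uri = grantee.get("URI", "")
        permission = grant.get("Permission", "")
        if uri in PUBLIC_GROUPS and permission in RISKY_PERMISSIONS:
            findings.append({
                "bucket": acl["Bucket"],
                "who": PUBLIC_GROUPS[uri],
                "permission": permission,
            })
    return findings


def audit(acls: List[Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map each bucket name to its public grants (empty list = not public)."""
    return {acl["Bucket"]: public_grants(acl) for acl in acls}


# Constructed sample ACLs with hypothetical bucket names. The first two
# show the two failure modes from the articles; the third is private.
SAMPLE_ACLS = [
    {
        "Bucket": "example-profile-dumps",
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
    {
        "Bucket": "example-resumes",
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "READ"},
        ],
    },
    {
        "Bucket": "example-private",
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
             "Permission": "FULL_CONTROL"},
            # LogDelivery is an AWS group too, but not a public one.
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
             "Permission": "WRITE"},
        ],
    },
]

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_ACLS).items():
        if findings:
            for f in findings:
                print(f"PUBLIC  {bucket}: {f['permission']} granted to {f['who']}")
        else:
            print(f"ok      {bucket}")
```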

In July, Verizon admitted a similar error when data on at least six million customers was exposed in a misconfigured S3 bucket by third party partner Nice Systems.

Categories: Cyber Risk News

Instagram Hackers May Have Details on Six Million Users

Mon, 09/04/2017 - 09:12

Hackers are claiming to have obtained the personal details of as many as six million Instagram users, including those of celebrities such as Emma Watson, Leonardo Di Caprio and David Beckham.

The cyber-criminals are believed to have exploited a bug in the popular photo service’s mobile API which exposed email addresses, phone and other profile information.

Although that vulnerability has now been patched, the hackers still have the stolen info and reportedly launched a look-up service – Doxagram – where users can search a database of over six million users for $10 per search.

That’s significantly more than at first thought, and could include the details of regular as well as celebrity 'verified status' users.

However, Doxagram was down at the time of writing, and reports have emerged that Instagram has been registering similar domains, presumably to prevent its admins from switching it to a new location.

Instagram co-founder and CTO, Mike Krieger, confirmed the incident on Friday, claiming that no passwords were taken in the online raid and urging users to be on the lookout for follow-on phishing and vishing attempts.

“We quickly fixed the bug, and have been working with law enforcement on the matter,” he added. “Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts.”

UK-based cybersecurity vendor RepKnight claimed to have identified 500 celebrities whose details were stolen in the attack, including Emilia Clarke, Harry Styles, Taylor Swift, Adele, Beyoncé and Ronaldinho.

“The attack just goes to show the growing threat of the dark web. If you’ve been hacked and someone’s posted your contact details on a site that Google cannot reach, you’re highly unlikely to ever understand the severity of that hack,” it said.

“Everyone is at risk of the dark web these days — not just A-list celebrities.”

Categories: Cyber Risk News

GitLab Vulns Could Lead to Session Hijacking

Fri, 09/01/2017 - 17:21

During a recent pen test of GitLab, Imperva researchers were surprised to come across a vulnerability that leaves users exposed to session hijacking attacks.

The vulnerability stems from the type of session tokens used by GitLab. According to Imperva, the tokens are troublesome because they are short, making them susceptible to brute-force attacks; they are persistent, meaning they never expire; and they lack role-based access control, meaning a simple copy/paste of the token grants access to every actionable item on the GitLab platform, e.g. user dashboards, account information, individual projects and website code.

Session hijacking is a serious threat to online users’ privacy, money and identity; it involves the interception of session tokens that identify individual users logged into a website. An attacker can use a hijacked token to access a user’s account, make illegal purchases, change login credentials and access credit-card details, among other things.

In this case, the vulnerability can have wide-ranging consequences, given that GitLab is a widely used SaaS provider that focuses on developer-related issues, including Git repository management, issue tracking and code review.

Methods for stealing session tokens include man-in-the-middle (MITM) attacks, in which forged authentication keys are used to pass off a connection as secure; brute-force attacks, in which a botnet executes millions of requests using random session IDs until an authorized token is found; and SQL injection, in which malicious SQL code is used to access sensitive data, Imperva noted in an analysis.

GitLab has already taken steps to minimize the exposure of private tokens, and has introduced role-based security controls to minimize the access a compromised token would provide. Additionally, GitLab is replacing private tokens with RSS tokens for fetching RSS feeds to avoid exposing session IDs; and is gradually phasing out private tokens altogether.
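The three token weaknesses Imperva lists (short, never expiring, no role-based limits) map directly onto three checks a session store should make. The following is an added example, not GitLab’s or Imperva’s code: an in-memory store with hypothetical scope names and an assumed eight-hour TTL, showing token issuance from a CSPRNG, expiry enforcement, scope enforcement and a crude length-based entropy check.

```python
"""Session-token hygiene for the three weaknesses Imperva lists:
short tokens, tokens that never expire, and tokens with no scope.

Added example, not GitLab's or Imperva's code. The store, the scope
names and the TTL are hypothetical; everything is in memory so the
script runs offline.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MIN_TOKEN_BYTES = 32            # 256 bits of randomness: brute force is infeasible
DEFAULT_TTL_SECONDS = 8 * 3600  # assumed 8h; sessions must expire, not persist


@dataclass
class Session:
    user: str
    scopes: frozenset   # role-based limit on what this token may do
    issued_at: float
    expires_at: float


class SessionStore:
    """Keys sessions by a SHA-256 *hash* of the token, so a leaked copy of
    the store does not hand out usable tokens."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, scopes, ttl: int = DEFAULT_TTL_SECONDS,
              now: Optional[float] = None) -> str:
        """Create a session and return the only plaintext copy of its token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(MIN_TOKEN_BYTES)  # CSPRNG, 43 url-safe chars
        self._sessions[self._key(token)] = Session(
            user=user, scopes=frozenset(scopes),
            issued_at=now, expires_at=now + ttl)
        return token

    def authorize(self, token: str, required_scope: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Return the user if the token is known, unexpired and carries the
        required scope; otherwise None. Every check fails closed."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None                 # unknown or already revoked
        if now >= session.expires_at:
            del self._sessions[key]     # reap the dead session on first use
            return None
        if required_scope not in session.scopes:
            return None                 # valid token, wrong role
        return session.user

    def revoke(self, token: str) -> bool:
        """Invalidate a token immediately (logout, suspected theft)."""
        return self._sessions.pop(self._key(token), None) is not None


def token_too_short(token: str, min_bytes: int = MIN_TOKEN_BYTES) -> bool:
    """Crude entropy ceiling for a url-safe base64 token: each character
    carries at most 6 bits, so fewer than min_bytes*8/6 characters cannot
    hold min_bytes of randomness however they were generated."""
    return len(token) * 6 < min_bytes * 8


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    tok = store.issue("alice", {"read_repo"}, ttl=3600, now=t0)
    print("long enough:", not token_too_short(tok))
    print("read_repo now:", store.authorize(tok, "read_repo", now=t0 + 10))
    print("admin now:    ", store.authorize(tok, "admin", now=t0 + 10))
    print("read_repo +1h:", store.authorize(tok, "read_repo", now=t0 + 3600))
```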

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/

Categories: Cyber Risk News

MacEwan University Defrauded Out of $11.8mn in Phishing Attack

Fri, 09/01/2017 - 16:27

MacEwan University in Edmonton, Alberta has been defrauded of $11.8 million, thanks to a phishing attack.

The university uncovered the issue on Aug. 23.

A member or members of the university’s staff fell for a classic business email compromise (BEC) gambit after receiving a request to purportedly change the electronic banking information on file for one of the university’s major vendors. Believing the email to be legitimate, the staff made that change without verifying the veracity of the sender, resulting in a transfer of funds into a bank account controlled by the bad actors.

“There is never a good time for something like this to happen,” said university spokesman David Beharry, in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”

Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. It was able to track down more than $11.4 million of the stolen money, found to be in bank accounts in Canada and Hong Kong, the university said. Those funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover them; the status of the balance of the funds remains unknown.

Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate security units of the banks involved with the e-transfers are working to resolve the criminal aspect of the case. 

The university has conducted an interim audit of business processes, and said that controls were put in place to prevent further incidents.

“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said.

William MacArthur, threat researcher, RiskIQ, told us that having those controls—or at the very least, employee training on social engineering—would have made a big difference.

“These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information,” he said. “These attacks go after those who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.”

He also warned that phishing comes in many forms.

“It’s like a constant game of chess, except they have more pieces and always on the offensive,” he said. “They also evolve to keep up with the changes happening in everyday life. How we work and communicate, and the channels on which we do so, are always changing—as are the way we use sensitive personal and financial data. Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms (basically, anything that connects people) and replicate exactly the apps we trust with sensitive data every day to fool people.”

Categories: Cyber Risk News

Juniper to Acquire Cyphort

Fri, 09/01/2017 - 16:25

Juniper Networks said that it plans to acquire start-up cybersecurity firm Cyphort, to shore up its own cyber-portfolio—including its virtualized security offerings.

Santa Clara-based Cyphort offers advanced threat detection, analytics and mitigation, which will be integrated with Juniper’s Sky advanced threat protection (ATP) product line. Juniper said that customers can expect improved performance, an increased range of supported file types and additional threat detection capabilities (e.g., on- and off-premises support, cloud email, analytics and improved malware detection).

Cyphort’s technology complements traditional security information and event management (SIEM) platforms, but it also rests on a combination of behavioral analytics and machine learning that can work across virtual infrastructure and cloud environments. As such, it will complement Juniper’s Software-Defined Secure Network portfolio. It offers NGFW-as-a-service combined with real-time threat intelligence, aggregated into a common, cloud-based service that offers dynamic distribution of updated policies and remediation countermeasures.

“As cloud-based ATP is becoming a critical feature of next-generation firewalls (NGFW), Juniper intends to be a leader in the NGFW space as it’s critical to our Software-Defined Secure Network vision,” said Kevin Hutchins, Juniper’s senior vice president of strategy, in a blog.

The acquisition is expected to close within the next month. Terms of the deal were not disclosed, but Cyphort has drawn $53.7 million to date in venture capital, across four rounds.

Categories: Cyber Risk News

HackerOne Expects $100m Paid Out in Bounties by 2020

Fri, 09/01/2017 - 10:34

Popular bug bounty platform HackerOne is aiming to generate $100m in payments to ethical hackers for vulnerabilities they find and disclose through the site by 2020.

CEO Marten Mickos claimed in a blog post that the platform has already helped over 100,000 hackers to find and fix 50,000 vulnerabilities, resulting in pay-outs of more than $20m.

This so-called 'hacker-powered security' can help root out the bugs typically not found by automated tools and can end up saving the organization in question in the long-run – given the expense associated with hiring an outside auditing firm.

That’s part of the reason why even the US Department of Defense last year joined up and has been running various programs including Hack the Pentagon, Hack the Army and Hack the Air Force.

Most recently, Tor announced its own program with HackerOne in recognition of the millions of political dissidents, journalists and others around the world who rely on it to keep their browsing private.

In an example of some of the riches on offer for ethical hackers, Facebook announced in July that it is increasing the size of its Internet Defense Prize to $1m, while Microsoft launched a new Windows Bounty Program with a top pay-out of $250,000.

“Just a few years ago, bug bounty programs were the privilege of few cloud-based companies. The hackers powering them counted in the thousands, and rewards were modest. Today we stand here 100,000 hackers strong, with 50,000 vulnerabilities eradicated and $20 million in rewards distributed to the heroes of hacker-powered security,” explained Mickos.

“Soon we will have 1 million hackers, 200,000 vulnerabilities found and fixed, and $100 million paid out in rewards. The savings thanks to avoidance of data breaches will be on the order of $10 billion. This is huge, and it’s just the beginning.”

Categories: Cyber Risk News

Foreign Firms Should Fear New Chinese Cyber-Law: Report

Fri, 09/01/2017 - 10:01

China’s new Cybersecurity Law (CSL) could expose Western firms and their customers to significant new security risks if the state chooses to launch ‘national security’ investigations, demanding IP and source code, according to a new report.

In it, threat intelligence firm Recorded Future claims foreign multi-nationals operating in China will be faced with a stark choice: comply with the law’s “onerous, vague, and broad new legal requirements” or be denied access to the huge mainland China market.

It argues that the new law gives sweeping new powers to the China Information Technology Evaluation Center (CNITSEC), part of the Ministry of State Security (MSS), the fearsome spy agency which is said to be home to threat group APT3.

CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments” and may use bugs found in such tests in its intelligence gathering, the report claims, citing a US State Department cable.

This makes it highly likely that if CNITSEC were asked to investigate any foreign firm for national security reasons, it could hand over the resulting intelligence to the MSS for use in state-sponsored cyber-attacks, Recorded Future claims.

That means elevated risk to the investigated company’s own machines and networks, its products and services, and its customers and users around the world.

Such firms could also find themselves on the end of a public relations backlash in Europe and North America, and could be deemed too risky for use by governments there as a result, the report continues.

“Most products and services utilized in China will not be wholly unique from their global counterparts, raising the risk that vulnerabilities discovered by the MSS could be utilized to exploit international users of these machines, networks, products, and services,” the report notes.

Cloud providers are at greatest risk because they could be defined as “critical information infrastructure” and therefore subject to more checks, it claims.

However, any company defined as a 'network operator' could come under investigation. This term could cover financial institutions, cybersecurity providers or indeed any enterprise that has a website and provides network services, the report suggests.

“It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property,” the report warns.

Categories: Cyber Risk News

Crypto-Ransomware Targets 20 Million Inboxes

Fri, 09/01/2017 - 09:19

Security researchers are warning of another major crypto-ransomware campaign which has so far been observed attacking 20 million user inboxes.

The threat, discovered in the second half of this week, arrives as many similar ransomware attacks do in the form of an unsolicited email.

The email itself is spoofed to appear to come from a legitimate source, and the attachment name and number are included in the subject line and body of the message, for example: “Emailing: Payment_201708-6165”.

“This attachment is a JavaScript file in a 7zip archive that the Barracuda ATP Dynamic Analysis Layer identifies as a ‘file-encryption/ransomware’ type virus,” explained Barracuda Networks lead platform architect, Eugene Weiss.

He added that the best course of action is to have in place dedicated email security which will block the attack before it even arrives in the network.

The alert is just the latest in a long line of large-scale ransomware threats which have dominated 2017 so far.

In fact, Symantec reckons this year is set to top 2016 in terms of volume of infections.

It claimed to have observed 319,000 already during the first half of 2017, with 470,000 blocked during the whole of last year.

Also this week the latest variant of Locky resurfaced in 23 million emails sent out within a 24-hour period, according to AppRiver.

The email subject lines were kept deliberately vague, featuring words and phrases like “please print”, “documents”, and “photo”.

They feature a ZIP attachment containing a Visual Basic Script (VBS) file that if clicked will begin a Locky download.

Victims are required to pay an eye-watering $2150 (BTC 0.5) to ‘regain’ access to their files.

Also this week, it emerged that NHS Lanarkshire was forced to cancel operations over the bank holiday weekend in the UK after it was hit by Bitpaymer ransomware.

The same Trust was badly affected by WannaCry earlier in the year, highlighting the continued challenges facing NHS IT leaders in keeping systems resilient.

Categories: Cyber Risk News

OurMine Takes Down WikiLeaks—Again

Thu, 08/31/2017 - 18:10

OurMine, the hacking group that claims to just really care about their victims’ security profiles, is back, after apparently hacking WikiLeaks.

WikiLeaks’ website was defaced this morning, with the homepage at WikiLeaks.org displaying a message that indicated that its efforts in this case were not altruistic (even in a lip-service kind of way): “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

According to the Verge, some visitors saw the message while others didn’t; and some got a message announcing that WikiLeaks’ account has been suspended entirely. As of this writing, the website was back in business, with its usual front-page links to Vault 7, its trove of hacking tools.

In any event, this seems to be the latest entry in the ongoing spat between OurMine and Anonymous.

OurMine has made a name for itself by breaking into bigwigs’ social media accounts, including Google CEO Sundar Pichai, Facebook founder Mark Zuckerberg and Uber CEO Travis Kalanick. Its efforts, it said, are meant to alert users to the security flaws in their habits and systems. It has also targeted organizations, including the New York Times and Buzzfeed, and in December of 2015 it took down WikiLeaks.

Anonymous, a longtime Julian Assange and WikiLeaks supporter, promptly doxed OurMine after that incident, claiming to publish personal info about the group. While the information was taken down, OurMine claimed that Anonymous continued to harass its members. In retaliation, in July 2016, OurMine DDoSed WikiLeaks, successfully knocking the website offline for a few hours.

And now this. In Thursday’s homepage message, OurMine added: “Anonymous, remember when you tried to dox us with fake information for attacking wikileaks [sic]? There we go! One group beat you all! #WikileaksHack lets get it trending on twitter [sic]!”

OurMine could be ramping up activities again; earlier in August it kicked HBO while the premium network was down and reeling from its extortionist harassers, taking over the company’s Twitter and Facebook accounts.

“Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security – ourmine .org -> Contact,” it posted.

Categories: Cyber Risk News

Nottinghamshire County Council Exposes Elderly, Disabled PII for 5 Years

Thu, 08/31/2017 - 17:54

The Nottinghamshire County Council in the UK has been fined £70,000 by the Information Commissioner’s Office for leaving vulnerable people’s personal information exposed online for five years.

The UK’s Data Protection Act requires organizations to take appropriate measures to keep personal data secure, especially when dealing with sensitive information. But the council in this case posted very personal information on elderly and disabled people in an online directory, which was left open to anyone on the internet thanks to a lack of basic security or access restrictions—not even a username or password.

The council had launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user, in July 2011. When the breach was reported in June 2016, the HCAS system contained a directory of 81 service users. In total, the data of 3,000 people had been posted in the five years the system was online.

The data exposed included people’s gender, addresses and post codes, personal care needs and requirements such as the number of home visits per day, and whether they had been or were still in hospital. Although the service users’ names were not included, a determined person would be able to identify them.

The situation was discovered when a random person stumbled across the data (and was able to access it with no need to log in) while using a search engine. This member of the public alerted the ICO out of concern that the information could be used by criminals to target vulnerable people or their homes – especially as it even revealed whether or not they were still in hospital.

“This was a serious and prolonged breach of the law,” said ICO head of enforcement Steve Eckersley. “For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”

He added, “Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organizations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

The ICO has not been shy of assigning fines of late; in July for instance it slapped Moneysupermarket.com with an £80,000 fine after it was found guilty of sending millions of nuisance emails to customers.

Categories: Cyber Risk News

Cyber-squatters Target Luxury Brands from Fendi to Prada

Thu, 08/31/2017 - 17:49

Fan of Fendi? Lover of Louboutin? Gaga for Gucci? Be careful, as there are more than 500 websites out there that are actively tricking web users into thinking they’re legitimate luxury fashion websites.

DomainTools has uncovered a widespread trend of cyber-squatters targeting global haute couture brands, with 538 registered domains using the trademarked names of eight of the world’s leading fashion houses.

Cyber-squatting is the practice of purchasing domains with the intent of stealing internet traffic from a well-known brand or individual. The firm analyzed domains mimicking Cartier, Givenchy, Louis Vuitton, Burberry, Hermes, Chanel, Prada and Gucci and found hundreds with close-but-no-cigar web addresses. Examples include givenchy[.]com, burberryyuk[.]com, cartierwatches[.]me, hermes-bag[.]us and more.

These domains are often used in phishing email campaigns and various other kinds of scams, including pay-per-click ads, for-profit survey sites and social media scams to trick customers into handing over personal details and money for a product.

“The ease of creating a domain is great for the average person looking to start their own website, but it is a never-ending nuisance for brands that have to monitor for domain squatters,” said Tim Helming, director of product management at DomainTools. “The bigger and more lucrative your brand, the more of a target you become for cyber-criminals.”

To avoid falling for a spoofed website, consumers should look for obvious red flags, like misspellings and extra letters in the names, and domains that have COM-[text] in them, like www.starbucks.com-latte[.]us. DomainTools advises that surfers should also look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com. Also, for linked text, users can verify that the address is what it purports to be by hovering over it and examining the pop-up text.
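A small checker for the red flags listed above (a brand name inside a host that is not the brand's own, the COM-[text] pattern, 'rn' read as 'm', and link text whose host does not match the href it hides). This is an added example, not DomainTools' tooling; the brand-to-official-domain map is a constructed assumption.

```python
import re

# Constructed brand -> official hostname map; illustrative only, not DomainTools' data.
BRANDS = {
    "gucci": "gucci.com",
    "burberry": "burberry.com",
    "cartier": "cartier.com",
    "hermes": "hermes.com",
    "starbucks": "starbucks.com",
}


def host_of(link):
    """Lowercase hostname of a URL or bare host; un-defangs '[.]' and drops 'www.'."""
    link = link.strip().lower().replace("[.]", ".")
    link = re.sub(r"^[a-z][a-z0-9+.-]*://", "", link)      # drop scheme
    host = re.split(r"[/?#]", link, maxsplit=1)[0]          # drop path, query, fragment
    host = host.split("@")[-1].split(":")[0]                # drop userinfo and port
    if host.startswith("www."):
        host = host[4:]
    # Anything that is not a plain hostname (e.g. anchor text "Click here") yields "".
    return host if re.fullmatch(r"[a-z0-9.-]+", host) else ""


def lookalike_flags(link, brands=BRANDS):
    """Return the red-flag reasons that fire for a link; [] for an official domain or no match."""
    host = host_of(link)
    if any(host == official or host.endswith("." + official) for official in brands.values()):
        return []                                           # the brand's own domain or a subdomain
    flags = []
    # 'brand.com-something.tld': the registered domain is whatever follows the hyphen.
    if re.search(r"\.com-[a-z0-9]", host):
        flags.append("hostname embeds 'com-'; the registered domain is not the brand's")
    collapsed = host.replace("rn", "m")                     # 'rn' reads as 'm' in many fonts
    for brand, official in brands.items():
        if brand in host:
            flags.append(f"contains '{brand}' but is not {official}")
        elif brand in collapsed:
            flags.append(f"'rn' in hostname reads as 'm', imitating '{brand}'")
    return flags


def anchor_mismatch(visible_text, href):
    """True when the link text shows one host but the href leads elsewhere (what hovering reveals)."""
    shown = host_of(visible_text)
    return "." in shown and shown != host_of(href)
```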

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/

Categories: Cyber Risk News

UK Firms on GDPR Hiring Spree but Gaps Persist

Thu, 08/31/2017 - 10:49

Only two-thirds of UK firms are set to hire new permanent employees to deal with EU data protection laws coming next year, as several new reports reveal ongoing gaps in compliance.

Recruiter Robert Half polled 400 UK directors and found that 66% were planning to bring in permanent staff and 64% temporary staff.

It claimed demand for permanent project managers (33%), business analysts (26%) and data protection officers (26%) will increase.

However, appointing a DPO is mandatory under the new EU General Data Protection Regulation (GDPR), and failing to do so could incur a maximum fine of €10m or up to 2% of global annual turnover.

In addition, just six of the top 20 biggest social media, software, financial technology and internet companies with EU operations contacted by the FT said they had already appointed a board member responsible for data protection.

Ideally a DPO or similar should already be in place to help co-ordinate compliance efforts ahead of the May 2018 deadline.

In fact, over a quarter (28%) of large UK enterprises have yet to start, or have barely started, compliance efforts, with even fewer (22%) identifying as fully prepared, according to a CA poll of over 100 firms with 5,000 employees.

Steve Durbin, managing director of the Information Security Forum (ISF), argued that the GDPR is the “greatest shake-up in privacy legislation that we have seen”, and will need organizations – especially in the tech sector – to invest in additional skills.

"It requires organizations to provide individuals with access to their personal data and then allow them to request that the data be corrected, moved to another service provider, or deleted altogether,” he added.

“This is key for the tech industry; regardless of potential cost, they must match the efforts of other industries to ensure the needs and wishes of its consumers are met."

There is an extra burden particularly on cloud service providers (CSPs), which have not previously been covered by data protection laws.

However, the new GDPR applies both to the data controllers that collect personal data on EU citizens, and the “processors” – including the CSPs – which service these companies.

Categories: Cyber Risk News

Instagram Flaw Exposes Stars’ Phone Numbers & Email Addresses

Thu, 08/31/2017 - 10:24

Social networking site Instagram has revealed a flaw in its systems which exposed a number of celebrities’ phone numbers and email addresses to cyber-attackers.

As reported by the BBC, the Facebook-owned photo-sharing service, used by some 700 million people around the globe, believed that “one or more” attackers had targeted high-profile celebrities in an attempt to access their contact information. Instagram stated it has already got in touch with verified members to make them aware of the incident and fixed the bug in its application programming interface.

It is also believed that no passwords had been stolen, but users are advised to be on the lookout for unusual or suspicious activity on their accounts.

“High-profile Instagram users can breathe a small sigh of relief after the Facebook-owned social network yesterday revealed that no passwords had been swiped in the recent breach of the photo-sharing site,” said Lee Munson, security researcher at Comparitech.com. “They’ll need to catch their breath quickly though as other sensitive information has fallen into the hands of those responsible for the hack.”

With telephone numbers and email addresses out in the wild, he added, superstars and Z-list celebrities alike will need to be on their guard in the coming weeks as the attackers may use those contact details for other nefarious purposes. “To be on the safe side, rich and famous Instagram users should probably change their login credentials anyway, remembering to make their passwords complex and unique to each online account they have.”

The more individuals allow access to their data through social media, like Instagram, the more avenues there are for attackers to try, added Mark James, security specialist at ESET.

“It’s good to remember that social media sites view people merely as a source of income. They are only concerned with the security of your data to the extent that the law requires. This is why it is critical for users to take responsibility of their own security.”

Categories: Cyber Risk News

Ransomware Infections on Course to Top 2016 Figures

Thu, 08/31/2017 - 09:56

The volume of ransomware attacks this year looks set to outstrip even 2016 figures, with organizations increasingly bearing the brunt of infections, according to new figures from Symantec.

The security giant claimed that it has seen 319,000 infections already during the first half of the year.

If attacks continue at the same rate, it will be a significant increase on the 470,000 infections the company blocked during the whole of last year.

The WannaCry and ‘Petya’ campaigns of May and June respectively have done much to drive up infection rates and could be a worrying sign of things to come, especially for organizations, according to Symantec’s Dick O’Brien.

“The impact of WannaCry and Petya makes it quite likely that more attackers will attempt to replicate the tactics used by deploying ransomware as a worm. The propagation mechanisms employed by both ransomware families enabled the threats to spread quickly across an entire computer network. Many consumer computers are not connected to a network, unlike those found in organizations,” he explained.

“While WannaCry and Petya also did have the ability to spread across the internet to other vulnerable computers, this means of transmission again largely affected other organizations. Most home internet routers would have blocked infection attempts involving the EternalBlue exploit.”

This is partly why ransomware infections of organizations have spiked in recent months. In 2015 and 2016 businesses accounted for around 29% to 30% of infections, versus 42% in the first half of 2017, according to Symantec.

On the plus side, although ransomware demands more than tripled during 2016, from an average of $294 to $1077, this year has seen them level out at $544; although this is per machine so costs could soon add up for businesses.

Symantec recommended businesses keep systems up-to-date and patched at all times, delete suspicious-looking emails, protect systems with multi-layered defense and back up key data.

Categories: Cyber Risk News

Half of Global Firms Failing on PCI Compliance

Thu, 08/31/2017 - 09:25

Nearly half of global organizations aren’t maintaining compliance with payment card security standard PCI DSS from one year to the next, according to new stats from Verizon.

The consultancy conducted interviews with financial services, IT services, hospitality and retail organizations to compile its 2017 Verizon Payment Security Report.

Although for the first time over half (55%) were fully compliant at their interim validation, that still leaves nearly half which weren’t.

Hospitality businesses were the worst offenders, with only 43% achieving full PCI DSS compliance, followed by retail (50%) and financial services (59%).

What’s more, on average 13% of key controls were missing, up from 12% last year and significantly increasing their chances of a breach.

Gabriel Leperlier, head of continental Europe advisory services at Verizon, argued that a lack of ongoing knowledge and skills in organizations is affecting their ability to stay compliant.

“Often a project is started, compliance achieved and simply not maintained as the employee with the PCI skill-set leaves the company; then compliance declines and the program has to be restarted all over again. Or alternatively we see unskilled professionals being tasked with maintaining compliance with the PCI standard but they do not have the basic knowledge to achieve this goal,” he told Infosecurity.

“Ongoing training and employee awareness are essential. These must be aligned with the changing aspects of the business and the requirements of the standard.”

These skills shortages can also lead many firms to look at PCI DSS in isolation, rather than in terms of "control lifecycle management", Leperlier added.

He recommended organizations consolidate controls to make them easier to manage, invest in developing in-house expertise, apply a balanced approach that’s robust and resilient, automate as much as possible and understand that the performance of each control is interlinked.

“If there is a problem at the top, this will impact the performance of the controls at the bottom. It is essential to understand this in order to achieve and maintain an effective and sustainable data protection program,” he concluded.

Categories: Cyber Risk News

Locky Ransomware Rears its Head in Big August Campaigns

Wed, 08/30/2017 - 19:50

The Locky ransomware is continuing its resurgence, with a second wave of new but related attacks that build on a variant uncovered in early August.

A few weeks ago, Locky changed its encryption extension to .lukitus, which means "locked" in Finnish. That variant is still impossible to decrypt, according to Heimdal Security, and was seen to be part of a set of malicious spam waves that are hitting users one after the other.

A fresh late August campaign uses what Comodo Labs has dubbed the IKARUSdilapidated version of Locky, which still has the .lukitus extension. It spreads using a botnet of zombie computers responsible for coordinating a phishing attack.

There have so far been two waves in the attack. In the first, emails appeared to be from an organization’s scanner/printer (or other legitimate source). When successful, it encrypted the victims’ computers and demanded a bitcoin ransom.

“As many employees today scan original documents at the company scanner printer and email them to themselves and others, this malware-laden email will look very innocent,” said Comodo, in an analysis sent to Infosecurity. “The sophistication here includes even matching the scanner/printer model number to make it look more common as the Sharp MX2600N is one of the most popular models of business scanner/printers in the market.”

The second wave consisted of a French-language email purportedly from the French post office, featuring a subject line including the term “FACTURE”.

“In contrast to the initial 2017 IKARUSdilapidated Locky campaign which distributed malware with the .diablo extension and a script that is a Visual Basic Script (and has a ".vbs" extension), both new attacks have interesting variations to fool users with social engineering, and to fool security administrators and their machine learning algorithms and signature-based tools,” Comodo said.

It’s clear that Locky is back, after laying low for a few months (with some exceptions). In the initial August campaign, AppRiver said that it saw more than 23 million messages sent within a 24-hour period, making it one of the largest malware campaigns seen in the latter half of 2017.

Categories: Cyber Risk News

Jimmy Nukebot Explodes on the Scene, Transforming NeutrinoPOS

Wed, 08/30/2017 - 18:09

The NeutrinoPOS banking trojan, a constantly evolving malware thanks to its source code having been posted online last spring, has a new form, ominously dubbed Jimmy Nukebot.

Interestingly, it’s no longer in the banking business. Rather, it’s designed to help bad actors do so much more.

“The authors seriously rewrote the trojan—the main body was restructured, the functions were moved to the modules,” explained Kaspersky Lab researcher Sergey Yunakovsky, in an analysis. “The trojan has completely lost the functionality for stealing bank-card data from the memory of an infected device; now, its task is limited solely to receiving modules from a remote node and installing them into the system.”

Those modules contain the payloads, which notably include web injects (which can perform functions similar to those in NeutrinoPOS, like taking screenshots, setting up proxy servers and so on); and a large number of updates for the main module in various droppers.

Mounir Hahad, senior director of Cyphort Labs, noted that if it goes undetected, this new variant of NeutrinoPOS will be able to act as a backdoor into the organization. “[That means] allowing monitoring of user actions and exfiltration of any data the bad actors can lay their hands on,” he said, via email. “Given that it can install newly downloaded modules at will, the sky is the limit as to what it can be commandeered to do.”

Another payload is a miner that extracts the virtual Monero currency (XMR) using compromised machines.

Of interest is the trajectory that Jimmy Nukebot demonstrates for malware: This spring, the author of the NukeBot banking Trojan published the source code of his creation, resulting in this latest iteration some months later (it has probably been active since early July).

“It is an excellent example of what can be done with the source code of a quality trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source,” said Yunakovsky.

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told us that the modification affords the trojan an opportunity to learn versus instantly executing malicious behavior (e.g. data theft)—which is a significant development.

“This is the quintessential algorithmic process pairing of explore and exploit,” he said. “Computational models have this pair running simultaneously to maximize effects and outcomes. We humans have this function in our neural system as well. Every time you’re deciding what to have for dinner, you are computing – exploring options, exploiting the knowledge to maximize the outcome. Jimmy is doing the same thing…This function allows Jimmy to gather information, be self-referential, and run through what it has explored for later use and exploitation.”

He added that historically, the attacker community would take advantage of widely applicable weaknesses and go immediately to exploitation. Jimmy, on the other hand, takes note of the information it receives from a given target and tailors its payload to that specific environment.

“End user education is critical in the evolving landscape of trojans like Jimmy,” said Mayfield. “The average person is not going to be as well-informed about the threats or problems they face. It is important to make users aware that these things exist, they can cause damage and simple measures can be taken. End users do not readily see the need for things like two-factor authentication, regular password resets, password complexity standards and so on. Awareness of just how dangerous the world can be, can help them to take their medicine.”

Categories: Cyber Risk News
