Info Security

Ransomware Revenue Earning Does Not Match Infection Decline

Wed, 02/20/2019 - 14:01

There has been a decline in ransomware infections, but that does not mean that earned revenue has reduced for cyber-criminals.

According to the third instalment of the Check Point 2019 Security Report, threat actors are increasingly targeting public cloud and mobile deployments as they are determined to be the weakest and least protected points in an organization’s IT infrastructure. The research found that 18% of organizations globally had a cloud security incident in the past year; the most common incidents were data leaks/breaches, account hijacks and malware infections.

Also, 30% of IT professionals still think security is the responsibility of the cloud service provider.

Speaking at the launch of the report at the Check Point Experience conference in Vienna, Maya Horowitz, director of threat intelligence and research at Check Point, said that the first part of the research highlighted the rise of email-based attacks over web-based ones, which she attributed to the reduction in exploitable vulnerabilities and more use of exploit kits.

Orli Gan, head of products and threat prevention at Check Point, added that 98% of attacks are aiming to earn money and cryptocurrency. “This is the first thing attackers go for and we expect this not to change going forward,” she said.

Gan also stated that ransomware revenue has stayed at the same level and that, rather than sending mass email campaigns, attackers in 2018 were targeting businesses, as they were more likely to pay and the ransom demand was dramatically higher.

Speaking to Infosecurity, Yaniv Balmas, group manager of security research at Check Point, said that we are seeing several cases of ransomware attacks on specific targets. “I wouldn’t say this is affecting all ransomware, but maybe two to three big families are doing this, but there is some shift in the trend happening now,” he said.

“Ransomware took us a bit of time to adjust to, and there are very good technologies which can practically prevent these sort of attacks, but perhaps the guys behind this ransomware are opportunistic and trying to make as much money as they can.”

Asked if he felt that there was more use of banking trojans with ransomware declining, as detected in recent research by Proofpoint, Balmas said that there had been a lot of change in the way banking trojans worked in the last five years, as today “they are doing everything: stealing credentials, injecting into your browser, but they are mainly delivering other malware.” He speculated that banking trojans may be a sideline for making some money, but that they are mainly a distribution network.

Infosecurity’s Online Summit will take place on March 26-27, with live sessions including “The Death of Ransomware: Long Live Other Malware” and “The Persistence of Legacy Systems.” Registration is now open, and CPE credits are offered for the 14 sessions across the two days.

Categories: Cyber Risk News

Half of UK Firms Admit to Unknown Network Devices

Wed, 02/20/2019 - 11:11

Almost three million UK businesses could be exposing themselves to cyber-threats by having unknown devices on their network, according to new Forescout research.

The security vendor polled over 500 IT decision makers in the UK to better understand their exposure to IoT threats.

It found that half (49%) of respondents have unknown third-party devices on their networks. That represents over 2.8 million businesses at official 2018 levels. The figure is up slightly in percentage terms on the vendor’s April 2018 findings, although it could represent as many as 110,000 extra firms using the same extrapolation.

The findings come despite a vast majority of IT decision makers (85%) admitting that a lack of visibility and control of devices on their network poses a security risk.

These challenges are only set to increase as enterprises witness an explosion of IoT endpoints. Gartner predicts that there will be over 20 billion connected things in use worldwide by 2020, with business spend representing nearly half of the total, at over $1.4tn.

According to Forescout, 69% of organizations say they now have over 1000 smart devices, whilst a fifth (19%) claim they run more than 10,000 IoT devices on their network.

Over half (58%) of those it spoke to for this research agreed that by centralizing management and oversight of IT and OT, they can eradicate the dangerous security blind spots that convergence of the two functions is creating.

However, this can be easier said than done, with cultural and other barriers often getting in the way. That might account for why just half (49%) of responding IT leaders claimed to have followed such an approach.

Unfortunately, IoT security is still not being given the attention it deserves in many organizations: sometimes because devices are brought in without the knowledge of the IT department.

A Trend Micro poll of 1150 global IT and security decision-makers last year found that 43% regard IoT security as an afterthought, and only 38% get security teams involved in the implementation process for new projects.
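The "unknown devices" finding above is, in practice, a reconciliation problem: what the network actually sees versus what the asset register claims. The following is an added example, not Forescout's product or method. It parses an `ip neigh`-style neighbour table and dhcpd.leases-style lines (both constructed here), normalises MAC addresses so the two sources compare equal, and lists every device the inventory cannot name, with a vendor guess from a small embedded OUI table. The inventory, addresses and OUI entries are assumptions for illustration; a real check would use the full IEEE OUI registry and the organisation's CMDB.

```python
"""Find devices present on the network but absent from the asset inventory.

Added example, not Forescout's product or method: it parses an 'ip neigh'-style
neighbour table and dhcpd.leases-style lines (both constructed), normalises
MAC addresses, and lists every device the inventory does not know, with a
vendor guess from a small embedded OUI table. The inventory, addresses and
OUI entries are assumed for illustration.
"""
from __future__ import annotations

import re

# Constructed asset register: normalised MAC -> asset name
INVENTORY = {
    "3c:22:fb:10:20:30": "laptop-alice",
    "00:50:56:aa:bb:cc": "vm-build01",
}

# Assumed OUI prefixes for illustration (first three octets -> vendor)
OUI = {
    "3c:22:fb": "Apple",
    "00:50:56": "VMware",
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:1a:22": "(assumed) VoIP handset vendor",
}

# Constructed `ip neigh` output; note the mixed MAC formats and the FAILED row
NEIGH_TABLE = """\
10.0.1.12 dev eth0 lladdr 3C:22:FB:10:20:30 REACHABLE
10.0.1.50 dev eth0 lladdr b8-27-eb-01-02-03 STALE
10.0.1.77 dev eth0 lladdr 00:1a:22:44:55:66 REACHABLE
10.0.1.9 dev eth0  FAILED
"""

# Constructed lease lines: <expiry epoch> <mac> <ip> <hostname> <client id>
DHCP_LEASES = """\
1549800000 00:50:56:aa:bb:cc 10.0.1.20 vm-build01 *
1549800100 b8:27:eb:01:02:03 10.0.1.50 raspberrypi *
"""

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.IGNORECASE)


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'B8-27-EB-...' and 'b8:27:eb:...' compare equal."""
    return mac.lower().replace("-", ":")


def seen_devices(neigh_text: str, lease_text: str) -> dict[str, dict]:
    """Merge both sources into {mac: {'ips': set, 'hostnames': set}}."""
    seen: dict[str, dict] = {}
    for line in neigh_text.splitlines():
        match = MAC_RE.search(line)
        if not match:
            continue                       # FAILED/INCOMPLETE rows carry no lladdr
        entry = seen.setdefault(normalise_mac(match.group(0)), {"ips": set(), "hostnames": set()})
        entry["ips"].add(line.split()[0])
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not MAC_RE.fullmatch(parts[1]):
            continue
        entry = seen.setdefault(normalise_mac(parts[1]), {"ips": set(), "hostnames": set()})
        entry["ips"].add(parts[2])
        entry["hostnames"].add(parts[3])
    return seen


def unknown_devices(seen: dict[str, dict], inventory: dict[str, str]) -> dict[str, dict]:
    """Everything observed that the inventory cannot name, with a vendor guess."""
    return {
        mac: {**info, "vendor": OUI.get(mac[:8], "unknown OUI")}
        for mac, info in seen.items()
        if mac not in inventory
    }


if __name__ == "__main__":
    for mac, info in unknown_devices(seen_devices(NEIGH_TABLE, DHCP_LEASES), INVENTORY).items():
        print(mac, info["vendor"], sorted(info["ips"]), sorted(info["hostnames"]))
```

On the constructed input the Raspberry Pi (known only from a DHCP lease and the ARP cache) and the unregistered handset are reported; the two inventoried assets are not. Running this against real neighbour tables and lease files from every VLAN is the cheapest first step toward the visibility the respondents say they lack.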

Categories: Cyber Risk News

Microsoft: Russians Hacking Again Ahead of Euro Elections

Wed, 02/20/2019 - 10:33

Russian state hackers are targeting NGOs, think tanks and other government-linked organizations ahead of the European Parliament elections in spring, according to Microsoft.

The tech giant said it had observed 104 accounts in Belgium, France, Germany, Poland, Romania and Serbia come under fire from Fancy Bear (APT28, Strontium). This is the group blamed for the 2016 attacks on the Democratic National Committee (DNC) which many believe helped Donald Trump to power.

The attackers are using classic spear-phishing techniques to try and gain access to employee credentials and deliver malware, said Microsoft corporate VP, Tom Burt.

“These attacks are not limited to campaigns themselves but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy and that are often in contact with government officials,” he added.

“The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations. They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”

Some of the organizations targeted in this latest campaign include the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund.

To help non-profits and other organizations which may not have the resources to defend themselves from state-level attacks, Microsoft is offering its AccountGuard service across Europe, free to Office 365 customers.

It helps protect corporate and personal email accounts and offers best practice security guidance on email and network security, according to Burt.

Last week former NATO secretary-general, Anders Fogh Rasmussen, warned of a major Kremlin effort to disrupt the upcoming European elections to spread disinformation and undermine confidence in the democratic process.

He joined 14 current and former leaders in calling for those running in the election to pledge not to spread fake news or use stolen data in their campaigns, and to train staff in cybersecurity, among other things.

Categories: Cyber Risk News

Swedish Privacy Snafu Affected More Companies

Wed, 02/20/2019 - 10:09

A major Swedish privacy leak revealed this week is even worse than at first thought, with several other companies and over 100 additional servers exposed, according to new findings.

Security vendor Outpost24 investigated service provider Applion, sister company to Voice Integrate Nordic AB, which hosts data for the affected firms on its web servers.

In the original case, the NAS storage unit at nas.applion was found to have exposed 2.7 million patient calls to a medical hotline stored on behalf of Swedish healthcare contractor MediCall.

However, Outpost24 posted a screenshot showing that this same exposed web server also hosted data from other firms including Swedish telephony firm iTell and patient transportation service provider Prebus.

The web server software, Apache 2.4.7, is also several years old and has numerous publicly known vulnerabilities.

In total, Applion had around 120 servers exposed to the public internet with no password protection, according to Outpost24.

Martin Jartelius, CSO of Outpost24, argued that the firm appears to have paid scant regard to best practice security.

“Looking at the breach, it is not only due to [lax] security, but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated a modern system would not even be able to connect to them,” he said.

“When looking at the company’s [Apache] server, you can see the system has been exposed for a long period of time. The device is a NAS device, and rather outdated on software. Other examples include unencrypted administration of an exposed router, exposed log management solutions and much more."

Reports emerged this week that around 170,000 hours of calls to Sweden’s 1177 Healthcare Guide (Vårdguiden) service dating back to 2013 had been exposed by MediCall. Some of these calls included saved phone numbers and mentioned social security numbers.

The initial web server issue has apparently now been remedied, but it’s unclear whether the additional 120 exposed servers Outpost24 discovered have been protected.

Categories: Cyber Risk News

Domain Squatting a Problem for Many Media Outlets

Wed, 02/20/2019 - 09:00

Malicious actors might be using spoofed media domains to disseminate disinformation campaigns, according to results from the latest State of the Domain research published by DomainTools.

In looking at some of the most popular media outlets in the US, including The New York Times, USA Today, CSO, The Washington Post and Krebs on Security, researchers found that many of the domains are susceptible to domain squatting and that spoofed domains can be used in malicious campaigns.

Alarmingly, researchers said they discovered almost 200 fraudulent domains nearly identical to the legitimate domain names of the different publications. By re-purposing what were once valid internet sites, the fake domains appear more legitimate. Attackers hang out, or squat, on these old domains, buying time as they go largely undetected. Flying under the radar while squatting enables them to work out any inconsistencies with their attack infrastructure, according to the report.

Using the tactics of spoofing on domains and typosquatting, the campaigns can then carry out phishing attacks in order to steal personally identifiable information or even deliver malware to a device.

“Phishing carried out by typosquatting domain campaigns is particularly worrisome, as it allows seemingly trusted websites, with legitimate SSL certificates, to trick internet users into a false sense of security,” said Corin Imai, senior security adviser, DomainTools, in a press release.

“As distrust of traditional media continues to grow, and individuals continue to consume social networks as trusted news sources, protecting the public from disinformation campaigns has become pertinent to the democratic process,” said Imai.

“Our research underscores the need for media outlets to leverage cyber-threat intelligence and maintain vigilance over efforts to undermine their credibility. Further, educational campaigns that raise awareness about these issues will continue to be necessary in mitigating risks that come with malicious activity targeted at legitimate media sources.”

Included in the report is a list of some fraudulent domains with a high risk score, indicating the domains share proximity to malicious infrastructure. Some of these fake domains include:

  • nytimesofficial[.]com

  • usatosday[.]com

  • washinqtonpost[.]com

  • bistonglobe[.]com

  • krebsonsecurity[.]org

  • chicagotribunesnews[.]com

  • newsdag[.]com

  • cosonline[.]cn

  • nydaiylnews[.]com
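The domains in the list above are not all built the same way: some embed the brand in a longer name, some swap a look-alike character, some drop, add or transpose a letter, and one keeps the label but changes the TLD. The following is an added example, not DomainTools' code or taxonomy. It takes a legitimate registrable domain and a candidate (plain or defanged with "[.]") and names the technique that produced the candidate. The homoglyph table, the technique labels and the brand-to-domain mapping in `demo()` (e.g. that CSO's site is csoonline.com) are this example's own assumptions.

```python
"""Classify how a look-alike domain deviates from the brand domain it imitates.

Added example, not DomainTools' code or taxonomy: given a legitimate
registrable domain and a candidate (plain or defanged with "[.]"), it names
the squatting technique that produced the candidate. The homoglyph table,
the technique labels and the brand-to-domain mapping in demo() are this
example's own assumptions.
"""
from __future__ import annotations

# Character sequences that look alike in common fonts (assumed, not exhaustive).
HOMOGLYPHS = [("g", "q"), ("l", "i"), ("l", "1"), ("o", "0"), ("m", "rn"), ("vv", "w")]


def split_domain(domain: str) -> tuple[str, str]:
    """'usatosday[.]com' -> ('usatosday', 'com'); defanging brackets are removed."""
    clean = domain.lower().replace("[.]", ".").strip(".")
    label, _, tld = clean.rpartition(".")
    return label, tld


def _homoglyph_swap(a: str, b: str) -> bool:
    """True if b equals a with exactly one confusable sequence substituted."""
    for x, y in HOMOGLYPHS:
        for src, dst in ((x, y), (y, x)):
            idx = a.find(src)
            while idx != -1:
                if a[:idx] + dst + a[idx + len(src):] == b:
                    return True
                idx = a.find(src, idx + 1)
    return False


def _one_char_deleted(longer: str, shorter: str) -> bool:
    """True if removing one character from `longer` yields `shorter`."""
    return len(longer) == len(shorter) + 1 and any(
        longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def techniques(legit: str, candidate: str) -> list[str]:
    """Return the techniques separating candidate from legit (empty if identical).

    Label checks run from most to least specific so an embedded brand is
    reported as 'affix' rather than as a long run of insertions; a TLD change
    is reported in addition to any label change.
    """
    legit_label, legit_tld = split_domain(legit)
    cand_label, cand_tld = split_domain(candidate)
    found: list[str] = []
    if cand_label != legit_label:
        if legit_label in cand_label:
            found.append("affix")              # nytimesofficial, chicagotribunesnews
        elif _homoglyph_swap(legit_label, cand_label):
            found.append("homoglyph")          # washinqtonpost (g -> q)
        elif _one_char_deleted(cand_label, legit_label):
            found.append("insertion")          # usatosday
        elif _one_char_deleted(legit_label, cand_label):
            found.append("omission")
        elif len(cand_label) == len(legit_label):
            diffs = [i for i, (a, b) in enumerate(zip(legit_label, cand_label)) if a != b]
            if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                    and legit_label[diffs[0]] == cand_label[diffs[1]]
                    and legit_label[diffs[1]] == cand_label[diffs[0]]):
                found.append("transposition")  # nydaiylnews
            elif len(diffs) == 1:
                found.append("substitution")   # bistonglobe, newsdag
            else:
                found.append("unrelated")
        else:
            found.append("unrelated")
    if cand_tld != legit_tld:
        found.append("tld-swap")               # krebsonsecurity[.]org
    return found


def demo() -> dict[str, list[str]]:
    """Run the report's listed domains against assumed legitimate domains."""
    pairs = {
        "nytimesofficial[.]com": "nytimes.com",
        "usatosday[.]com": "usatoday.com",
        "washinqtonpost[.]com": "washingtonpost.com",
        "bistonglobe[.]com": "bostonglobe.com",
        "krebsonsecurity[.]org": "krebsonsecurity.com",
        "chicagotribunesnews[.]com": "chicagotribune.com",
        "newsdag[.]com": "newsday.com",
        "cosonline[.]cn": "csoonline.com",
        "nydaiylnews[.]com": "nydailynews.com",
    }
    return {cand: techniques(legit, cand) for cand, legit in pairs.items()}


if __name__ == "__main__":
    for cand, kinds in demo().items():
        print(f"{cand:28} {', '.join(kinds)}")
```

Run in reverse, the same edit operations generate the candidate list a brand owner should monitor or pre-register: apply each transform to the legitimate label, then check which results resolve or have recently been registered. Note that `cosonline[.]cn` triggers two techniques at once (a transposition and a TLD change), which is why the function returns a list rather than a single label.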

Categories: Cyber Risk News

Criminals Weaponize Open Source Tools, Target IoT

Wed, 02/20/2019 - 09:00

Cyber-criminals have grown more sophisticated in their unyielding attempts to compromise internet of things (IoT) devices, according to Fortinet’s Global Threat Landscape Report.

The latest quarterly report documents a shifting threat landscape, with the exploit index reaching an all-time high in Q4 2018 after a decline in malicious internet activity toward the end of the previous quarter. The report also found that the convergence of the cyber and physical worlds has opened the door to new types of attack, with malicious actors repurposing open source malware tools.

While open source tools have their benefits, they can also be weaponized when put in the wrong hands. “Because these resources are available to anyone, attackers new and old are using them for nefarious activities, which is contributing to the growth of malware threats. Some of these freely available malware tools can be weaponized very easily,” researchers wrote.

In addition, cyber-criminals put considerable effort into exploiting vulnerabilities in IoT devices. According to the report, the number of exploits detected per firm rose by 10%. “At the same time, botnets became more complex and harder to detect,” researchers wrote.

The quarter’s data also showed that the length of time botnet infections persisted increased by 15%. Botnet infections are particularly problematic because, once a system is infected, it maintains communication with the remote malicious hosts that control it.

“The age of cy-phy – the convergence of cybersecurity things and physical spaces – is here. Although the appeal of this convergence to our digital economy is almost sci-fi in terms of imagination, unfortunately the cybersecurity risks are very real,” said Phil Quade, chief information security officer, Fortinet.

“Cyber-criminals are closely watching and developing exploits that target this emerging digital convergence. Fundamental elements of cybersecurity, including visibility, automation and agile segmentation, are more critical than ever to enable us to thrive in our cy-phy digital future and to protect us against the malicious activities of our cyber adversaries.”

Categories: Cyber Risk News

Palo Alto SOARs into Agreement with Demisto

Tue, 02/19/2019 - 19:57

A definitive acquisition agreement between Palo Alto Networks and Demisto, announced today, is expected to close during the fiscal third quarter for Palo Alto Networks. The acquisition of Demisto will be finalized for a total purchase price of $560 million, according to a press release.

The total purchase, to be paid in cash and stock, is subject to adjustment, and the final deal is contingent upon customary closing conditions, including satisfactory regulatory approvals.

Demisto will bring its strength in the security orchestration, automation and response (SOAR) space to Palo Alto Networks’ existing cybersecurity offerings. By adding in the use of AI and machine learning, Palo Alto Networks will be able to automate significant parts of the customer’s security operations.

For current Demisto customers and partners, the products will continue to be available after the deal closes.

Commenting on how the acquisition of Demisto will accelerate Palo Alto Networks Application Framework strategy, Nikesh Arora, chairman and CEO of Palo Alto Networks, said, “We are delighted to welcome Demisto into the Palo Alto Networks family. Coupled with our Application Framework, Demisto will help us strengthen our commitment to security teams by delivering a platform that provides higher levels of integration, automation, and innovation to prevent successful cyber-attacks."

Automation has been a key focus for Demisto, “because we believe that relying on people alone to combat threats will fail against the scale of today's attacks,” said Slavik Markovich, CEO of Demisto. "Palo Alto Networks' strategy resonates with our own vision, and we have found a like-minded team that shares our conviction that the future of security is all about automation and AI. We're thrilled to be joining them to help make it a reality."

The acquisition will enable Palo Alto Networks to deliver more immediate threat prevention and response for security teams.  

Categories: Cyber Risk News

Web Application Security Poses Greatest Risk

Tue, 02/19/2019 - 16:18

The majority of vulnerabilities discovered in 2018 were network-layer vulnerabilities, while fewer than 20% were in web applications and APIs, according to the fourth annual Vulnerability Stats Report from Edgescan.

When it comes to breaches, though, web application security remains the area of greatest risk. “The percentage of high and critical risks combined, compared to all discovered risks is still high at 19.2% for public internet-facing (external) applications and 24.9% for non-public or internal applications,” the report said.

The report looked at vulnerability metrics from known common vulnerabilities and exposures (CVEs) and found that the rate of known vulnerabilities being exploited in the wild remains high, particularly with cross-site scripting (XSS). XSS, both reflected and stored, accounted for 14.69% of web (layer 7) vulnerabilities in 2018. One issue of great concern with layer 7 vulnerabilities is that “it takes time to fix vulnerabilities, and it can be difficult to avoid repeating the same mistakes,” said Eoin Keary, founder, Edgescan.

Another worrisome layer 7 vulnerability class was SQL injection, which represented nearly 6% of all web vulnerabilities. These database attacks have the potential to be devastating, because they can be used to compromise entire systems, and the average time to fix a vulnerability discovered in the application layer is 77.5 days.

While 2018 saw many breaches, the study found that there is no sign of the level of global breaches slowing down in 2019. “The high-risk density score of 24.3% for internal-facing applications is worrisome given many studies cite the 'insider threat' as a significant issue,” the study said.

Insider threats also bear on infrastructure security: nearly half (44.7%) of the most common infrastructure vulnerabilities in 2018 were outdated SSL/TLS versions and misconfiguration issues.

Among the top threats in public internet facing systems, “33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems). Systems running PHP and Apache also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems,” the report said.

Categories: Cyber Risk News

Student Data Exposed at Stanford University

Tue, 02/19/2019 - 15:38

The private data of students at Stanford University was exposed after someone changed a numeric ID in a URL that had been distributed to students who requested access to review their own files, according to The Stanford Daily.

In total, 93 students have been notified that their privacy was compromised. According to the report, the flaw surfaced when a university student made a Family Educational Rights and Privacy Act (FERPA) request to view their admissions documents, an entirely routine request.

A Stanford student reportedly found the vulnerability in a third-party system called NolijWeb, a content management system that the university has used to host scanned files since 2009.

The process starts with a user submitting a FERPA request. Students are then directed to a “Student Admission Documents” link on Stanford’s information portal, which sends them to NolijWeb, where they must enter their personal student ID to search for their own documents.

These scanned documents include sensitive personal information such as Social Security numbers, home addresses, ethnicity and personal essays, along with citizen and criminal statuses.

“When a user views one of their files, the browser performs a network request. However, a student may use tools like Google Chrome’s 'Inspect Element' – commonly used by programmers to debug websites – to view that network request’s URL and modify it to give them access to another student’s files,” The Stanford Daily wrote.

“Because URLs and files are linked through numeric IDs, the NolijWeb vulnerability did not allow students to retrieve documents by name nor by any other identifying information. Instead, incrementing file ID numbers in URLs allowed access to arbitrary students’ files.”

News of the exposed data was not reported until Stanford University had secured the system, and the individual who disclosed the vulnerability did so on condition of anonymity so that they would not face legal consequences.

That the student data was accessed by changing a numeric ID in a URL suggests that the number in question was sequential (not random) and therefore could easily be guessed, according to privacy advocate Paul Bischoff of Comparitech.

“The fact that these records were not better secured is a failure of Stanford's IT staff to properly vet third-party software NolijWeb. Students whose records were accessed were put at a high risk of identity theft and fraud. The contents of the files included Social Security numbers, so anyone affected by the breach should immediately place a credit alert on their credit report.”
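The flaw described above is a textbook insecure direct object reference: the server resolves a file purely from the numeric ID in the request and never asks whether the logged-in student owns that file. The following is an added example, not NolijWeb code, modelling the vulnerable behaviour in memory next to a hardened store that applies both parts of the fix: an ownership check on every read (the actual fix) and an unguessable identifier (which removes the "increment the number" shortcut but is not a substitute for the check). Student names, IDs and file contents are constructed.

```python
"""Insecure direct object reference on a file-viewing endpoint.

Added example, not NolijWeb code: an in-memory model of the flaw the article
describes (files addressed by a sequential numeric ID, no check that the
requester owns the file) next to a hardened store that does both things the
fix needs, an ownership check and an unguessable identifier. Student names,
IDs and file contents are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class ScannedFile:
    owner: str   # student ID the document belongs to
    body: str


class VulnerableStore:
    """Files keyed by an incrementing integer; view() never consults the owner."""

    def __init__(self) -> None:
        self._files: dict[int, ScannedFile] = {}
        self._next_id = 1000

    def add(self, owner: str, body: str) -> int:
        file_id = self._next_id
        self._next_id += 1
        self._files[file_id] = ScannedFile(owner, body)
        return file_id

    def view(self, session_user: str, file_id: int) -> str:
        # Bug: session_user is unused, so any logged-in student can read any ID.
        return self._files[file_id].body


class HardenedStore:
    """Files keyed by a random token, and every read is checked against the owner."""

    def __init__(self) -> None:
        self._files: dict[str, ScannedFile] = {}

    def add(self, owner: str, body: str) -> str:
        token = secrets.token_urlsafe(16)      # 128 random bits; cannot be incremented
        self._files[token] = ScannedFile(owner, body)
        return token

    def view(self, session_user: str, token: str) -> str:
        doc = self._files.get(token)
        # Same error for "no such file" and "not your file": the response must
        # not tell a caller which tokens exist. The ownership check is the real
        # fix; the random token only removes the enumeration shortcut.
        if doc is None or doc.owner != session_user:
            raise PermissionError("not found")
        return doc.body


def enumerate_neighbours(store, session_user: str, known_id: int, span: int = 3) -> dict[int, str]:
    """What the article's 'Inspect Element' trick amounts to: try known_id +/- span."""
    leaked: dict[int, str] = {}
    for candidate in range(known_id - span, known_id + span + 1):
        try:
            leaked[candidate] = store.view(session_user, candidate)
        except (KeyError, PermissionError):
            continue
    return leaked


def demo() -> dict:
    """Alice knows only her own file ID; show what each store lets her read."""
    vuln = VulnerableStore()
    alice_id = vuln.add("alice", "Alice: SSN 000-00-0000, essay (constructed)")
    bob_id = vuln.add("bob", "Bob: SSN 000-00-0001, essay (constructed)")
    leaked = enumerate_neighbours(vuln, "alice", alice_id)

    hard = HardenedStore()
    alice_tok = hard.add("alice", "Alice file")
    bob_tok = hard.add("bob", "Bob file")
    try:
        hard.view("alice", bob_tok)        # even with Bob's token in hand
        cross_read = True
    except PermissionError:
        cross_read = False
    return {
        "vulnerable_leaked_ids": sorted(leaked),
        "bob_readable_by_alice_vulnerable": bob_id in leaked,
        "hardened_own_file": hard.view("alice", alice_tok),
        "hardened_cross_read": cross_read,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable store leaks Bob's file to Alice after a handful of guesses; the hardened store refuses the cross-read even when Alice has obtained Bob's token, which is the property to test for when vetting a third-party document system: authorisation must be enforced per object on the server, not implied by the obscurity of the URL.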

Categories: Cyber Risk News

#CPX360: Attackers Are Delighted by the Expanding Attack Surface

Tue, 02/19/2019 - 15:20

Ethical hackers have to “pretend and think like a criminal” as attackers think in the opposite way that a defender thinks. 

Speaking at Check Point Experience in Vienna, ethical hacker and Cygenta co-founder Freaky Clown (FC) said that he is driven by trust issues, and stated he “trusts nothing unless I understand it fully, and I untrust everything to the nth degree, and then I trust it.”

FC pointed to security companies, saying you “cannot trust them to create secure software” and referenced cross-site scripting vulnerabilities, which have been present for the past 20 years. “It's really important to ensure every part of your security works together. You can spend millions, but if it does not work together you won’t have security in your building and hackers will find that flaw and use time and resources to get in,” he said.

With more and more devices connected, FC added that the scale of attacks has changed and while the future sees more integration of AI and machine learning, the introduction of driverless cars “is fascinating to me [as a hacker].”

However, he concluded by pointing out that there are too many negatives in cybersecurity, and asked “should we give up and go home?”

He said: “We’ve been doing this for 20 years and it is not working and it's looking more and more bleak. Not quite, we have talked about how generational threats have progressed, and we’ve flipped it at Cygenta.” This followed the introduction of a line of milestones, which Cygenta co-founder Dr Jessica Barker first displayed in her keynote at BSides Scotland last year. 

FC said: “We are winning this, but it is a bit slow.”

Categories: Cyber Risk News

Europe Intros Global IoT Security Standard

Tue, 02/19/2019 - 13:05

Experts have welcomed the introduction of a new globally applicable European standard designed to drive improvements in baseline security for consumer-grade IoT products.

Introduced today by the European Telecommunications Standards Institute (ETSI), the standard will hopefully encourage manufacturers to improve built-in privacy and security protections whilst providing consumers with a way of differentiating between products on the market.

The ETSI TS 103 645 standard came from a UK government proposal based on a code of practice it introduced last year. It also comes a year after the British Standards Institution (BSI) introduced a kitemark for consumer and business-grade IoT devices.

Among the requirements for IoT manufacturers keen to gain accreditation under the ETSI standard are implementation of a vulnerability disclosure policy and a prohibition on universal default passwords.

However, ETSI director-general, Luis Jorge Romero, clarified that the specification “was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products.”

Ollie Whitehouse, global CTO at NCC Group, welcomed the UK’s leadership role in helping to make the European standard a reality.

“We have long held the view that some market failures can only be addressed through the right regulatory frameworks and incentives. It is welcome that ETSI’s standard reflects how the adoption of its principles can help organizations achieve compliance with global regulatory regimes, from GDPR and cybersecurity certification in Europe to the IoT Cyber Security Improvement Act in the US,” he added.

“As global standardization moves ahead, manufacturers in every country need to understand that an international supply chain is no longer an excuse to ignore good security practice. Manufacturers around the world should take the right steps now to build an appropriate level of security into their products.”

Categories: Cyber Risk News

#CPX360: Prepare for Next Generation of Attacks with Prevention Focus

Tue, 02/19/2019 - 12:31

Speaking at the Check Point Experience conference in Vienna, Check Point founder and CEO Gil Shwed reflected on the first 25 years of the company, saying it had “come a long way” in protecting the internet.

Shwed said that the company's first few years were spent “trying to convince people on the power of the internet and I'm glad we insisted and stayed the course and took Check Point to where it is” as while the internet was “something only geeks knew about” 25 years ago, now it is the fabric that connects the entire world.

Looking at some detection statistics, Shwed said that in 2018 Check Point blocked over 100 million unknown attacks, and its ThreatCloud managed security service monitored 86 billion indicators of compromise per day. However, Shwed added that statistics show that companies are spending 11% more on security, and the results were worse.

Shwed highlighted three challenges for security:

  1. Too much focus on a detection mentality, as “we cannot deal with detection, as if you detect it is already too late.” He argued that “the heart of security” is fighting with millions of bots, and “we cannot run as fast and chase automatic bots,” so we need a prevention mentality.
  2. Five generations of attacks: virus, networks, applications, payload and now “gen five” which involves targeted and large scale attacks using multi-vector methods with technology which is “commercial and government grade.” Shwed said that most people are still only really prepared for the second and third attack generations (network and application attacks)
  3. Too much complexity. Shwed pointed at 16 common attack vectors and 26 technology categories. “Next year there will be 10 new vectors and three more technologies,” he said, adding that this will mean that the complexity will double in the next few years and to solve it, “you will need to be super sophisticated and smarter than Einstein.”

This led Shwed to determine that security needs to be “turned upside down,” and this has led to new Check Point strategies around embedded open source security, as in the next generation of security there will be a major growth in the number of assets used.

“We are moving into the next generation of cyber-attack to generation six, and we need to address one to five and six, and the key ingredient is to simplify and consolidate cybersecurity and fill the holes,” he said.

“What we build today must be ready for the next wave of attacks, and [we must] build architectures to stay ahead and be ahead of attackers.”

Categories: Cyber Risk News

Russian State Hackers Take Minutes to Move Laterally

Tue, 02/19/2019 - 11:06

There was a major rise in Chinese state-sponsored cyber-activity in 2018 while Russian actors were by far the most operationally effective, according to the latest report from CrowdStrike.

The security vendor’s 2019 Global Threat Report tracks the relatively new metric of “breakout time,” which measures how quickly an intruder moves laterally from the initially compromised host to other systems. CrowdStrike believes the metric helps IT teams understand how quickly they need to respond to and contain threats.

The vendor noted an average breakout time across all intrusions and threat actors of 4 hours 37 minutes. However, this varied considerably, with cyber-criminals averaging 9 hours 42 minutes at one end but Russian state hackers doing the same job in just 18 minutes.

Next fastest were North Korean actors with an average breakout time of 2 hours 20 minutes.
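Breakout time is only useful as a benchmark if a defender can compute the same figure from their own incident data. The following is an added example, not CrowdStrike's method or dataset: it takes breakout time to be the gap between the earliest event on the first compromised host and the earliest event of the same intrusion on any other host, then averages per actor over the intrusions that actually broke out. The event timeline and the actor labels are constructed; the 18-minute and 9h42m values are chosen to mirror the article's figures, not derived from its data.

```python
"""Compute breakout time per intrusion and per actor from a host-event timeline.

Added example, not CrowdStrike's method or data: breakout time is taken here
as the gap between the earliest event on the first compromised host and the
earliest event of the same intrusion on any other host. The events and actor
labels are constructed; the 18-minute and 9h42m figures are chosen to mirror
the article, not derived from it.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed timeline: (intrusion id, actor label, ISO timestamp, host, what was seen)
EVENTS = [
    ("inc-1", "state-actor-A", "2019-01-10T09:00:00", "ws-17", "phishing attachment opened"),
    ("inc-1", "state-actor-A", "2019-01-10T09:05:00", "ws-17", "LSASS memory read"),
    ("inc-1", "state-actor-A", "2019-01-10T09:18:00", "fs-02", "remote service created"),
    ("inc-2", "ecrime",        "2019-01-12T14:00:00", "ws-40", "drive-by download"),
    ("inc-2", "ecrime",        "2019-01-12T23:42:00", "dc-01", "PsExec session"),
    ("inc-2", "ecrime",        "2019-01-13T00:10:00", "fs-02", "share enumeration"),
    ("inc-3", "ecrime",        "2019-01-15T08:00:00", "ws-03", "macro executed"),  # contained before breakout
]


def breakout_times(events) -> dict[str, timedelta | None]:
    """Per intrusion: time from the first event to the first event on a different host.

    None means no lateral movement was observed (the intrusion never broke out).
    """
    by_incident: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for incident, _actor, ts, host, _desc in events:
        by_incident[incident].append((datetime.fromisoformat(ts), host))
    result: dict[str, timedelta | None] = {}
    for incident, rows in by_incident.items():
        rows.sort()                                   # chronological
        t0, patient_zero = rows[0]
        lateral = [t for t, host in rows if host != patient_zero]
        result[incident] = (min(lateral) - t0) if lateral else None
    return result


def mean_breakout_by_actor(events) -> dict[str, timedelta | None]:
    """Average breakout time per actor (and overall, under key 'all').

    Intrusions that never broke out are excluded from the average rather than
    counted as zero, which would flatter the attacker.
    """
    actor_of = {incident: actor for incident, actor, *_ in events}
    buckets: dict[str, list[timedelta]] = {"all": []}
    for incident, bt in breakout_times(events).items():
        actor = actor_of[incident]
        buckets.setdefault(actor, [])
        if bt is not None:
            buckets[actor].append(bt)
            buckets["all"].append(bt)
    return {
        actor: (sum(ts, timedelta()) / len(ts) if ts else None)
        for actor, ts in buckets.items()
    }


if __name__ == "__main__":
    for incident, bt in breakout_times(EVENTS).items():
        print(f"{incident}: {bt if bt is not None else 'no breakout observed'}")
    for actor, mean in mean_breakout_by_actor(EVENTS).items():
        print(f"mean for {actor}: {mean}")
```

The practical reading of the result is the article's point in reverse: if your own median breakout time for a given actor class is 18 minutes, then detection-to-containment has to complete inside that window for the first host to be the last one. Feeding this function with EDR or SIEM events keyed by incident and host gives the number to set that target against.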

China topped the list for targeted intrusions, with a particular focus in 2018 on upstream telecoms companies as a route to compromising government targets in Asia.

“This report’s findings on adversary tradecraft and speed reflect what many defenders already know: We are in a veritable ‘arms race’ for cyber superiority. However, there are some important differences between an arms race in the cyber sphere versus the physical world: in cyberspace, any player can potentially become a superpower,” explained CrowdStrike CEO, George Kurtz, in a blog post.

“The capital costs are alarmingly low, compared to funding a physical war machine. Even some of the world’s most impoverished regions proved their ability to make a global impact through cyber campaigns in 2018 — and this is one genie that is not going back in the bottle.”

Another major trend highlighted in the report is the use of targeted techniques by financially motivated cyber-criminals to spread ransomware.

These so-called “big game hunting” tactics are primarily aimed at large enterprises and are used to spread families such as SamSam and Ryuk.

Cybercrime group Boss Spider, which CrowdStrike has pegged for SamSam raids, has accrued $6.7m to date as a result of these targeted tactics, which can include “well-tested reconnaissance, delivery and lateral movement TTPs.”

The intelligence is yet more confirmation that ransomware remains a major threat to organizations. Back in September 2018, Europol warned that it is currently the biggest malware threat to businesses worldwide and would be a major risk for many years.

Categories: Cyber Risk News

Sweden’s Patient Hotline in Major Privacy Snafu

Tue, 02/19/2019 - 10:26

Millions of highly sensitive audio files linked to a Swedish healthcare hotline have been left exposed online for several years, in what could be a major breach of the GDPR.

The 2.7 million files in question amount to 170,000 hours of calls, dating back to 2013 and left on an open Apache web server with no password protection, according to local reports.

The calls, recorded for quality assurance purposes, detail highly sensitive information on illnesses and, in some cases, social security numbers, as well as saved phone numbers for around 57,000 callers.

The 1177 Healthcare Guide (Vårdguiden) service is run by government contractor MedHelp, which sings the praises of the service on its website. It appears to have outsourced the operation of the service to MediCall, a Thai-based but Swedish-owned company, which used cloud-based call system Biz 2.0 from Voice Integrate Nordic AB.

When informed of the privacy snafu, the CEO of MediCall, Davide Nyblom, refused to believe that the incident had occurred, although Voice Integrate Nordic boss, Tommy Ekström, was more concerned.

“This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened,” he’s quoted as saying.

Inera, the agency which co-ordinates digital projects for the Swedish regions and is responsible for the 1177 brand, sought to distance itself from the issue.

“A safety [issue] has been discovered and remedied by the subcontractor who has been engaged in the three regions that do not use Inera's telephony and journal systems: Stockholm, Värmland and Sörmland. Inera does not have agreements with the relevant subcontractor,” it said in a statement.

“Inera takes this very seriously and works with the three affected regions and subcontractors to analyze the problem and ensure that it is rectified.”

Experts were quick to speculate about a GDPR investigation.

“This is the exact kind of system for which the GDPR should matter and why privacy needs to be taken seriously,” argued Outpost24 CSO, Martin Jartelius. “Furthermore, it is so upsetting to note that someone who takes the right and obligation to record our most private conversations has both a legal and ethical responsibility to keep this data safe — and they failed. Not because of an advanced attack, but for lack of even trying.”

Adam Brown, manager of security solutions at Synopsys, added that security misconfigurations like this continue to be a major threat to firms.

“To avoid these kinds of issues, firms must have policy and process to continually monitor the security of production systems, and any findings from that process must be addressed and not simply left as a growing bug pile,” he added.

“Article 32 of the GDPR states that organizations must implement secure processing, taking into account the state of the art. It doesn’t look like the data processor has a defensible position in this case.”

Categories: Cyber Risk News

Australian PM Blames “Sophisticated State Actor” for Parliament Hack

Mon, 02/18/2019 - 16:01

Australian Prime Minister Scott Morrison has blamed a “sophisticated state actor” for the recent attempt to hack the parliament’s computer network.

On February 8 news broke of the malicious activity which resulted in password resets for government workers.

Speaking today, PM Morrison said that there was “no evidence of electoral interference” and that steps were being taken to “ensure the integrity of our electoral system”; however, he did not comment on which country was behind the attack.

“I have instructed the Australian Cyber Security Center to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available,” he added.

David Emm, principal security researcher, Kaspersky Lab, said: “Cyber-attacks on political parties are almost becoming commonplace – especially in the run up to elections. In an atmosphere of increased suspicion of the cyber-capabilities of different nations, the focus very often becomes intent on identifying the attacker.

“The news that all the main political parties in Australia were breached has shown that attackers will try to achieve their aims by compromising multiple routes – proving more than ever the importance of working together to ensure maximum protection from malicious actors, across geographical and political boundaries.”

High-Tech Bridge’s CEO Ilia Kolochenko added: “Powerful nation states have the requisite technology and other resources to cover up their attacks and operate in stealth mode. In light of incomplete or blurred visibility across many governmental IT systems, networks where virtually no single machine is up-to-date, alongside shadow and legacy applications, and a global cybersecurity skills shortage – it is unfortunately not that complicated for cyber-criminals to remain unnoticed.”

Categories: Cyber Risk News

Chinese Surveillance Database Exposes Millions of IDs

Mon, 02/18/2019 - 11:51

Security researchers have spotted a mass data leak from an unsecured database which exposed the personal details of over 2.5 million surveilled Chinese residents.

SenseNets Technology uses AI-powered technology in facial recognition cameras to record the movements of millions of minority Uighurs in the western province of Xinjiang, according to reports.

China has come under increasing international criticism for its treatment of the Muslim minority group, sending hundreds of thousands to ‘re-education camps’ in the desert.

Dutch researcher, Victor Gevers, made the revelations in a series of tweets late last week. The database in question exposed names, ID card numbers, birth dates, location data, employer and more on the tracked individuals.

“There is this company in China named SenseNets. They make artificial intelligence-based security software systems for face recognition, crowd analysis, and personal verification. And their business IP and millions of records of people tracking data are fully accessible to anyone,” he explained.

“This database contains over 2,565,724 records of people with personal information like ID card number (issue & expire date), sex, nation, address, birthday, passphoto, employer and which locations with trackers they have passed in the last 24 hours, which is about 6,680,348 records.”

The latter are said to have tracked individuals to specific locations such as mosques, hotels and internet cafes.

The original database was left exposed without any authentication needed. So far, the firm’s attempts to mitigate the privacy leak have faltered.

“Dear operators of SenseNets. It's a good thing you are starting to update that crappy Windows Server 2012 (which is pirated btw). But you switched off the firewall exposing your MongoDB and MySQL server AGAIN,” tweeted Gevers over the weekend.

He also cautioned that while such “advanced traffic monitoring” systems were by and large blocked to users outside of China, the same is not true of those inside the Great Firewall.

“With a Chinese proxy, they are accessible and open,” said Gevers, who works for non-profit the GDI Foundation. “In the last 17 days, over 86 million 'objects' were tracked. In January 386 million.”

The privacy snafu has shone a light on the scale of China’s authoritarian surveillance apparatus. Already a world leader in online censorship, under Xi Jinping the state is now extending its power to snoop into the lives of those deemed a security risk.

Felix Rosbach, product manager at comforte AG, described the incident as being like 1984 “but with an even worse twist.”

“Sometimes personally identifiable information sits in silos and hackers only get access to a small amount of data which does not hold that much value. But with the use of unique identifiers, like national identity card numbers, it is possible to combine datasets of multiple breaches. This enables hackers to use complex identity profiles of customers,” he warned.

“The most important thing organizations can do to protect identity information is to pseudonymize it. This ensures that personal data is protected whenever a breach happens and is even more important for IDs like PANs, social security numbers or national identity cards numbers.”
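As an added illustration of Rosbach's point (example code written for this page, not code from comforte AG or from the report): two constructed breach dumps that share a national ID number are pseudonymized first with a plain SHA-256 hash and then with an HMAC under a per-dataset secret; only the keyed scheme stops the two dumps being joined on the identifier. All record values and keys below are made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: two hypothetical breached datasets that share
# a national ID number as the unique identifier (all values are made up).
BREACH_A = [
    {"id_number": "19850412-1234", "name": "A. Andersson", "diagnosis": "asthma"},
    {"id_number": "19900101-5678", "name": "B. Berg", "diagnosis": "migraine"},
    {"id_number": "19771130-9012", "name": "C. Carlsson", "diagnosis": "diabetes"},
]
BREACH_B = [
    {"id_number": "19850412-1234", "email": "a@example.invalid"},
    {"id_number": "19900101-5678", "email": "b@example.invalid"},
    {"id_number": "20010505-3456", "email": "d@example.invalid"},
]


def naive_pseudonym(id_number: str) -> str:
    """Unkeyed hash: the same person gets the same token in every dataset,
    so two dumps can still be joined on it (and low-entropy IDs such as
    date-of-birth based numbers can be brute-forced back to the original)."""
    return hashlib.sha256(id_number.encode()).hexdigest()


def keyed_pseudonym(id_number: str, dataset_key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) under a dataset-specific secret held
    outside the dataset. Tokens stay stable within one dataset, so
    deduplication still works, but differ between datasets."""
    return hmac.new(dataset_key, id_number.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, token_fn):
    """Return copies of the records with id_number replaced by a token."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["token"] = token_fn(rec.pop("id_number"))
        out.append(rec)
    return out


def linkable_identities(ds_a, ds_b) -> int:
    """Number of people that could be joined across two pseudonymized dumps."""
    return len({r["token"] for r in ds_a} & {r["token"] for r in ds_b})


def compare_schemes():
    """Run both schemes over the sample dumps; returns (naive, keyed) link counts."""
    naive_a = pseudonymize(BREACH_A, naive_pseudonym)
    naive_b = pseudonymize(BREACH_B, naive_pseudonym)
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    keyed_a = pseudonymize(BREACH_A, lambda i: keyed_pseudonym(i, key_a))
    keyed_b = pseudonymize(BREACH_B, lambda i: keyed_pseudonym(i, key_b))
    return linkable_identities(naive_a, naive_b), linkable_identities(keyed_a, keyed_b)


if __name__ == "__main__":
    naive_links, keyed_links = compare_schemes()
    print(f"unkeyed SHA-256: {naive_links} identities joinable across dumps")
    print(f"keyed HMAC:      {keyed_links} identities joinable across dumps")
```

The two shared identities are joinable under the unkeyed hash and not under the keyed scheme; the keyed scheme only helps if the per-dataset secret is stored separately from the data it protects.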

Categories: Cyber Risk News

UK Spooks Give Green Light to Huawei

Mon, 02/18/2019 - 11:01

There was finally a bit of good news for Huawei today after UK spies effectively gave the green light for the beleaguered Chinese firm to supply the nation’s 5G infrastructure.

GCHQ’s National Cyber Security Centre (NCSC) has reportedly decided that any risks posed by the Shenzhen giant can be managed, putting it at odds with its Five Eyes counterparts.

Australia, the US and New Zealand have all effectively banned the firm from supplying key infrastructure to build their national 5G networks while Canada is currently assessing the situation.

The fear is that the firm could be instructed by Beijing under local laws to assist in any possible intelligence operation in the future. It has also come under fire for alleged IP theft and breaking US sanctions on Iran — with Washington firing out a series of indictments last month.

However, the UK has always had a more nuanced approach to Huawei, having allowed the firm to compete for contracts as long as its kit can be assessed by GCHQ operatives in the Huawei Cyber Security Evaluation Centre (HCSEC).

This is despite that same centre highlighting significant shortcomings in the firm’s processes last year that “exposed new risks in UK telecoms networks,” meaning it has “only limited assurance” that Huawei equipment poses no threat to national security.

These issues will cost Huawei an estimated $2bn to mitigate over the coming years.

There’s also a chance that, even after the NCSC’s recommendation, the government could decide to align with its Western intelligence allies and order network operators to use equipment from other providers.

A DCMS review into the industry is set to report back in a month or two.

Huawei has consistently argued that it is not a security risk, and that it has instead merely been the victim of an escalating geopolitical dispute between the US and China.

Categories: Cyber Risk News

MPs Repeat Calls for Russian Brexit Meddling Probe

Mon, 02/18/2019 - 10:24

MPs have repeated their calls for tech companies to be more heavily regulated to combat disinformation online, and for the government to investigate Russian meddling in the EU referendum.

The long-awaited final report into ‘fake news’ from the Digital, Culture, Media and Sport Committee was released yesterday, with some harsh words for Facebook and plenty of recommendations for the government.

Among other things, it recommended that a previously announced 2% tax on social media companies operating in the UK be used to fund regulator the Information Commissioner’s Office (ICO).

It also called for a compulsory Code of Ethics for social platforms overseen by an independent regulator, and legal liability for tech firms to take down any harmful or illegal content on their sites.

There were also wider calls for electoral law in the UK to be reformed to help improve transparency and regulation of online political advertising.

“We are open to meaningful regulation and support the committee's recommendation for electoral law reform,” Facebook said in response. “But we're not waiting. We have already made substantial changes so that every political ad on Facebook has to be authorized, state who is paying for it and then is stored in a searchable archive for seven years. No other channel for political advertising is as transparent and offers the tools that we do.”

Another major part of the committee report was devoted to foreign influence in the UK political process. It’s something being investigated by special counsel Robert Mueller in the US, but so far campaigners have been frustrated by Theresa May’s reticence in launching any kind of formal investigation.

“We repeat our call to the government to make a statement about how many investigations are currently being carried out into Russian interference in UK politics,” the report concluded.

“We further recommend that the government launches an independent investigation into past elections — including the UK election of 2017, the UK referendum of 2016, and the Scottish referendum of 2014 — to explore what actually happened with regard to foreign influence, disinformation, funding, voter manipulation, and the sharing of data, so that appropriate changes to the law can be made and lessons can be learnt for future elections and referenda.”

The report also called for a total ban on foreign donations in UK elections.

Leave.EU is currently the subject of a criminal investigation by the National Crime Agency (NCA), referred by the Electoral Commission, after suspicions that Brexit backer Aaron Banks was not the source of a multi-million pound donation as he has claimed.

His firm Eldon Insurance, and Leave.EU, were fined £120,000 earlier this month by the ICO for serious data protection failings related to their use of voter data.

Categories: Cyber Risk News

Dating App Says Stolen Data Was Sold on Dark Web

Fri, 02/15/2019 - 16:18

In the aftermath of multiple reports that millions of stolen records were dumped on the dark web, the dating app Coffee Meets Bagel (CMB) confirmed, via a spokesperson, that the accounts of approximately six million users were compromised in a breach.

The company also said that the stolen data was indeed part of the trove of records that were sold by a malicious actor on the dark web marketplace, Dream Market. A Dubsmash spokesperson wrote that on February 8, 2019, the company learned of a data security incident that involved the sale of stolen user information.

In an email sent to Infosecurity, the spokesperson wrote, “With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible – regardless of what calendar date it fell on – about what happened and what we are doing about it.

“We can confirm that approximately six million users were impacted. Beyond emails and names, no other CMB user information was compromised. This was part of a larger breach affecting 620 million accounts that got leaked across 16 companies.”

The dark web vendor later removed the first round of listings that had been up for sale, noting: “All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon.”

Dream Market vendor profile

Infosecurity also received confirmation from Dubsmash that the company learned of a data security incident that involved the sale of stolen user information on February 8, 2019.

“Dubsmash also launched an investigation and engaged independent, third-party cybersecurity experts to provide assistance. The investigation is ongoing. Dubsmash responded by notifying the potentially affected users and providing information to assist them.

“Dubsmash takes the security of all user information very seriously and is taking steps to prevent similar events from occurring in the future. We are continuing to strengthen security measures to ensure our networks and systems are secure,” says Dubsmash’s president, Suchit Dash. “We deeply regret any issues or concerns this incident may have caused our users.”

Password reuse is one issue that has led to numerous data breaches, according to Aaron Zander, head of IT at HackerOne. “That password we used hundreds of times in the early 2000s has come back to haunt us. Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming test-beds for valid credentials,” Zander said.

Categories: Cyber Risk News