Attorneys general from eight states put politics aside today to launch a united investigation into Facebook's alleged anti-competitive business practices.
The probe will focus on the social media giant's dominance in the industry and assess whether Facebook has stifled competition and put users at risk.
Leader of the bipartisan coalition and New York attorney general Letitia James said in a statement: “We will use every investigative tool at our disposal to determine whether Facebook’s actions may have endangered consumer data, reduced the quality of consumers’ choices, or increased the price of advertising.”
Joining James on the leadership team investigating Facebook are the attorneys general of Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee, and the District of Columbia.
The news follows a report by machine identity protection provider Venafi that reveals the majority of IT security professionals have no faith in the government when it comes to cybersecurity.
Of the 384 pros questioned while attending Black Hat USA 2019 in Las Vegas, 82% don't trust the government to protect their personally identifiable information and don't believe their elected officials understand cyber risks well enough to develop and enact effective security regulation.
The results also showed that 80% of respondents believe government officials do not even understand the cyber-risks targeting digital infrastructure.
The respondents didn't think much of social media either, with 93% saying they do not trust social media organizations to protect their personally identifiable information, and 80% agreeing that more security and privacy legislation is needed, especially for social media organizations that store personal data.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said: "This general lack of understanding of cybersecurity is still universal in the public and private sector; it’s a common problem with regulators, in the board room and executive suites, as well as with politicians."
Bocek described cybersecurity as a major component of prosperity and freedom for every industry and nation, on a par with economic policy, and called for governments to offer more competitive remuneration to attract top cybersecurity talent.
He said: "In cybersecurity talent is a critical asset; people set strategy and define the technology required to provide security and privacy. Governments need to invest differently and provide incentives to recruit top technical talent, because there are huge incentives to join the private sector."
The United States Department of Defense (DOD) is marking the country's first ever Insider Threat Awareness Month by training staff in insider threat detection.
The DOD, together with other federal agencies, will be teaching its employees to be on the lookout for indicators that a co-worker may be stealing sensitive or classified information, hatching a plan of sabotage, or plotting a violent attack. The training will include a reminder that contractors and anyone who has access to facilities could pose a threat.
"Insider threats are posed by persons who use trusted access to do harm to the department's facilities, resources, or people," said Dr. Brad Millick, director of the Defense Department's counter–insider threat program within the Office of the Undersecretary of Defense for Intelligence.
Millick warned employees to be on the alert for any incidences of ironically self-sabotaging plan leakage, a recognized psychological phenomenon where insiders with malicious intent can't resist talking about their plans before they put them into action.
Staff will be issued a communications packet containing awareness training, eLearning games, case studies, posters, and videos, all available on the Center for Development of Security Excellence website.
According to Joshua Reese, policy and program advisor for the Defense Department's counter–insider threat program, the DOD goals for the inaugural Insider Threat Awareness Month are to educate the workforce about the department's insider threat programs and encourage the reporting of indicators and potential threats.
Reese said that an analysis of past incidences indicated that DOD staff were reluctant to report people they thought were acting suspiciously.
The DOD is doing their bit to raise awareness of insider threats externally too. This week, together with the Department of Homeland Security (DHS), they released a new document that offers guidance on how critical manufacturing organizations can approach the development of insider threat programs.
The implementation guide states: "Effective insider threat programs deploy risk management strategies that identify the assets or resources to be protected, identify potential threats, determine vulnerabilities, assess risk, and deploy countermeasures. Many countermeasures are no or low cost to the organization and include training and awareness, clear reporting policies, managing organizational trust, and enhanced security procedures."
New Zealand has reported the country's highest ever recorded quarterly financial losses to cybercrime.
A report published yesterday by the government's national Computer Emergency Response Team (CERT NZ) revealed that $6.5 million in direct financial losses was reported nationwide in the second quarter of 2019.
CERT NZ's findings show a marked increase in the number of cybersecurity attacks inflicted on businesses and individuals across the country between quarters one and two of this year.
A total of 1,197 incidents were reported in quarter two, a 21% increase over quarter one. Out of all the cybercrime reported in quarter two, 23% involved some type of financial loss.
More incidents—1,333—were reported in quarter four of 2018, but it was the period from April to June of this year that hit New Zealanders' wallets the hardest.
"Scams and Fraud" was the highest reported category in quarter two, making up 38% of all reports. Of the 458 scam and fraud incidents recorded, 19% were related to buying and selling goods online.
In one case, an online shopper reported a fake website that was posing as a re-seller of an international clothing brand. The shopper was about to complete their transaction when they realized that the website URL didn’t use HTTPS and didn't have any contact information, so they reported it to CERT NZ.
CERT NZ said: "We were able to quickly identify it was a scam website and worked with the hosting provider to have the site taken down, protecting other shoppers from the scam."
Ransomware incidents increased 38% over the previous quarter. CERT NZ strongly advises against paying ransom demands, warning those affected that paying up doesn't mean you'll get the data back.
CERT NZ director Rob Pope said: “The good news is that the risk of these attacks impacting you or your business can be easily mitigated with a few simple steps; updating your operating systems and software, backing up your files regularly, and installing antivirus software can go a long way to help keep you safe online.”
People aged 65 and over suffered the highest number of attacks, but there was little difference in the number of reported cybersecurity incidents affecting individuals in four categories covering the ages of 25 to 64.
Cyberspace is primarily a peaceful domain, a domain of operations “where we must have freedom of action, and the best capabilities and the best people to deploy them when we need them,” but it must not be militarized.
Speaking this week at the Billington Cybersecurity event, National Cyber Security Centre (NCSC) CEO Ciaran Martin said that the intention of keeping the internet peaceful is “a practical and tactical” point too as “we will always have more to gain by keeping the internet free and safe than our adversaries will.”
Focusing on what he called the “big four” main nation state threats, China, Russia, Iran and North Korea, Martin said that these “have been a constant over the past few years” but “we know more about them now than we did then and that helps us fight back.” He detailed the threats as:
- Russia seeking traditional political advantage by new, high-tech means
- China conducting cyber-attacks on commercial interests, which is being treated as business as usual
- Intrusions from Iran, and attempts to steal money by North Korea. “Both of these nations are prepared to launch aggression digitally in a way they never would dare physically”
Martin argued that this is “the threat that we risk underestimating” as “their attacks amount to a direct and real challenge to having a thriving digital economy that commands public confidence.”
He said that there is a need for coordinated action with partners to manage this threat, and for constant vigilance to be maintained.
Martin also received the International Cyber Security Leadership Award, praising other recipients: Christopher Krebs, first director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), and Yigal Unna, director general of the Israel National Cyber Directorate.
Martin added: “Yigal and his National Cyber Directorate in Israel is, like the NCSC, a world leader in looking to make the internet automatically safer for citizens, and fusing the best of national security capabilities with technical know-how.
“I want to pay tribute to Chris’s leadership in establishing CISA, and in doing so, I want to welcome his emphasis on partnership with allies like us.”
Widespread data loss from a leading operating system provider could cost US businesses nearly $24bn in insured losses, according to new projections calculated by Guy Carpenter and CyberCube Analytics.
The risk management firm and cyber analytics platform provider joined forces to work out the impact of 23 cyber “catastrophe” incidents on US insurers.
The resulting report, Looking Beyond the Clouds: A US Cyber Insurance Industry Catastrophe Loss Study, reveals just how reliant modern organizations are on technology systems.
Most (94%) of the predicted $23.8bn losses stemming from that catastrophic incident at an OS provider were ascribed to business interruption, caused when supply chains and factories fail.
Business interruption also accounted for the vast majority (92%) of losses stemming from another catastrophic scenario: a long-lasting outage at a leading cloud service provider, predicted to cost $14.3bn in insured losses.
Of the five most costly potential scenarios, the remaining three were: large-scale ransomware infection at a leading cloud service provider ($11.5bn), widespread theft from a major email service provider ($19.1bn) and large-scale data loss from a cloud services firm ($22.2bn).
The report also revealed that financial firms are most likely to be impacted in these events, accounting for over 20% of overall insured loss.
“As the cyber-market continues to expand, the (re)insurance industry must develop a much more granular understanding of the potential impact of systemic events,” argued Robert Bentley, CEO of Global Strategic Advisory at Guy Carpenter.
“More work similar to that which we have carried out with CyberCube Analytics needs to be undertaken to help (re)insurers make sound and informed risk tolerance decisions and help create a cyber market sufficiently robust to withstand these catastrophic events.”
However, although the report paints a concerning picture, it deals specifically with insured losses.
According to a Lloyd’s of London report earlier this year, a massive 86% of total economic losses are uninsured. It predicted a major global ransomware attack could therefore cost organizations an estimated $166bn once reimbursements from insurers have been accounted for.
Two thirds of organizations in the UK do not provide their employees with regular security awareness training for email, according to new research from Tessian.
The security company surveyed 1000 UK workers at organizations with 100+ employees and discovered that not only does email security training need to be delivered on a more regular basis, but also that the training needs to be more effective to better resonate with employees.
More than a quarter of respondents said that they were given email security training when they first joined their organization, but have not received any since. Furthermore, 22% stated that they had never received email security training at their company at all.
Of the respondents that were given email security training, less than a quarter said they remember and act upon it.
Perhaps most interestingly, Tessian’s research discovered that employees in industries that do provide email security training were actually most likely to click on phishing emails. An example cited by Tessian is the financial services industry: despite 45% of employees in the financial services industry receiving regular training, one in three admitted to clicking on a phishing email at work. Again, this highlights that a lack of email security training is not the only issue, but also that training that is being given is not effective enough.
Tim Sadler, CEO at Tessian, argued that there needs to be a shift in the way employees are trained about threats on email. “Tick-box training exercises are not enough to stop people falling for the types of advanced spear phishing attacks we see today,” he said. “To be most effective, training needs to be in-situ and provide context. It also needs to be supported by technology that can automatically detect suspicious emails and alert individuals of a potential threat. To solely rely on training means businesses are putting complete trust in their people to do the right thing 100% of the time, and this is an unrealistic ask.”
Dr Helen Jones, cyber psychologist at University of Central Lancashire, added: “We’ve seen, in our own research, that even when people are explicitly told to be wary of malicious email messages, they remain vulnerable to making risky cyber-decisions. The problem is that phishing attacks are constantly shifting. So while email security training may provide an immediate short-term improvement in people’s ability to spot a malicious email, individuals are less able to adapt this knowledge in line with ever-changing and developing threats.”
Security researchers have discovered a South Korean company leaking highly sensitive client and personal emails, which has refused to engage with either them or journalists asking for more info.
Industrial pipe manufacturer DKLOK exposed an unprotected email database to the public internet, where white hat hackers from vpnMentor were able to probe it using simple port scanning techniques.
“Our team was able to access this database through a vulnerability in a peripheral system linked to their email hosting service, which has left its entire email database unsecured and unencrypted,” it explained in a blog post.
“The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time.”
What they found was highly sensitive information about DKLOK’s operations, products and client relations. This included private emails between employees and clients featuring product prices and quotes, project bids and discussions about suppliers and internal projects and operations.
The leaked information covered the firm’s operations around the world, from Iran to Germany, Australia, the US and many other countries.
The database also included personally identifiable information (PII) on employees and customers, including full names, email addresses, phone numbers, personal emails and more.
The research team warned that cyber-criminals could monetize both corporate info and PII in a range of scenarios.
“Once stolen, the data could be sold to competitors and used to undercut DKLOK. The same tactic can also be used to target their clients. Hackers can use the knowledge gained by reading these emails for use in further corporate fraud. In any cyber-crime, information is crucial. The more private information you can gather about a company, the better you can target them for fraud or malicious attacks,” argued vpnMentor.
“Finally, with access to the personal details and private emails of DKLOK employees, hackers can target individuals for attacks like phishing campaigns.”
However, it appears as if the South Korean firm is adopting a head-in-the-sand approach to the discovery, having refused to respond to vpnMentor.
The researchers said that access to DKLOK’s email database enabled it to see that its repeated attempts to contact the firm have been received. It also saw the firm actively bin an email from a journalist asking for more info on the leak.
Security researchers are warning of a new Android vulnerability in the way certain handsets receive over-the-air (OTA) updates, allowing hackers to potentially craft convincing SMS phishing attacks.
Check Point revealed the flaw, which has now been patched by some handset manufacturers, earlier this week.
It claimed that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), only features limited authentication. As a result, remote agents could exploit this to impersonate network operators in spoof OMA CP messages to users, it claimed.
If a user is deceived, they will accept malicious settings which could lead to them being routed to a proxy server under the control of the attackers.
Check Point claimed Samsung devices are most vulnerable to the bug because they don’t feature any authenticity checks for OMA CP message senders.
Huawei, LG and Sony devices feature authentication, but hackers only need the IMSI of a recipient to pass these checks. This could be obtained via rogue Android apps, the researchers claimed.
Another option for attackers is to send a target a text message posing as a network operator asking them to accept a PIN-protected OMA CP message. If the user enters the PIN, accepting the message, the malicious settings will be installed.
It’s unclear exactly how many users could be affected but given the large market share of Samsung and Huawei and the huge global Android user base, it could top one billion.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Check Point security researcher Slava Makkaveev.
“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning. When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone.”
Fortunately, the researchers worked responsibly with the affected vendors to fix the problem, disclosing their findings back in March.
Samsung apparently fixed the issue in a Security Maintenance Release for May (SVE-2019-14073), LG released a fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.
Only Sony could be letting its customers down by refusing to acknowledge the vulnerability. According to Check Point, the Japanese handset maker told the firm its devices follow the OMA CP specification.
Research has revealed that 40% of IT security professionals think paying to retrieve data targeted by ransomware should be made illegal.
The findings come from a survey of 145 security pros who visited AT&T's booth at this year's Black Hat USA in Las Vegas. Despite 60% of respondents saying that they wanted to have the option to pay ransomware without falling foul of the law, only 11% said that they would willingly splash their cash if targeted.
A further 31% of respondents said that they would grudgingly cough up the cash to ransomware creators only as a last resort.
There was no question in the survey designed to ascertain whether ransomware was bad news in general, but if there had been, it's likely that 100% of respondents would have replied in the affirmative. But despite the widespread and growing use of ransomware by threat actors, nearly a third of survey respondents considered themselves ill-equipped to deal with an attack.
When asked if they felt prepared for a ransomware attack, 31% said they were unsure. That's not really what you want to hear, especially after Malwarebytes Labs reported a 195% increase in business detection of malware from Q4 2018 to Q1 2019, with attacks up more than 500% compared to the same period the year before.
“It’s clear from this research that organizations are still struggling when it comes to ransomware. Many do not know the best practices when it comes to ransomware, or worse, do not feel confident to handle attacks efficiently,” said Rick Langston, lead product manager at AT&T Cybersecurity.
“Companies not only have to mitigate ransomware by having a solid security program that uses protection tools to close down all possible attack vectors, but also have back-ups that are separate from the network in case the worst happens.”
Incentivizing companies to get their act together when it comes to the increasingly complex world of cybersecurity might be tough. With no security system 100% impregnable, it could be comforting to have the option to simply pay to get data back. However, not everyone will be happy to put a price on their ethical principles and let the bad guys win.
Research into insider threats has found that employees are so reticent to snitch on bosses they suspect are threat actors that senior staff are virtually immune from being reported.
Researchers at Red Goat Cyber Security questioned 1,145 participants across a range of roles, countries, and industries to gain insight into insider threat reporting practices. Respondents were asked how likely they would be to report colleagues, friends, new staff, senior staff, and contractors as threat actors in five different suspicious scenarios.
Scenarios included observing withdrawn behavior in the person and becoming aware that the person had criticized the company on social media.
The data gathered revealed an overall reluctance to report friends and colleagues irrespective of the severity of their actions. And even in the fifth and most potentially damning scenario—clocking that a person was keeping strange hours and bringing unauthorized people into the business—only 14% of respondents said they would report a senior staff member.
Employees were most likely to report suspicious behavior observed outside their immediate tribe. When it came to scenario five, 96% of respondents would rat on new staff, and 97% would point the finger at a contractor.
Piers Shearman, partner at Red Goat Cyber Security, said the results indicate "that the people with the most authority and the most access to data will not be reported if they abuse their position."
With a rise in the number of companies falling victim to insider threats, this new research exposes a problem destined to become more serious. According to research carried out by Verizon, the percentage of companies hit by insider attacks increased from 26% in 2016 to 34% in 2018.
Insider threats are not only hard to spot—who hasn't appeared withdrawn at work at some point?—but the majority stem from accidents, negligence, and staff unwittingly being taken in by phishing scams.
Asked how businesses can neutralize insider threats, Shearman said: "Make sure HR are heavily involved in any insider threat program you implement. Provide staff with adequate training on detection of concerning behaviors, why they are concerning, and how to report them.
"The key point to note when it comes to monitoring behavior is to be able to identify significant and sustained changes in someone. This requires a holistic view and needs to be handled sensitively too."
Security flaws have been discovered in 600,000 GPS tracking devices intended to keep society's most vulnerable members safe.
Researchers at Avast Threat Labs found a number of vulnerabilities in 29 different device models commonly used to track the whereabouts of children, seniors, and pets.
Affected trackers expose data sent to the cloud, enabling hackers to lock on to the real-time GPS coordinates of the device's wearer. Design flaws in the trackers also made it possible for third parties to hack into devices and falsify data to give an inaccurate location reading.
In what seems like an obvious drop of the ball, data being sent from the devices to the cloud was unencrypted, unauthenticated, and written in plaintext, making it an easy target for hackers.
Furthermore, devices with built-in cameras and microphones were found to contain a flaw that made it possible for them to be used by hackers wishing to spy or eavesdrop on the wearer.
The faulty devices, which are widely available for $25–$50 from online merchants, are made by Chinese manufacturer Shenzhen i365 Tech and resold under various brand names.
Analysis by Avast's Threat Intelligence Team found that users of the T8 Mini GPS Tracker Locator were directed to an unsecure website to download the device's companion mobile app. Users who downloaded the app had their information exposed.
User account information was also made vulnerable by the mass assignment to users of the default password "123456," commonly recognized as the password equivalent of throwing hackers a welcome party with free booze.
Avast made their findings known to Shenzhen i365 Tech and were met with radio silence.
Martin Hron, senior researcher at Avast, said: "We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices.”
Avast advised people to steer clear of suspiciously cheap and knock-off smart devices, and noted that the use by children of even those tracking devices deemed safe from an information security perspective may affect their ability to learn how to be independent and may also give adults a false sense of safety.
A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet.
Kenneth Currin Schuchman, of Portland suburb Vancouver, pleaded guilty to one count of aiding and abetting computer intrusions.
Between July 2017 and October 2018, he’s said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets. The group is said to have monetized these efforts by selling access to the botnet to others.
Court documents claim Schuchman’s speciality was in finding new vulnerabilities in IoT devices which could be exploited to conscript them into the botnet.
Satori was originally developed using the source code for Mirai, which was released online in 2016. However, Schuchman — who went by the moniker “Nexus” and “Nexus-Zeta” — and co-conspirators “Vamp” and “Drake,” built upon that code with new features, eventually compromising 100,000 devices.
Continually improving the botnet, they gave new names to the new iterations, such as “Okiru” and “Masuta” — with the latter eventually infecting as many as 700,000 endpoints.
By around March 2018, the botnet had evolved into Tsunami/Fbot, supported by tens of thousands of compromised Goahead cameras and High Silicon DVR systems.
Schuchman doesn’t seem to have employed particularly effective OpSec during his work: the control server he used was registered in his name.
Even after being indicted in August 2018, he developed another IoT botnet, Qbot, while on supervised release, the court docs claim. He’s also said to have called in a swatting attack on “Vamp’s” home.
Several sources have told journalist Brian Krebs that UK-resident Vamp was involved in the 2015 attack on TalkTalk and the 2016 Mirai DDoS that overwhelmed DNS service provider Dyn, leading to some of the internet’s biggest websites crashing.
Want to learn more about all things information security? Register for the upcoming Infosecurity Magazine Online Summit here!
A Massachusetts city has revealed that cyber-criminals tried to hold its data ransom to the tune of more than $5m over the summer, in a sign of the growing risk to organizations from online extortionists.
The city of New Bedford was hit with the popular Ryuk strain of ransomware in early July, encrypting data on over 150 workstations, according to mayor Jon Mitchell.
Fortunately, the attack came during the July 4 holiday when systems were powered off, preventing the malware from spreading further. The city’s Management Information Systems (MIS) staff disconnected servers and shut down systems when they came in the next day.
In the end only around 4% of the city’s PCs were affected.
Mitchell revealed in a press conference on Wednesday that the hackers wanted $5.3m in Bitcoin, a figure he countered with a much lower sum of $400,000 as this apparently would have been covered by cyber insurance.
The attackers rejected that sum outright, highlighting just how high the bar is now for victims of ransomware attacks. In New Bedford’s case the relatively small number of machines affected meant restoring from back-up was pretty straightforward and no critical systems were impacted.
Only the city’s financial management system and several workstations used by the Fire Department for admin purposes were temporarily affected.
“We live in a world now that is so interconnected that simply pulling up the proverbial drawbridge is unrealistic,” Mitchell said. “We will rely on the advice of our experts to guide us, but we must remain constantly vigilant and willing to devote the resources necessary to protect our system from a much more debilitating attack than the one we just experienced.”
New Bedford is just the latest in a long line of US cities targeted by ransomware. Two cities in Florida paid hundreds of thousands of dollars for decryption keys after being hit, while others including Baltimore, Albany and 23 government entities in Texas have also suffered major infections.
In July, the United States Conference of Mayors passed a resolution not to cooperate with ransomware attackers. However, when critical services like emergency responders are impacted, it can be difficult for city leaders not to cave, even if it’s not guaranteed that the decryption key will work.
Google and YouTube have agreed to pay $170m to settle a case brought by the FTC and New York Attorney General alleging they illegally harvested personal data on children.
The Children's Online Privacy Protection Act (COPPA) requires online firms to first seek parental consent if they try to collect data on under-13-year-olds from content specifically targeted at kids.
However, the FTC and New York Attorney General allege in their complaint that Google/YouTube violated COPPA by collecting personal information from viewers of child-oriented channels without asking parents first.
This info came in the form of the “persistent identifiers,” or cookies, used to track individuals across the web for behavioral advertising purposes. Google is said to have made millions off the back of advertising which was targeted using these cookies.
The FTC alleged that although YouTube is a general purpose site, some of its channels — such as the ones run by toy manufacturers like Hasbro and Mattel — are specifically targeted at children and so must comply with COPPA.
In fact, it argued, YouTube explicitly marketed itself as a top online destination for kids in presentations to children’s toy-makers.
“YouTube touted its popularity with children to prospective corporate clients,” said FTC chairman Joe Simons. “Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”
The settlement is the largest ever seen in a COPPA case since the law was passed in 1998. Some $136m will go to the FTC and $34 to New York.
In addition, Google and YouTube will be required to put in place a new system that allows channel owners to flag any child-directed content on YouTube so that it can ensure it is complying with COPPA.
The firms must also notify channel owners that child-directed content may be subject to the COPPA rules and provide annual training on compliance for employees who deal with YouTube channel owners.
A global cyber-skills training provider has become the first company to integrate its platform with the MITRE ATT&CK framework.
Immersive Labs has mapped its training to the globally recognized knowledge base, which organizes and categorizes various types of tactics, techniques, and procedures used by digital-threat actors to help organizations spot flaws in their cyber-defenses.
According to Immersive Labs CEO James Hadley, this new approach of mapping skills against a framework of threats was driven by market need.
He said: "We are being asked for this by CISOs, so we looked at a variety of different frameworks, and MITRE was the one that we discovered had the most depth and credibility in the industry, and therefore it has had our initial focus.
"MITRE’s advantage is that it highlights specific types of threat-actor tactics, enabling organizations to better organize threat intelligence as well as testing their capabilities against real-world attacks.
"As far as we know, no other company has mapped skills to MITRE in this way. It is a mindset switch for companies to start thinking of people as a part of their defensive perimeter in the same way that they think of technology."
MITRE, a systems engineering company set up in 1958 to work on issues of national defense, set up the not-for-profit ATT&CK framework in 2013. The framework provides a valuable record of cyber-attacks. However, since it is updated only quarterly via publicly available threat intelligence and incident reporting by security experts, it may not always provide an accurate picture of the current threat landscape.
To mitigate against any time lag between the ATT&CK framework and the status quo, Immersive Labs' platform uses real-time feeds of the latest attack techniques, hacker psychology, and technological vulnerabilities to rapidly build gamified learning environments for IT and security teams. Platform users can then have a crack at tackling the newest wave of threats and identify any gaps in their cybersecurity knowledge.
For Hadley, a strong, forward-looking cybersecurity strategy relies on company-wide training.
He said: "Cybersecurity is no longer something handled by a select few while the majority remain ignorant; it is everyone’s problem, and because of this, cyber-skills initiatives need to engage and inspire every part of an organization."
Five companies accused of falsely claiming that they were certified under the EU–U.S. Privacy Shield framework have settled with the Federal Trade Commission (FTC).
The Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with the European Union Directive on Data Protection.
In separate actions, the FTC alleged that DCR Workforce, Inc., EmpiriStat, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. all fallaciously stated on their websites that they were certified under the framework when in fact their certification had either lapsed or never been ratified.
According to the FTC, management software provider DCR Workforce obtained Privacy Shield certification in January 2017 but continued to claim its participation in the framework even after that certification lapsed in February 2018.
EmpiriStat did slightly better. The company obtained Privacy Shield certification in February 2017 and actually initiated an application for re-certification in January 2018. However, the FTC alleged that the statistical analysis and support services provider failed to complete all the steps necessary to gain re-certification from the Department of Commerce.
Facial-recognition software provider 214 Technologies, cloud-based file-transfer software provider Thru, and LotaData, which provides analyses of mobile users’ data, are all alleged to have claimed participation in the framework despite having neglected to complete their applications for certification.
LotaData is possibly the worst offender, with the FTC alleging that the company also falsely claimed that it was a certified participant in the Swiss–U.S. Privacy Shield framework, which establishes a data-transfer process similar to the EU–U.S. Privacy Shield framework.
“These companies made false claims about complying with Privacy Shield, and today’s settlements show that the FTC is protecting Privacy Shield’s integrity and supporting the thousands of U.S. businesses who do it right,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data-security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program or return or delete the information.
A bill intended to strengthen and modernize the cybersecurity of federal agencies will be introduced to the United States House of Representatives this week.
The Advancing Cybersecurity Diagnostics and Mitigation Act would formally codify the dynamic Continuous Diagnostics and Mitigation (CDM) program, introduced by the Department of Homeland Security (DHS) in 2013 to ensure federal agencies can access the industry-leading tools and services they need to fight cybercrime.
Under the CDM program, agency-installed sensors are deployed to search for known cybersecurity flaws. Results from the sensors are fed into an agency dashboard, which produces automated reports and issues prioritized alerts for the systems most vulnerable to attack.
This steady flow of reports and alerts is used by network managers to allocate resources based on the severity of the risk of attack, allowing them to respond to threats in a matter of minutes. Progress reports and summary information is then fed into a federal enterprise-level dashboard.
The bill, which will be introduced by Representatives John Ratcliffe and Ro Khanna, requires that the CDM program be made available to state, local, and tribal governments. It also demands that the DHS comes up with a strategy that will allow the CDM program to tackle new cyber-threats as they emerge.
Ratcliffe was in the running to become America’s next national intelligence director but withdrew himself from consideration following a dearth of support for his candidacy.
Commenting on the proposed bill, Ratcliffe said: "As cyber-threats continue to increase in frequency and complexity, we must constantly work to enhance our nation’s cyber-defense capabilities.”
Khanna said: “The technology is there: we just have to ensure our agencies have the necessary tools to defend against hackers and cyber-threats. A strong CDM program will be instrumental in that effort.”
A Senate version of the bill was introduced in July 2019 by Senators Maggie Hassan and John Cornyn. It was referred to the Senate Homeland Security and Governmental Affairs Committee but is yet to produce any action beyond uniting Democrats and Republicans in the fight against a common enemy.
Hassan said: “I'm pleased that the House of Representatives is introducing their version of this critical bill, and I look forward to continuing to work on a bipartisan basis across the House and Senate to move this bill forward."
Online scammers are using changes to European banking rules around customer authentication to trick consumers into handing over their sensitive financial details, according to Which?
The consumer rights group warned that attackers are spoofing the emails being sent from banks, payment firms and e-commerce providers asking for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.
Firms across the EU are gearing up for the changes, part of PSD2, which will require a form of two-factor authentication on any online transactions over €30, although some exceptions apply.
Ironically, payments providers and e-commerce firms in the UK have been given a further 18 months to comply with the new rules, originally set for a September 14 deadline.
Yet that hasn’t stopped the scammers: Which? claimed it has already spotted phishing emails imitating emails from Santander, Royal Bank of Scotland (RBS) and HSBC.
Urging the recipient to update their banking information ahead of “new procedures,” they include links designed to take the victim to a legitimate-looking page designed to harvest banking details.
Which? argued that in many cases, legitimate brands are making it harder for consumers to spot phishing emails, by including links in their own emails, and by using multiple unusual domains for various landing pages.
The group claimed that 78% of its members think banks and other financial firms should never include links in emails, to make phishing attempts easier to spot.
Tripwire VP, Tim Erlin, agreed, arguing that companies can’t simultaneously tell customers not to follow links in emails but then continue to send them emails urging them to click through.
“As long as banks send legitimate emails as a means of communicating with customers, scammers will attempt the same with fake emails,” he added.
“Email as implemented today is a terrible system for conducting business. While attempts have been made to improve the technology, none of them have taken hold.”
Want to learn more about all things information security? Register for the upcoming Infosecurity Magazine Online Summit here!
The infamous Stuxnet cyber-attack on Iran’s nuclear program was made possible by an insider recruited by a Dutch intelligence agency, who fed back crucial information and deployed the virus, according to a new report.
Although not confirmed by Dutch agency AIVD, the CIA or Mossad, a Yahoo News story cites four unnamed intelligence sources to back-up its claims.
Operation “Olympic Games,” as it was known, is said to have involved not just these but also intelligence agencies from Germany, France and the UK.
The AIVD was useful to the operation because the crucial centrifuges at the Iranian Natanz nuclear facility were apparently based on designs stolen from a Dutch company in the 1970s by a Pakistani scientist.
It was these centrifuges, used to enrich the uranium needed to produce nuclear weapons, that the Western allies decided they needed to disrupt in order to set Iran’s nuclear program back.
The AIVD then played another crucial role, using an insider in Iran to gain employment at the plant as a mechanic.
Once there, he was able to gather vital intelligence on the configuration of the centrifuges, so that the Stuxnet code could be written to sabotage the facility only in specific operational circumstances.
He then deployed the virus via USB to jump the air-gap — either directly or by infecting a Natanz engineer’s computer system, according to the report.
Later versions are said to have circumvented the lack of direct connectivity at the plant by infecting targets who they unwittingly carried the malware inside with them.
Phil Neray, VP of industrial cybersecurity for CyberX, explained that it’s much easier to infect industrial environments today.
“The air gap has disappeared in virtually all environments except perhaps nuclear facilities, driven by business initiatives like Industry 4.0 and IIoT that require increased connectivity between OT networks, IT networks, and the internet,” he added.
“It's a lot easier today to send a phishing email to an employee or third-party contractor who has remote access to the control network, and then steal their credentials to conduct cyber-espionage to identify the specific manufacturers and model numbers of devices in the environment, followed by remotely inserting custom malware specifically designed to compromise those devices.”
The UK’s Crown Prosecution Service (CPS) is in the dock after recording a sharp rise in device losses, an increase in unauthorized disclosure of sensitive data and rising electronic media losses.
The government agency for criminal prosecutions in England and Wales made 1378 unauthorized disclosures of confidential data in 2018-19, up from 1329 in the previous financial year.
Of these, the majority were low-risk, as the actual data loss was classed as “minor” or “retained within the criminal justice profession who are bound to professional standards of data protection,” the CPS Annual Report and Accounts claimed.
However, the number of “serious” incidents rose from 108 to 115 over the period. In these instances, data loss is significant and/or data is not recovered/not retained within the criminal justice profession.
There was also an 80% increase in lost laptops, tablets and BlackBerrys — from 15 to 27 — although the CPS clarified that in 77% of cases the device was recovered, and in any case they are encrypted to government standards.
Perhaps more alarming is the rise in losses of electronic media and paper documents from secured government premises, which increased by 156% from 2017-18 to 2018-19, to reach 172 incidents. Similar losses from outside secured government premises rose from 36 to 53.
The CPS also played down these findings, claiming that in a majority of cases in both categories the data loss was either “very minor and eventually recovered,” or the incident was “reported but caused by non-CPS staff.”
This is not the first time the prosecution service’s data security processes have come under scrutiny. In 2018, it was fined £325,000 by the Information Commissioner’s Office (ICO) for losing DVDs containing recordings of police interviews with child sex abuse victims.
Given the seriousness of the case and the potential distress it caused to victims, this would certainly have garnered a major financial penalty under the GDPR.
“The CPS is an organization which oversees some of the most sensitive data imaginable. Clearly their information security posture is in need of overall strengthening and improvement, to ensure that the public have complete confidence that critical files are completely protected at all times, from witness statements to court documents,” argued Absolute Software VP, Andy Harcup.
“Such a sharp rise in device losses and unauthorized disclosures of confidential data is a gift to cyber-criminals and fraudsters. It’s vital that the CPS improves its endpoint security measures and reduces the number of data leaks as a matter of urgency.”