Info Security

Subscribe to Info Security  feed
Updated: 27 min 30 sec ago

Silence Please: New Carbanak-Like Group Attacks Banks

Thu, 11/02/2017 - 09:30
Silence Please: New Carbanak-Like Group Attacks Banks

Researchers have uncovered a new advanced threat group which has targeted at least 10 financial institutions globally using tools and techniques similar to the notorious Carbanak group.

The group, dubbed “Silence” by Kaspersky Lab, begins its attacks via classic spear-phishing attempts, made more likely to succeed because it has already compromised the target company to hijack a real internal email account.

They will then request to open an account with the bank.

However, the attachment with the email contains a Microsoft Compiled HTML Help file, compromised to run malicious JavaScript once opened.

This will download and execute an obfuscated .VBS script which downloads and executes the final dropper: a win32 executable binary file which communicates with the C&C server, sends the ID of the infected machine and downloads and executes malicious payloads.

These payloads are designed to monitor everything the victim does — via screenshots and even a “real-time pseudo-video stream” — in order to build up a picture of their daily activity.

This activity is apparently similar to that of the Carbanak gang — first discovered by Kaspersky Lab in 2015 — which is estimated to have stolen in the region of $1bn from banks and individuals worldwide.

So far, the Silence group’s victims are mostly Russian banks, but researchers also found infected organizations in Malaysia and Armenia. Kaspersky Lab said that language artifacts discovered in the process of the investigation lead it to believe the hackers are Russian-speakers.

“The Silence Trojan is a fresh example of cyber-criminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” said security expert, Sergey Lozhkin.

“The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”

The vendor urged organizations to invest in advanced threat detection systems, conduct regular pen testing and application assessments to minimize their attacks surface and configure email systems to scan for malicious attachments and phishy characteristics.

Categories: Cyber Risk News

Internet Monitoring Platform Put Families at Risk

Thu, 11/02/2017 - 08:59
Internet Monitoring Platform Put Families at Risk

Researchers have discovered a number of vulnerabilities in popular internet monitoring platform for parents, Circle with Disney, potentially exposing countless families to malware and covert surveillance.

Cisco’s Talos Intelligence team revealed 22 flaws in the product, which pairs wirelessly with the home Wi-Fi network to manage every device including smartphones, tablets, PCs and smart TVs. The idea is that parents can monitor and control what their children access by creating user profiles via the Android/iOS app interface.

Cisco had the following:

“Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”

The bugs include CVE-2017-2898, which allows specially crafted network packets to cause unsigned firmware to be installed on the device, resulting in arbitrary code execution.   

Another, CVE-2017-2911, means that certificates for specific domain names can cause the product to accept a different certificate than intended, while CVE-2017-2864 can cause a valid authentication token to be returned to the attacker — resulting in authentication bypass.

Despite the long list of vulnerabilities, Cisco Talos was quick to acknowledge the vendor’s willingness to resolve the issues.

“The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication,” it said. “Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.”

Cesare Garlati, chief security strategist of the non-profit prpl Foundation, argued the case is another example of why the IoT is broken from a security perspective.

“This simple reason alone should also be a warning to globally recognized companies who wish to distribute or manufacture such devices with a ‘sales-first’ mentality,” he added. “These companies need to take a step back, look at more secure alternatives such as using open source, and work security from the ground up into their products. It’s high time for security to stop being an afterthought.”

Categories: Cyber Risk News

North Korea Accused of Stealing Warship Blueprints from the South

Wed, 11/01/2017 - 19:51
North Korea Accused of Stealing Warship Blueprints from the South

North Korea has likely hacked Daewoo Shipbuilding, taking a significant number of warship blueprints, according to South Korean opposition lawmaker Kyung Dae-soo.

Kyung told Reuters that he was "almost 100% certain that North Korean hackers were behind the hacking,” adding that the classified military documents that were taken include blueprints for an Aegis-class vessel and submarines.

He said that South Korea's Ministry of Defence uncovered the incident, but that he wasn’t briefed on the attack vector. However, he revealed that the cybercrime division did say that the heist has the North’s digital fingerprints all over it, being carried out using a tried-and-true method known to be used by the country.

Meanwhile, Daewoo Shipbuilding said that it is in the process of confirming the hack.

North Korea has been busy of late when it comes to government targets. In October, reports surfaced that the DPRK had plans to hack the American power grid in a spear phishing gambit. Emails containing fake invitations to a fundraiser delivered malware in the form of attachments—however, the attack was ultimately unsuccessful and no disruptions were logged.

Also in October, a South Korean lawmaker said that in that instance, hackers from North Korea stole a large cache of military documents from South Korea in September last year, including a plan to assassinate Kim Jong-un, wartime contingency plans developed with the US, plans for the South's special forces and information on significant power plants and military facilities.

Meanwhile, British authorities said last week that North Korea was responsible for the devastating WannaCry ransomware attack that hit hundreds of thousands of victims in May, including over a third of NHS trusts in England.

Categories: Cyber Risk News

Hilton Told to Pay Up After Mishandling Data Breaches

Wed, 11/01/2017 - 19:41
Hilton Told to Pay Up After Mishandling Data Breaches

Hilton Hotels has been hit with a $700,000 fine in the United States, in the wake of two separate credit card data breaches.

The point-of-sale attacks, which were discovered by the hotel giant in 2014 and 2015, saw more than 363,000 payment cards impacted—but according to state investigators in the US, customer notifications weren’t sent until November 2015, more than nine months after the first breach and more than three months after the second.

In the first instance, the PoS malware had been detected as being active between November 18 and December 5, 2014, during which time hackers may have accessed cardholder names, payment card numbers, security codes and expiration dates. In the second incident, the same type of PoS code was active between April 21 and July 27, 2015, when an intrusion detection system alerted Hilton that malware was communicating with a C&C server.

When the hotelier finally admitted that the incidents occurred, it was two months after independent security researcher Brian Krebs reported that hackers may have compromised registers in gift shops and restaurants at a “large number” of Hilton properties.

Because of the notification gap—during which time hackers could be making fraudulent purchases unbeknownst to victims—and an array of inadequate security measures, the penalty has been imposed. The monies will be split between the states of New York and Vermont.

As part of the settlement, Hilton committed to disclosing any future breaches in a more timely manner, and said that it would beef up its ongoing security and intrusion detection efforts.  

"Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems," the company said in a statement.

The Hilton portfolio covers over 4,000 properties in more than 90 countries worldwide including Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, Curio - A Collection by Hilton, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Hampton by Hilton, Homewood Suites by Hilton, Home2 Suites by Hilton and Hilton Grand Vacations.

Categories: Cyber Risk News

The Devil Targets Japan with Bad Rabbit-like Wiper-Ransomware

Wed, 11/01/2017 - 19:03
The Devil Targets Japan with Bad Rabbit-like Wiper-Ransomware

A new family of ransomware, dubbed ONI, has been discovered being used as a wiper to cover up an elaborate hacking operation in targeted attacks against Japanese companies.

The name ONI, can mean “devil” in Japanese, and it also appears in the email address found in its ransom note. Attacks observed by Cybereason suggest that the malware lives up to its name. They generally to date have lasted between three to nine months, and all ended with an attempt to encrypt hundreds of machines at once. Aside from encrypting files on the infected machines, ONI can encrypt files on removable media and network drives—and there’s evidence that the true purpose of the attack is to exfiltrate and destroy data.

Cybereason said that the attacks started with spear-phishing emails carrying weaponized Office documents, which ultimately dropped the Ammyy Admin RAT. Using the Ammyy Admin RAT and other hacking tools, the attackers then mapped out the internal networks, harvested credentials and moved laterally, ultimately compromising critical assets, including the domain controller (DC), to gain full control over the network. From there the ONI ransomware was deployed to encrypt a large array of files, while the bootkit MBR-ONI was used on critical assets such as an AD server and file servers, and likely used as a wiper to conceal the operation’s true motive.

The MBR-ONI bootkit has technological ties to the recently discovered Bad Rabbit ransomware.

“During our investigation, Cybereason discovered a new bootkit ransomware dubbed MBR-ONI used by the same threat actor in conjunction with ONI,” said Assaf Dahan, a security researcher with Cybereason, in an analysis. “This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code was found in the recently discovered Bad Rabbit ransomware.”

But classifying ONI and MBR-ONI merely as ransomware leaves some open questions regarding the observed attacks.

“It is very unlikely that an attacker would not be interested in distinguishing between infected machines,” Dahan said. “That also supports our suspicion that there was never an intention to recover the encrypted disk partitions.”

Also, why spend three to nine months in the environment without a sure monetization plan?

“From a cost-effectiveness perspective, there is no guarantee the attacker will be rewarded with a ransom payment at the end of this long operation, despite sustaining an active operation and risking detection,” said Dahan. “We do not dismiss the possibility that financial gain was the motive behind these attacks. However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly. “

While the ONI attacks are specific to Japan, Cybereason also believes they point to a concerning global trend.

“Using ransomware in targeted hacking operations is still quite uncommon compared to the popularity of ransomware in the overall cyber threat landscape,” said Dahan. “In recent years, though, there have been increased reports about ransomware and wipers used in targeted attacks carried out by cyber-criminals and nation-states [including] Bad Rabbit].”

The three- to nine-month infection window does point out the need for secondary defenses, according to Stephan Chenette, founder and CEO, AttackIQ.

"In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. Defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls. They should continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence."

Categories: Cyber Risk News

Facebook Claims Kremlin-Linked Content Seen by 126 Million

Wed, 11/01/2017 - 11:11
Facebook Claims Kremlin-Linked Content Seen by 126 Million

Facebook, Twitter and Google all agreed with US intelligence reports yesterday that their platforms had been used by Kremlin agents to spread misinformation and propaganda in a bid to influence the 2016 presidential election.

According to testimony at a Senate hearing seen by Infosecurity, Facebook general counsel, Colin Stretch, went into particular detail.

He admitted that 29 million Facebook users were served ads and promoted content directly from the 80,000 posts over a two-year period connected with the infamous Russian propaganda organ the Internet Research Agency (IRA).

However, thanks to viral sharing and promotion of content, the real number may be closer to 126 million users. That’s a far cry from the 10 million users the social network originally claimed saw the ads.

Although this equals 0.004% of content in News Feed, or one out of 23,000 pieces of content, it’s still a large number of people: more than a third of the US population, for example.

These ads are said to have been focused on “divisive social and political messages from across the ideological spectrum touching on topics from LGBT matters to race issues to immigration to gun rights.”

Twitter’s acting general counsel, Sean Edgett, claimed 2752 accounts were linked to the IRA, much more than the 201 originally found.

He added that 36,746 automated accounts were identified as Russian-linked and tweeting election-related content 1.4 million times, 0.74% of overall election-related posts on Twitter at the time.

Google got away pretty lightly, having found just two Russia-linked accounts on its ads network and a little over 1000 YouTube videos with political content, most with pretty low viewing figures.

Interestingly, Facebook also claimed it identified activity from a handful of accounts it assessed as belonging to infamous Kremlin hacking group APT28 (Fancy Bear).

“This activity, which was aimed at employees of major US political parties, fell into the normal categories of offensive cyber activities we monitor for. We warned the targets who were at highest risk, and were later in contact with law enforcement authorities about this activity,” Stretch testified.

“Later in the summer we also started to see a new kind of behavior from APT28-related accounts — namely, the creation of fake personas that were then used to seed stolen information to journalists. These fake personas were organized under the banner of an organization that called itself DC Leaks. This activity violated our policies, and we removed the DC Leaks accounts.”

Categories: Cyber Risk News

Bipartisan SAVE Act Aims to Protect US Elections

Wed, 11/01/2017 - 10:21
Bipartisan SAVE Act Aims to Protect US Elections

US senators have released bipartisan legislation designed to protect the US election system and specifically voting infrastructure from foreign interference.

Republican Susan Collins and Democrat Martin Heinrich, members of the Senate Select Committee on Intelligence, argue that the Securing America's Voting Equipment (SAVE) Act will help protect voting systems, registration data and ballots from “theft, manipulation, and malicious computer hackers.”

The legislation would designate state election systems as critical infrastructure, meaning the Department of Homeland Security (DHS) would be required to work with states to establish risk mitigation measures and a federal grant would help states upgrade equipment.

The Act would also require the Director of National Intelligence (DNI) to sponsor security clearances for federal election bosses in each state, usually the secretaries of state, and then share any relevant classified info with them regarding threats to their infrastructure.

Under the new proposals the comptroller general would be required to audit elections. A “CooperativeHack the Election" program is also mooted to root out vulnerabilities in systems.

"Our democracy hinges on protecting Americans' ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections," said Heinrich in a statement.

"The SAVE Act would ensure states are better equipped to develop solutions and respond to threats posed to election systems. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation's democratic institutions will remain vulnerable."  

US intelligence has concluded that Russian hackers probed state election voting centers and state-level voter registration databases as part of wider efforts to undermine the democratic process and attempted to swing the election in favor of incumbent Donald Trump.

However, it’s not thought that these efforts at least had any effect on the election outcome.

Potentially far more serious were the propaganda moves on social media and the hacking and dissemination of damaging Democratic Party emails via Wikileaks, which Hillary Clinton has blamed in part for her loss.

Categories: Cyber Risk News

Malaysian Data Breach Could Affect Entire Population

Wed, 11/01/2017 - 09:57
Malaysian Data Breach Could Affect Entire Population

Malaysia has suffered its biggest ever data breach after the personal details of over 46 million mobile subscribers were found being traded on the dark web.

That figure represents more than the 31 million population of the country, and could include foreigners living there.

The targeted telcos include: Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.

The breached data includes customer names, billing addresses, mobile numbers, sim card numbers, IMSI numbers, handset models and ID card numbers, according to the site that first broke the news.

However, the breach gets even worse, with data from employment site and several government websites also discovered. These are: the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia. claimed the Jobstreet data featured records on as many as 17 million customers, including names, login names, hashed passwords, email id, nationality, address and phone number.

Over 20,000 records were stolen from the Malaysian Medical Association while 62,000 were taken from the Malaysian Medical Council which registers all doctors in the country. The data included ID card numbers, addresses and mobile numbers.

Malaysian communications and media agency MCMC said it was investigating the incident and confirmed that 42.6 million people were affected.

According to local reports officials have already met with the affected telcos, although the source of the breached data has yet to be disclosed.

Some of the data dates back as far as 2012 but it’s unclear when the breach took place.

ESET security specialist, Mark James, argued that the data could make follow-on phishing attempts highly successful.

“The user can immediately relate to the data and would in most cases follow any instructions that may be within an email, or even through a personal phone call, because in most cases we have no control over what is stored about us online, we have no choice but to comply,” he added.

“If we want the benefits of connected services and the ability for medical organizations to have all the info at hand in case of emergency, in most cases they have to have our most private details."

Categories: Cyber Risk News

Apple FaceID Confidence Runs High

Tue, 10/31/2017 - 18:50
Apple FaceID Confidence Runs High

Apple’s latest biometrics push, facial recognition for iPhone, is seen by most to be a trustworthy authentication mechanism, despite it not yet being released into the market.

The results of a survey conducted by Secret Double Octopus, found that among 522 employees of medium and large enterprises, 81% of respondents perceive FaceID as trustworthy, and 91% think it will be easy to use.

The survey, which focused on preferred authentication methods and password usage, found that 73% of employees surveyed said they prefer FaceID to passwords if given the choice, with 70% categorizing FaceID as ‘extremely or very trustworthy’—results from a technology they have never actually used.

Apple’s TouchID, deployed on iPhone 6 and iPhone 7, is the leading alternative to passwords, with respondents ranking it first in all three survey parameters: ease of use, trust and preference.

“We initiated this survey because we wanted to look past the hype to really understand what people think about the authentication methods they are required to navigate daily—anything from passwords, tokens and SMS to TouchID,” said Raz Rafaeli, CEO of Secret Double Octopus. “We also wanted to know what people are expecting from new authentication alternatives, specifically FaceID. The results demonstrate the need for organizations to seriously consider the impact FaceID will have on their security environment and explore how they can leverage the technology both as a second-factor authentication measure, as well as a way to replace passwords altogether, because that is where we are headed.”

The survey also revealed ongoing concerns around password use. Even though 91% of companies having a policy for password strength (longer passwords and frequent replacements, for example), the survey found that many employees are not adhering to even the most basic of protections, and are exposing themselves and their organizations to increased chances for malicious activity. About a quarter (23%) of employees surveyed say they rely on paper notes to remember their passwords. Further, 14% have shared their work passwords with colleagues or other people; 21% of employees use work-related passwords for non-work related online services; and 5% of employees admit they have entered their work-related passwords into fraudulent forms or web pages.

The results are interesting given the results from a survey of the hacking community, which found that facial recognition was rated as the worst tool for authentication by a fifth of respondents—six times more often than fingerprint authentication.

Categories: Cyber Risk News

Only a Third of US Office Workers Know What Ransomware Is

Tue, 10/31/2017 - 18:34
Only a Third of US Office Workers Know What Ransomware Is

The threat of ransomware is growing exponentially, yet only a third of US office workers know what it is.

Intermedia’s latest 2017 Data Vulnerability Report, which surveyed 1,000 US knowledge workers, found that even with the increased publicity and impact of global ransomware attacks like WannaCry and Petya, and emerging strains such as BadRabbit, awareness still lags behind. This is not for lack of effort among companies though, with 70% of office workers saying their organization regularly communicates about cyber threats and nearly one-third (30%) saying their organization specifically highlighted the WannaCry ransomware attack as an example.

The stakes are significant: The study shows that the average amount paid in ransom among office workers now stands at approximately $1,400.

Interestingly, the report found that employees shoulder costs of ransomware payments more often than employers: Of the office workers that have fallen victim to a ransomware attack at work, the majority (59%) paid the ransom personally, and 37% said their employers paid. About 68% of impacted owners and executive management said they personally paid a work-related ransom.

Also, more than 73% of impacted Millennial workers, often viewed as the most computer-savvy group of employees, report paying.

“Our latest report shows that, even in the face of increasing attacks, there are large gaps in overall awareness of how to handle a ransomware strike,” said Jonathan Levine, CTO at Intermedia. “Employees are willing to go to great lengths to try to get data back, including paying ransoms out of their own pockets, even though 19% of the time the data isn’t released even after the ransom is paid.”

SMBs are particularly vulnerable to ransomware attacks, the study uncovered.

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat,” Levine continued. “This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must, afford. And hackers realize this.”

Categories: Cyber Risk News

CryptoShuffler Trojan Sucks Cash from Wide Range of Crypto-Wallets

Tue, 10/31/2017 - 18:29
CryptoShuffler Trojan Sucks Cash from Wide Range of Crypto-Wallets

The CryptoShuffler Trojan is siphoning funds from cryptocurrency wallets, targeting a wide range of the most popular cryptocurrencies, including Bitcoin, Ethereum, Zcash, Dash, Monero and others.

Uncovered by Kaspersky Lab, the bad code steals cryptocurrencies from a wallet by replacing the user’s legitimate address with its own in the device’s clipboard. To date, criminals have already succeeded in lucratively attacking Bitcoin wallets, stealing equivalent to almost $140,000. The total amounts stolen from other wallets range from a few dollars to several thousands.

“Clipboard hijacking attacks like this have been previously seen in the wild, targeting online payment systems; however, experts believe cases involving a cryptocurrency host address are currently rare,” researchers said.

CryptoShuffler’s mechanism is simple yet effective, capitalizing on the common transaction process used by most cryptocurrency users: They copy a recipient’s walled ID number and paste it into the “destination address” line in the software they are using to make their transaction. The trojan simply monitors the infected device’s clipboard, and replaces the user's wallet address with one owned by the malware creator. Therefore, when the user pastes the wallet ID to the destination address line, it is already not the address they originally intended to send money to, and as a result, the victim transfers their money directly to criminals.

“CryptoShuffler’s ability to replace a destination literally takes milliseconds because it’s so simple to search for wallet addresses—the majority of cryptocurrency wallet addresses have the same beginning and certain number of characters,” Kaspersky said. “Therefore, intruders can easily create regular codes to replace them.”

To keep crypto savings safe, users should pay close attention during transactions, and always check the wallet number listed in the destination address line against the one they are intending to send coins to. Users should also be aware that there is a difference between an invalid address and an incorrect address: In the first case, the error will be detected and the transaction won't be completed; in the latter, there’s no alert.

“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals,” said Sergey Yunakovsky, malware analyst at Kaspersky Lab. “Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So, users considering cryptocurrency investments should think about protecting their investments carefully.”

Categories: Cyber Risk News

Code Signing Certs Traded for $1000+ on Darknet

Tue, 10/31/2017 - 12:25
Code Signing Certs Traded for $1000+ on Darknet

Digital code signing certificates are being traded on the dark web for over $1000, undermining trust in the entire authentication system on which the internet is based, according to new Venafi research.

The cybersecurity vendor teamed up with the Cyber Security Research Institute in a six-month project to peel back the curtain on the shadowy underground markets used to buy and sell illegal goods and services.  

It found code signing certificates available for purchase for up to $1200, making them more expensive than some counterfeit passports, handguns and stolen credit cards.

Attackers can use these certificates to hide the malware used for attacks in encrypted channels, making them highly sought-after.

Venafi chief security strategist, Kevin Bocek, explained that the certs could be sold many times over before losing their value, ensuring they are a major money-maker for cyber-criminals.

He described the research as a “rude awakening” for the system which essentially defines trust on the web.

“With no knowledge of which certificates should really be trusted, IT teams will have to either assume they can’t trust their applications and software, or risk criminals using their certificates to slip past defenses undetected to distribute malware. Neither option is acceptable,” he told Infosecurity.

“The only way organizations can effectively protect themselves is by having complete intelligence and control over every single certificate in use and trusted. But since firms have an average of more than 16,000 certificates they’re unaware of, this is no small feat. This is why it’s so important to automate the discovery, inventory and reputation scoring of every digital certificate, and for every code signing certificate in use, it’s key must be protected and every use controlled and audited.”

The researchers claim they only scratched the surface of the illegal darknet trade in code signing certificates, explaining they believe TLS, VPN and SSH key and certificate trading is also rife.

Categories: Cyber Risk News

EU to Declare Cyber-Attacks “Act of War”

Tue, 10/31/2017 - 11:42
EU to Declare Cyber-Attacks “Act of War”

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document, said to have been developed as a deterrent to provocations by the likes of Russia and North Korea, will state that member states may respond to online attacks with conventional weapons “in the gravest circumstances."

The framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

Security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The suspected state-sponsored group known as Dragonfly has also been active of late probing US energy facilities.

That said, definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with Nato moves in the past establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense.

That states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.

Categories: Cyber Risk News

Security Alert as USB Found Containing Heathrow Plans

Tue, 10/31/2017 - 10:02
Security Alert as USB Found Containing Heathrow Plans

Heathrow airport has launched an urgent inquiry after an unencrypted USB stick containing top secret maps and other documents related to the site was found in a London street.

A man who found the 2.5GB storage device in a street in Queen’s Park plugged it into a library computer and found over 170 documents, some of which were labelled “confidential” or “restricted”.

The details included those of individuals exempt from security screening, radio codes in case of aircraft hijacking and the Queen’s route to the Royal Suite, which is located in a hidden part of the airport.

Other highly sensitive pieces of information on the USB included satellite images and operating manuals for the Doppler radar surveillance system used to scan runways and the perimeter fence, as well as the location of maintenance tunnels and escape shafts.

It’s unclear whether the storage device was accidentally left by a Heathrow employee or if the info on it was compiled by a terrorist planning an attack.

"The worry is it ends up on the dark web and used by bad guys to pick holes in airport security,” a police source told the Sunday Mirror.

Blancco Technology Group chief strategy officer, Richard Stiennon, argued that USB ports on enterprise endpoints should be strictly controlled and monitored, with only approved encrypted devices allowed to connect.  

“Another aspect to worry about when doing a complete data audit is where does the data end up? Are there copies of secret documents all over? Those should be sanitized,” he added.

“A comprehensive data santization policy and plan can address the trillions of gigabytes of so called 'dark data' that resides in organizations around the world.”

Micro Focus vice-president, Geoff Webb, also argued for encryption as standard.

“It’s simply too easy to copy information and walk out the door with it – or move it up to a cloud file sharing service – and if the information isn’t encrypted, the potential for loss is significant.”

Categories: Cyber Risk News

Virtual Reality Could Help Close Workforce Gap

Mon, 10/30/2017 - 18:10
Virtual Reality Could Help Close Workforce Gap

About three-quarters of respondents in a recent survey said that virtual reality (VR) tools could be a critical next-gen approach to addressing the cybersecurity workforce gap.

By 2020, a projected 1.8 million cybersecurity jobs will be unfulfilled, leaving organizations scrambling to think outside of the box when it comes to attracting talent. In a survey from ESG and ProtectWise based on the opinions of 1,000 US-based millennials/post-millennials (the workforce’s newest generation and the next one poised to enter it, 74% said that the presence of VR tools increases their likelihood of pursuing a career in cybersecurity.

Meanwhile, 65% admitted that they haven’t been exposed to cybersecurity in school, and only 9% of 16-24-year-olds said they are interested in pursuing the cybersecurity field at some point in their career. The top reason for this is a general lack of awareness—39% cited a general lack of knowledge about cybersecurity as a career path—both pointing to a massive opportunity for education on cybersecurity as a viable profession.

“Employers are seeking candidates for tier-one analyst roles who have prior security experience, when in reality 87% of cybersecurity workers don’t start in the field,” the report noted. “Employers also want cybersecurity candidates with highly technical skills to which the average student is not exposed, including intrusion detection, attack mitigation and secure software development. Advanced certifications are required for roles that aren’t necessarily advanced, which deters workers who can earn an attractive salary and develop innovative technology in other fields without the burden of earning more credentials.”

The survey also revealed that this younger group is very aware of next-gen technology, and that gamification of the enterprise is something they would welcome. The survey found that 76% play games regularly and have a high affinity for VR tech. About 58% have used/regularly use VR technologies and expect to do so in the future—and are attracted to jobs that incorporate them. Meanwhile, 72% agreed that access to VR/AR in cybersecurity would make them more effective.

“One solution [to the workforce gap] may be to use technologies that capitalize on humans’ natural ability to reason visually and spatially in order to solve critical problems,” the report said. “Immersive technologies incorporating virtual reality (VR), augmented reality (AR) and collaborative gaming principles accomplish this and are being used to problem-solve in other industries—in healthcare to combat obesity, in automobile manufacturing to reduce waste and inefficiency and in the US Army to train recruits. The cybersecurity industry could similarly build solutions that enable fast, effective anomaly detection and remediation based on technologies that do not require highly specialized certifications and education. Doing so could open up the cybersecurity talent pool, particularly among millennials and post-millennials who are avid gamers and have a strong affinity for VR.”

Categories: Cyber Risk News

T-Mobile USA Calls Customers to Warn on SIM Hijacking

Mon, 10/30/2017 - 17:45
T-Mobile USA Calls Customers to Warn on SIM Hijacking

T-Mobile USA is warning some customers that they could be targeted by hackers looking to hijack their SIM cards.

According to reports, the company has contacted “a few hundred” customers in last two weeks, in the wake of a website flaw that was initially reported by Vice’s Motherboard. The bug, which was patched October 10, allowed hackers to access customers' email addresses, account numbers and phone IMSIs. Armed with this information, bad actors could impersonate the user to gain access to an account and duplicate the SIM card, gaining control over the phone number. In turn, with access to the phone, they could intercept SMS codes for two-factor authentication and gain access to bank accounts and the like.

One of the affected T-Mobile customers, Lorenzo Franceschi-Bicchierai, wrote that he got a call from customer service to warn him "of a detected alert" about his personal information.

The bug was reported in early October by Karan Saini, founder of startup Secure7. But it had been exploited since at least August 6, when a black-hat uploaded an exploitation tutorial on YouTube.

Initially, T-Mobile said that there was no indication that customer accounts were affected in any broad way—though clearly that is not the case. However, the carrier now has said the number of affected users is quite low, representing a tiny fraction of its 70 million customers.

"We found that there were a few hundred customers targeted," a spokesperson told Franceschi-Bicchierai “We take our customers' privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure."

Categories: Cyber Risk News

'unCAPTCHA' Defeats Google CAPTCHA with 85% Accuracy

Mon, 10/30/2017 - 17:40
'unCAPTCHA' Defeats Google CAPTCHA with 85% Accuracy

unCAPTCHA, an artificial intelligence-based automated system designed at the University of Maryland, can break Google's audio-based reCAPTCHA challenges with an accuracy of 85%.

Google has been working on refining and strengthening reCAPTCHA for years, a Turing test-based methodology for proving that website users aren’t robots, and recently extended it to mobile websites for Android users.

unCAPTCHA, to be fair, doesn’t address what most of us are familiar with: Challenges asking us to read distorted text and type it into a box. Instead, the AI is trained to crack audio challenges, which are offered as an option for people with disabilities.

unCaptcha combines free, public, online speech-to-text engines with a phonetic mapping technique. The system downloads the audio challenge, breaks it into several digital audio clips, then runs them through several text-to-speech systems to determine exact and near-homophones, weights the aggregated results by confidence level, and then sends the most probable answer back to Google.

The results of the trial showed that the AI could solve 450 reCAPTCHA challenges with an 85.15% accuracy in 5.42 seconds: That’s less time than it takes to listen to the challenge in the first place.

The research work proves that bad actors don’t need significant resources to mount a large-scale successful attack on the reCaptcha system.

“Prior work has generally assumed that attackers against CAPTCHA systems are well-resourced,” the researchers said in a paper. “In particular, the standard threat model involves an attacker who can attack the CAPTCHA tens or hundreds of thousands of times for a relatively small number of successes, and can scale this attack to abuse services.”

They added, “An attacker with many resources can afford a lower success rate, and thus some have argued that even a success rate of 1/10,000 is sufficient to threaten the integrity of services. In our work, we will assume an attacker with limited resources; unlike previous works attacking captchas, our threat model limits the attacker to one computer, one IP address, a small amount of RAM and limited training data (less than 100MB). Therefore, we aim for accuracy benchmarks above 50%, as a low-resource attacker cannot afford a lower percentage of success.”

Categories: Cyber Risk News

McAfee Says "No" to Foreign Govt Code Reviews

Mon, 10/30/2017 - 11:20
McAfee Says "No" to Foreign Govt Code Reviews

Security giant McAfee has decided to discontinue a policy of allowing foreign governments to analyze its source code for hidden backdoors.

The policy is seen as an essential step for US and other Western tech firms looking to sell into the Russian and other regions, ostensibly intended to allay any security concerns foreign governments may have.

However, it’s increasingly seen as a risk which could actually expose the provider’s software, despite the possibility for such tests to be conducted so that no code is allowed to leave the premises.

McAfee is said to have made the decision after it was spun-off from Intel.

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokeswoman told Reuters. “This decision is a result of this transition effort.”

McAfee now joins Symantec, which adopted the policy in 2016 amid security fears.

It’s not just the Russian government involved here; a recent Cybersecurity Law passed in China could lead to Beijing demanding code reviews from any “critical information infrastructure” provider wanting to operate in the country.

Again, the government claims such measures are necessary to protect national security, but critics have suggested it could also give agents an opportunity to research their own backdoors.

The value of AV tools as a means for intelligence operatives to monitor targets has been brought to light by the recent showdown between the US government and Russian security firm Kaspersky Lab.

It is claimed Russian intelligence may have used backdoors in its products to spy on and steal info from an NSA contractor.

Kaspersky Lab therefore seems to be going in a different direction to McAfee and Symantec, forced to open up its source code to the US government in a bid to regain trust after Washington banned its products for federal use.

Cesare Garlati, chief security strategist at the non-profit prpl Foundation, argued that all software should be open source, available for scrutiny by all.

“There is consensus in the security community that the so called ‘security through obscurity’ never worked: just look at Windows Microsoft or Adobe Flash if you need proof,” he added.

“Close source software does not make any software more secure. In fact, is the exact opposite. All recent high-profile incidents involve reverse engineering of closed source software, identification of vulnerabilities and their systematic exploit."

Categories: Cyber Risk News

UK Government Blames WannaCry on North Korea

Mon, 10/30/2017 - 10:43
UK Government Blames WannaCry on North Korea

The British government has joined the likes of Microsoft and others in blaming North Korea for the devastating WannaCry ransomware attack that hit hundreds of thousands of victims in May, including over a third of NHS trusts in England.

Security minister, Ben Wallace, told BBC Radio 4’s Today program on Friday that the hermit nation “was the state that we believe was involved in this worldwide attack on our systems.

“We can be as sure as possible. I can’t obviously go into the detailed intelligence but it is widely believed in the community and across a number of countries that North Korea had taken this role,” he claimed.

Wallace also claimed North Korea had launched other attacks aimed at stealing foreign currency; potentially a reference to its attacks on Bitcoin exchanges in recent months.

Earlier this month, Microsoft president, Brad Smith, made similar remarks.

“I think at this point that all observers in the know have concluded that WannaCry was caused by North Korea using cyber tools or weapons that were stolen from the National Security Agency in the United States," he told ITV News.

WannaCry caused chaos around the globe when it landed in mid-May. It could have affected many more victims than the 300,000 it hit if it hadn’t been for a “kill switch” discovered by researcher Marcus Hutchins.

In the end, the ransomware managed to compromise many organizations that had failed to patch a known SMB vulnerability for which Microsoft had issued a fix in March.

Scores of them were NHS trusts: 81 to be precise.

WannaCry caused the cancellation of an estimated 19,000 operations and appointments and infected hundreds of primary care and GP practices.

A National Audit Office (NAO) report released last week revealed that systemic failures in the NHS and Department of Health left the health service woefully exposed to the threat.

Categories: Cyber Risk News

Twitter Bans RT and Sputnik Ads Following Election Meddling

Mon, 10/30/2017 - 10:12
Twitter Bans RT and Sputnik Ads Following Election Meddling

Twitter has decided to ban Russian-Linked media companies Russia Today (RT) and Sputnik from buying ads on its platform, blaming their alleged interference in the US election.

The social media giant said it would “off-board” advertising from all accounts owned by the two companies, heavily linked to the Russian government.

It explained:

“This decision was based on the retrospective work we've been doing around the 2016 US election and the US intelligence community’s conclusion that both RT and Sputnik attempted to interfere with the election on behalf of the Russian government. We did not come to this decision lightly, and are taking this step now as part of our ongoing commitment to help protect the integrity of the user experience on Twitter.”

Twitter references a US government report from January which claims both outlets are part of “Russia’s state-run propaganda machine”.

“State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 US general and primary election campaigns progressed while consistently offering negative coverage of Secretary Clinton,” it notes.

Twitter says it will take the $1.9m projected to have been earned from RT advertising since 2011 and donate it “to support external research into the use of Twitter in civic engagement and elections, including use of malicious automation and misinformation, with an initial focus on elections and automation.”

The news has been welcomed by Senators Mark Warner and Amy Klobuchar, who have proposed an Honest Ads Bill designed to force greater transparency in political advertising.

That comes following a closed door briefing to the Senate earlier this month described as “deeply disappointing” and “inadequate” by Warner.

However, the Russian outlets will still be free to use their influence to tweet organically. An arguably bigger problem is that of bot-driven profiles which can elevate specific stories or fake news to trending topics, and then be dismantled before an investigation can begin.

Google, Facebook and Twitter have all been asked to appear before a public Senate Intelligence Committee hearing on November 1.

The news comes as the World Economic Forum called on Silicon Valley social media firms to do more to halt the spread of extremism and state-backed propaganda.

Categories: Cyber Risk News