Info Security


Plenty to Patch as Microsoft and Adobe Fix 115 Vulnerabilities

Wed, 08/09/2017 - 08:51

This month’s Patch Tuesday update round from Microsoft fixed 48 vulnerabilities, but only two have been publicly disclosed prior to release, with none known to have been exploited in the wild thus far.

At first sight it’s a daunting collection of bugs, covering Windows, Internet Explorer (IE), Edge, the Windows Subsystem for Linux, the kernel, SharePoint, SQL Server and Hyper-V, with 25 CVEs listed as critical, 21 important and two moderate.

Experts agree the priority should be CVE-2017-8620, a Windows Search remote code execution vulnerability.

Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) project claimed it to be the most critical bug this month.

“In addition to being similar to a previous search vulnerability – also under active attack – this bug allows a malicious SMB request to execute code on a target system,” he explained.

“As with the previous search flaw, within an enterprise, an attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer. That’s pretty close to wormable and just the sort of thing malware writers look for in a bug. Also, let this be your monthly reminder to disable SMBv1.”

Another interesting bug highlighted by ZDI is a Windows Hyper-V Remote Code Execution Vulnerability (CVE-2017-8664) which could allow an attacker on a guest OS to attack the hypervisor. Childs noted that a similar vulnerability won $100,000 at the 2017 Pwn2Own competition.

Bobby McKeown, senior manager of engineering at Rapid7, pointed out that this is the first time Microsoft has patched the Linux subsystem under Windows, with CVE-2017-8627 (DoS) and CVE-2017-8622 (privilege escalation) the first of their kind.

There were also two critical updates for Adobe Flash, Digital Edition, and Reader, and one important-rated update for Adobe Experience Manager, covering 43 critical and 24 important CVEs.

Chris Goettl, product manager at Ivanti, urged admins to focus on the OS, Flash, Reader and browser updates.

“There are a number of critical vulnerabilities resolved here and a few public disclosures in the OS updates which give attackers a bit of a head start on developing an exploit,” he added. “As the first half of 2017 has shown us, time is a significant variable in defending our environments against cyber threats. The quicker we can plug critical vulnerabilities the lower our overall risk will be.”

However, he urged sysadmins not to feel overawed by the task ahead.

“August Patch Tuesday has a lot at first glance, but this lion may be more of a lamb,” Goettl said.


Disney Faces Lawsuit Over Apps That Allegedly Spy On Kids

Tue, 08/08/2017 - 18:47

A slew of Disney-branded mobile applications, including some Star Wars, Moana and Disney Princess apps, are allegedly spying on children across the United States.

A class-action suit filed in California claims that The Walt Disney Co is commercially exploiting minors, including kids under the age of 13, by secretly tracking them using high-end behavioral analytics code. The apps use sophisticated SDKs to allegedly collect personal data without consent before going on to “exfiltrate that information off the smart device for advertising and other commercial purposes,” according to the suit.

“These are heavy-duty technologies, industrial-strength data and analytic companies whose role is to track and monetize individuals,” Jeffrey Chester, the executive director of the Center for Digital Democracy, told the Washington Post. “These should not be in little children’s apps.”

The mother who brought the initial suit, Amanda Rushing, said in the complaint that her daughter, “L.L.”, downloaded Disney Princess Palace Pets, an app that lets users “groom, bathe, accessorize and play” with 10 different pets, and which is clearly marketed towards children under the age of 13. She alleges that the defendants collected personal information on L.L. without her permission, and that there were no disclosure statements on the app nor requests for consent.

The complaint names Disney and three app development companies, Upsight, Unity and Kochava—alleging that they have violated COPPA, the Children’s Online Privacy Protection Act. COPPA requires companies to directly obtain parental consent when a child’s personal information is collected, disclosed or used. There are additional protections for the privacy of children under 13 as well. The suit seeks an injunction barring the companies from collecting and disclosing the data without parental consent, as well as punitive damages and legal fees.

The House of Mouse, while not denying the actual spying activity, said that it has done nothing to fall afoul of regulations. “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families,” the company said in a statement. “The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

As a class action, the case also seeks to represent consumers in 35 states. The pool could end up being quite large: According to the Google Play store, Where’s my Water? 2 alone has been installed between 100 million and 500 million times.

The affected apps are:

  • AvengersNet
  • Beauty and the Beast
  • Perfect Match
  • Cars: Lightning League
  • Club Penguin Island
  • Color by Disney
  • Disney Color and Play
  • Disney Crossy Road
  • Disney Dream Treats
  • Disney Emoji Blitz
  • Disney Gif
  • Disney Jigsaw Puzzle!
  • Disney LOL
  • Disney Princess: Story Theater
  • Disney Store Become
  • Disney Story Central
  • Disney's Magic Timer by Oral-B
  • Disney Princess: Charmed Adventures
  • Dodo Pop
  • Disney Build It Frozen
  • DuckTales: Remastered
  • Frozen Free Fall
  • Frozen Free Fall: Icy Shot
  • Good Dinosaur Storybook Deluxe
  • Inside Out Thought Bubbles
  • Maleficent Free Fall
  • Miles from Tomorrowland: Missions
  • Moana Island Life
  • Olaf's Adventures
  • Palace Pets in Whisker Haven
  • Sofia the First Color and Play
  • Sofia the First Secret Library
  • Star Wars: Puzzle Droids
  • Star Wars: Commander
  • Temple Run: Oz
  • Temple Run: Brave
  • The Lion Guard
  • Toy Story: Story Theater
  • Where’s My Water?
  • Where's My Mickey?
  • Where's My Water? 2
  • Where’s My Water? Lite/Where’s My Water? Free
  • Zootopia Crime Files: Hidden Object

Criminals Drain Cash from ROBLOX Gamers

Tue, 08/08/2017 - 18:05

ROBLOX, a popular multiplayer video game with more than 178 million registered accounts, is being targeted by cybercriminals via its chat function in an effort to siphon off millions of dollars from players.

The criminals are using an API in the chat platform, called Discord, to steal browser cookies containing ROBLOX login credentials. The end game is stealing ROBUX (in-game currency), and exchanging it for real cash.

The game relies heavily on user-created content to thrive; it allows its players to create their own mini games and environments within the ROBLOX game world that other players can then play and share. ROBLOX also has a social networking element that encourages users to socialize, play and create content together, and take part in the earning and spending of ROBUX.

According to Trend Micro research, the criminals are infecting targeted systems via a gaming forum, where the crooks have posted malware in the guise of a “cheat application” that would allow players to modify their characters and therefore gain unfair advantage over other players. The malware waits until it detects ROBLOX on a victim’s system. And once it does, it steals the user’s game account cookie.

The malware also has a Discord webhook coded into it, which is a feature that allows the chat program to send a message to a specified channel or user when a certain requirement of a specified app or program is fulfilled.

In this case, the malware uses the webhook to send the stolen cookie to the bad guys once it’s in hand, who can then use the stolen cookie to remotely log into the compromised ROBLOX account to steal any stored ROBUX.

The malware runs persistently on the affected system, making it possible to obtain new game account cookies whenever they’re detected—meaning that password changes are useless.

“This isn’t the only malicious routine that cybercriminals can force Discord (or any similar chat platform) to carry out by abusing its API,” Trend Micro said in an analysis. “In fact, our analysis shows that with only some modifications, creative cybercriminals can possibly turn it into a command-and-control (C&C) infrastructure, allowing them to communicate with their malware without having to expend the resources for a home-brewed alternative.”

The firm is working with Discord to eliminate threats in its network, but users should always be careful about what they download from web forums, especially if message board posts are asking users to try out cheat applications.


HBO Hackers Leak Senior Exec Emails, Demand Ransom

Tue, 08/08/2017 - 18:00

The HBO hackers have upped the ante on their cyber-activities, dropping a ransom note on the premium cable network and leaking executive emails and more Game of Thrones tidbits.

The criminals sent the goods to The Hollywood Reporter, in the form of nine confidential files with screenshots of the stolen materials. They included a month’s worth of emails from the inbox of a senior executive, plus a screenshot of a file directory with folders for various shows, including unreleased episodes of upcoming shows like Room 104, Insecure and Curb Your Enthusiasm, and an untitled show by Silicon Valley director Mike Judge. On the Game of Thrones front, the materials include a plot summary for this week’s upcoming episode, marketing spreadsheets and media plans, and contact information for stars of the hit series.

This is the latest escalation of the breach that came to light last week. The attackers say they have 1.5 terabytes of information in all—seven times the volume of the 2014 Sony breach.

The hackers also delivered a video letter to HBO CEO Richard Plepler saying the network was their 17th target: "We successfully breached into your huge network. … HBO was one of our difficult targets to deal with but we succeeded (it took about six months)."

As the video continues, set to the Game of Thrones theme music, a ransom demand is laid out (the ransom amount is unknown—it’s been redacted in all published versions of the letter): "Our demand is clear and Non-Negotiable: We want [redacted] dollars to stop leaking your Data. HBO spends 12 million for Market Research and five million for GOT7 advertisements. So consider us another budget for your advertisements!"

The letter added: "Its a game for us. Money isn’t our main purpose. We don’t want to endanger HBO’s situation nor cause it to lose its reputation. We want to be your partner in a tiny part of HBO’s huge income."

And finally: "Leakage will be your worst nightmare. So make a wise decision!"

The deadline for payment is three days from when the letter was sent.

HBO thinks the attackers could be overstating things, according to its latest media statement: "HBO believed that further leaks might emerge from this cyber incident when we confirmed it last week. As we said, the forensic review is ongoing. While it has been reported that a number of emails have been made public, the review to date has not given us a reason to believe that our email system as a whole has been compromised."

Ross Rustici, senior director, intelligence services, at Cybereason, told Infosecurity via email that what happens now will depend on HBO’s ability to gather more information.

“If we take the new reports at face value that this is an extortion attempt then the decision to pay or not hinges on a couple of key points of information,” he said. “If [the hackers] were really good and managed to hide their traces well, the forensic effort is going to be a very long and ultimately incomplete job. HBO will never know the totality of the breach. Without knowing the totality of the breach, HBO executives will have to make a decision about how valuable the claimed information is to them (both from an actual investment perspective and a brand damage perspective), without having any real confidence in the data that is missing.”

He added, “An audit of senior emails and other documents that may have damaging or embarrassing information will help inform the risk calculation of whether it makes more sense to pay and pray or hold firm and weather the storm of the media should the worst-case scenario of leaks happen.”

Paying a ransom of course would require significant trust that the hackers wouldn't take the money and then release the information anyway or resell it to a competitor.

“The longer HBO can draw out the negotiating process the more likely it is that they will be able to make a more informed decision,” Rustici said. “The hackers are likely aware of this scenario as well, so it is likely that if the hackers are being honest about the ransom demand and monetary motivation we will see dumps that are increasing in frequency and availability as a way to put pressure on HBO.”


Hotspot Shield VPN Accused of Breaking Privacy Promises

Tue, 08/08/2017 - 10:25

A privacy non-profit has urged the Federal Trade Commission (FTC) to investigate alleged deceptive and unfair trade practices by the provider of the popular Hotspot Shield Free VPN.

The Center for Democracy & Technology (CDT) claimed in a lengthy filing that the app contradicts its headline privacy and security claims in its own privacy policy; facilitates targeted ads; redirects traffic to secret VPN servers; and “employs insecure and unreasonable data security practices.”

The tool, produced by Hotspot Shield, has managed to attract around 500 million customers from around the world with promises of “anonymous browsing” and claims that it keeps “no logs of your online activity or personal information.”

It even distances itself from other “disreputable” free VPN services which “make their money tracking and selling their users’ activities.”

However, its own privacy policy reveals that the VPN logs user connection data “to identify [a user’s] general location, improve the Service, or optimize advertisements displayed through the Service”, the filing states.

Hotspot Shield Free VPN claims to clear any browsing info after each session, but it actually “deploys persistent cookies and concedes that it works with unaffiliated entities to customize advertising and marketing messages”, the FTC filing continues.

CDT’s research was aided by Carnegie Mellon University’s Mobile App Compliance System, which it claims found “undisclosed data sharing practices with third party advertising networks.”

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes,” the filing alleges.

“Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing.”

Hotspot Shield also redirects e-commerce traffic to partner websites that include online advertising companies, CDT claimed.

It also argued that consumers using the paid-for version of the VPN have become victims of credit card fraud.

This could be because the app doesn’t transmit mobile carrier information through an HTTPS connection, rendering it susceptible to leaks or attacks from malicious third parties, the FTC complaint alleges.

Media reports quote David Gorodynasky, CEO of parent company AnchorFree, as saying the claims are “unfounded”.


UN Asks Apple for Answers Over China VPN Move

Tue, 08/08/2017 - 09:31

The UN has written to Apple boss Tim Cook requesting more information on why it withdrew scores of VPN apps from its China App Store last month.

Apple released the following statement on July 30:

“Earlier this year China’s MIIT [Ministry of Industry and Information Technology] announced that all developers offering VPNs must obtain a license from the government. We have been required to remove some VPN apps in China that do not meet the new regulations. These apps remain available in all other markets where they do business.”

The removal of the apps, which reports claim numbered around 60, leaves only domestic licensed VPNs for iOS users. The problem with such apps is that the government can demand data from their providers at will, defeating the point for many users of anonymizing their browsing.

Now the UN’s David Kaye, special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has asked for more info on Apple’s decision-making, given that previous statements from the tech giant claim “that Apple states a point of view and speaks up in the context of restrictions on fundamental rights.”

In particular, he wants to know: whether Apple received a specific request from the government, whether it made a legal analysis of the situation, if it objected, if it raised China’s obligations under international human rights law or if it raised non-legal concerns about removing VPNs, such as the impact on innovation, individual security and “commercial connections”.

In a carefully worded letter, Kaye clearly highlights the difficulty facing US tech firms in China: balancing their commitment to free speech and online freedoms with a promise to obey the laws of the land.

“In recent years, China has expanded the scope of its censorship tools and efforts, coming at the expense of individual rights to freedom of expression, access to information, freedom of association, and other fundamental human rights. Chinese restrictions put you in the position – unenvious, and likely reluctantly – of having to mediate between your customers, Chinese citizens, and Chinese law,” he wrote.

“While [Apple] may be a natural target for government censorship, it has also become indispensable to the lives of hundreds of millions of users worldwide, and therefore uniquely qualified to speak truth to power and stand up for their rights.”


DHS CIO Staropoli Quits After Just Three Months

Tue, 08/08/2017 - 09:03

The US Department of Homeland Security has been rocked by yet another departure, this time the resignation of CIO Richard Staropoli just three months into his role.

The former US Secret Service agent resigned last week and will officially leave his post at the beginning of September, according to The Hill.

Although there’s no official word on the resignation on the department’s website, officials told the site that Staropoli would be replaced temporarily by deputy CIO Stephen Rice, until a permanent successor is found.

Staropoli promised a major shake-up to the department’s IT function when he arrived, claiming he would organize it in the same way as his old set-up at hedge fund Fortress Investment Group, where he was CISO.

It’s unclear whether these promises to cut bureaucracy and rein in spending led to the resignation, which remains a mystery for now.

However, Staropoli is the second big name to leave the DHS after secretary John Kelly accepted the role of Donald Trump’s chief of staff at the White House.

That leaves the department in a somewhat precarious position when it comes to the IT security part of its remit.

The Department of Homeland Security (DHS) leads domestic cybersecurity policy including industry information sharing efforts, protecting critical infrastructure, skills, R&D and defending federal networks.

Officials were heavily involved in investigating alleged election hacking by the Russian state last year.

Last month, acting director of the cyber division of the DHS Office of Intelligence and Analysis, Samuel Liles, revealed that as many as 21 states may have been targeted by state-sponsored snoopers.

Staropoli is the latest in a growing line of departures from US government positions, leaving an unprecedented gap in capability at the top of government, compounded by the President’s sluggish appointment of people to key roles.

Back in June, the Washington Post revealed that 85% of top science jobs in the new administration didn’t even have an appointee, including the President’s Council of Advisers on Science and Technology.


Tech Companies Embrace Gender Diversity in STEM Positions

Mon, 08/07/2017 - 18:45

To address the looming expertise shortage in IT and security, Global Risk Technologies said that it plans to increase the number of women it employs in technology positions to 25% of its workforce within the next 10 years. And, it's not alone.

“We intend to do our part in creating more opportunities for women in tech,” said Monica Eaton-Cardone, who serves as CIO of the company, which specializes in risk management and fraud detection. “That doesn’t mean our hiring decisions will be based solely on gender; as always, we’ll be looking for employees with hard skills and technical abilities, and promoting based on merit. But we plan to nurture those who show promise, giving them an opportunity to shine and prove themselves as equals.”

The news comes as a controversial memo circulates at Google, where the author notes multiple ways that he believes women are unfit for working in the tech sector—including “neuroticism” and a greater penchant for work-life balance than men. It’s an attitude that Google quickly distanced itself from, saying the screed does not represent the company’s stance on workplace diversity.

Also refuting the anti-diversity opinion is a 2017 report from GE saying that unfilled tech jobs are “holding back the growth of key industries and slowing economic development,” which poses a problem for US companies seeking to fill an estimated two million computing and engineering positions over the next decade. Many companies are turning to gender diversity to fill the gap, and the GE report suggests this is a savvy move: It cites numbers showing that closing the gender gap could increase the US gross domestic product (GDP) 10% by 2030. GE also emphasized the direct economic benefits to companies, with gender-diverse firms achieving up to 53% better financial performance and nearly $599 million more in average sales revenue than those employing fewer women.

Unsurprisingly, GE has set goals of having 20,000 women in science, technology, engineering and math (STEM) roles throughout the company by 2020, and achieving a 50:50 representation in all technical entry-level programs.

The key to meeting these goals is widely seen in broadening participation in STEM education. But, there’s a long way to go: According to the latest US Bureau of Labor Statistics (BLS) report, from April, women represent 46.8% of the labor force, but account for less than a quarter of computer, math and engineering occupations, and hold only one-fifth of computer sciences and engineering bachelor’s degrees.

Some colleges are already reporting greater gender diversity in their engineering and IT degree programs, suggesting that Generation Z shows great promise for the future of women in technology. And, some tech giants are also working to bring more females into the industry: Oracle has pledged $3 million to educate girls in STEM fields through the government’s Let Girls Learn initiative, while Google itself has invested $50 million to teach young girls how to code.

“Women have historically been underrepresented in technology careers. However, this is poised to change now that tech companies are actively courting females,” said Eaton-Cardone. “The current focus on educating girls in STEM should help ensure a greater pool of qualified candidates for tech jobs in the coming years.”

That said, some say that employers should keep an open mind when hiring; a recent Women in Cybersecurity report noted that less than half of female information security professionals working today have a background in IT or computer science.


Malware-less Threats Against Endpoints Start to Crest in 2017

Mon, 08/07/2017 - 18:30

When it comes to what threatens endpoints—and the users behind them—malware-less threats are on a significant rise.

According to research from the SANS Institute, the most common threats seen by respondents' organizations include spyware (50%), ransomware (49%) and trojans (47%). Yet almost one-third of respondents also experienced a malware-less threat entering their organization, impacting IT systems and adding to IT staff workload.

These attacks are more difficult to find because they can't be detected by signature-based technologies. Scripting attacks were the most common malware-less incident, while credential compromise or privilege escalation caused the most impact.

Few of the threats respondents faced were new zero-day threats, with 76% admitting that under 10% of the significant threats they saw were zero-day.

"Today's threats predominantly leverage the same old vulnerabilities and techniques," said Lee Neely, SANS analyst, mentor instructor and author of the survey report. "The time is ripe to change our protections as well as remediation processes to stem the tide of successful threat vectors."

Phishing was cited as the most common threat by 72% of respondents, and about 40% of survey respondents said they had been impacted by phishing attacks, including spearphishing and whaling, in the last year.

"Users and their endpoints are still in the cross hairs," said Neely. "Traditional and malware-less threats keep popping up at every corner, making our jobs as defenders resemble an ongoing game of Whack-a-Mole to keep them at bay."

Users are also part of the solution, with 37% of respondents indicating that calls to the help desk helped them discover their most impactful threats. According to the survey results, user training, improved operational security practices and improved visibility into network and endpoint behavior are the top measures to improve threat prevention success and reduce the need to play Whack-a-Mole.


FireEye: There Was No Breach, Attacker Fabricated Documents

Mon, 08/07/2017 - 18:17

FireEye said that the attacker responsible for compromising two of its customers did so without any breach of its networks—despite “multiple failed attempts to do so.” Further, the pool of FireEye customers impacted remains standing at two.

As we reported last week, the cybersecurity company said that preliminary investigations showed that “at least two” of its customers had been impacted by a malicious actor. Now, chief security officer Steven Booth, in a blog post, confirmed this week that there are no further victims. 

“Two customer names were identified in the victim’s personal email and disclosed by the attacker. We believe these are the only two customers impacted by this incident,” he said. “We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.”

Further, the attacker claimed he had breached the FireEye corporate network, and said in a since-deleted Pastebin manifesto that his cache of ill-gotten goods contained “top secret document, complete business and personal emails dump, FireEye licenses, private contracts,” along with Mandiant internal network and client data. FireEye said that this picture is a complete fabrication.

In reality, the attacker was able to access, steal and publicly release only three FireEye corporate documents. The rest are faked screenshots or non-sensitive information.

“A number of the screen captures created by the attacker and posted online are misleading, and seem intentionally so,” Booth said. “They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the attacker. All of the other documents released by the attacker [other than the three mentioned] were previously publicly available or were screen captures created by the attacker.”

Instead, the original compromise began with the capture of passwords and/or credentials to an individual’s personal social media and email accounts. FireEye refers to this individual only as “the victim,” but added that this person, apparently a FireEye employee or former employee, “supports a very small number of customers.” The company contained the victim’s systems, collected and reviewed forensic data from those systems, disabled the victim’s FireEye corporate accounts and worked with the victim to regain control of his personal online accounts, including implementing multi-factor authentication where possible.

“The attacker did not breach, compromise or access the victim’s personal or corporate computers, laptops or other devices,” Booth said.

While spearphishing seems an obvious attack vector, the compromised credentials would have been an easy “get” for the attacker; they were already exposed in at least eight publicly disclosed third-party breaches (including LinkedIn), FireEye said, dating back to 2016 and earlier.

Starting in September 2016, the attacker used those stolen credentials to access several of the victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.


UK Writes GDPR into Law with New Data Protection Bill

Mon, 08/07/2017 - 10:49

The pressure is now on for UK organizations to comply with the EU’s General Data Protection Regulation (GDPR) after the government announced its intention to write the legislation officially into law in the form of a new Data Protection Bill.

The proposed bill will upgrade the UK’s privacy laws for the digital age, providing consumers with sweeping new rights while mandating strict requirements on businesses which handle their data.

Organizations will have to ask customers to opt in before collecting and using their personal data; will be required to notify the ICO within 72 hours of a 'serious' data breach; and will face strict penalties for non-compliance of up to 4% of global annual turnover or £17 million, whichever is higher.

“Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be held to account,” said digital minister Matt Hancock, in a statement.

New consumer rights enshrined in the legislation include the right to be forgotten and the right to data portability, which will make it easier for netizens to request companies erase personal data on them and to transfer data between providers, respectively.

Julian David, CEO of industry body techUK, welcomed the proposed legislation as building “a culture of trust and confidence” in the UK which will help encourage “data-driven innovation”.

“techUK supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations,” he added.

UKFast CEO, Lawrence Jones, also welcomed the new proposals.

“We have been able to win significant amounts of business from our giant American competitors simply because we are held to higher standards on data regulation than the US, and people trust that standard,” he explained.

“We will be doing everything we can to lobby the government and guarantee that our new standards are at least equal to the incoming EU regulation.”

However, there are still question marks about whether data will be able to flow unhindered between the UK and EU post-Brexit, given the mass surveillance powers granted to the UK authorities in the Investigatory Powers Act.

Some experts have suggested that there aren’t enough safeguards in place as yet for EU bodies to be comfortable having European citizens’ data stored in the UK, where it may be subject to snooping from the police or security services.

Top10VPN head of research, Simon Migliano, hinted at such concerns, arguing that consumers shouldn’t rely on the government to look after their digital rights and data.

“It feels hypocritical for the government to be trumpeting these new data protection measures while at the same time being responsible for the Investigatory Powers Act, or Snoopers' Charter, that runs completely contrary to these proposals,” he argued.

“Will the government have to ask ‘explicit’ permission to harvest your data? Will you be able to ask them to view or delete the data the Government holds on you? I doubt it.”

That said, organizations will still need to comply with the new legislation when the GDPR comes into force on 25 May 2018.

RSA Security’s field CTO EMEA, Rashmi Knowles, warned that the new rules broaden the scope on what constitutes “personal data”, and that there’s a long road ahead for compliance, even for those organizations already governed by the UK’s Data Protection Act.

“The biggest challenge is going to be process; particularly around issues such as data availability and consent,” she added.

“This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”

Categories: Cyber Risk News

UK Government Introduces Connected Car Security Guidance

Mon, 08/07/2017 - 09:52

The UK government has introduced comprehensive new guidelines designed to improve the cybersecurity of connected and autonomous vehicles.

The eight principles, drawn up by the Department for Transport and the Centre for the Protection of National Infrastructure (CPNI), are intended to put Britain at the center of R&D for connected cars.

“Risks of people hacking into the technology might be low, but we must make sure the public is protected. Whether we’re turning vehicles into Wi-Fi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks,” said transport minister, Lord Callanan.

“That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organizations should do, from the board level down, as well as technical design and development considerations.”

The eight principles require that security be “owned” at board level; that it extend across the supply chain; that it be maintained over the lifetime of the system; that it be achieved through defence-in-depth; and that systems be able to withstand an attack and continue to function safely.

“The security of the car's network [is] paramount to the safety of the driver and those in the car's vicinity,” argued McAfee chief scientist, Raj Samani.

“Driverless vehicles must be secure by design, and the government's new guidelines will undoubtedly play a key role in ensuring that UK car manufacturers make that happen.”

The government said that these principles, which could in time be enshrined in law, come alongside provisions in the Autonomous and Electric Vehicles Bill that aim to create a new framework for self-driving vehicle insurance.

In March in the US, the Security and Privacy in Your Car (SPY Car) Act of 2017 was re-introduced by senators seeking to legislate baseline security and privacy requirements for the industry.

It mandates things like separation of critical from non-critical systems, and requires all cars to be equipped to spot and flag hacking attempts.

Categories: Cyber Risk News

British Security Researcher Hutchins Set for Release on Bail Today

Mon, 08/07/2017 - 09:08

Indicted British malware researcher Marcus Hutchins is set to be released on $30,000 bail today, with prosecutors claiming he confessed without a lawyer to developing the Kronos banking malware.

The 23-year-old from Ilfracombe, Devon, is facing six charges of creating and distributing the infamous Trojan, and was arrested just before boarding a plane back from Las Vegas, where he had attended the Black Hat and Def Con hacking conferences.

Family and supporters are said to have raised the $30,000 bail on Friday only to be confounded by a bail office which shut at 4pm, meaning he spent the weekend behind bars.

According to defense attorney, Adrian Lobo, he will now likely fly straight to Wisconsin, where he’s due in court on Tuesday.

“He’s dedicated his life to researching malware not trying to harm people,” she told reporters on Friday. “Use the internet for good is what he’s done.”

Despite the Feds’ argument that he sold and profited from the malware, Hutchins pleaded not guilty to the charges.

Prosecutors also tried to keep him in jail under federal gun laws after discovering that Hutchins had been to a local tourist spot where foreigners are allowed to shoot guns. Lobo described those allegations to reporters as “garbage”.

“He is completely shocked. This isn’t something he anticipated,” she continued. “He came here for a work-related conference and he was fully anticipating to go back home and had no reason to be fearful of coming or going from the United States."

However, prosecutors claim to have caught him out in a sting operation in which officers bought code from him back in 2015 for $2000 worth of crypto-currency, according to the BBC.

There are apparently chat logs of Hutchins and an as-yet-unnamed co-defendant where the former complained of not receiving enough money for the sale.

Supporters have leapt to the defense of the 23-year-old Brit, who goes by the handle “MalwareTech”, with district judge, Nancy Koppe, presented with letters of support in a bid to sway her bail decision.

Categories: Cyber Risk News

Masses of Common Flaws Crack Open 55% of Corporate Networks

Fri, 08/04/2017 - 18:55

Corporate information systems became more vulnerable in 2016, even as user awareness regarding information security significantly decreased.

That’s the word from Positive Technologies, which found in an overview of security audit findings that critical vulnerabilities were detected in 47% of investigated corporate systems last year.

During audits, experts simulate how actual attackers (external and internal) would try to penetrate corporate systems. In an alarming development, when acting as an external intruder, PT testers could gain full control over corporate infrastructure on 55% of systems. As an internal intruder, they were successful on all systems. In 2015, these figures were 28% and 82%, respectively.

At the same time, staff awareness of information security was extremely low in half of systems in 2016 (compared to 25% of systems in 2015). In addition, wireless network security was also extremely poor in most cases (75%), with every second system allowing access to LAN from Wi-Fi.

The audits identified a large number of common protection flaws, with high-risk vulnerabilities most frequently related to configuration errors (40% of systems), errors in web application code (27% of systems) and failure to install security updates (20% of systems). Among out-of-date systems, the average age of the oldest uninstalled update was a whopping nine years.

The analysis also found that bypassing the network perimeter is possible on 55% of systems for an intruder with minimum knowledge and skills. In most cases, an external intruder needs only two steps to penetrate the perimeter. Common perimeter vulnerabilities include dictionary passwords, unencrypted data transfer protocols (detected on all systems), vulnerable software versions (91% of systems), as well as publicly available interfaces for remote access, equipment control and connection to database management systems (also 91% of systems).

"The vast majority of attacks on corporate infrastructures involve exploitation of common vulnerabilities and flaws,” said Evgeny Gnedin, head of information security analytics at Positive Technologies. “Companies can dramatically improve their security stance and avoid falling victim to attacks by applying basic information security rules: Develop and enforce a strict password policy, minimize privileges of users and services, do not store sensitive information in cleartext, minimize the number of open network service interfaces on the network perimeter, regularly update software and install operating system security updates."

The research also found that although web application vulnerabilities are not the largest threat, they are still dangerous: Web application vulnerabilities made it possible to bypass the network perimeter on 77% of systems.

The most common internal network vulnerabilities are flaws in network layer and data link layer protocols leading to traffic redirection and interception of information about network configuration (100% of systems).
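The report does not name the specific protocol flaws behind that figure; ARP cache poisoning is taken here as one representative data-link-layer example of traffic redirection. The detector below is an added illustration, not code from Positive Technologies or this article, and runs over a constructed list of ARP replies rather than captured traffic. It flags three signals a defender would want from a passive ARP monitor: an IP whose MAC binding changes, a binding that flaps repeatedly inside a short window (an attacker racing the real host to keep a victim's cache poisoned), and a single MAC answering for several IPs (the attacker sitting between gateway and victim). The record layout and thresholds are assumptions for the example.

```python
"""Passive ARP cache poisoning detector over a list of ARP replies.

Added example, not from the Positive Technologies report. ARP spoofing is
assumed as one instance of the data-link-layer redirection flaws the
article describes; the SAMPLE records are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start (assumed layout)
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the receiver is asked to bind to that IP
    target_ip: str     # host the reply was addressed to


def detect_arp_spoofing(replies, flap_window=60.0, flap_threshold=3):
    """Return binding conflicts, flapping IPs and MACs claiming several IPs.

    conflicts:      (ts, ip, old_mac, new_mac) for every binding change.
    flapping:       IPs whose binding changed >= flap_threshold times
                    within flap_window seconds.
    multi_ip_macs:  MAC -> sorted IPs, for MACs that answered for more than
                    one IP (a router doing proxy ARP is a benign cause, so
                    treat this as a lead, not proof).
    bindings:       the IP -> MAC table as seen at the end of the stream.
    """
    bindings = {}
    change_times = defaultdict(list)   # ip -> timestamps of binding changes
    claimed = defaultdict(set)         # mac -> IPs it has claimed
    conflicts = []
    flapping = set()

    for r in sorted(replies, key=lambda x: x.ts):
        prev = bindings.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            conflicts.append((r.ts, r.sender_ip, prev, r.sender_mac))
            change_times[r.sender_ip].append(r.ts)
            recent = [t for t in change_times[r.sender_ip]
                      if r.ts - t <= flap_window]
            if len(recent) >= flap_threshold:
                flapping.add(r.sender_ip)
        bindings[r.sender_ip] = r.sender_mac
        claimed[r.sender_mac].add(r.sender_ip)

    multi_ip_macs = {mac: sorted(ips) for mac, ips in claimed.items()
                     if len(ips) > 1}
    return {
        "conflicts": conflicts,
        "flapping": sorted(flapping),
        "multi_ip_macs": multi_ip_macs,
        "bindings": bindings,
    }


# Constructed traffic: 10.0.0.1 is the real gateway (aa:..:01); an attacker
# (de:ad:be:ef:00:01) poisons the victim 10.0.0.20 on both sides of the
# conversation, while 10.0.0.50 changes MAC once hours later (NIC replaced).
SAMPLE = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.20"),
    ArpReply(1.0, "10.0.0.50", "aa:bb:cc:00:00:50", "10.0.0.20"),
    ArpReply(10.0, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.20"),   # attacker
    ArpReply(11.0, "10.0.0.20", "de:ad:be:ef:00:01", "10.0.0.1"),   # attacker
    ArpReply(12.0, "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.20"),   # real gw
    ArpReply(14.0, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.20"),   # attacker
    ArpReply(16.0, "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.20"),   # real gw
    ArpReply(5000.0, "10.0.0.50", "aa:bb:cc:00:00:51", "10.0.0.20"),  # benign
]

if __name__ == "__main__":
    result = detect_arp_spoofing(SAMPLE)
    for ts, ip, old, new in result["conflicts"]:
        print(f"t={ts:7.1f} binding change {ip}: {old} -> {new}")
    print("flapping IPs:", result["flapping"])
    print("MACs answering for several IPs:", result["multi_ip_macs"])
```

The benign NIC swap for 10.0.0.50 still shows up as a single conflict, which is the right behaviour for an audit trail; the flapping and multi-IP signals are what separate it from the gateway impersonation. In a real deployment the records would come from a pcap or a switch's ARP inspection logs, and a static allow-list of known gateway MACs would turn the first conflict on a gateway IP into an immediate alert rather than waiting for the flap threshold.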

Categories: Cyber Risk News

Half of US Consumers Willing to Trade Data for Discounts

Fri, 08/04/2017 - 18:30

When it comes to privacy, consumers are willing to toss it out if it means saving money: roughly half (50%) of US broadband households are willing to share data and device control in exchange for discounts on electricity.

Research firm Parks Associates, in the 360 View Update: The Value of Data—New Smart Home Business Models report, found that interest is consistent across different product categories, with 51% of smart thermostat owners, 50% of hot water heater owners and 48% of owners of smart clothes dryers willing to share data and control for electricity discounts.

“The real value from the internet of things will be derived from the data collected by smart products,” said Tom Kerber, director of IoT strategy at Parks Associates. “In general, IoT industries agree that the consumer owns the data from smart products and that smart home solution providers are the stewards of the data. Given this reality, it is essential for all IoT players to understand consumers’ willingness to exchange data for services, their views on privacy and security, and the conditions under which they will grant access to their data.”

Parks Associates also found that 40% to 50% of consumers are willing to share data under some circumstance when presented with a variety of non-monetary incentives.

“Consumers are more likely to share data for non-monetary value related to warranties, product improvements, product education and remote technical support,” said Brad Russell, research analyst at Parks Associates. “They are less likely to share data to receive product recommendations or to simplify ordering consumables. For data-sharing programs to be successful, service providers and utilities need to ensure they are communicating value propositions that align with their consumers.”

Categories: Cyber Risk News