Info Security


Equifax Partner Breaches Customer Data

Wed, 02/13/2019 - 12:01

A technology partner of the three big credit reporting agencies has been breached in what appears to be a classic supply chain attack.

Image-I-Nation Technologies is a North Carolina-based provider of software and hosting services. It’s part of FRS Software, which produces employee and background screening software used by Equifax, Experian and TransUnion, among other organizations.

Although the firm remains tight-lipped on the nature of the incident, breach notifications to various US states shed some light on what happened.

It claimed hackers may have had a two-week window in which to steal sensitive personal information including Social Security numbers, names, dates of birth and home addresses.

“On December 20, 2018, Image-I-Nation Technologies discovered that there had been unauthorized access to our database containing the personal information of individuals who had a consumer report through our system at some point in the past,” it revealed in a notice published by the Montana DoJ.

“Based upon our investigation, we have determined that the incident began on or about November 1, 2018 and that our systems were secure as of November 15, 2018.”

The firm claimed not to be aware of any misuse of personal info as a result of the incident, but that will not reassure those whose details have been exposed to the risk of identity theft and follow-on phishing attacks.

It’s unclear how many individuals may have been affected although Infosecurity has been able to locate breach notifications filed with at least four states: Washington, Montana, Vermont and New Hampshire.

Given Image-I-Nation’s relationship with the big credit agencies, it’s perhaps not surprising that it has been targeted by hackers looking for valuable identity information. Although cyber-criminals have gone after the agencies themselves, most notably in a major breach of around 148 million Equifax customers, they may view trusted partners of the firms as an even softer target.

“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain,” the UK’s National Cyber Security Centre warned last year. “Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

Image-I-Nation is not to be confused with a UK chip specialist which shares the same name, without the hyphens.

Categories: Cyber Risk News

Millions Affected by 500px Data Breach

Wed, 02/13/2019 - 10:55

Online photography network 500px has forced a password reset for all users after revealing this week that it suffered a data breach last summer.

The site claimed that the incident, which it believes occurred on or around July 5, 2018, was not discovered until last week, when its engineering team “became aware of a potential security issue affecting certain user profile data.”

The firm said all users who had signed up on or before July 5, 2018 are affected. The site currently claims to have over 15 million photographers signed up.

“We’ve concluded this issue affected certain information that users provided when filling out their user profiles ... Our engineers are closely monitoring our platform and we’ve found no evidence to date of any recurrence of this issue,” an FAQ about the incident revealed.

“A system-wide password reset is currently underway for all users, prioritized in order of potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

The stolen data includes users’ names, email addresses, usernames, hashed passwords and, where provided, birth date, gender and city/state/country. The FAQ indicates that some of those passwords were stored as MD5 hashes, which are fast to compute and therefore cheap to crack offline, which is why their reset was forced first.
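The following is an added example, not 500px’s code and not part of the original article, showing why a dump of unsalted MD5 password hashes is the highest-risk tier of a leaked user table and why a salted, slow key-derivation function changes the attacker’s economics. Both “dumps”, the user names, the passwords and the tiny wordlist are constructed for the example.

```python
"""Added example (not 500px's code, not from the article): offline cracking
of unsalted MD5 password hashes versus salted PBKDF2 records.

Both dumps below are constructed for this example; the users, passwords and
the wordlist are made up and the wordlist is deliberately tiny."""
import hashlib
import hmac
import os

WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine"]
ITERATIONS = 50_000  # deliberately slow; raise it for production use

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

# Legacy scheme: one unsalted MD5 per user. Equal passwords give equal hashes,
# so one precomputed table recovers every matching account at once.
LEGACY_DUMP = {
    "alice": md5_hex("sunshine"),
    "bob":   md5_hex("letmein"),
    "carol": md5_hex("sunshine"),
    "dave":  md5_hex("correct horse battery staple"),
}

def crack_unsalted_md5(dump, wordlist):
    """One MD5 per wordlist entry, however many users leaked: build the
    hash->password table once and look every record up in it."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}

def pbkdf2_record(password, salt=None):
    """Store (salt, digest); a fresh 16-byte random salt per user is the point."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

SALTED_DUMP = {
    "alice": pbkdf2_record("sunshine"),
    "bob":   pbkdf2_record("letmein"),
    "carol": pbkdf2_record("sunshine"),
    "dave":  pbkdf2_record("correct horse battery staple"),
}

def crack_salted(dump, wordlist):
    """No shared table is possible: every candidate must be re-derived with
    each user's own salt, so the work is len(dump) * len(wordlist) slow
    derivations instead of len(wordlist) fast hashes. Returns (found, guesses)."""
    found, guesses = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            guesses += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS)
            if hmac.compare_digest(candidate, digest):
                found[user] = word
                break
    return found, guesses

if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEGACY_DUMP, WORDLIST))
    found, guesses = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted PBKDF2: {found} after {guesses} slow derivations")
```

Against the constructed dump, the MD5 table costs five hashes total and also reveals that alice and carol share a password; the PBKDF2 records need eighteen slow derivations for the same wordlist and give no cross-user signal. That asymmetry is the reason a breached site resets legacy fast-hash accounts first and tells users to rotate any password reused elsewhere.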

The photo network claimed that there’s no evidence to suggest hackers managed to compromise individual accounts, and said that payment card details aren’t stored on its servers. However, it did warn of possible follow-on attacks.

“Regardless of whether or not you were directly affected, given the nature of the personal data involved, we are alerting you to this matter so you can take steps to help protect yourself against the risk of phishing, spam, and other misuse of your information as a result of this issue,” it said.

“We recommend you change your password on any other website or app on which you use a password that is the same as or similar to your password for your 500px account.”

Some reports suggest 500px user data is already up for sale on the dark web.

Categories: Cyber Risk News

Patch Tuesday Roundup Includes IE Zero Day

Wed, 02/13/2019 - 10:04

Microsoft has given system admins plenty of work to do this month with patches for nearly 80 vulnerabilities, including a zero-day flaw in Internet Explorer and a publicly disclosed Exchange server bug.

Top of the priority list in this month’s Patch Tuesday security round-up will probably be CVE-2019-0676, an information disclosure vulnerability in IE which Microsoft claimed has been actively exploited in the wild.

The bug allows attackers to test for the presence of files on the disks of targeted machines.

Also up there is CVE-2019-0686, an elevation of privilege vulnerability in Exchange Server 2010 and newer systems. Microsoft said no attacks had been spotted exploiting the flaw as yet but that this was “likely” in the future.

Recorded Future senior solutions architect, Allan Liska, claimed exploitation requires both Exchange Web Service and push notifications to be enabled.

“While this is not a common configuration, the vulnerability is relatively easy to exploit using the PushSubscriptionRequest API call,” he added.

Also of note this month are two remote code execution vulnerabilities in the Windows SMBv2 server. SMB is the same file-sharing service that WannaCry and NotPetya abused (through SMBv1) to spread globally.

“While you can take comfort in the knowing that an attacker would need to be authenticated to exploit them, they could easily run arbitrary code on a vulnerable system,” warned Rapid7 senior security researcher, Greg Wiseman.

He argued that IT teams should prioritize yet another vulnerability for patching: CVE-2019-0626.

“It is an RCE in Windows DHCP Server that could allow an attacker to execute arbitrary code on an affected DHCP server,” he explained. “CVE-2019-0662 and CVE-2019-0618 are also worrisome as RCEs in the Windows Graphic Device Interface could allow a miscreant to take control of affected systems via web-based or file-sharing attacks.”

Other vulnerabilities noted by the experts included: CVE-2019-0540, a security bypass bug in Office, CVE-2019-0636, a Windows information disclosure flaw and CVE-2019-0590, a memory corruption bug in the Chakra Core scripting engine.

“This is now the 17th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine. The last Patch Tuesday without a Chakra disclosure was September of 2017,” said Liska.

Categories: Cyber Risk News

Phishing, Humans Root of Most Healthcare Attacks

Tue, 02/12/2019 - 18:31

Across healthcare organizations in the US, malicious actors are successfully leveraging phishing attacks to initially gain access to networks, according to findings from the 2019 HIMSS Cybersecurity Survey published by the Healthcare Information and Management Systems Society (HIMSS).

The study, which surveyed 166 qualified information security leaders from November to December 2018, found that there are particular patterns of cybersecurity threats and experiences distinctive to healthcare organizations.

“Significant security incidents are a near universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging email as a means to compromise the integrity of their targets,” the survey said.   

Nearly half (48%) of all respondents identified two different categories of major threat actors, which included online scam artists (28%) and negligent insiders (20%). The hospitals that participated in the survey said that when looking at the security incidents that occurred in the last 12 months, the initial point of compromise for 69% of the attacks was the result of phishing emails.

Not all healthcare organizations are hospitals, though. Among all survey participants, 59% cited email as the most common initial point of compromise and 25% cited human error.

“There are certain responses that are not necessarily 'bad' cybersecurity practices, but may be an 'early warning signal' about potential complacency seeping into the organization’s information security practices,” the report said.

“Notable cybersecurity gaps exist in key areas of the healthcare ecosystem. The lack of phishing tests in certain organizations and the pervasiveness of legacy systems raise grave concerns regarding the vulnerability of the healthcare ecosystem.”

The potential complacency is particularly concerning given that the healthcare industry as a whole is making positive advances in cybersecurity practices.

“Healthcare organizations appear to be allocating more of their information technology ('IT') budgets to cybersecurity," according to the report. "Complacency with cybersecurity practices can put cybersecurity programs at risk.”

Categories: Cyber Risk News

VFEmail Suffers Catastrophic Attack, All Data Lost

Tue, 02/12/2019 - 17:43

A major cyber-attack has hit email provider VFEmail in what the company is calling a "catastrophic attack," which has destroyed all data in the US, including backups.

The company issued an alert via its website and social media accounts on February 11, 2019, warning, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

In an update, VFEmail owner Rick Romero wrote that new email was being delivered and that efforts were being made to recover what user data could be salvaged. Romero also noted that the malicious actor was last identified as aktv@

In one tweet, VFEmail said, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

These types of attacks are rare and highly destructive. “The devastating attack on VFEmail is a strong reminder to enterprises that a single keystroke or attack can destroy thousands of workloads and take down a business," said Balaji Parimi, CEO, CloudKnox Security.

“Attacks of this magnitude – where the goal is simply to attack and destroy – are well within the power of attackers who gain access to infrastructure. Enterprises need to do a better job of mitigating the threat of over-privileged identities, and that begins with gaining an understanding of which identities have access to the types of privileges that can destroy their business and limiting those privileges to properly trained, security-conscious personnel.”

That an attacker was able to pull off this attack also raises questions about the company’s disaster recovery plans, as this attack left VFEmail and some of its customers without access to their information.

“What disaster recovery strategy was in place and why wasn't data backed up into cold storage, thus making it unavailable to attackers?” asked Fausto Oliveira, principal security architect at Acceptto. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers data.”

Categories: Cyber Risk News

SMBs Believe Attack Will Kill Their Company

Tue, 02/12/2019 - 16:20

Just under half of a surveyed set of British small to medium-sized businesses (SMBs) believe that a cyber-attack would put them out of business.

The survey of 501 IT decision makers by Webroot found that 48% have suffered a cyber-attack or data breach in their lifetime, with over one in seven saying this happened more than once. The same number also believed that the cases negatively impacted relationships with partners, with almost a quarter (22%) admitting they are no longer a supplier as a result.

One example of a company going out of business is Code Spaces, which closed in 2014 after an attacker who had gained access to its hosting control panel deleted its data and backups during an extortion attempt that began with a DDoS attack. At the time, Code Spaces said it “will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that companies of all sizes suffer from attacks, some of which are successful, but rarely have we seen anyone actually go under from such.

“It smarts of hyperbolic fear mongering,” he said. “When assessing risk, you must consider impact and thus consequence to the business. Is there any evidence to back this claim where cyber-attacks have actually resulted in the closure of a business to the extent that this is a tangible consequence? The simple answer is no. Most businesses have it in them to recover. A clear ability to plan; to respond and recover is a must for any organization.

“Closure is a possibility, but using current evidence of successful cyber-attacks then it would be a remote, rather than likely consequence.”

Nearly two-thirds of respondents (64%) said that being smaller enables their business to react more quickly to industry or political change than larger enterprises.

Paul Barnes, senior director of product strategy at Webroot, said: “SMBs can no longer consider themselves too small to be targets. They need to use their nimble size to their advantage by quickly identifying risks and educating everyone in the business of how to mitigate those risks, because people will always be the first line of defense.

“Working with the right cybersecurity partner or managed service provider (MSP) to develop the right strategy for their size will allow smaller businesses to prioritize the activities that matter most and help them grow.”

Categories: Cyber Risk News

#TEISS19: Brute Force Won’t Change People's Behaviors, You Must ‘Modify’ Their Beliefs

Tue, 02/12/2019 - 13:04

Speaking at The European Information Security Summit 2019 in London, Adam Anderson, CSO and founder, Hook Security, explored behavioral psychology and how IT security leaders can effect changes in behaviors to improve security buy-in from the C-suite.

Anderson said that you “can’t change [people’s] behaviors with just brute force efforts, you have to modify their beliefs to get to behavioral change.”

When it comes to beliefs about security that C-level execs typically hold, he pointed to the following:

  • “Security slows down my project”
  • “Security is going to kill my budget”
  • “Security doesn’t understand what I’m trying to do so it can’t advise me effectively, I most likely don’t need as much as they think I do”

Anderson argued that these beliefs are damaging to a company’s security efforts and the challenge for security leaders is to change them. However, he argued that the number one cybersecurity risk facing the world is the “nerd’s inability to write a business case that the CFO will fund.”

“Technology is not a problem,” he added. “All of us [IT security leaders] are very, very smart and have a very solid idea of what kind of technology we need to lay down on top of various security controls or risks. What we fail at is communicating that to anyone that has the power to do something about it.”

So, to rise to that challenge, Anderson said that IT security leaders must stop overusing compliance and fear-mongering language and change their own approach to communicating to C-level execs to ultimately gain the buy-in they need.

Firstly, security leaders must understand their target by finding out who the CIO reports to.

They must also remember that they are not the “hero” or the star of the story: the business is the star and “your job is to advise it, and you do that by changing your words.” IT leaders do not “own” risk, they advise on it; they do not “enforce” compliance, they align it; and they do not “inflict” business, they enable it.

Anderson concluded by saying that by changing the damaging security beliefs of the C-suite, you will “help them avoid the horrible consequences of their decisions.”

Categories: Cyber Risk News

#TEISS19: Quantifying Security Posture is Key to Mitigating Risk

Tue, 02/12/2019 - 12:30

“The security discussion starts with risk, but what has become very apparent at the board level is that most don’t really understand what’s in front of them.”

These were the words of Ali Neil, director international security, Verizon, speaking at The European Information Security Summit 2019 in London. Neil said that quantifying security posture is key to mitigating risk, and “we need a means of measurement” for proving that value to business leaders.

Neil presented a ‘360º Risk Visibility’ assessment of the security industry that highlighted the following:

  1. In 70% of attacks where we know the motive for the attack there is a secondary victim
  2. Traditional risk evaluation is often done through point in time engagements
  3. Supply chain audit is increasingly burdensome, diverse in method and costly
  4. Security programs must be programs of continuous improvement and their budgets and efficacy validated
  5. Risk evaluation in M&A activity is an increasing factor and workload
  6. Strategic, operational and tactical intelligence needs to be decoupled and provided to the right business user
  7. Organizations and service providers need a dynamic tool to measure the efficacy of their security strategy

He therefore suggested a framework of what is needed in order to do an effective risk measurement of where an organization sits in the market.

The first step of that framework is rating: using data from public sources on the internet, where external risk vectors are identified and evaluated to provide a risk rating.

The second is an external risk view, contextualized: external risk vectors data is augmented with the DBIR's three pattern data and dark web analytics for an enhanced external rating.

Third is an internal view from endpoint and infrastructure: a refined security posture rating through an internal scan for malware, unwanted programs and dual usage tools within your endpoints and infrastructure.

The fourth step is a culture and process view: an in-depth, onsite assessment of the security culture, processes, policies and governance within an organization.

Lastly is a security posture rating: an aggregated rating across all levels providing a 360º view of a company’s cyber-risk posture.

Categories: Cyber Risk News

UK Firms Are Drowning in Breaches

Tue, 02/12/2019 - 11:55

The vast majority of UK businesses have suffered data breaches over the past 12 months, many of them multiple times, according to new research from Carbon Black.

The endpoint security vendor’s second UK Threat Report is based on interviews with over 250 CIOs, CTOs and CISOs in the country from a range of industries.

Of the 88% of respondents that claimed to have been breached over the previous year, over a quarter had seen this happen five or more times. That’s an average of 3.7 breaches per organization, up from around 3.5 in last September’s report.

Unfortunately, 100% of government and local authority respondents said they’d been breached: five times or more for 40% of them. That amounts to an average of just under 4.7 breaches per public sector organization.

Some 87% of total respondents said they’d seen an increase in attack volumes, up from 82% in September, while 89% of respondents claimed that attacks had become more sophisticated.

Phishing attacks were the root cause of just 20% of successful breaches, a much lower figure than the 93% claimed by Verizon in its 2018 Data Breach Investigations Report.

Malware (27%) was described as the most prolific attack type, followed by ransomware (15%).

Rick McElroy, head of security strategy for Carbon Black, claimed the findings prove cyber-attacks are escalating.

“The report suggests that the average number of breaches has increased, but as threat hunting strategies start to mature, we hope to see fewer attacks making it to full breach status,” he added.

Carbon Black defines a breach for the purposes of this research as “the release of secure or private and confidential information to an untrusted environment,” although a spokesman told Infosecurity that individual respondents may have different interpretations.

However, either way, the good news is that 93% of organizations surveyed said they plan to increase security spending. In addition, 60% said they are proactively threat hunting, an activity which 95% claimed has improved their security posture.

Categories: Cyber Risk News

#TEISS19: Boards Must Become More Technical to Make Orgs More Secure, says NCSC CEO

Tue, 02/12/2019 - 11:10

Speaking at The European Information Security Summit 2019 in London, Ciaran Martin, CEO, National Cyber Security Centre, reflected on the NCSC’s vision for a more secure Britain.

Martin said, “Our approach isn’t to close down the many and vast opportunities for the UK in cyber space, we’re not seeking security as an end in itself. We want security only so that we can prosper safely; it’s not our aim to make our systems so secure they are not usable or too expensive, we want to secure the internet as it is and not as we might want it to be.”

For what that means for business leaders, Martin explained that there is a need for boards to become more tech-savvy.

Traditionally, “Most business leaders don’t spend their time thinking about cybersecurity,” he added. “We’ve [recently] made it our business to understand what businesses think about cybersecurity.

“We want to help business leaders manage the risks of cybersecurity in a way that works for them and their businesses. To do that, we need boards to get a little bit technical.”

Martin said that “we are getting there in terms of awareness,” but the bigger problem is a lack of understanding of and fear about cybersecurity.

To tackle the issue, the NCSC is this month launching a new board tool kit to support business leaders with a series of practical steps they can take to protect their company from the most common cyber-threats.

“We want to inform cybersecurity conversations at board level,” Martin concluded. “The stakes are high. This country, made up of our families and communities, has bet very, very heavily on a digital future and security is a vital underpinning of that. It needs a whole community effort, with business at the forefront.”

Categories: Cyber Risk News

Critical Runc Flaw Spells Trouble for Containers

Tue, 02/12/2019 - 10:39

Security researchers have discovered a critical flaw in runc, the default runtime for Docker and Kubernetes, allowing a malicious container to attack the host and all other containers running on it.

Aleksa Sarai — one of the maintainers for runc — made the announcement on Tuesday, attributing the discovery to researchers Adam Iwaniuk and Borys Poplawski. The runc runtime also supports containerd, Podman, CRI-O and countless other container offerings.

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai.

“The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image; attaching (docker exec) into an existing container which the attacker had previous write access to.”

Red Hat senior principal product manager for containers, Scott McCarty, described this as a “bad scenario” for IT managers and CXOs.

“Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” he added.

“A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.”

The same vulnerability also affects LXC and Apache Mesos containers, meaning virtually any organization running containers should get patching urgently.

“This isn’t the first major flaw in a container runtime to come to light and, as container deployments and interest in associated technologies increase, it’s unlikely to be the last,” said McCarty.

“Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well.”

Categories: Cyber Risk News

ICO Helps Secure Bans for Mobile Spam Bosses

Tue, 02/12/2019 - 09:55

The directors of two UK companies have received several-year bans after allowing their respective firms to make hundreds of thousands of nuisance calls and texts.

Aaron Frederick Stalberg (27), from Exmouth, was director of market research and polling business The Lead Experts, which made 115,000 illegal automated marketing calls to members of the public.

The messages didn’t reveal the name of the company, and it also tried to hide its identity by routing calls through Buenos Aires, according to a notice by the Insolvency Service and the Information Commissioner’s Office (ICO).

After denying everything to the data protection watchdog, the firm failed to respond to a £70,000 ICO penalty, leading to a six-year directorship disqualification against Stalberg.

“By working closely with The Insolvency Service we have been successful in stopping the unscrupulous activities of company directors like Aaron Stalberg who cause upset and distress to millions of people who are on the receiving end of this kind of illegal marketing activity,” said ICO investigations group manager, Andy Curry.

In a similar case, 51-year-old Keith Nicholas Hancock was handed a four-year ban after his company, lead gen and data brokerage Lad Media, sent over 393,000 SMS messages to members of the public who had specifically removed their consent.

Although the firm protested that the data list was obtained through a data supplier and the text messages were sent on its behalf by another third party, it was fined £20,000.

However, Hancock never paid the money, so the firm was shut down and investigators submitted a disqualification undertaking against the director.

“There is clear guidance on the internet about what communications you can send to people when it comes to marketing so there is no excuse about not knowing what your responsibilities are,” said David Brooks, chief investigator for the Insolvency Service.

“Keith Hancock clearly failed to ensure Lad Media carried out sufficient checks on who was being sent direct marketing, even if it was done by a third party, and thanks to the joint work with the ICO, we have secured a ban appropriate for the seriousness of the offence.”

The news proves the ICO is finally able to flex its muscles and show directors of nuisance call/text companies that there are consequences to their actions. In December it was granted the power to fine directors directly up to £500,000 for their part in any such activities that break the Privacy and Electronic Communications Regulations (PECR).

That came after a significant lobbying campaign and several big ticket PECR fines going unpaid as the directors in charge simply filed for bankruptcy — leaving them free to start other similar businesses.

Categories: Cyber Risk News

AWS Issues Alert for Multiple Container Systems

Mon, 02/11/2019 - 19:40

A security issue that affects several open source container management systems, including Amazon Linux and Amazon Elastic Container Service, has been disclosed by AWS.

The vulnerabilities (CVE-2019-5736) were reportedly discovered by security researchers Adam Iwaniuk, Borys Poplawski and Aleksa Sarai and would allow an attacker with minimal user interaction to “overwrite the host runc binary and thus gain root-level code execution on the host.”

Also among the affected AWS containers are the service for Kubernetes (Amazon EKS), Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud 9, SageMaker, RoboMaker and Deep Learning AMI. In its security issue notice published 11 February, AWS said that no customer action is required for those containers not on the list.

Though blocked when user namespaces are used correctly, the vulnerability is not blocked by the default AppArmor policy or the default SELinux policy of Fedora, according to Sarai.

A common type of container exploit, this vulnerability is known as a host breakout attack, according to Praveen Jain, chief technology officer at Cavirin. “That these still occur, and will continue to occur, is all the more reason to ensure you have the people, processes and technical controls in place to identify and immediately remediate these types of vulnerabilities with a goal of securing their cyber posture.”

If malicious actors were to leverage this vulnerability, Sarai said they could create a new container using attacker-controlled images or attach to an existing container to which the attacker had previous write access.
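Two host-side checks that follow from the advisory as reported above, added here as an example and not taken from the article, AWS or the runc project: one confirms that Docker's user-namespace remapping (the mitigation Sarai points to) is configured in /etc/docker/daemon.json, the other alerts when the host runc binary's hash drifts from a recorded baseline, which is the integrity signal for the overwrite this CVE enables. The `userns-remap` key and the daemon.json path are Docker's own; the runc binary path and the baseline file location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article, AWS or runc. Defender-side checks
# for a Docker host in the wake of CVE-2019-5736.

# Check 1: is user-namespace remapping configured? The article notes the bug
# is blocked when user namespaces are used correctly; in Docker that is the
# "userns-remap" key of /etc/docker/daemon.json (real key and default path).
userns_remap_configured() {
    conf="${1:-/etc/docker/daemon.json}"
    [ -r "$conf" ] || return 1
    # Match a non-empty "userns-remap" string value; a JSON parser is not
    # needed for a single flat key.
    grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$conf"
}

# Check 2: has the host runc binary changed since a trusted baseline was taken?
# The exploit's effect is overwriting that binary, so a hash mismatch is the
# integrity signal to alert on. Binary and baseline paths are assumptions.
record_runc_baseline() {
    bin="${1:-/usr/bin/runc}"
    baseline="${2:-/var/lib/runc-baseline.sha256}"
    sha256sum "$bin" | awk '{ print $1 }' > "$baseline"
}

runc_unchanged() {
    bin="${1:-/usr/bin/runc}"
    baseline="${2:-/var/lib/runc-baseline.sha256}"
    [ -r "$baseline" ] || return 2          # no baseline: cannot judge
    current=$(sha256sum "$bin" | awk '{ print $1 }')
    [ "$current" = "$(cat "$baseline")" ]
}

# Typical use on a real host (uncomment; needs root for the default paths):
# record_runc_baseline                      # once, right after patching runc
# runc_unchanged || echo "ALERT: host runc binary modified"
# userns_remap_configured || echo "WARN: userns-remap not set in daemon.json"
```

Take the baseline only after installing a patched runc, otherwise the check blesses an already-modified binary.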

“This is the first major container vulnerability we have seen in a while and it further enforces the need for visibility of your hosts and containers both in the cloud and traditional data centers using docker and other containers,” said Dan Hubbard, chief product officer at Lacework.

“Security here starts with deep visibility into who is installing containers and what are their behaviors and, of course, timely patching.”

Categories: Cyber Risk News

Data Privacy Top of Mind for 2020 Candidates

Mon, 02/11/2019 - 18:25

More candidates announced that they are throwing their hats into the 2020 presidential race, with one of the latest declarations coming from Sen. Amy Klobuchar, who promises to focus on data privacy regulations.

After posing the rhetorical question of what she would do as President, Klobuchar said she would protect consumer privacy.

“We need to put some digital rules of the road into law when it comes to privacy,” Klobuchar said in her announcement on 10 February, according to

“For too long the big tech companies have been telling you: ‘Don’t worry! We’ve got your back!’ while your identities in fact are being stolen and your data is mined. Our laws need to be as sophisticated as the people who are breaking them. We must revamp our nation’s cybersecurity and guarantee net neutrality.”

In addition to her promise to put forth legislation to protect consumer data from being misused by tech giants, Klobuchar also spoke of her support for net neutrality as an imperative to ensure that every household is able to be connected to the internet by 2020.

As the campaign trail gets underway, candidates can expect to be the target of malicious online activity from trolls to bots that spread misinformation, another reason why Klobuchar is driven to move data privacy regulations forward in the US.

In an interview with NPR today, Kelly Jones, news intelligence journalist at Storyful, said, “I think that the idea of automation or suspicious accounts is going to be an ongoing theme through the election. Obviously, the idea of memeing is going to be a theme because these people who are posting this content are creating these images to cause political discourse. And, in fact, one poster we saw on a fringe network claimed that they memed Trump into presidency.”

Categories: Cyber Risk News

OkCupid Users Victims of Credential Stuffing

Mon, 02/11/2019 - 17:35

Love is in the air this week, but cyber-criminals are reportedly targeting user accounts on dating sites like OkCupid ahead of Valentine’s Day. Multiple news outlets have reported that OkCupid users say their accounts have been hacked, which the company says is likely the result of credential stuffing.

“There has been no security breach at OkCupid. All websites constantly experience account takeover attempts and there haven't been any increases in account takeovers on OkCupid. There's no story here,” a spokesperson shared in a statement.

According to the website's Help page, “Account takeovers...happen because people have accessed your login information. That can happen in a few ways. The simplest, of course, is using a password that's easy to guess. Another option is because of a breach on another site. If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach.”

Given that 2018 was a record-breaking year for the number of compromised records exposed in data breaches, it’s likely that hackers are able to purchase user credentials on the dark web; however, if a malicious actor attempts an account takeover by using stolen credentials, two-factor authentication (2FA) can stop them from gaining access. OkCupid does not use 2FA.

“With so many consumer apps available, it is more important than ever for people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well,” said Juliette Rizkallah, chief marketing officer at SailPoint. “More hackers are using credential stuffing techniques in which they take advantage of users who are not following password best practices so that they can breach multiple accounts, including business applications, by the same user.”

“While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”

Consumers are often the weakest link, which is true even when it comes to protecting their own privacy. “Passwords are frequently reused across sites and legacy endpoint protection often doesn’t pick up certain malicious tools such as keyloggers,” said Terence Jackson, chief information security officer at Thycotic.

“This highlights the need for consumers to practice better cyber hygiene, for example using a password manager, avoiding risky sites and applications and maybe even avoiding services that don’t offer MFA. It’s also likely that some of the OkCupid users were phished and willingly handed over access to their accounts as phishing attacks have gotten more sophisticated and prevalent.”

Categories: Cyber Risk News

CIOs Must Join Chief HR Officers to Change Culture

Mon, 02/11/2019 - 16:29

Because so many businesses are continuing on their digital transformation journeys, it is becoming ever more important to focus on changing not only technology but also culture, according to Gartner.

In a press release issued February 11, Gartner predicted that by 2021 CIOs will be playing a role in establishing the right mindsets and practices in the organization, among their many other duties.

“A lot of CIOs have realized that culture can be an accelerator of digital transformation and that they have the means to reinforce a desired culture through their technology choices,” said Elise Olding, research vice president at Gartner, in the press release. “A partnership with the CHRO is the perfect way to align technology selections and design processes to shape the desired work behaviors.”

Many cybersecurity experts agree that this prediction from Gartner makes sense for the industry. "As an educator, I hear from CIOs and CSOs who talk about their organizational challenges, and the understanding that cultures need to change comes up regularly," said Jack Koziol, CEO and founder of InfoSec Institute.

"Particularly as we look at D&I [diversity and inclusion], this has been a male-dominated industry for years, and it’s time to move forward with the understanding that we will best serve our organizations by embracing the rich viewpoints from a diverse workforce. Cybersecurity work requires problem-solving skills and a holistic view of a challenge to resolve an issue. Having a team made up of diverse individuals can only improve the outcomes."

Nearly two-thirds (67%) of organizations have already initiated a culture change as part of their digital transformation, according to a recent Gartner survey, which found that by 2021, the number will rise to 80%. This latest prediction follows one made by Gartner in 2018 suggesting that at least 95 percent of security failures through 2022 will be the result of human error, which could stem from anyone in the company, said Jonathan Bensen, interim CISO and senior director of product management, Balbix.

“All employees in a business must be educated on cybersecurity best practices and committed to following set rules and guidelines, without fail. This cultural shift must stem from company executives, including CIOs and CISOs.”

Contributing to and being responsible for culture change is a shift in the direction of soft skills, which is beyond the normal scope of responsibilities that fall under the purview of the CIO, but “digital transformation definitely requires change in routine processes with which staff have become comfortable,” said Wesley Simpson, chief operations officer, (ISC)2.

“Part of shifting the culture is to make sure the CIO, CHRO or other transformation leader is communicating transparently with those affected to clearly explain the why behind the initiative and how it will benefit the organization in the months and years ahead. People are much more willing to adopt new technology practices if they understand the vision, the plan and what their part is in it. Making the tie back to each employee will help ensure a successful and supported transformation. After all, technology is the easy part.”

Categories: Cyber Risk News

Senators Urge Security Audit of Foreign VPNs

Mon, 02/11/2019 - 11:10

Two US senators have called for an urgent investigation into whether foreign-owned Virtual Private Networks (VPNs) represent a risk to national security.

Ron Wyden and Marco Rubio signed a joint letter to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.

It points to the popularity of mobile data-saving and VPN apps, many of which have been downloaded millions of times by Americans despite being made by companies “in countries that do not share American interests or values.”

“Because these foreign apps transmit users’ web browsing data to servers located in or controlled by countries that have an interest in targeting US government employees, their use raises the risk that user data will be surveilled by those foreign governments,” the letter continued.

In fact, they claimed, the US has already recognized these risks, by banning federal use of Kaspersky Lab products for fear of the influence of the Kremlin, and urging that Chinese telecommunications companies be locked out of competing for major infrastructure projects in the US.

“In light of these concerns we urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs, mobile data proxies and other similar apps that are vulnerable to foreign government surveillance,” the letter concluded.

“If you determine that these services pose a threat to US national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers.”

A study of the 30 most downloaded apps in the UK and US last year by Top10VPN found over half (59%) had links to mainland China.

“We found a few apps that explicitly stated that users’ internet activity was logged, which we have never seen anywhere else with VPNs. VPN policies usually state that they never ever log data,” explained head of research, Simon Migliano, at the time.

“We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy.”

Categories: Cyber Risk News

China Gives Police New Powers to Snoop on Foreign Firms

Mon, 02/11/2019 - 10:41

Security experts have warned foreign firms operating in China that new laws may give the authorities more power to spy on and censor them.

Updates to the country’s infamous 2017 Cybersecurity Law, titled Regulations on Internet Security Supervision and Inspection by Public Security Organs, were issued in November last year.

They give the Ministry of Public Security (MPS) sweeping new powers to conduct remote pen testing and on-site inspections of any company with five or more internet-connected computers, which means virtually every foreign firm operating in the country today, according to Recorded Future.

The MPS is allowed to copy user information and check for vulnerabilities, if necessary using third-party “cybersecurity service agencies” to help them — which will increase the risk of vulnerability discovery and data leaks, the vendor argued.

The law also gives the MPS the authority to audit firms for prohibited content, effectively enabling it to act as censor under the auspices of cybersecurity.

“Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China,” the report warned. “The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.”

The MPS is also under no obligation to notify an organization when it is under inspection or of the results of that inspection.

The updates to the law come on top of wide-reaching powers granted to the Ministry of State Security (MSS) under the original Cybersecurity Law to conduct ‘national security reviews’ of various firms — the results of which it could use to conduct espionage operations.

Recorded Future urged foreign firms in China to prioritize vulnerability scanning and patch management to prevent state inspectors from “easily gaining unwanted access or escalating privileges.”

“Recorded Future recommends that all international corporations operating in China take measures to evaluate their technology footprint within the country, their evacuation and government relations policies, and their system architecture to minimize the impact of the law and effectively address the worst-case scenario if subjected to an MPS inspection,” it added.

“Altering company system architecture to keep connections between Chinese and international operations as segmented as possible is important to prevent inspections from spilling into corporate networks or databases with no connection to territorial China. Further, keeping one’s employees safe and informed of the inspections should remain a top priority for companies operating within the country.”

Categories: Cyber Risk News

Mumsnet Privacy Snafu Exposes User Info

Mon, 02/11/2019 - 09:59

Mumsnet has suffered a serious data leak affecting potentially thousands of users after a software glitch during an IT system migration to the cloud.

Justine Roberts, founder and CEO of the popular parenting forum, explained in a blog post late last week that the issue affected users for the best part of two days: from 2pm on February 5 to 9am on February 7.

“During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched,” she said.

“We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.”

The site admins also forced users to log in again, ensuring they would be locked out of any accounts not their own.

Although passwords were encrypted and could not be changed by other users, the glitch meant that they would have been able to view other users’ email addresses, account details, posting history and personal messages.

The site was notified by users of 14 incidents as of last week, but Roberts claimed many more could have been affected: some 4000 Mumsnet user accounts were logged in at the time of the privacy snafu.

Max Heinemeyer, director of threat hunting at Darktrace, said the incident rings alarm bells over digital transformation projects.

“Organizations can outsource their IT processes, but they cannot outsource their security function altogether,” he argued.

“Cloud software is ultimately lines of code and one seemingly small mistake in that code can result in unintended risks emerging.”

Lamar Bailey, director of security research and development at Tripwire, added that poor planning is the enemy of seamless cloud migration.

"The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources,” he argued.

“Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organizations should also ensure that they have well trained and skilled personnel on the task.”

Categories: Cyber Risk News