Info Security


NCSC’s ‘Active Cyber Defence’ Initiative Boasts Impressive First-Year Results

Mon, 02/05/2018 - 11:10

The National Cyber Security Centre (NCSC) has today released the results of its Active Cyber Defence (ACD) initiative, which was launched one year ago.

The technology, which is free at the point of use, improves defense against threats by blocking fake emails, removing phishing attacks and stopping public sector systems veering onto malicious servers.

As detailed in the report Active Cyber Defence - One Year On, since the inception of the ACD, UK share of visible global phishing attacks has dropped from 5.3% (June 2016) to 3.1% (Nov 2017), with 121,479 phishing sites hosted in the UK removed.

What’s more, the time that sites spoofing government brands remained available before takedown came down from 42 hours to 10 hours, and there was a drop in scam emails from bogus ‘’.

There have been more than one million security scans and seven million security tests carried out on public sector websites, with an average of 4.5 million malicious emails blocked per month from reaching users.

“Through the National Cyber Security Centre, the UK has taken a unique approach that is bold and interventionalist, aiming to make the UK an unattractive target to criminals or nation states,” said Dr Ian Levy, technical director of the NCSC.

“The ACD program intends to increase our cyber adversaries’ risk and reduce their return on investment to protect the majority of people in the UK from cyber-attacks.

“The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behavior and we will need to adapt.”

Bob Rudis, chief data scientist at Rapid7, said that the design and labor behind the NCSC’s ACD initiatives – along with the inaugural published results – are nothing short of incredible.

“The NCSC has proved that with collaboration and appropriate support, it is possible to implement foundational cybersecurity monitoring, configuration, and reporting that fundamentally changes the economics for opportunistic/commodity attackers.

“This ‘active defense’ experiment by the NCSC – if adopted by other countries and even other large organizations – could radically change the attacker/defender landscape.”

Categories: Cyber Risk News

API Security Concerns Are on the Rise

Fri, 02/02/2018 - 17:45

In an application-centric, cloud-native world, businesses have of late become more concerned about the cybersecurity risk associated with API use: specifically, 63% of respondents in a recent survey said they are most worried about distributed denial of service (DDoS) threats, bot attacks and authentication enforcement for APIs.

APIs power the interactive digital experiences users love and are fundamental to an organization’s digital transformation. However, they also provide a window into an application that presents a heightened cybersecurity risk.

According to an Imperva poll of 250 IT professionals, more than two-thirds (69%) of organizations are exposing APIs to the public and their partners, and organizations are on average managing 363 different APIs.

Public-facing APIs are a key security concern because they are a direct vector to the sensitive data behind applications. Eighty percent of organizations use a public cloud service to protect the data behind their APIs, with most people using the combination of API gateways (63.2%) and web application firewalls (63.2%).

“APIs represent a growing security risk because they expose multiple avenues for hackers to try to access a company’s data,” said Terry Ray, CTO for Imperva. “To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications.”

Ninety-two percent of IT professionals believe that DevSecOps, the combination of development, security and operations, will play a part in the future of application development. This highlights an increased desire from many organizations for security to be built in from the very beginning of software development rather than as an after-thought, Imperva noted.

“It is very encouraging that the majority of respondents to our survey expect DevSecOps to be involved in the future of application development,” Ray said. “Cybercrime is pervasive, and it is vital that organizations keep their applications safe from hackers. Embracing DevSecOps provides organizations with the building blocks needed for defense against some of the most serious cybersecurity threats.”

Categories: Cyber Risk News

Fraudulent Money Transfers Cost Orgs $352K on Average

Fri, 02/02/2018 - 17:27

Cybercriminals are using ever-more sophisticated methods to exploit human weaknesses in an organization’s cyber-defenses, including business email compromise (BEC, also known as fraudulent instruction scams), which is significantly on the rise and costing businesses crippling damage.

Claims data recorded by Beazley, a specialist provider of cyber-insurance, indicates that organizations are facing an increased threat to their operations from fraudulent instruction scams. The number of incidents reported to Beazley Breach Response Services (BBR Services) quadrupled in 2017, with policyholders incurring losses ranging from a few thousand dollars up to $3 million. With claims amounts in 2017 averaging $352,000, fraudulent instruction has rapidly become a significant financial threat to many organizations.

In the gambit, criminals use hacking and phishing techniques to accumulate information that allows them to send plausible-looking requests to transfer funds to bogus accounts. In addition to losing money, organizations may also have to conduct exhaustive systems analysis to ensure that individuals’ personal and private data has not been compromised.

“Cybercriminals are finding new ways of getting organizations to part with their hard-earned cash,” said Katherine Keefe, global head of BBR Services. “In 2017 we saw fraudulent instruction emerge as a new trend which offers significant reward for the perpetrators in return for little effort but brings potentially devastating financial consequences for the victim."

The top three industry sectors affected in 2017 were professional services (22% of the total reported to Beazley), financial services (21%) and retail (12%), but incidents are growing across all sectors, and in particular where single large transactions, such as real estate purchases, are involved, the firm found.

Categories: Cyber Risk News

Just 20% of Orgs Have Breach Notification Plans

Fri, 02/02/2018 - 17:23

With the European Union's General Data Protection Regulation (GDPR) going into effect this May and lawmakers in the US proposing stricter data breach legislation, companies are facing increased pressure to better protect data and improve notification procedures. However, they’re falling down on the job.

Tripwire surveyed 406 cybersecurity professionals and found that just over three quarters (77%) of companies subject to GDPR could meet the 72-hour notification window, with 24% claiming they could notify customers of a data breach within 24 hours.

However, when asked how prepared their organization was to notify customers in the event of a data breach, less than a fifth (18%) said that they were fully prepared with a process in place. The majority (73%) said they were “somewhat prepared” and would have to figure things out “on the fly.”

“When it comes to cybersecurity, it’s shortsighted to figure things out on the fly,” said Tim Erlin, vice president of product management and strategy at Tripwire. “The majority of data breaches and security incidents can be avoided by following basic security steps and implementing tried and tested foundational controls. With GDPR coming into effect this year, running a business without a fully baked plan is really asking for trouble.”

When asked to characterize their company’s capabilities for knowing where its customer data is stored versus for protecting customer data, respondents were more confident in knowing where the data is. Over a third (35%) said their knowledge of where the customer data is stored is "excellent" by comparison to just over a fifth (21%) saying the same for their ability to protect customer data.

Other findings from the study revealed that most don’t feel they are fully prepared for any aspect of a security breach. Less than a fifth (18%) felt they were fully prepared with a cross-functional team in place to work across IT, finance and communications. Nearly three quarters (73%) were not fully prepared to protect customers, and only a fifth (22%) felt prepared to absorb potential financial penalties as a result of a security breach.

“There are plenty of tried and tested frameworks available from governing bodies in the cybersecurity space that can help organizations who feel like they’re struggling to prepare for a security incident and more specifically, GDPR,” Erlin added. “If you are an organization subject to GDPR – and as the rules apply to all companies worldwide that process personal data of European Union (EU) data subjects, that will be the majority of global businesses – you are not alone. Start researching for resources that cater to your needs now to help you prepare, so that you aren’t hit with a big fine come May 2018.”

Categories: Cyber Risk News

Over 500,000 Windows Machines Infected with Monero Mining Software

Fri, 02/02/2018 - 10:50

More than 526,000 Windows hosts – mostly Windows servers – have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint.

In a blog post on its website, Proofpoint, which has been monitoring the miner since the end of May 2017, explained that it spreads using the EternalBlue exploit (CVE-2017-0144) and that, whilst Smominru has been well-documented, its use of Windows Management Infrastructure is unusual for coin-mining malware.

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the blog reads. “The operators had already mined approximately 8900 Monero (valued this week between $2.8m and $3.6m). Each day, the botnet mined roughly 24 Monero, worth an average of $8500 this week.”

At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and increase the size of the botnet, Proofpoint added, with the hosts appearing to sit behind the network autonomous system AS63199.

“Other researchers also reported attacks via SQL Server, and we believe the actors are also likely using EsteemAudit (CVE-2017-0176 RDP), like most other EternalBlue attackers. The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, who we notified of the abuse but did not receive a reply.”

Proofpoint warned that the operators of this botnet are persistent, use all available exploits to expand their botnet and have found multiple ways to recover after sinkhole operations.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity.”

“Crypto-mining malware is becoming attackers’ popular mode of operation, regardless of their targets,” said Nadav Avital, security researcher at Imperva. “Our analysis also shows that attackers favor anonymous cryptocurrencies, with Monero being the most prominent. Cryptocurrencies are popular as they are both secure, private and difficult to trace. Since many servers are not updated or patched on a regular basis, attackers have a bigger chance of success.”

Categories: Cyber Risk News

Bomgar Acquires Lieberman Software Adding Privilege to Access

Fri, 02/02/2018 - 09:40

Bomgar has acquired Lieberman Software to enhance its portfolio of secure access software with Privileged Access and Identity Solutions.

With the acquisition, Bomgar will offer a comprehensive Privileged Access Management (PAM) platform that provides protection against the most pervasive and dangerous cyber-threats, combining Lieberman’s Rapid Enterprise Defense Suite. Terms of the transaction were not disclosed.

The combined product suite will see Bomgar offer privileged account auto-discovery, credential management and rotation across an enterprise, service account management and privileged session management to securely monitor and record privileged access sessions.

“We’re thrilled to join Bomgar and add our solutions and expertise to its leading Secure Access platform,” said Philip Lieberman, founder and CEO of Lieberman Software.

“Lieberman’s customers and partners will continue to benefit from our innovative privileged identity and credential management solutions, with the added value of Bomgar’s secure remote and privileged access technology. As a combined company, we can further lead the market in developing modern PAM solutions that solve the most complex enterprise challenges.”

Matt Dircks, CEO of Bomgar, added: “The addition of Lieberman Software underscores our commitment to delivering world-class secure access solutions that significantly enhance the security posture of our customers without forcing them to compromise business agility or sacrifice productivity.

“We’re excited to welcome the Lieberman team to the Bomgar family, and look forward to providing the exceptional products and service that both Bomgar and Lieberman customers have come to enjoy. With our combined technologies, we will deliver a true defense-in-depth PAM solution with a quick time to value, rapid deployments, and a winning user experience.”

In an email to Infosecurity, independent analyst Bob Tarzey said that despite being a relatively new company, 15-year-old Bomgar has moved into the privileged access management mainstream through the acquisition of the veteran vendor, Lieberman, who were founded in 1978.

“One Identity seems to be doing well since it broke away from Dell during the Quest divorce, Balabit will add PAM pedigree to its portfolio. It is good to see the whole PAM sector doing well, as controlling privilege is a keystone in the effort to protect against cyber-threats.”

Categories: Cyber Risk News

JenX Botnet Emerges to Target IoT Devices and Grand Theft Auto

Thu, 02/01/2018 - 20:47

A new botnet, dubbed JenX, shares characteristics with the Satori botnet, and is using Grand Theft Auto (GTA) to recruit internet of things (IoT) devices.

According to Radware, the botnet uses hosted servers to find and infect new victims, leveraging one of two known vulnerabilities that have become popular in IoT botnets recently: CVE-2014-8361 and CVE-2017-17215. Both have related exploits.

Both exploit vectors are known from the Satori botnet. The malware is based on the Satori code that was part of a recent public Pastebin post by the author of BrickerBot, along with attributes from the PureMasuta botnet, which had its source code published in an invite-only dark forum, the firm said.

Interestingly, the bot herder seems to be a big gaming fan: Radware researchers found that the command and control server is hosted under the domain, a site that provides mod servers for Grand Theft Auto: San Andreas, in addition to cybercrime offerings like distributed denial of services (DDoS) via the botnet.

One of those services is dubbed “Corriente Divina” (which translates to “divine stream”). It’s described as “God’s wrath will be employed against the IP that you provide us.”

According to Radware researcher Pascal Geenens, it provides a DDoS service with a guaranteed bandwidth of 290 to 300 Gbps.

Interestingly, the bot itself does not carry scanning and exploit payloads, meaning that this functionality is centralized on the servers. This gives the bot herders more flexibility to add and improve functionality as they go.

“Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” Geenens said. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta, perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but that comes at the price of flexibility and sophistication of the malware itself.”

Since it doesn’t spread machine-to-machine, JenX targets the C2 site’s other obsession. Or rather, its competition.

“Unless you frequently play GTA San Andreas, you will probably not be directly impacted,” said Geenens. “The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet. But it does contain some interesting new evolutions, and it adds to a list of IoT botnets that is growing longer and faster every month.”

He did have a caveat: “That said, there is nothing that stops one from using the cheap $20 per-target service to perform 290 Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would be opposed to it.”

Categories: Cyber Risk News

Critical Infrastructure More Vulnerable Than Ever Before

Thu, 02/01/2018 - 20:11

Despite widespread awareness of the physical and data-related danger inherent in exposing critical infrastructure to cyberattack, the number of internet-accessible industrial control systems (ICS) is increasing every year.

According to a report from Positive Technologies, advanced industrial countries, such as the US, Germany, China, France and Canada, are home to the largest numbers of internet-accessible ICS components, which run factories, transport, power plants and other facilities. Of the 175,632 internet-accessible ICS components detected, approximately 42% were in the US, representing a 10% increase over the previous year (from 50,795 to 64,287).

This is a long stretch above second place, where Germany sits the second year in a row with 13,242 discovered. That’s up from 12,542 in 2016.

The PT research team also noted that more and more Internet-accessible ICS components are actually network devices, such as Lantronix and Moxa interface converters, which represented 12.86% of detected components in 2017, up from 5.06% in 2016. Although these converters are often regarded as relatively unimportant, they can be quite useful for hackers, the firm noted.

The most common software found on internet-accessible ICS components is the Niagara Framework. Niagara connects and enables management control over systems like air conditioning, power supplies, telecommunications, alarms, lighting, security cameras and other important building systems. Software like this often contains vulnerabilities, and, beyond proof of concept, they’ve already been hacked in the wild, PT said.

And indeed, there is a growing number of vulnerabilities in ICS components. The number of vulnerabilities reported by major vendors in 2017 was 197, compared to only 115 in the prior year. Over half of these vulnerabilities were considered critical or high-risk in nature. A large share of the vulnerabilities disclosed in 2017 involved ICS network equipment such as switches, interface converters and gateways.

Most reported ICS vulnerabilities can be exploited remotely without hackers needing to somehow obtain privileges in order to access targeted systems.

In terms of the number of vulnerabilities publicly disclosed in 2017, the previous year's leader, Siemens, fell back to second. The 47 vulnerabilities disclosed in Schneider Electric ICS products are almost 10 times the amount from the year before (just 5). Moxa also showed a growing vulnerability count with 36 in 2017, compared to 18 in 2016.

“Despite numerous incidents, reports and large-scale regulatory efforts, it is alarming that, overall, industrial systems aren’t more secure than they were 10 years ago,” said Vladimir Nazarov, head of ICS Security at PT. “Today, anyone can go on the internet and find vulnerable building systems, data centers, electrical substations and manufacturing equipment. ICS attacks can mean much more than just blackouts or production delays – lives may be at stake. This is why it's so important that before even writing the first line of code, developers design-in the security mechanisms necessary to keep ICS components secure. And when these mechanisms eventually become outdated, they need to modernize them in a timely manner.”

To improve ICS security, basic measures that can be taken immediately by organizations include: (1) separating operational networks from the corporate LAN and external networks (such as the internet), (2) diligently installing security updates and (3) regularly auditing the security of ICS networks in order to identify potential attack vectors.

Categories: Cyber Risk News

Criminals Move to Cash in on Cryptocurrency Gold Rush

Thu, 02/01/2018 - 20:08

With over 1,442 cryptocurrencies in circulation, and new alternative coins – “altcoins” – emerging every week, cybercriminals have developed several schemes to defraud those looking to profit from the growth in cryptocurrencies.

According to security firm Digital Shadows, criminals are exploiting interest in virtual currencies like Bitcoin and Monero in many ways. For one, 2017 saw the rise of point-and-click services like Crypto Jacker, which lets nontechnical operators create links with embedded mining scripts. They can then disseminate these to unsuspecting victims via social media. Crypto Jacker’s menus let scammers clone popular websites and entice readers with simple, deceptive tags like “News” and “Fitness.”

Criminals also use underground and mainstream freelance sites to recruit people with skills for creating phony initial coin offerings (ICOs), designed to scam cryptocurrency investors. Groups often try to pump up the value of questionable currencies using Twitter, Reddit and other platforms before quickly cashing out.

“This new gold rush is creating a new frontier for professional cybercriminals moving away from less profitable techniques and exploits to make money on the back of the huge interest in these digital currencies,” the firm said in its report.

Digital Shadows’ report also found that attackers increasingly impersonate currency exchanges with elaborate, phony websites that capture user credentials, thus letting criminals simply steal from accounts. On just one popular criminal forum, Digital Shadows has identified over 100 user accounts being offered as recently as January 2018. Individual account details are exposed through phishing and credential stuffing. Credential stuffing works by automatically injecting compromised username and password pairs into login portals to fraudulently gain access to user accounts. Digital Shadows detected multiple users sharing files that targeted cryptocurrency sites.

“Cybercriminals follow the money, and right now they see in the unregulated and largely unsecure world of digital currencies a huge opportunity to target people, businesses and exchanges – and make money quickly and easily,” said Rick Holland, vice president of strategy at Digital Shadows. “In many ways, it’s like the gold rush of the 1840s, as people flood to the opportunity that cryptocurrencies present and are preyed on by criminals and the unscrupulous.”

Botnets, meanwhile, were first used to mine Bitcoin in 2014, but the complexity of doing so made it financially unviable. However, the practice is now making a comeback because newer cryptocurrencies like Monero are easier to mine. As such, Digital Shadows has observed botnets available to rent for as little as $40.

“This is a rapidly changing space and we see new scams crop up daily,” said Holland. “While the future of cryptocurrencies remains somewhat uncertain, what we can be sure of is that cybercriminals will continue to find new ways of making money as long as there are enough suitable targets and the profits to be made justify their time and effort. Those that buy and trade cryptocurrencies should be aware it is the ‘Wild West’ and be on your guard at all stages of the transaction cycle.”

Categories: Cyber Risk News

Cisco: Crypto-Mining Botnets Could Make $100m Annually

Thu, 02/01/2018 - 10:56

Cyber-criminals are increasingly turning to stealthy crypto-mining malware to generate revenue rather than ransomware, according to a new Cisco Talos report.

The security vendor claimed that while ransomware has made its authors healthy sums in the past, it is now very much in the sights of law enforcement and security vendors, which are increasingly able to block the malware.

“There are a couple of limitations with the use of ransomware. First is the fact that only a small percentage of infected users will actually pay the ransom demanded by the attacker,” the report claimed. “Second, as systems and technology get better at detecting and blocking ransomware attacks the pool of possible victims is changing. Potential victims in many countries lack the financial capabilities to pay $300-$500 to retrieve their data.”

There’s also the time and effort necessary to interact with the victim and the “extraneous law enforcement attention that comes with ransomware attacks,” Cisco argued.

Crypto-currency mining, on the other hand, requires a zero-touch approach once the victim is covertly infected with the mining malware. IoT devices in particular offer a relatively unprotected target without direct victim oversight: minimal effort, maximum reward.

“To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year,” explained the vendor.

“Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically.”

Organizations should act now by updating their security policy to work out how the use of miners on enterprise systems should be handled, as they may not be classified as malware.

For those that want to block them, the primary vectors are spam, exploit kits, and direct system exploitation, the firm warned.

Categories: Cyber Risk News

US Government in Whois GDPR Warning

Thu, 02/01/2018 - 10:28

The head of a US government agency has warned against over-zealous changes to the Whois internet lookup service in order to comply with the forthcoming EU General Data Protection Regulation (GDPR).

The decades-old system publishes the personal details including name, address, email and telephone number of every domain name registrant. However, this flies in the face of Europe’s new privacy laws, which state that businesses must obtain clear consent from individuals to store and publish their personally identifiable information (PII).

One of the key issues is that Whois is also a valuable tool for cybersecurity researchers and law enforcers who use it to try and attribute attack campaigns.

That’s a point alluded to by David Redl, the new head of the US National Telecommunications and Information Administration, who talked tough at a State of the Net 2018 presentation this week.

“Here are the facts: the text of the GDPR balances the interests of cybersecurity, law enforcement, and consumer protection, and many European officials have noted that limited changes to the Whois would be necessary to achieve GDPR compliance. Still, there are some who are trying to take advantage of the situation by arguing that we should erect barriers to the quickly and easily accessible Whois information. Some have even argued that the service must go dark, and become a relic of the internet’s history,” he reportedly argued.

“Today, I would like to be clear — the Whois service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all internet stakeholders that it does.”

This could set the US government on collision course with ICANN, which has offered three options to protect registries and registrars from GDPR liability until its new — and long-awaited — Next-Generation gTLD Registration Directory Services (RDS) is ready.

These proposals include one in which only “a defined set of third-party requesters would be authorized to gain access to individual registrants' personal data,” according to the EFF. In a more extreme option still, access to personal data would only be given under subpoena or court order.

That would seem to fly in the face of Redl’s comments when he argued: “the US government expects this information to continue to be made easily available through the WHOIS service.”

DomainTools CEO, Tim Chen, welcomed the remarks.

“Whois data has been a critical resource in defending the openness, transparency and security of the internet,” he argued. “The security and protection of individuals, employees, customers, brands, IP and a host of other important assets and constituencies will continue to depend on understanding who owns and controls resources on the internet.”

Categories: Cyber Risk News

Fortune 500 Staff Spill 2.7 Million Log-Ins to Dark Web

Thu, 02/01/2018 - 09:53

Researchers have discovered 2.7 million stolen online account log-ins belonging to Fortune 500 employees on the dark web, representing a major security risk to the companies involved, according to VeriClouds.

The credential monitoring firm analyzed a database of eight billion stolen online account credentials it has been collecting over the past three years, claiming it to be the largest commercially available database of its kind.

Over 2.7 million of these belonged to Fortune 500 employees, with both username and password exposed. VeriClouds claimed that around 10% of those companies' employee email addresses had been used to set up these accounts.

That’s a security risk because it means hackers could use the same credentials to infiltrate the corporate network, either via brute forcing the password or potentially by using the same email and password combination, if the user has shared them across their online and corporate accounts.

The highest number of leaked credentials was in the financial sector, where VeriClouds found 555,000 email credentials — over 20% of the total Fortune 500 trove.

The firm added:

“Those numbers are disconcerting, since the higher the number of leaked credentials at a company, the higher the risk of data breach. We see that on average each leaked email account is part of 2.3 leaked data sources. This fact contributes to the increased credential availability to bad actors. Furthermore, the availability of credentials data is increased as many bad actors are repackaging or combing older breach data and offering it to other bad actors who have not been able to obtain it in the past.”

Interestingly, the vendor claimed that only 10% of the credentials leaked to the dark web came as a result of first- or third-party breaches.

ESET security specialist, Mark James, argued that using complex, unique passwords or multi-factor authentication could help to mitigate the risks highlighted in the report.

“When all these small amounts of seemingly insignificant data get accumulated and collated to form a footprint of your digital world, this of course could be used for further data or identity theft, targeted phishing attacks or indeed CEO fraud with a much higher than normal chance of success, due to the trust relationship established through legit proven data,” he warned.

The cybercrime underground is fast becoming saturated with such credentials.

Researchers found a trove of 1.4 billion breached credentials on the dark web back in December whilst last month 1.2 million breached corporate email addresses belonging to some of the UK’s top legal firms were found on the dark web, 80% of which had an associated password.

Categories: Cyber Risk News

Security Not Keeping Up with Cloud-First Business Strategies

Wed, 01/31/2018 - 17:40

About 35% of organizations in a new survey said they’re taking a “cloud-first” approach to their business – meaning that all new projects are done in the cloud. However, 40% of respondents felt that their security solutions aren’t as flexible and scalable as the rest of their cloud initiatives.

According to Hurwitz & Associates’ Balancing Velocity and Security in the Cloud report, which surveyed 85 IT leaders from the Americas and Europe, nearly 50% of participants said they are taking a selective approach to the cloud, where significant and large projects are being developed or migrated to the cloud while others will continue to remain on-premises.

“Customers are increasingly depending on cloud computing to support the need for business agility and speed of transformation,” said Dan Kirsch, vice president and principal analyst at Hurwitz & Associates. “However, to be successful, business leaders need assurance that cloud security is handled in a predictable manner through automation to ensure compliance and predictability.”

In the cloud, continuous integration practices shorten cycle times and improve efficiency. Yet when confronted by this increasingly complex and dynamic network environment, it is difficult for security to keep pace.

“The high velocity and scale of public clouds are shattering everything the security industry has assumed for the past 10 years,” said Sanjay Kalra, co-founder and chief product officer at Lacework, which sponsored the survey. “The acceleration of cloud adoption is now paving the way for security teams to deploy automated security solutions that naturally augment security teams’ ability to continuously validate their cloud configuration for security and maintain secure daily operations in the cloud.”

The survey indeed found that automation is critical. Almost all respondents (95%) agreed that “cloud automation is increasingly important to meeting our business goals.”

When it comes to security practices (and “safe and secure” was the No. 1 cloud characteristic according to 53% of respondents), 85% recognized that cloud security is different than traditional data center security. Nearly three-quarters agreed that “controlling vulnerabilities related to unpatched software is a challenge,” although another 78% agreed that “we fix security vulnerabilities fast enough to avoid significant business risk.”

Only 35% of respondents felt that “security limits our ability to maximize the benefits of DevOps and operations automation.”

Categories: Cyber Risk News

UK Financial Firms Admit to "Shocking" Cybersecurity Practices

Wed, 01/31/2018 - 17:36

Security professionals within financial services firms are losing the battle to keep vital data safe against a rising tide of cyber-threats.

That’s the assessment of a VMware survey of 201 UK-based IT security professionals, which found that 67% of respondents admit that cybersecurity practices in their organizations “would shock outsiders.”

Almost all (90%) also stated that they have had to make compromises that could leave other areas exposed when protecting their businesses, and half (51%) admitted that they do this regularly.

For instance, the study suggests that too great a focus has been placed on protecting more visible consumer services, such as customer-facing websites, potentially leaving exploitable holes around internal systems and trading data.

Similarly, findings show that while there is quite rightly an overwhelming focus on protection for e-banking and other applications, this too is often at the expense of other systems (71%).

“In chasing the digital promised land, financial services organizations run the constant risk of overstretching already antiquated security infrastructures,” said Ian Jenkins, head of network and security, UK at VMware. “Those on the front line defending against cyber-threats clearly feel there are significant flaws ready to be exploited: This should act as a wake-up call that there are serious risks to data if security isn’t baked into everything the organizations do. Ignoring them and the compromises they’re having to make could be hugely damaging.”

There also appears to be a sense of frustration at the direction given to those responsible for defending against security threats, alongside a lack of understanding from leadership teams of the potential for breaches. Over half (53%) of the respondents said that they don’t believe their leadership team understands the complexity of today’s threats. A quarter (25%) stated the impact of cybercrime was simply treated as a cost of doing business, and 62% revealed they struggle to secure funding for urgent cybersecurity projects.

On a no-doubt related data point, 65% admitted that the stress associated with their role is hard to cope with.

“This past era of compromise towards cybersecurity must end,” said Richard Bennett, head of accelerate and advisory services at VMware. “A revised approach to protecting digital assets, starting at a security by design philosophy, is required to allow IT security professionals to dynamically manage the myriad of threats now faced. This involves understanding that cybersecurity does not begin and end with IT but is a challenge for the whole organization.”

Categories: Cyber Risk News

Vulnerable Medical Imaging Devices Open the Door to Death

Wed, 01/31/2018 - 17:33

Cybersecurity researchers at Ben-Gurion University in Israel are warning that hacks against medical imaging devices (MID) are on the rise, with hacks against CT scanning devices and MRI machines presenting the greatest real-world risk.

In a paper entitled Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices, researchers lay out several exploits for unpatched MIDs, as well as weaknesses in medical and imaging information systems, and medical protocols and standards. CT scanners and MRI machines are especially ripe for ransomware attacks.

“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” warned researcher Tom Mahler, speaking to the Jerusalem Post. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyberattacks.”

The concern is not ill-founded. In a survey Synopsys ran with Ponemon Institute last year, it was found that in 38% of cases where a medical device had been breached, inappropriate healthcare had been delivered to the patient – a state of affairs that could be lethal.

The Ben-Gurion researchers also laid out a technique to secure MIDs based on machine learning. An algorithm determines whether the incoming and outgoing commands to the MID are appropriate given the patient’s profile and blocks those that seem untrustworthy. Mahler said that a next step is to collaborate with imaging manufacturers or hospitals to put the ideas into action.

“Medical device vendors really must start to address security in their code,” said Adam Brown, manager of security solutions at Synopsys, via email. “A recent Building Security in Maturity Model (BSIMM) report shows that it is still evident that healthcare falls behind other industries when it comes to software security practices.”

He added, “Speaking to buyers of this equipment, I have found that they are frustrated; in similarity to speaking to large software vendors, the response they get is woefully similar: A reluctance to change or a justification that other large organizations don’t ask for security. I would urge medical device manufacturers to take a long hard look at their software security practices and maturity, as there is a lot of work to do.”

Categories: Cyber Risk News

Hackers Steal Ransomware Payments from Fellow Crims

Wed, 01/31/2018 - 11:00

Enterprising dark web cyber-criminals are stealing ransomware payments destined for rival black hats via a Tor proxy, according to new research from Proofpoint.

Ransomware-authors often advise victims to use a Tor proxy to complete payment to a specified Bitcoin address, as most users typically don’t have a Tor browser installed.

However, this workaround has proved to be the undoing of some.

Proofpoint spotted several cases where hackers are using the onion[.]top proxy to effect a kind of man-in-the-middle attack, stepping in to redirect payment to their own Bitcoin address.

On the LockerR ransomware portal there’s even a notice urging victims not to use the proxy, and instead download the Tor browser.

The security vendor also found similar attack techniques at work to redirect payments intended for the authors of GlobeImposter and Sigma ransomware.

Although the researchers only found around $22,000 in Bitcoin in these addresses, the scale of the operation may be far greater. The same proxy is not being used to redirect payments for all ransomware variants, however.

“Sophisticated ransomware operators appear to be aware of this behavior and are attempting to mitigate with ‘user education’ and technical workarounds,” explained Proofpoint.

“Magniber ransomware appears to combat Bitcoin address replacement by splitting it into four parts in the HTML source code, making it harder for proxies to detect the Bitcoin address pattern. GlobeImposter ransomware urges users to use the Tor browser and hides the .onion payment address from the victims. Instead of providing it as a link in ransom note, it is obfuscated in the note, and de-obfuscated at run-time when the user clicks a button.”

While it’s somewhat satisfying to see some ransomware-slingers get a taste of their own medicine, the latest tactic is also bad news for victims: if they’re unable to pay the ransom there’s zero chance they’ll get their files back.

“Ultimately, this type of activity undermines the somewhat dubious trust relationship that underpins the ransomware business,” Proofpoint concluded.

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms.”

Over half (54%) of global organizations were infected with ransomware last year, according to Sophos.

Categories: Cyber Risk News

US DoJ Launches Dark Web Drugs Taskforce

Wed, 01/31/2018 - 10:23

The US Department of Justice has launched another high-profile attempt to uncover drug-dealers hiding their tracks on the dark web.

Backed by attorney-general, Jeff Sessions, the new Joint Criminal Opioid Darknet Enforcement (J-CODE) team will focus specifically on illegal opioid sales.

President Trump declared opioid abuse a “health emergency” back in October 2017. Over 64,000 Americans died of overdoses in 2016, a 21% increase on the previous year, with three-quarters coming from drugs derived from the opium poppy.

Now his government is looking to make headlines with an eye-catching taskforce to tackle dark web sales.

J-CODE will more than double the FBI’s investment in fighting internet-based opioid trafficking, with dozens of Special Agents, Intelligence Analysts and other staff being assigned to the new taskforce.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening. We have already infiltrated their networks, and we are determined to bring them to justice,” said Sessions in a statement.

“In the midst of the deadliest drug crisis in American history, the FBI and the Department of Justice are stepping up our investment in fighting opioid-related crimes. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.”

However, where law enforcement has been able to crack dark web drug dealing in the past, it has largely relied on offline work and mistakes by the perpetrators to infiltrate networks.

For example, one dealer was caught out after eagle-eyed postal workers’ suspicions were raised when he handed over packages wearing latex gloves.

In another case, the DEA traced a Bitcoin address for tips from satisfied customers and found it registered to suspected dark web dealer “OxyMonster.”

J-CODE's detractors could claim that the current online crackdown is a distraction from the real problem: legal opioid sales and over-prescription — a problem not seen to such an extent in the UK thanks to stricter NHS guidelines.

Abuse of the system appears to be growing, with bipartisan lawmakers flagging alleged “pill dumping” last September.

Categories: Cyber Risk News

Blow for Snoopers' Charter After Liberty Court Victory

Wed, 01/31/2018 - 09:40

Campaigners are claiming that large parts of the Snoopers’ Charter are effectively illegal after the Court of Appeal backed a challenge by MP Tom Watson and Liberty.

The rights group, representing the Labour deputy leader in a long-running legal battle with the government, received a boost in December 2016 when the EU Court of Justice (CJEU) ruled that the DRIPA legislation “exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.”

That law was the forerunner to the infamous Investigatory Powers Act (IPA) passed by parliament last year, and contains many of its provisions.

In fact, experts have argued that the IPA gives the state even more power to pry into the private lives of blameless citizens and many of them said exactly that at the committee stage.

DRIPA forces communications companies to store info on the “who, when and how” of every email, text, phone call and internet communication in the country, along with location data. It also allows government agencies, police forces and other bodies to access this information even if they don’t suspect a crime.

Now the Court of Appeal judges have ruled that DRIPA was illegal because it didn’t restrict this access to investigations into serious crimes, and that it allowed police and others to self-authorize, rather than be forced to request access from a court or judicial body.

“Yet again a UK court has ruled the government’s extreme mass surveillance regime unlawful. This judgment tells ministers in crystal clear terms that they are breaching the public’s human rights. The latest incarnation of the Snoopers’ Charter, the Investigatory Powers Act, must be changed,” argued Liberty director, Martha Spurrier.

“No politician is above the law. When will the government stop bartering with judges and start drawing up a surveillance law that upholds our democratic freedoms?”

Anticipating this ruling, the government has already proposed changes to the IPA, but campaigners say these “half-baked” plans don’t go nearly far enough to protect citizens’ privacy.

Liberty is now pursuing a case against the government regarding the IPA, which is due to be heard in the High Court later this year.

The Snoopers’ Charter goes further than DRIPA in forcing communications providers to store browsing histories for a year, as well as sanctioning mass hacking, spying on phone calls and emails en masse, and collecting huge databases containing sensitive information on millions of people.

It could still be argued, however, that merely by forcing communications providers to retain such detailed data — irrespective of what controls are put in place to access it — the government is painting a giant target on its back. That info could prove to be a goldmine to hackers looking for highly sensitive personal info to monetize through blackmail.

Bulk retention of data has also been criticized by former NSA technical director William Binney, who told parliament that it makes the job of intelligence services harder. In fact, he claimed such collection hobbled his team and let the 9/11 terrorists slip through the net.

In the US, this kind of surveillance is still favored, as per the recent FISA ruling, but Europe is moving away from this kind of regime to one which allows more targeted hacking of suspects by law enforcers.

Categories: Cyber Risk News

White Hat Ball Raises £191,000 for NSPCC's Childline Service

Wed, 01/31/2018 - 08:30

Last Friday, January 26, £191,000 was raised for Childline at the annual White Hat Ball, held at the prestigious Lancaster Hotel in London.

In its 13th year, the Ball is now a major event in the information risk and security industry calendar, generating more than £1.5m for the NSPCC’s Childline service since its inception.

With more and more young people reaching out to Childline for help with issues that they encounter online, the support given by the information security industry has never been more valuable. In 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

This year’s Ball, attended by 650 guests (including Infosecurity Magazine) was hosted by ballroom dancer, singer and television presenter Anton du Beke. Also present was Childline founder and president Dame Esther Rantzen.

“At Childline we’ve become more aware of the dangers of the online world and it’s wonderful to have the support of an industry which is determined to help keep the internet safe,” Dame Rantzen said.

“The money the information security and risk industry have raised will help us be there for more young people, some of whom are in desperate need of our help.”

The evening began with a Champagne reception followed by a three-course dinner and music from live band The Phat Cats. There were also various fundraisers, including a silent auction, raffle, pledge and live auction, hosted on stage in typically entertaining style by Clive Room, committee chair.

“Each year the White Hat Ball raises an amazing amount of money for a cause we are deeply passionate about,” Room said. “Thanks to all of those involved in making it happen, our sponsors and those who attended, donated and gave so generously.”

“I’m extremely proud to be part of an industry which has made such a difference to so many young lives over the past 13 years.”

Eleanor Dallaway, editor and publisher, Infosecurity Magazine, added:

“The White Ball has always been a fantastic occasion, but this year it really was one of the best I’ve been to! It’s so heartening to see so many well-known industry faces coming together for such a worthy cause and to support a charity that does such important work for so many children.”

Categories: Cyber Risk News

NATO Implements Fresh Cyber-Defense Training

Tue, 01/30/2018 - 16:51

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) has been selected to coordinate education and training solutions in the field of cyber-defense operations for all NATO bodies across the Alliance.

The CCDCOE is a NATO-affiliated knowledge hub based in Estonia, which counts 20 nations as members. Technically a military organization, it’s tasked with providing a 360-degree look at cyber-defense for the Allies, with expertise in the areas of technology, strategy, operations and law.

Its new role as head of Cyber Defence Operations Education and Training Discipline, was granted by the Supreme Allied Commander Transformation (SACT), one of NATO’s two strategic commanders. The Centre will work closely with Allied Command Transformation in Norfolk, VA, which heads up the NATO Education and Training department.

“We are honored to play a part in this new challenge. Investing in training and education is probably the best kind of commitment one can make,” said Merle Maigre, director of the CCDCOE. “The returns are huge, though not always measurable in terms of dollars or euros. This is especially relevant in the context of the tidal wave of technology, which opens new opportunities, but also makes skills obsolete more quickly.”

In addition to its new role, the CCDCOE is also home to the Tallinn Manual 2.0, a comprehensive guide on how international law applies to cyber-operations, and it organizes the world’s largest and most complex international technical live-fire cyber-defense exercise, Locked Shields.

Categories: Cyber Risk News