Info Security


Facebook Improves Political Ad Transparency but Refuses Ban

Fri, 01/10/2020 - 11:00

Facebook has revealed new capabilities to improve transparency and user control over political ads, but repeated its refusal to ban such advertising outright.

In a blog post on Thursday, director of product management, Rob Leathern, said updates to the Ad Library would help users shine a light on political ads delivered via the social network.

Specifically, users will soon be able to limit the number of political and social issue ads they see on Facebook and Instagram by topic, and remove interests.

They will also be able to stop seeing ads based on advertisers’ “Custom Audiences” — lists they use to target advertising. Users can also see ads that an advertiser had chosen to exclude them from receiving.

This is important because campaigners have argued that political candidates use online advertising to target different groups of voters with often conflicting messages, with neither side aware they are being promised contradictory things.

Users will also be able to see the estimated target audience size for an ad, and Facebook has improved the search and filtering functionality in the Ad Library to help researchers and journalists.

However, Leathern doubled down on the social network’s refusal to join Twitter in banning political ads outright, or Google in limiting the targeting of these ads.

“Ultimately, we don’t think decisions about political ads should be made by private companies, which is why we are arguing for regulation that would apply across the industry. The Honest Ads Act is a good example — legislation that we endorse and many parts of which we’ve already implemented — and we are engaging with policy makers in the European Union and elsewhere to press the case for regulation too,” he continued.

“Frankly, we believe the sooner Facebook and other companies are subject to democratically accountable rules on this the better.”

Experts have warned that, left unregulated, online political advertising could slowly chip away at the legitimacy of election results, especially if ads are micro-targeted. Rights groups have argued that, although strict rules apply to regular advertisers around factual accuracy, politicians can lie on the network without repercussions.

Categories: Cyber Risk News

Dixons Carphone Receives Maximum Fine for Major Breach

Fri, 01/10/2020 - 10:01

A major UK high street retailer has been fined the maximum amount under the pre-GDPR data protection regime for deficiencies which led to a breach affecting 14 million customers.

Privacy regulator the Information Commissioner’s Office (ICO) fined DSG Retail £500,000 under the 1998 Data Protection Act after POS malware was installed on 5390 tills.

The incident affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, allowing hackers to harvest data including customer names, postcodes, email addresses and failed credit checks from internal servers, over a nine-month period.

The “poor security arrangements” highlighted by the ICO included ineffective software patching, the absence of a local firewall, and lack of network segregation and routine security testing.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said ICO director of investigations, Steve Eckersley.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Eckersley claimed that the stolen data exposed customers to significant risk of follow-on identity fraud and financial theft, with almost 3300 of them contacting the ICO by March 2019 about the breach.

However, the retailer said it is considering an appeal.

“When we found the unauthorized access to data, we promptly launched an investigation, added extra security measures and contained the incident,” said CEO Alex Baldock in a statement.

“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

Another business in the group, Carphone Warehouse, was fined £400,000 by the ICO in 2018 for similar security issues.

Categories: Cyber Risk News

Amazon Ring Workers Fired After Watching Users' Videos

Thu, 01/09/2020 - 18:02

Four employees of Amazon's home security company Ring have been fired after being caught snooping on users' videos.

The online retail giant admitted terminating individuals over unauthorized access in a letter dated January 6 that was addressed to US senators Ron Wyden, Edward Markey, Gary Peters, Chris Van Hollen, and Christopher Coons. 

In the letter, Amazon states: "Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data. Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. 

"In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual."

Amazon's letter was written in response to an earlier letter dated November 20 that was sent to the company by the aforementioned senators. In that letter, the senators asked Amazon to answer a long list of questions regarding the data and security practices of the Ring company and the security of its camera-bearing doorbell devices, which have been purchased in the millions.

One of the questions asked was "How many employees of Amazon and Ring have access to American users' camera data?" Amazon answered that R&D teams can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent.

"Aside from this," wrote Amazon, "a very limited number of employees (currently three) have the ability to access stored customer videos for the purpose of maintaining Ring’s AWS infrastructure."

The company said that Ring logs and monitors all access, adding that employees and contractors are warned that improper access to, or use of, confidential information or technology could result in termination.

The news puts a fly in the ointment of Ring's attempt to make users feel more secure by launching a "privacy dashboard" at the CES 2020 conference on Monday. The newly unveiled account control panel was designed to help users manage their access settings better and block intruders from viewing their video footage.

After a stream of headlines slamming the security of its video doorbell devices, this latest revelation could potentially push the Amazon-owned company one step closer to bringing down the curtain on its beleaguered devices.

Categories: Cyber Risk News

UK Banks Foiled by Travelex Ransomware Attack

Thu, 01/09/2020 - 16:52

The New Year's Eve cyber-attack on currency exchange bureau Travelex is disrupting services for UK bank customers. 

Travelex took all its systems offline as a precautionary measure after being hit by what it initially described as a "software virus" on December 31. On January 7, the company released a statement fingering the culprit as a type of ransomware known as Sodinokibi and also commonly referred to as REvil.

Although the malware has been contained, Travelex has so far been unable to resume normal operations, though the company has said that a number of internal systems are now back up and running normally. 

The ransomware attack is not only causing misery for Travelex and its customers but has also spawned a brouhaha for British banks that rely on the travel money giant.

RBS, Sainsbury's Bank, First Direct, Virgin Money, and Barclays are among more than a dozen banks that have said their online foreign currency services are down as a result of the incident. 

Requests for foreign currency are being handled in-branch by many of the banks affected. 

According to the BBC, threat actors behind the ransomware attack are attempting to extort $6m from Travelex by encrypting the company's data. 

Travelex said on Tuesday that it was not yet clear what data had been affected by the incident. 

"To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated," Travelex stated on January 7.

Until normal service is resumed, Travelex is doing business the old-fashioned way. The company’s chief executive, Tony D’Souza, said: "Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim."

With all the hullaballoo it seems that reporting the incident to the authorities may have slipped Travelex's mind. Under the GDPR, organizations must report a personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; however, the ICO said on Tuesday that it had not received a data breach report from Travelex.

Categories: Cyber Risk News

Accenture to Acquire Symantec's Cyber Security Services Business

Thu, 01/09/2020 - 16:05

Accenture Security is to acquire Symantec's Cyber Security Services business from Broadcom.

No financial terms were disclosed regarding the acquisition, which is expected to close in March 2020, subject to customary conditions.  

The impending Symantec deal is the latest in a long line of acquisitions by Accenture Security in the threat intelligence and cybersecurity fields. Already in Accenture's cyber-stable are Deja vu Security, iDefense, Maglan, Redcore, Arismore, and FusionX.

With this latest acquisition, Accenture Security has signaled its intention to become one of the main players on the managed security services stage.

“Cybersecurity has become one of the most critical business imperatives for all organizations regardless of industry or geographic location,” said Accenture’s CEO, Julie Sweet.

“With the addition of Symantec’s Cyber Security Services business, Accenture Security will offer one of the most comprehensive managed services for global businesses to detect and manage cybersecurity threats aimed at their companies.”

The cybersecurity services arm of Symantec operates from six operations centers set in Australia, India, Japan, Singapore, the UK, and the US. 

Included in Symantec’s portfolio of cybersecurity services are global threat monitoring and analysis through a network of security operation centers, real-time adversary and industry-specific threat intelligence, and incident response services. 

Once the acquisition is complete, Accenture hopes to be able to offer clients a more personalized cybersecurity service.

Kelly Bissell, senior managing director of Accenture Security, said: “Companies are facing an unprecedented volume of cyber threats that are highly sophisticated and targeted to their businesses, and they can no longer rely solely on generic solutions. This acquisition is a game-changer and will help Accenture provide flexibility rather than a ‘one size fits all’ approach to managed security services. 

“With Symantec’s Cyber Security Services business, we can now bring clients our combined expertise fine-tuned to their industry with tailored global threat intelligence powered by advanced analytics, automation and machine learning.”

Symantec’s Enterprise Security business, now a division of Broadcom, is headquartered in Mountain View, California, and its Cyber Security Services business includes more than 300 employees around the world who serve top-tier organizations across a diverse range of industries, including financial services, utilities, health, government, communications, media, technology, and retail.

Categories: Cyber Risk News

Interpol Reduces Cryptojacking Infections by 78%

Thu, 01/09/2020 - 12:01

Interpol is celebrating after a region-wide operation led to a drastic reduction in the number of routers in southeast Asia infected with cryptomining malware.

Operation Goldfish Alpha began in June 2019 after intelligence identified over 20,000 compromised routers in the ASEAN region, accounting for nearly a fifth (18%) of global infections.

Over the succeeding five months of the operation, law enforcers and CERT staff from Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam worked together with private sector organizations including Trend Micro.

Their mission: to locate the infected routers, alert the victims and patch the devices.

Their efforts led to a 78% reduction in the number of infected routers, with efforts continuing to identify and patch the remaining devices, Interpol said.

The policing organization hailed the support of the Cyber Defense Institute and Trend Micro in helping with information sharing and analysis, as well as providing crucial guidelines for patching infected routers and advice on preventing future infections.

“When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated,” said Interpol’s director of cybercrime, Craig Jones.

“By combining the expertise and data on cyber-threats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime.”

Trend Micro explained in a blog post that its guidance document detailed how to detect and remove the Coinhive JavaScript that hackers were injecting through compromised MikroTik routers to mine cryptocurrency in the browsers of users behind them.

The firm claimed cryptojacking was its most detected threat in the first half of 2019, in terms of file-based threat components.

“Unlike serious data breaches, phishing attacks, ransomware and banking Trojans, cryptojacking doesn’t have a major impact on the victim. They don’t lose sensitive personal data, there’s no risk of follow-on identity fraud and they’re not extorted for funds by being locked out of their PC,” it continued.

“However, it’s not without consequences: cryptomining malware can slow your home network to a crawl while running up serious energy bills. It may even bring your home computers to a premature end. Also, there’s always the risk with any kind of malware infection that hackers may switch tactics and use their footprint on your home machines to launch other attacks in the future.”

Categories: Cyber Risk News

Police to Implement Facial Recognition at Cardiff-Swansea Football Match

Thu, 01/09/2020 - 11:15

South Wales Police has announced that it will be deploying facial recognition technology at the upcoming Championship football match between Cardiff City FC and Swansea City FC at Cardiff City Stadium this Sunday, 12 January.

In a statement, South Wales Police said: “We will be deploying our facial recognition technology at key areas ahead of the match to assist in identifying those who have been issued with banning orders and may attempt to attend the game.”

This comes after the same technology was used by the police when the two teams played each other earlier in the season, a move that, despite causing some controversy regarding privacy concerns, was found to be legally justified and proportionate by the High Court back in September 2019.

Assistant chief constable Andy Valentine said: “This is only the third time in more than two-and-a-half years that the technology has been utilized at a football match and is intended to prevent disorder that has in the past affected matches involving both clubs.

“We are deploying Automated Facial Recognition to prevent offences by identifying individuals who are wanted for questioning for football-related offences or who have been convicted of football-related criminality and are now subject to football banning orders that preclude them from attending.

“Football banning orders are issued by the court to those who have misbehaved at a previous football game and hence this provides us with a clear rationale in our strategy to prevent any crime and disorder,” he added.

“In line with our standard operating procedures, all those captured by the technology on the day, but not on the watch list, will have their data instantaneously deleted.”

However, the news has once again raised privacy concerns and critical comments from the likes of Big Brother Watch, Football Supporters’ Association Wales and North Wales Police and Crime Commissioner Arfon Jones, along with security experts.

Jake Moore, cybersecurity specialist at ESET, said: “Facial recognition software is still very much in its early stages of production and there are many instances of it making mistakes or false positives.

“Something needs to be done in such large gatherings of people but until such a system is in place that can be completely trusted in terms of security and its function, I think it could do more harm than good.”

In November 2019, the UK’s privacy watchdog raised “serious concerns” about police use of facial recognition technology, and called for the introduction of a statutory code of practice to govern when and how it should be deployed.

Categories: Cyber Risk News

TikTok Patches Critical Account Takeover Bugs

Thu, 01/09/2020 - 10:45

TikTok has been forced to patch several critical vulnerabilities which may have allowed hackers to hijack user accounts and steal personal data.

Check Point researchers discovered the flaws in the wildly popular social media platform, including one SMS link spoofing bug affecting a feature on the main TikTok site that lets users send a message to their phone to download the app.

This could allow attackers able to find out a victim’s phone number to send them a custom malicious link, enabling them to take over an account and delete videos, post content and make private videos public.

Check Point also discovered a cross-site scripting (XSS) vulnerability in an ads subdomain of the main TikTok site; specifically in a help center section. This could allow attackers to inject malicious JavaScript into the site to harvest personal user account info, the firm warned.

These bugs were amplified by the lack of an anti-cross-site request forgery (CSRF) mechanism, it added in a blog post: state-changing requests were not tied to anything that an attacker's page or injected script could not supply along with the victim's session cookie.
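What "no anti-CSRF mechanism" means in practice, as an added example written for this page rather than anything from TikTok or Check Point: an endpoint that relies on the session cookie alone will act on any request the victim's browser sends, including one triggered from an attacker's page or from script injected through an XSS on a neighbouring subdomain, because the browser attaches the cookie automatically. The check below binds each state-changing request to a session-specific token and verifies the Origin header. All names, the origin `https://app.example.com` and the request dicts are assumptions standing in for a real web framework.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://app.example.com"   # assumed origin of the protected API
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key, never sent to clients
SESSIONS = {}                             # session_id -> user; stands in for a session store


def login(user):
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid


def csrf_token_for(session_id):
    """Synchronizer token bound to the session: an HMAC over the session id,
    so it cannot be forged without SERVER_SECRET or reused across sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def check_request(request):
    """Checks a state-changing endpoint should run before acting on a request.
    `request` is a constructed dict with 'method', 'headers' and 'form' keys."""
    headers = request["headers"]
    sid = headers.get("Cookie", "").partition("session=")[2]
    user = SESSIONS.get(sid)
    if user is None:
        return "rejected: no valid session"
    if request["method"] not in ("GET", "HEAD", "OPTIONS"):
        # 1. Browsers send Origin on cross-site POSTs; it must match our own site.
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None or _origin(origin) != SITE_ORIGIN:
            return "rejected: cross-site origin"
        # 2. The token must be present and equal the session-bound value
        #    (constant-time compare so the check leaks nothing about the token).
        token = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token_for(sid)):
            return "rejected: missing or invalid csrf token"
    return f"ok: acting as {user}"


def demo():
    """Three requests for the same action on the same session."""
    sid = login("alice")
    cookie = f"session={sid}"
    # From the site's own page: cookie, matching Origin and the token the page embedded.
    legit = {"method": "POST",
             "headers": {"Cookie": cookie, "Origin": SITE_ORIGIN},
             "form": {"video_id": "123", "privacy": "public",
                      "csrf_token": csrf_token_for(sid)}}
    # From an attacker's page: the browser attaches the cookie, but the attacker cannot
    # read the token and the Origin header gives the foreign page away.
    forged = {"method": "POST",
              "headers": {"Cookie": cookie, "Origin": "https://evil.example"},
              "form": {"video_id": "123", "privacy": "public"}}
    # From script on a sibling subdomain (the XSS-on-a-subdomain case): cookie present,
    # Origin is not the protected site, and there is still no token.
    sibling = {"method": "POST",
               "headers": {"Cookie": cookie, "Origin": "https://ads.example.com"},
               "form": {"video_id": "123", "privacy": "public"}}
    return check_request(legit), check_request(forged), check_request(sibling)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The two checks are complementary: the Origin check stops a cross-site page outright, and the token stops anything that reaches the endpoint with a plausible origin but no access to page content. Marking the session cookie `SameSite=Lax` or `Strict` adds a third layer in modern browsers, but does not replace the token, since an XSS on the same origin can still read the page and the token with it.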

“Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface,” explained Check Point head of product vulnerability research, Oded Vanunu.

“Malicious actors are spending large amounts of money and putting in great effort to penetrate into such huge applications. Yet most users are under the assumption that they are protected by the app they are using.”

TikTok patched the bugs in its latest version of the app, although security concerns about the company persist in Washington, thanks to its Chinese ownership.

Beijing-based ByteDance bought the app from US firm Musical.ly in 2017, but given its popularity in the States, lawmakers are becoming increasingly uneasy about the purchase.

Reports suggest that both the US Army and Navy have banned servicemen and women from using the app on government-issued devices.

In the meantime, the increasingly powerful Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. 

Categories: Cyber Risk News

Cyber-Attacks Hit UK Firms Once Per Minute in 2019

Thu, 01/09/2020 - 09:42

UK businesses were deluged with cyber-attacks in 2019, with the average firm hit by over half a million attempts to compromise systems, according to new stats from Beaming.

The Hastings-based business Internet Service Provider (ISP) extrapolated the findings from data on its own corporate customers across the country.

It calculated the average number of attacks aimed at a single business last year was 576,575, more than double the 281,094 recorded in 2018 and the highest since the ISP began analyzing this kind of data in 2016.

That means UK businesses were forced to repel 66 attacks per hour on average in 2019.

The firm identified 1.8 million unique IP addresses responsible for the attacks last year, just under a fifth (18%) of which were located in China. However, this is more an indication of the sheer number of potentially hijacked machines based in the country rather than the origin of the attackers.

There was a fairly big drop to second placed Brazil (7%), which was followed by Taiwan (6%) and Russia (5%) in terms of originating IP addresses for attacks.

Attackers most commonly targeted network device admin tools and IoT endpoints like connected security cameras and building control systems, according to Beaming. These suffered 92,448 attacks in total last year, while 35,807 were targeted at file sharing applications.

Beaming managing director, Sonia Blizzard, described 2019 as the “worst year on record” for cyber-attacks against UK firms, claiming that most were “completely indiscriminate.”

“Most business leaders, particularly at the smaller end of the spectrum, still don't recognize the threat or incorrectly assume that their broadband router and antivirus systems will be sufficient to keep them safe,” she continued.

“With the number of companies falling victim to cybercrime increasing each year, it is clear that most need to do more to protect themselves. We advise businesses to put in place multiple layers of protection, use methods such as two-factor authentication, and to secure their data while it travels over the internet.”

Categories: Cyber Risk News

Apple Is Scanning Your Photos

Wed, 01/08/2020 - 17:43

Apple's senior director of global privacy has confirmed that the company scans photos uploaded to the iCloud for evidence of illegal activities such as child sexual abuse.

Jane Horvath made the admission while speaking at the Consumer Electronics Show (CES) 2020 conference in Las Vegas yesterday, according to The Telegraph.

While speaking at the tech conference, Horvath said that photographs that are backed up to Apple's online storage service are automatically screened for illicit content.

The company has been criticized by law enforcement agencies for allowing criminals to hide behind layers of protective encryption and for refusing to break into the phones of suspected wrongdoers.

Addressing this issue yesterday in Las Vegas, Horvath said that giving criminals nowhere to hide by scrapping encryption was "not the way we’re solving these issues" but added: "We are utilizing some technologies to help screen for child sexual abuse material."

Exactly what technologies Apple is using to screen their customers' digital photographs and how long they have been doing so was not specified. 

On the company's website it states: "Apple is dedicated to protecting children throughout our ecosystem wherever our products are used, and we continue to support innovation in this space.

"As part of this commitment, Apple uses image matching technology to help find and report child exploitation. Much like spam filters in email, our systems use electronic signatures to find suspected child exploitation."

Companies including Facebook, Google, and Twitter check for images depicting the sexual abuse of minors with Microsoft’s PhotoDNA system. The system uses perceptual hashing technology, which is designed to tolerate resizing and recompression, to check images posted online against a database of previously identified photographs.

Paul Bischoff, privacy advocate at Comparitech.com, believes that Apple may be doing something similar. 

"Here's what I think is happening: Apple has access to a law enforcement database of child abuse photos. Apple hashes or encrypts those photos with each user's security key (password) to create unique signatures. If the signatures of any encrypted photos uploaded from an iPhone match the signatures from the database, then the photo is flagged and presumably reported to authorities. 

"This allows Apple to match photos uploaded to the cloud against the law enforcement database without ever breaking encryption or actually viewing the photos." 

If this is the system that Apple is using, then Bischoff warns it has a serious flaw. 

He said: "If a child abuse photo is cropped or edited, if it's converted to another type of image file, or if it's compressed, then the encrypted signatures won't match up."
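Whether the flaw Bischoff describes applies depends on which kind of hash is compared. An exact cryptographic hash of the file bytes changes completely when an image is recompressed, brightened or cropped; a perceptual hash such as the "difference hash" (dHash) summarises the image's gradient structure and survives small edits, which is the approach PhotoDNA-style matching takes. The following is an added example written for this page, not Apple's or Microsoft's code: the 72x64 "image" and the edits applied to it are constructed stand-ins, and matching is done with plain hashes rather than anything keyed to a user's password.

```python
import hashlib
import random

GRID_W, GRID_H = 9, 8   # dHash samples a 9x8 grid -> 8 comparisons per row -> 64 bits
BLOCK = 8               # constructed image is 72x64, so each grid cell is one 8x8 block


def make_image():
    """Constructed stand-in for a photo: 72x64 grayscale pixels (0-255) made of
    8x8 constant blocks whose horizontal neighbours differ by at least 70 levels.
    Not real image data."""
    table = [[((r * 37 + c * 53) % 20) * 10 + 10 for c in range(GRID_W)]
             for r in range(GRID_H)]
    return [[table[y // BLOCK][x // BLOCK] for x in range(GRID_W * BLOCK)]
            for y in range(GRID_H * BLOCK)]


def downscale(img, w, h):
    """Box-filter resample to w x h by averaging each source block (pure Python)."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for r in range(h):
        y0, y1 = r * src_h // h, (r + 1) * src_h // h
        row = []
        for c in range(w):
            x0, x1 = c * src_w // w, (c + 1) * src_w // w
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """Difference hash: one bit per horizontally adjacent cell pair (left > right)."""
    small = downscale(img, GRID_W, GRID_H)
    bits = 0
    for row in small:
        for c in range(GRID_W - 1):
            bits = (bits << 1) | (1 if row[c] > row[c + 1] else 0)
    return bits


def sha256_hex(img):
    """Exact cryptographic hash of the raw pixel bytes: any change alters it."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def hamming(a, b):
    """Number of differing bits between two 64-bit perceptual hashes."""
    return bin(a ^ b).count("1")


# Edits standing in for the transformations Bischoff lists.
def shift_brightness(img, delta):
    return [[min(255, max(0, p + delta)) for p in row] for row in img]


def recompress(img, seed=0):
    """Small per-pixel error (at most 3 levels): a crude model of lossy re-encoding."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-3, 3))) for p in row] for row in img]


def invert(img):
    return [[255 - p for p in row] for row in img]


def crop(img, left):
    return [row[left:] for row in img]


def compare(original, edited):
    """Return (exact_hash_matches, perceptual_distance) for the two strategies."""
    return (sha256_hex(original) == sha256_hex(edited),
            hamming(dhash(original), dhash(edited)))


if __name__ == "__main__":
    orig = make_image()
    for name, edited in [("brightness +30", shift_brightness(orig, 30)),
                         ("recompressed", recompress(orig)),
                         ("cropped 8px", crop(orig, 8)),
                         ("inverted (different image)", invert(orig))]:
        exact, dist = compare(orig, edited)
        print(f"{name:28s} sha256 match={exact!s:5s} dHash distance={dist}/64")
```

Run as a script it prints one line per edit. A brightness shift and the simulated recompression leave the dHash at distance 0 while the SHA-256 no longer matches; inverting every pixel flips all 64 bits, as a genuinely different image should. Cropping shifts the sampling grid, so its distance grows with the amount removed, which is why real systems match against a distance threshold rather than requiring equality, and why heavy crops and rescans remain a real evasion even for perceptual hashes.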

Categories: Cyber Risk News

Las Vegas Suffers Cyber-Attack

Wed, 01/08/2020 - 16:49

The city of Las Vegas is licking its wounds after suffering a cyber-attack on its computer network.

It is not yet known whether any sensitive information was compromised in the incident, which took place in the early hours of Tuesday morning. 

City spokesperson David Riggleman said that it was likely that the threat actors gained access to the city's network via a malicious email. 

Riggleman said that the city's IT department moved fast to counter the invasion and stated that "the city is taking extensive steps to protect its systems."

City officials were notified after unusual activity occurred at around 4:30 a.m. on Tuesday, but by the evening the full extent of the damage wrought by the incident was yet to be confirmed. Riggleman said a clearer picture is likely to emerge over the next day or two.

According to Riggleman, the City of Lost Wages encounters an average of 279,000 attempts to breach its systems every month. 

He observed: "A lot of people out there . . . are trying to open that cyber door."

While Las Vegas works out who it was that managed to step over its digital threshold and what they got up to, city residents are likely to experience some disruption. 

Riggleman said that the city's emails may be affected by system analysts' ongoing investigation into the breach. He expected any disruption, however, to be "minimal."

If the breach turns out to be the latest in a string of ransomware attacks on US cities, then it is highly unlikely that Las Vegas will cough up the money. The city's mayor, Carolyn Goodman, went on record in July as sponsor of a resolution not to pay ransoms in the event of a cybersecurity breach. The resolution was approved by the US Conference of Mayors. 

Given the timing of the attack, some may wonder if it was launched by a vengeful Iran as retaliation for the recent killing of Iranian major general Qassem Suleimani. 

Following the announcement of Suleimani's death on January 2, the US Department of Homeland Security issued a warning for Americans to be on high alert for cyber-attacks coming from Iran.

Categories: Cyber Risk News

Nigerian Betting Company Denies Breach

Wed, 01/08/2020 - 15:53

Nigerian online betting company SureBet247 has told the public not to be deceived by "false" reports that the firm has suffered a serious data breach.

According to the website iAfrikan.com, over 32GB of SureBet247 data, spread across six databases, has been exposed online. The information affected by the alleged incident includes user profiles, betting slip logs, a list of SureBet247 staff email addresses, and data linked to the company's website surebet247.com.

The alleged breach came to light after an anonymous source found SureBet247 data online and tipped off Australian security researcher and haveibeenpwned founder Troy Hunt. 

"Within the databases there’s everything from user records to betting histories, the latter consuming more than 100M rows in one of the databases," said Hunt.

"I’m yet to total the user records, but multiple databases contained hundreds of thousands of user records each, so the number is substantial. Impacted data includes names, email addresses, dates of birth and betting records. It’s not yet clear whether passwords were also compromised, that’s something I’m hoping to clarify with them."

The anonymous source reached out to Hunt in December 2019 after an attempt to warn SureBet247 of a potential security issue was spurned. Hunt contacted iAfrikan after his own efforts to notify SureBet247 of the alleged breach elicited no response. 

When iAfrikan's Tefo Mohapi contacted the gambling company to warn them of the alleged breach, he received a suggestion to email technical support and the response that it was SureBet247's decision whether or not to notify their customers of a possible data breach. 

According to MyNaijaBlog.com, the director-general of Nigeria's National Information Technology Development Agency (NITDA) has requested that an investigation into the alleged breach be carried out by the Data Breach Investigation Workforce.

SureBet247 has publicly denied that any data breach has taken place. Earlier today, the company posted the following message on Twitter: "Dont be decieve [sic] by any false info. We weren’t breached on any data. Thanks."

SureBet247 was founded in 2011 and trades under the name ChessPlus International Limited.

According to Mohapi, other online sports betting operators may have been affected by the alleged security incident. The exposed databases indicate that BetAlfa, BetWay, BongoBongo, and TopBet may have been compromised. 

Categories: Cyber Risk News

Google Shifts to 90-Day Bug Disclosures by Default

Wed, 01/08/2020 - 12:00

Google has tweaked its Project Zero disclosure policy in a bid to drive more thorough patch development and improved adoption.

The new direction for 2020 centers around one major change: from January 1 this year the firm will implement a full 90-day disclosure policy regardless of when a vulnerability is fixed by a vendor. In the past, the relevant researchers could decide whether disclosure came at the end of the 90-day period or when a bug was fixed.

Although the rationale for the previous policy was to speed patch development by affected vendors, Google now also wants to focus on additional goals, according to Project Zero manager, Tim Willis.

With 97.7% of issues identified by Project Zero now fixed within the deadline, thoughts moved to improving the underlying principles of simplicity, fairness and consistency, he said.

With that in mind, Google not only wants to continue pursuing faster patch development but also to improve the thoroughness of patches.

“Too many times, we've seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” explained Willis. “One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”

Providing a full 90-day window means vendors will therefore have more time to perform root cause and variant analysis.

“We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits,” said Willis.

Google’s second goal for 2020 is to improve adoption of any patches that arise from Project Zero research.

“End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device,” argued Willis.

“To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.”

Once again, the 90-day time frame should provide more opportunity and incentive for vendors to encourage installation of their fixes by a larger user population.

Google is also betting that leveling the playing field with a mandatory 90-day window will encourage vendors to work more closely with its researchers on bigger problems.

“We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration,” Willis concluded.

Categories: Cyber Risk News

NGOs Demand Google Crackdown on Pre-Installed Apps

Wed, 01/08/2020 - 10:30

Global rights groups have joined forces to demand that Google tackle the problem of budget Android smartphones that ship with pre-installed, privacy-infringing apps that users cannot remove.

Over 50 organizations, including the UK’s Privacy International, today asked the tech giant to stop manufacturers and other Android partners from delivering devices that could undermine user privacy and security.

They argued that because the apps are pre-installed by the manufacturer rather than downloaded from the Play Store, they can be granted whatever permissions their makers choose, sometimes using the device’s camera, microphone or location without the user’s knowledge.

“The failure of Google to moderate the pre-installed app ecosystem has opened it up to a wild-west of exploitation, putting users’ privacy and security at risk,” argued Privacy International technology lead, Christopher Weatherhead. “Google must act now to deter bad actors who shovel malicious and exploitative apps on individuals’ devices.”

The rights groups called for changes so that users can permanently uninstall any apps on their phones, including related background services that run even if the apps themselves are disabled.

They also want pre-installed apps to stick to the same rules as Play Store apps, especially in relation to custom permissions, and to have some form of update mechanism.

When manufacturers or vendors break these rules, Google should refuse certification for privacy reasons, they added.
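As an added illustration of the audit the groups are asking for (example code written for this page, not tooling from Privacy International, the researchers or Google), the Python below parses the text of `adb shell dumpsys package` and lists packages that shipped in the system image and hold a camera, microphone or location permission. The sample dumpsys text embedded in the script is a constructed approximation of the real format, and its package names are invented. The `pm uninstall -k --user 0` commands it prints remove a package for the current user without root, which is the closest a user gets today to the permanent removal the letter demands; the copy in the system image survives and returns after a factory reset.

```python
"""Audit pre-installed Android packages for sensitive permissions.

Added example for this page (not Google's or Privacy International's code).
Input is the text of `adb shell dumpsys package`; SAMPLE_DUMPSYS is a
constructed approximation of that format with invented package names.
"""
import re
import sys
from typing import Dict, List, Optional

# The permissions the rights groups single out: camera, microphone, location.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# flags=[ SYSTEM HAS_CODE ] / privateFlags=[ PRIVILEGED ]  (older builds: pkgFlags=)
FLAGS_RE = re.compile(r"^\s*(?:pkg)?(?:private)?[Ff]lags=\[([^\]]*)\]")
# android.permission.CAMERA: granted=true, flags=[ GRANTED_BY_DEFAULT]
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.oem.weather] (3f2a1c):
    userId=10037
    codePath=/system/priv-app/OemWeather
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ GRANTED_BY_DEFAULT]
        android.permission.RECORD_AUDIO: granted=true, flags=[ GRANTED_BY_DEFAULT]
  Package [com.example.oem.calculator] (9b8c7d):
    userId=10038
    codePath=/system/app/Calculator
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ ]
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.thirdparty.chat] (1a2b3c):
    userId=10101
    codePath=/data/app/com.example.thirdparty.chat-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    privateFlags=[ ]
    User 0: ceDataInode=0 installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Map package name -> {system, privileged, set of granted permissions}."""
    pkgs: Dict[str, dict] = {}
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:  # start of a new package record
            cur = pkgs.setdefault(
                m.group(1), {"system": False, "privileged": False, "granted": set()}
            )
            continue
        if cur is None:
            continue
        m = FLAGS_RE.match(line)
        if m:  # SYSTEM = shipped in the image, PRIVILEGED = /system/priv-app
            flags = m.group(1).split()
            cur["system"] |= "SYSTEM" in flags
            cur["privileged"] |= "PRIVILEGED" in flags
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":  # install or runtime permission held
            cur["granted"].add(m.group(1))
    return pkgs


def flag_preinstalled(pkgs: Dict[str, dict], only_system: bool = True) -> List[dict]:
    """Packages (system-image ones by default) that hold a SENSITIVE permission."""
    findings = []
    for name, info in sorted(pkgs.items()):
        if only_system and not info["system"]:
            continue
        hits = sorted(info["granted"] & SENSITIVE)
        if hits:
            findings.append({"package": name, "privileged": info["privileged"],
                             "permissions": hits})
    return findings


def removal_commands(findings: List[dict], user: int = 0) -> List[str]:
    """`pm uninstall --user` removes the package for one user without root;
    the /system copy stays and comes back after a factory reset."""
    return [f"adb shell pm uninstall -k --user {user} {f['package']}" for f in findings]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    found = flag_preinstalled(parse_dumpsys(text))
    for f in found:
        print(f"{f['package']} [{'priv-app' if f['privileged'] else 'system'}]: "
              + ", ".join(f["permissions"]))
    for cmd in removal_commands(found):
        print(cmd)
```

Run it as `adb shell dumpsys package > dump.txt && python3 audit.py dump.txt`. Pass `only_system=False` to include sideloaded apps as well; the system-only default matches the complaint, which is about apps the user never chose. Note that a permission reported as granted for a system app is not necessarily in use; pairing the output with `dumpsys appops` (not parsed here) shows whether the permission was actually exercised.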

The initiative comes after research released last March by Universidad Carlos III de Madrid (UC3M), the IMDEA Networks Institute, the International Computer Science Institute (ICSI) at Berkeley and Stony Brook University of New York.

The first-of-its-kind study covered 82,000 pre-installed Android apps on more than 1700 devices manufactured by 214 brands.

“As we demonstrated in this paper, this situation has become a peril to users’ privacy and even security due to an abuse of privilege or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors,” the authors concluded.

Categories: Cyber Risk News

UK Man Jailed for Using RAT to Spy on Women

Wed, 01/08/2020 - 09:50

A Merseyside man has been jailed for two years after using a notorious Remote Access Trojan (RAT) to spy on women via their webcams.

Scott Cowley, 27, of St Helens, was sentenced at Liverpool Crown Court this week after pleading guilty to offences under the UK’s Computer Misuse Act and Sexual Offences Act.

He’s said to have used the Imminent Monitor RAT (IM-RAT) to remotely spy on his victims. According to local reports, arresting officers found three folders on his laptop named after each of his victims. They apparently contained images and videos of the women undressing and of one of them having sex.

Officers from the North West Regional Organised Crime Unit (NWROCU) had little problem in tracking him down as he reportedly used a PayPal account linked to his real name and email address to purchase the malware.

NWROCU’s detective sergeant Steve Frame welcomed the sentencing on Monday.

“This conviction demonstrates that despite the high-tech nature of the Cyber Crime, offenders have no place to hide. We take all reports of cybercrime seriously and are absolutely committed to tackling and undermining this evolving threat,” he added in a statement.

“If you have been the victim of a similar crime, or suspect somebody is involved in committing this type of crime please call 101 and report it to your local police force.”

Cowley was arrested as part of a global crackdown on the RAT at the end of November 2019 led by the Australian Federal Police (AFP) and coordinated internationally by Europol.

Some 13 of the RAT’s “most prolific users” were arrested and 430 devices seized, according to Europol. In the UK alone, 21 search warrants led to the arrest of nine individuals including Cowley, and the recovery of 100 items.

The operation began in June 2019 when search warrants were executed against the alleged developer of IM-RAT and one of its employees.

The malware is thought to have been used in 124 countries and sold to more than 14,500 buyers, generating huge demand thanks to its ease-of-use and relatively low selling price of just $25.

Categories: Cyber Risk News

Utah Company and Its Former CEO Settle with FTC Over Alleged Security Failures

Tue, 01/07/2020 - 17:53

The US Federal Trade Commission has reached a settlement with a Utah company and its former CEO over allegations that shoddy security practices allowed the personal information of over a million consumers to be illegally accessed in multiple hacks.

InfoTrax Systems, L.C. and its founder and former CEO Mark Rawlins allegedly failed to use reasonable, low-cost, and readily available security protections to safeguard the personal information they maintained on behalf of the company’s business clients. 

As a result of the alleged security failures, a hacker infiltrated InfoTrax’s server, along with websites maintained by the company on behalf of clients, more than 20 times from May 2014 until March 2016. 

Sensitive personal information accessed by the hacker included consumers' Social Security numbers, full names, addresses, email addresses, telephone numbers, usernames, passwords, and payment account numbers with expiration dates and CVVs, according to the FTC’s complaint. None of the consumer data stored had been encrypted.

It is further alleged that the presence of the intruder inside the company's system from May 5, 2014, to March 7, 2016, was only discovered because InfoTrax began receiving alerts that one of its servers had reached maximum capacity. 

In its complaint, the FTC wrote: "The only reason Respondents received any alerts is because an intruder had created a data archive file that had grown so large that the disk ran out of space. Only then did Respondents begin to take steps to remove the intruder from InfoTrax’s network."

More hacks occurred on March 14 and 29, 2016, when a threat actor gained access to the company's network, infecting it with malware that harvested payment card and other billing data. 
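The detection gap the complaint describes, an intruder staging a data archive for nearly two years with no alert until the disk filled, is one a routine file-system check would have surfaced long before capacity ran out. As an added example, not anything InfoTrax ran, the Python below walks a directory tree and flags archives that are large, recently modified and outside the directories where archives legitimately live. The size and age thresholds and the directory layout in the demo fixture are assumptions; the fixture files are constructed by the script itself.

```python
"""Flag archive files that look like exfiltration staging.

Added example for this page, not InfoTrax's tooling. The thresholds and
the demo directory layout are assumptions; the fixture is constructed.
"""
import os
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# Leading bytes of common archive formats; a file extension is easy to disguise.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def archive_kind(path: Path) -> Optional[str]:
    """Identify an archive by its magic bytes, or None if it is not one."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_staged_archives(
    root: str,
    min_bytes: int = 100 * 1024 * 1024,  # assumption: 100 MiB is "large" here
    max_age_s: int = 24 * 3600,          # assumption: modified in the last day
    allowed_dirs: Sequence[str] = (),    # where archives are expected (backups)
    now: Optional[float] = None,
) -> List[Dict]:
    """Large, fresh archives outside allowed_dirs, biggest first."""
    now = time.time() if now is None else now
    allowed = [Path(d).resolve() for d in allowed_dirs]
    hits: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            try:
                st = p.stat()
            except OSError:
                continue
            if st.st_size < min_bytes or now - st.st_mtime > max_age_s:
                continue
            kind = archive_kind(p)
            if kind is None:
                continue
            if any(p.resolve().is_relative_to(a) for a in allowed):
                continue
            hits.append({"path": str(p), "kind": kind, "bytes": st.st_size,
                         "age_s": int(now - st.st_mtime)})
    return sorted(hits, key=lambda h: -h["bytes"])


def build_demo_tree(base: str) -> Dict[str, str]:
    """Constructed fixture: a fresh zip under the web root, a sanctioned
    backup, a tiny zip, a big non-archive and a stale archive. Files are
    extended with truncate() so they use almost no real disk space."""
    spec = {  # key: (relative path, magic/head bytes, size, age in seconds)
        "staged": ("htdocs/uploads/cache.zip", b"PK\x03\x04", 200 * 1024, 0),
        "backup": ("backups/nightly.zip", b"PK\x03\x04", 200 * 1024, 0),
        "small": ("htdocs/small.zip", b"PK\x03\x04", 1024, 0),
        "text": ("htdocs/access.log", b"GET /", 200 * 1024, 0),
        "stale": ("htdocs/old.tar.gz", b"\x1f\x8b", 200 * 1024, 3 * 24 * 3600),
    }
    paths = {}
    for key, (rel, head, size, age) in spec.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(head)
            fh.truncate(size)
        if age:
            os.utime(p, (time.time() - age, time.time() - age))
        paths[key] = str(p)
    return paths


def run_demo() -> Dict[str, object]:
    """Build the fixture in a temp dir; return what gets flagged with and
    without the backups directory allow-listed (100 KiB threshold for the demo)."""
    root = tempfile.mkdtemp()
    paths = build_demo_tree(root)
    kw = dict(min_bytes=100 * 1024)
    return {
        "staged": paths["staged"],
        "backup": paths["backup"],
        "with_allowlist": [h["path"] for h in find_staged_archives(
            root, allowed_dirs=[os.path.join(root, "backups")], **kw)],
        "without_allowlist": [h["path"] for h in find_staged_archives(root, **kw)],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real scan: root dir, then any allowed dirs
        for h in find_staged_archives(sys.argv[1], allowed_dirs=sys.argv[2:]):
            print(f"{h['path']}  {h['kind']}  {h['bytes']} B  {h['age_s']}s old")
    else:
        print(run_demo())
```

Run it from cron against web roots, temp directories and upload folders, with the backup location allow-listed. Magic-byte checks catch an archive renamed to `.jpg` or `.log`, which is the kind of evasion a disk-quota alert never sees; what the check cannot see is data compressed in memory and streamed out directly, so it complements rather than replaces egress monitoring.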

Under the terms of the settlement, InfoTrax and Rawlins are prohibited from collecting, selling, sharing, or storing personal information unless they implement an information security program that would address the security failures identified in the complaint. 

In addition, the company and Rawlins are required to obtain third-party assessments of their company’s information security programs every two years.

Utah State University computer science graduate Rawlins founded MLM services provider InfoTrax Systems in 1998. Clients of the company include doTerra, Xango, and LifeVantage.

Categories: Cyber Risk News

Richard Branson Gets Animated Over Online Scams

Tue, 01/07/2020 - 16:53

Sir Richard Branson is so hacked off with cyber-criminals ripping off his name and image that he has released an animated guide to spotting online scams. 

The video features two extremely pink cartoon renderings of the Virgin founder who work together to highlight a variety of scamming tactics over a soundtrack that conjures the most daring of James Bond's espionage escapades.  

Fake Branson tries to tempt you into investing in get-rich-quick scams or giving your personal information away to a stranger, while genuine Branson tells you that he and his team would never do that. 

By the end of the brief video, the fake Branson is revealed to be a robot, whose head then explodes. 

All the fraudulent endorsements and scams mentioned in the video are real tactics that have been used against Branson and his business empire. One such tactic is to send direct messages to people who have posted on Virgin's social media feeds.

Animated Richard points out: "Scammers are contacting people who post on our social feeds. Even if it’s a verified account, know that I never direct message anyone, nor does my team. I never endorse any get-rich-quick schemes—this is a sure-fire way to lose your investment."

To step up the fight against scammers, Virgin has opened its own reporting portal at virgin.com/online-scams and urges anyone affected to report any cases featuring Richard or Virgin that seem suspicious.

If you spot anything else you suspect is a scam, Virgin recommends reporting it to Action Fraud, the UK’s national fraud and cybercrime center, via reporting.actionfraud.police.uk.

In 2017, Branson nearly fell prey to a fraudster posing as a UK government official who requested financial assistance to pay the ransom of a supposed kidnapping victim. 

The billionaire businessman is not alone in being targeted; according to figures released by the UK’s Office for National Statistics in 2018, fraud, including online scams, costs UK consumers £190bn every year.

"Only trust what we post on our official channels," says animated Branson.

"Help us stop scammers and report anything you think is suspicious. If you think it’s a con, send it on."

Categories: Cyber Risk News

Insight Partners Acquires Armis for $1.1bn

Tue, 01/07/2020 - 15:59

In the first major cybersecurity acquisition of 2020, Israeli company Armis has been acquired by private equity firm Insight Partners.

Under the terms of the agreement, Insight will acquire the company for cash at a valuation of $1.1bn, with participation from CapitalG for $100m and rollover from certain existing stockholders. 

The deal represents the largest ever acquisition of a private Israeli cybersecurity company and is also the biggest enterprise IoT security software acquisition to date. Closing is expected to occur in February.

Armis was founded in late 2015 with a mission to help enterprises adopt new connected devices without fear of being compromised by cyber threat actors. The company, which is headquartered in Palo Alto, California, counts numerous Fortune 1000 companies among its clients. 

Following the acquisition, Armis will continue to operate independently and will be fully managed by its two co-founders—Yevgeny Dibrov, CEO, and Nadir Izrael, CTO—and the executive team. Going forward, the C-suite will have the support of Insight's business strategy and ScaleUp division, OnsiteSupport.

This heady mix of freedom with an optional shoulder to lean on was a deal-maker for Armis' Dibrov.

He said: "Insight is one of the most sophisticated software investors in the sector, and it is due to the depth of their domain expertise that they really understand the enterprise IoT device challenge we are looking to solve, and the size of the market opportunity. 

"We considered growth rounds and strategic offers, but by partnering with Insight we have the best of both worlds—operational support and independence, both of which were important in our decision to take on a scaleup partner this early in our company journey."

Insight Partners is a leading global venture capital and private equity firm investing in high-growth technology and software companies with a reputation for driving transformative change in their industries. Founded in 1995, the firm currently has over $20 billion in assets under management and has cumulatively invested in more than 300 companies worldwide.

Teddie Wardi, managing director at Insight, said: "We've spoken with their users, who have told us how powerful the Armis platform is at device discovery, classification, and continuous threat assessment. In a world of unmanaged devices, Armis' technology is a game changer."

Categories: Cyber Risk News

Tech Ops Exec Pleads Guilty in $6m Fraud Case

Tue, 01/07/2020 - 12:01

A senior vice-president at a global internet marketing firm has pleaded guilty to wire fraud after channelling more than $6m of his employer’s money into an IT shell company he controlled.

Hicham Kabbaj worked for over four years at affiliate marketing giant Rakuten Marketing, formerly known as Rakuten LinkShare and part of the Japanese multi-national e-commerce firm.

From 2015, he held positions there as director of operations, VP of global technical operations, SVP of technical operations and then SVP of tech ops and engineering, according to his LinkedIn profile.

However, from at least August 2015 until at least May 2019, Kabbaj was defrauding his employer by issuing invoices in the name of a shell company he created, Interactive Systems, for fictitious products and services such as firewalls and servers, according to the Department of Justice.

The resulting payments, amounting to more than $6m in total, were subsequently transferred to his personal accounts.

“Today, Mr Kabbaj pled guilty to a serious felony because he chose to misuse his position of trust as a corporate executive to steal company funds for his own personal gain,” said Internal Revenue Service, Criminal Investigation Division (IRS-CI) special agent in charge, Jonathan Larsen.

“As a result of the dedicated work of IRS-CI special agents, along with our partners at the US Attorney’s Office, Mr Kabbaj will face the consequences of his crime when he is sentenced by a federal judge.”

Kabbaj, 48, of Floral Park, New York, pleaded guilty to one count of wire fraud, which carries a maximum sentence of 20 years behind bars. He has handed over homes in Palm Beach Gardens, Florida, and Hewitt, New Jersey, as “property traceable to the offense,” and will pay over $6m in restitution.

Categories: Cyber Risk News

Facebook Moves to Detect and Remove Deepfake Videos

Tue, 01/07/2020 - 11:30

Facebook has announced plans to ban deepfake videos.

In a blog post, Monika Bickert, the company’s vice-president for global policy management, acknowledged that “while these videos are still rare on the internet, they present a significant challenge for our industry and society as their use increases.”

Bickert said that “misleading manipulated media” will be removed if it has been edited or synthesized – beyond adjustments for clarity or quality – in ways that aren’t apparent to an average person and would likely mislead someone into thinking that a subject of the video said words that they did not actually say. Videos will also be removed if they are the product of AI or machine learning that merges, replaces or superimposes content onto a video, making it appear to be authentic.

“This policy does not extend to content that is parody or satire, or video that has been edited solely to omit or change the order of words,” Bickert said. “This approach is critical to our strategy and one we heard specifically from our conversations with experts.

“If we simply removed all manipulated videos flagged by fact-checkers as false, the videos would still be available elsewhere on the internet or social media ecosystem. By leaving them up and labelling them as false, we’re providing people with important information and context.”

Jake Moore, cybersecurity specialist at ESET, said that deepfakes are increasingly difficult to spot and that AI is required to help detect them. “Fake videos of famous or powerful people can be extremely manipulative, causing extremely damaging effects in some cases. It is a bold claim from Facebook to ban all such false videos from their platform, as the software used to recognize them is still in its immature phase and requires more research to be effective. 

“Most videos are altered in some way before they land on social media so there is the potential of teething problems with false positives, or even letting a number of genuine deepfakes slip through the net. Not only do we need better software to recognize these digitally manipulated videos, we also need to make people aware that we are moving towards a time where we shouldn’t always believe what we see.”

Facebook has been involved in deepfake detection, launching the Deepfake Detection Challenge last year and partnering with Reuters to help media identify deepfakes and manipulated media through a free online training course.

Categories: Cyber Risk News
