Info Security

Subscribe to Info Security  feed
Updated: 2 hours 49 min ago

US Lawmakers Propose Stopping Grinch Bots Act

Wed, 11/28/2018 - 15:12
US Lawmakers Propose Stopping Grinch Bots Act

In an effort to stop hackers from circumventing security controls used by e-commerce sites, US lawmakers have proposed a new legislation, the “Stopping Grinch Bots Act of 2018.”

According to the Washington Post, “A group of Democratic lawmakers is trying to make it illegal for people to use automated accounts to inflate the prices of consumer products online.” 

Sen. Tom Udall (NM), a co-sponsor of the bill, wrote in an email to the Washington Post, “These Grinch bots let scammers sneak down the proverbial chimneys of online retailers and scoop up the hottest products before regular Americans can even log on – and then turn around and sell them at outrageously inflated prices.”

With the exception of those actors who are conducting necessary research in the development of computer security or the field of computer system security, the act would make it illegal for anyone to circumvent a security measure, access control systems or other technological efforts made by internet retailers to protect their sites and their inventory.

Those who violate the law will be subject to the same penalties provided in the Federal Trade Commission Act, which, according to Yoav Cohen, SVP of product development at Imperva, is a step forward from "The Better Online Ticket Sales Act of 2016."

Because the 2016 act applied only to ticket sales, trying to limit the threat proved to be difficult for law enforcement to effectively prosecute offenders. “Ultimately the act did not do much to hinder attackers using malicious bots,” Cohen said. “The Stopping Grinch Bots Act of 2018 is not only giving retailers a weapon to combat malicious bots but protecting consumers from paying ridiculous markups – money that funds cyber-criminal activity.

“Consumers are spending more money year around, not just on Black Friday, on limited edition or high-demand products like the season's hottest toys or the latest shoe release. This demand and the payout is exactly the motivation malicious attackers need to exploit retailers and consumers.

“Application bots are the easiest method for attackers to get their hands on these goods. Because of their ability to rapidly repeat a specific task, bots are used to do things at a scale that humans can’t or simply don’t want to do. In fact, the latest research says bots make up more than half of all internet activity, and more specifically, bad bots make up almost 30 percent of all internet traffic.”

Categories: Cyber Risk News

2.65 Million Records Exposed in Atrium Health Breach

Wed, 11/28/2018 - 14:46
2.65 Million Records Exposed in Atrium Health Breach

Another massive data breach announcement has made headline, this time for healthcare and wellness program provider Atrium Health, formerly known as Carolinas HealthCare Systems, according to a joint announcement from Atrium Health and AccuDoc.

After one of its third-party vendors, AccuDoc Solutions, was hacked, Atrium Health announced that approximately 2.65 million patient records were potentially compromised. The data possibly compromised includes patient insurance policy information, medical record numbers, invoice numbers, addresses, dates of birth and social security numbers.

“Third-party risk management isn't just a security problem anymore. These issues are making their way up to the board because higher levels of risk deter business success and growth,” said George Wrenn, CEO and founder, CyberSaint Security.

“Every stakeholder should have easily accessible visibility into where risks lie within any given vendor list and should be able to have the insights from that information to take meaningful action. There needs to be a better way to manage the growing risk that comes with expanding businesses."

According to the news release, though, AccuDoc and Atrium Health did take meaningful action. Once AccuDoc discovered that a malicious actor had gained unauthorized access, it launched a forensic investigation and “took steps to secure its affected databases and enhance its security control...and informed Atrium Health of the incident on October 1, 2018."

The company continues to monitor its systems for any anomalous activity. AccuDoc also noted that it currently does not have any evidence that any personal information was taken from its systems.

Atrium Health has its own forensic investigator conducting an independent review of the incident. Both companies have been in contact with the FBI.

“Just when we thought things might be improving in healthcare data security, the Atrium Health Breach repositions 2018 as a record year for healthcare cyber attackers. Healthcare security, both on-premise and in the cloud, has not caught up with best practices and likely won’t do so anytime soon,” said Pravin Kothari, CEO of CipherCloud.

Categories: Cyber Risk News

Killing 3ve: US Dismantles Global Ad Fraud Scheme

Wed, 11/28/2018 - 10:50
Killing 3ve: US Dismantles Global Ad Fraud Scheme

The US authorities are claiming victory after dismantling two global cybercrime rings and indicting eight men on charges connected with running a major ad fraud operation.

Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko were charged with wire fraud, computer intrusion, aggravated identity theft, money laundering and more, according to the Department of Justice.

Ovsyannikov was arrested in Malaysia, Zhukov in Bulgaria and Timchenko in Estonia and all three now await extradition to the US, although the others remain at large.

They are believed to be responsible for a notorious ad fraud scheme which could have been in operation since 2014.

Dubbed “3ve,” what started out as a low-level botnet grew into a major operation in 2017, generating between 3-12 billion+ daily ad bid requests at its peak and compromising one million IP addresses, according to a detailed Google report.

There were three components to the scheme.

The first, reported previously as “MethBot,” “Miuref” and “Boaxxe” has been dubbed 3ve.1 by Google. It was comprised of a network of datacenter-based bots which ran fake ad networks. The bots are said to have loaded ads on 5000 fake websites, with the herders leasing 650,000 IP addresses, assigning them to the servers andfraudulently registering them to residential addresses.

The second scheme, 3ve.2, saw the herders use the global Kovter botnet to load the websites they operated from 700,000 infected computers to generate ad revenue.

Finally, 3ve.3 was similar to 3ve.1 except that it used a smaller number of datacenter bots, plus the cyber-criminals rented datacenter servers directly to use as proxies rather than using the residential IPs of bot-infected computers.

To dismantle the botnet, the FBI sinkholed over 30 domains, executed search warrants on 11 US server providers and seizure warrants for bank accounts in Switzerland and elsewhere linked to the scheme.

It's believed the scheme caused firms to pay out over $36m for fraudulent ads.

Categories: Cyber Risk News

Google Staff Urge Firm to Drop China Search Plans

Wed, 11/28/2018 - 10:35
Google Staff Urge Firm to Drop China Search Plans

Hundreds of Google employees have signed an open letter to the firm urging it to drop plans to launch a censored search engine for the Chinese market, dubbed Dragonfly.

They claimed that the project would make Google complicit in human rights abuses and oppression, as the firm would be forced to hand over user data to the state as per local laws.

“Dragonfly would also enable censorship and government-directed disinformation, and destabilize the ground truth on which popular deliberation and dissent rely,” the letter continued. “Given the Chinese government’s reported suppression of dissident voices, such controls would likely be used to silence marginalized people, and favor information that promotes government interests.”

The letter also argued that launching Dragonfly in China would set a dangerous precedent, making it harder for the tech giant to deny similar concessions to other countries with dubious human rights records.

“Our opposition to Dragonfly is not about China: we object to technologies that aid the powerful in oppressing the vulnerable, wherever they may be,” it said.

Google famously pulled its search engine from mainland China in 2010 after the infamous Operation Aurora attack on employees, saying it was no longer prepared to censor results in the country.

“Many of us accepted employment at Google with the company’s values in mind, including its previous position on Chinese censorship and surveillance, and an understanding that Google was a company willing to place its values above its profits,” the letter concluded. “After a year of disappointments including Project Maven, Dragonfly, and Google’s support for abusers, we no longer believe this is the case. This is why we’re taking a stand.”

The move follows Amnesty International’s calls for Google to end development of Dragonfly and an internal Google petition which garnered over 1000 signatures at the firm criticizing the lack of transparency around the project.

The search giant is said to have removed its famous "don't be evil" motto from its code of conduct earlier this year.

Categories: Cyber Risk News

ISACA & Infosecurity Group Partner to Produce Next-Gen 2019 Infosec Event

Wed, 11/28/2018 - 10:30
ISACA & Infosecurity Group Partner to Produce Next-Gen 2019 Infosec Event

ISACA, the leading global association for IT audit, risk, governance and security professionals, and Infosecurity Group, Europe’s leading information security event, are partnering to produce the most progressive information security event in North America.

To debut in New York City’s Javits Convention Center 20-21 November 2019, Infosecurity ISACA North America Expo and Conference is expected to draw more than 2000 attendees and 120+ exhibitors across workshop, conference programs and exhibition. Professionals will be able to gain a range of CPE credits for attending the conference and associated events.

The event will leverage ISACA’s Cybersecurity Nexus (CSX) community and solutions, including expert workshop series, certification preparation sessions and the latest developments related to the CSX Training Platform, with Infosecurity Group, Reed Exhibitions’ immersive event series staged worldwide for the infosecurity industry with strengths in industry expositions, media, immersive learning and leadership networks

“Many in ISACA’s global professional community already hold Infosecurity’s portfolio in high regard and attend Infosec events,” said Gary Van Prooyen, ISACA vice-president of marketing and communications. “By partnering with Infosecurity in a wholly new enterprise, and launching this event in our 50th anniversary year, ISACA will deliver expanded programming, opportunities and incredible experiences to professionals and enterprises facing ever-increasing information and cybersecurity challenges.”

“Infosecurity event attendees, and ISACA’s professionals worldwide, are on the information and cyber front lines, implementing the latest technologies, building the cybersecurity workforce in critical demand today and tomorrow,” said John Hyde, director of Infosecurity North America. “By coming together behind one comprehensive conference and exhibition experience, Infosecurity and ISACA will set the standard for a spectrum of attendees seeking solutions, innovations, and expertise – from practical advice to leadership inspiration.”

Additional early information on the event can be obtained by visiting Registration for the Infosecurity ISACA Expo and Conference 2019 is expected to open later this year.

Categories: Cyber Risk News

C-Suite: GDPR Could Lead to Greater Risk of Breaches

Wed, 11/28/2018 - 09:40
C-Suite: GDPR Could Lead to Greater Risk of Breaches

Almost a quarter of UK and German businesses (23%) believe the GDPR may have resulted in a greater risk of data breaches, six months after the legislation was introduced.

The findings come from a new survey by Thales eSecurity which polled 1000 combined UK and German business executives and 2000 consumers to better understand attitudes to the sweeping data protection legislation.

“I think there are three main reasons businesses might feel more vulnerable as a result of the regulation. The first is that due to the complexity of the GDPR, organizations lack a solid understanding of how to confidentially protect all data appropriately,” solutions marketing manager, Jim DeLorenzo, told Infosecurity.

In fact, nearly a third (30%) of the CEOs, CIOs and CISOs interviewed felt that the introduction of the GDPR had led to increased complexity, with 40% of UK firms forced to seek guidance from the ICO in the first six months.

“Secondly, organizations may find that GDPR creates an internal distraction that draws resources away from other security activities, potentially resulting in an area of exposure,” he continued. “And finally, they may even think hackers will be more inclined to target businesses, due to the severe penalties faced by organizations who become victims of attacks."

Trend Micro has warned in the past about the potential for hackers to target businesses concerned of the financial implications of reporting a major attack. Back in February it claimed that attackers could look to steal data and threaten to go public unless they receive a pay-out, calculated to be less than the approximate GDPR penalty.

However, with businesses still waiting to see how strictly regulators enforce the legislation, it’s unclear what these penalties would be. German chat app Knuddels became the country’s first business to be handed a fine this week.

Thales eSecurity also found rising consumer expectations about how personal data is managed.

The vast majority (86%) of respondents said they would consider switching from a company to a rival if it suffered a breach, with 69% claiming they’d also consider starting legal action against a firm found to have broken the GDPR.

The legislation has also changed the way companies interact with third-parties: 14% said it had created a negative impact on its international partnerships while 38% admitted being forced to completely change their security policies for contractors and vendors.

Categories: Cyber Risk News

Vulnerability Found in Cisco Webex Meetings

Tue, 11/27/2018 - 15:46
Vulnerability Found in Cisco Webex Meetings

A security researcher has discovered a vulnerability in an elevation of privilege in the update service of the Cisco Webex Meeting application. The update service fails to properly validate user-supplied parameters, according to SecureAuth.

The vulnerability was discovered by Marcos Accossatto from SecureAuth exploits' writers team, and the release of today’s vulnerability advisory was a coordinated effort between SecureAuth and Cisco. Reportedly used by millions of people each month, the video conferencing product’s flaw (CVE-2018-15442) impacts code execution in Cisco Webex Meetings v33.6.2.16 and likely affects older versions as well, though they were not checked.

With a common weakness enumeration (CWE-78) classified as OS command injection, the vulnerability could allow an unprivileged local attacker to run arbitrary commands with system user privileges by invoking the update service command with a crafted argument, according to the advisory.

In the privilege escalation proof of concept (PoC), the researcher wrote: “The vulnerability can be exploited by copying to an a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 'attacker-controlled-path' (if the parameter 1 doesn't work, then 2 should be used).”

While the video conferencing provider had fixed this vulnerability last month, Accossatto was reportedly able to bypass that fix using DLL hijacking. Cisco’s Webex Meetings has now released a new patch and updated its previous security notice.

According to Cisco's Webex Meetings website, Cisco Webex Meetings is “simply the best video conferencing and online meetings. With Cisco Webex Meetings, joining is a breeze, audio and video are clear, and screen sharing is easier than ever. We help you forget about the technology, to focus on what matters.”

However, the vulnerability in the update service of Cisco Webex Meetings desktop app for Windows, which is related to the security issue addressed in October, potentially allows a local attacker to gain elevated privileges.

Categories: Cyber Risk News

Two US Hospitals Hit with Ransomware

Tue, 11/27/2018 - 15:34
Two US Hospitals Hit with Ransomware

A pair of hospitals owned by Ohio Valley Health Services and Education Corp. are struggling to fully recover from last week's ransomware attack that left both facilities unable to accept emergency transport patients, according to WV News. As a result, emergency squads redirected patients to other area hospitals after learning of the full redirect at both East Ohio Regional Hospital (EORH) in Wheeling, West Virginia, and Ohio Valley Medical Center (OVMC) in Martins Ferry, Ohio.

On November 23, Karin Janiszewski, director of marketing and public relations for EORH and OVMC told The Times Leader, “At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in." Daniel Dunmyer, CEO of OVMC, added, “The OVMC-EORH employees and medical staff have been very adaptive and supportive and we are able to continue with quality patient care.”

Though patient records reportedly remain secure, both hospitals experienced downtime. The hospitals’ IT team took multiple computer systems offline, resulting in the two facilities having to revert to paper charting systems. When the attack struck on Friday evening, it was anticipated that the issue would be resolved by Sunday; however, as of reporting time, no updates have been issued.

The extent of ransomware’s impact is often much larger than an organization’s ability to access its systems, especially for hospitals. “The demanded ransom amounts often pale in comparison to the collateral damage and downtime costs they cause,” said Justin Des Lauriers, technical project manager, Exabeam.

“The ideal case would be to detect and stop ransomware before an infection occurs. Unfortunately, this insidious software is almost always detected after the damage has already occurred – it having reached the ‘payday’ stage of the Ransomware Kill Chain (where the hacker demands ransom).”

Janiszewski also noted that the hospitals have redundant security, but often with ransomware, prevention plans aren’t enough, according to Gijsbert Janssen van Doorn, technology evangelist, Zerto.

“Attacks build in frequency and strength, causing irreparable harm to brand reputation and increasing risk,” Janssen van Doorn said. “Instead, organizations need to invest and create more dynamic, modern approaches to business continuity and disaster recovery (DR). Full IT resilience plans, including backup, disaster recovery and cloud mobility, are key to this and enable organizations to withstand both planned and unplanned disruptions. Being able to easily and quickly recover data and computer systems would help hospitals, like those in Ohio and West Virginia, ensure they can offer patients the lifesaving care they need no matter what.”

Categories: Cyber Risk News

Phishing Sites Fool Users with Security Padlock

Tue, 11/27/2018 - 15:03
Phishing Sites Fool Users with Security Padlock

For several years now, it has been a widely accepted truth that a green padlock in a website’s URL indicated that the site was secure; however, Krebs on Security reported that "Half of All Phishing Sites Now Have the Padlock."

Krebs warned, "Maybe you were once advised to 'look for the padlock' as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with 'https://'.”

In truth, the padlock is no indication that the site is secure. Rather, it merely conveys the fact that information being exchanged between your browser and the site is encrypted, rendering it illegible to the eyes of a third party. Krebs continued, “The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.”

Unfortunately, users assume that if they see a padlock on a site they visit, the site is secure, making the green padlock a red herring that misleads users into having a false sense of security, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.

“Attackers are always quick to adapt any innovative means to increase the click-through of their phishing sites. It does not cost them anything to get an SSL certificate from Let's Encrypt to obtain the green padlock, said Bilogorskiy. In fact, Let's Encrypt has become the largest certificate issuer in the world with over 380 million certificates issued on 129 million unique domains. That said, I am not surprised that attackers have doubled the number of HTTPS phishing sites in a year.”

The study indicates that there is no real way for an average user to verify that the sites they visit are secure. “Users should also look for character replacement ("punycode"), subdomains, and other inconsistencies in a site's real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site,” said Paul Bischoff, privacy advocate at

Categories: Cyber Risk News

Edinburgh Napier University Student Named as 2018 Cyber Security Challenge Champion

Tue, 11/27/2018 - 13:32
Edinburgh Napier University Student Named as 2018 Cyber Security Challenge Champion

The Cyber Security Challenge has named 19-year-old Edinburgh Napier University student Charlie Hosier as its 2018 champion.

The winner was announced at a dinner event held in central London at the culmination of Cyber Security Challenge's 2018 masterclass, which saw 42 contestants participate in the three-day event at Barclays HQ. This year’s cryptofactor challenge saw teams tasked with dealing with a cybersecurity attack in the role of a security team that works with a number of fintech and cryptocurrency clients, and presented their findings afterwards at a mock press conference.

The challenge began upon the discovery that cryptomining malware had been installed and data had been stolen from the organization’s sales portal, which then saw cyber-criminals demand a ransom to decrypt the data. Following this news, the contestants worked in teams to investigate, mitigate and control the cyber-attack and worked on an effective and secure network design for future protection.

Prior to the three-day Masterclass, contestants had already completed an exciting and rigorous process to qualify for the grand final competition. This included successfully competing in and winning previous face-to-face competitions that have been held throughout the year. The winning team at the end of the three-day challenge was My Doom.

Hosier said: “It has been an amazing experience to take part in the Cyber Security Challenge UK Masterclass. The challenges and tasks really pushed us, but throughout we have had fun and I’ve met some great people.

“I still can’t believe I won! It’s an amazing feeling and has given me a great opportunity to get my dream job in cybersecurity.”

Colin Lobley, CEO of Cyber Security Challenge UK, added: “This latest Masterclass really highlights the multifaceted role that cybersecurity professionals now need to take on. Having great coding and computer literacy skills is still very useful, however other skills such as psychology and communication are equally important.

“Knowing how to communicate the actions, steps and procedures that a business or organization has taken to mitigate an attack are now business critical. We are really pleased that Barclays sees this too and is helping develop these skills in the UK.”

Categories: Cyber Risk News

EU Voters Worried About Election Hacking and Disinformation

Tue, 11/27/2018 - 11:10
EU Voters Worried About Election Hacking and Disinformation

UK voters are among the most concerned in Europe that elections could be sabotaged by cyber-attacks, according to a new European Commission study.

The survey polled over 27,000 citizens across the EU with face-to-face interviews to better understand their concerns ahead of upcoming European elections in May 2019.

While an average of 61% said they were worried about potential cyber-attacks manipulating the results of the election, the figure rose to 67% in the UK — one of the highest of any country.

UK voters (64%) were also more likely than most Europeans (59%) to fear foreign actors and criminal groups influencing elections covertly.

Across Europe, 67% said they were concerned that their personal data could be used to target the political messages they see — a reference to the Cambridge Analytica scandal that may have impacted the results of the US presidential election and Brexit referendum in 2016.

The good news is that the vast majority of those polled agree that the best way to tackle these threats is to: introduce more transparency to social media, including the affiliation of those behind online ads; give a right to reply for political candidates on social media; and introduce a silence period on social media ahead of key votes, as happens with traditional media.

Laurie Mercer, a security engineer at HackerOne, argued that British voters have nothing to fear from cyber-attacks as — unlike in the US — the system is paper-based.

“Confidence in government IT systems is low. British citizens are worried that their data will be breached. That said, it is difficult to justify this level of concern when thinking of the paper-based elections that we hold in the UK,” he added.

“During British elections, voters mark ballot papers with a pen in a voting booth in a polling station, which are later counted manually. The process is physical: there is a risk of social engineering, but it is really quite difficult to 'hack' a paper-based election to the extent that the result can be affected.”

However, disinformation on social media is a real challenge, according to DomainTools senior security advisor, Corin Imai.

“When we consider how disinformation campaigns spread by outside forces attempted to exert influence over the EU referendum campaign, it makes sense that the UK is more fearful of the cyber-threat to elections than other parts of Europe, but this does not mean that those outside of the UK are safe,” she argued.

“All Western democracies should be concerned by attempts to use cyber-attacks and fake news, which could be used by hostile nation-states for their own gain. While much has been made of how utilities represent critical infrastructure which is vulnerable to cyber-attack, the integrity of our electoral process is just as, if not more critical to our way of life, and should also be considered critical.”

Categories: Cyber Risk News

Microsoft Reveals Causes of Global MFA Outage

Tue, 11/27/2018 - 10:35
Microsoft Reveals Causes of Global MFA Outage

Microsoft has revealed the causes of a major global incident last week that led to large numbers of Azure, Office 365, Dynamics and other Microsoft users being unable to log-in to their services.

The 14-hour outage affected Microsoft Azure AD Multi-Factor Authentication (MFA) services, but “gaps in telemetry and monitoring” for these delayed attempts to spot and understand the underlying causes, Redmond admitted.

The first two causes resulted from a code update that ran from November 13-16. First, there was a latency issue which surfaced during a period of high traffic load and affected communication between the MFA front-end and its cache services.

MFA services experiencing this latency were likely to trigger the second issue, which was a “race condition” in processing responses from the MFA back-end server.

This in turn led to recycles of the MFA front-end server processes which triggered another issue on the MFA back-end.

This third root cause was previously undetected, until triggered by the above.

“This issue causes accumulation of processes on the MFA back-end leading to resource exhaustion on the back-end at which point it was unable to process any further requests from the MFA front-end while otherwise appearing healthy in our monitoring,” explained Microsoft.

The computing giant apologized and claimed it was taking several steps to ensure the same thing doesn’t happen again.

This includes reviewing its update deployment procedures to better identify problems during testing and deployment; reviewing its monitoring services to reduce time-to-detection of incidents and reviewing its containment process to avoid propagating issues to other datacenters.

Microsoft said it’s also looking at its Service Health Dashboard and monitoring tools to detect publishing issues immediately during incidents.

Categories: Cyber Risk News

Uber Slapped with £385K ICO Fine for Major Breach

Tue, 11/27/2018 - 10:02
Uber Slapped with £385K ICO Fine for Major Breach

Uber has been hit with a £385,000 fine by the UK’s data protection regulator after a notorious breach in October/November 2016 which affected over 2.7 million customers and drivers.

The Information Commissioner’s Office (ICO) branded the incident the result of “a series of avoidable data security flaws.”

The hackers managed to obtain username and password combinations previously made available via breaches and apply credential stuffing techniques to crack an Uber GitHub account. In fact, the attackers were able to identify the passwords for GitHub accounts belonging to 12 Uber employees as a result.

In one account they found Amazon IAM credentials for an Uber account with AWS inside a piece of code. This enabled them to access the AWS S3 data stores containing the customer and driver data.

This litany of security missteps allowed attackers to obtain details including full names, email addresses and phone numbers on 2.7 million UK customers and 82,000 drivers — plus details of journeys and how much drivers were paid.

However, Uber added insult to injury by paying $100,000 to the hackers for them to destroy the data. The firm subsequently kept the incident a secret until new CEO Dara Khosrowshahi came clean in November 2017.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” said ICO director of investigations, Steve Eckersley.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack. Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

It goes without saying that under the current GDPR regime, Uber’s fine would have been significantly greater.

The Dutch privacy watchdog also issued a fine today related to the 174,000 of its citizens affected, deciding to levy a harsher €600,000 (£532,000; $679,000).

Categories: Cyber Risk News

Facebook Privacy Documents Seized by Parliament

Mon, 11/26/2018 - 18:55
Facebook Privacy Documents Seized by Parliament

Facebook has again made headlines after the UK Parliament leveraged its legal right to demand documents alleged to include confidential email exchanges between top executives, as well as correspondences with CEO Mark Zuckerberg, according to The Guardian.

The documents are believed to contain the details of Facebook’s data and privacy controls prior to the Cambridge Analytica scandal.

While Ted Kramer, co-founder of US software company Six4Three, was in London on a business trip, Damian Collins, chair of the culture, media and sport select committee, reportedly sent a sergeant-at-arms to Kramer’s hotel room and demanded that he turn over the documents, invoking a rarely used but legal mechanism, which Collins himself called unprecedented.

“That the UK Parliament would go to the lengths it did recently to acquire this information about Facebook’s level of involvement in the Cambridge Analytica scandal speaks volumes about how potentially devastating these findings could be for every party involved,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

“If it is determined that Facebook executives not only knew what was happening but actively supported the privacy policy loopholes that allowed Cambridge Analytica to collect user data in the first place, this would be the most egregious abuse of user privacy that we’ve yet seen.”

Facebook’s Richard Allan, VP of policy solutions, is due to appear before Parliament on Tuesday. In a letter to Collins and shared with Infosecurity Magazine, Allan wrote:

As you know, these documents date from 2013-14 and were disclosed as part of a proceeding brought by Six4Three against Facebook, and are under seal by Court order (as is common practice in US proceedings of this nature). The court that sealed the documents is due to consider these latest developments as early as tomorrow. It will be helpful for all of us to see Six4Three's explanation and any directions given by the judge in this case as we consider their legal status.

This case has become a matter of public debate and it is important that participants in this debate understand its context.

The app that had been developed by Six4Three was designed to surface images of women in bikinis that had been shared by friends. It received some press attention (New 'Pikinis' App Helps Creeps Find Your Bikini Pics With Ease ( when it was launched. We understand that around 4,500 people installed the app.

Since then, the company has filed multiple complaints against Facebook. We consider these to be entirely without merit and that the repeated filings demonstrate that this is more about attacking our company than it is about a credible legal claim. While plaintiffs are free to file any complaint they wish to, however far-fetched, it is important not to take claims made in commercial cases like these at face value.

Categories: Cyber Risk News

EU Takes Down 33,600 Counterfeit Sites

Mon, 11/26/2018 - 16:04
EU Takes Down 33,600 Counterfeit Sites

Law enforcement agencies across the EU have successfully shut down more than 33,600 internet domains distributing counterfeit or stolen items, according to a press release published today by Europol.

Europol announced that its Intellectual Property Crime Coordinated Coalition (IPC3) seized 33,654 domain names that had been selling contraband, including counterfeit pharmaceuticals, pirated films, television shows, music, software, electronics and other fake products.

In addition to seizing tens of thousands of domain names, IPC3 also arrested 12 suspects. The initiative also resulting in blocking hardware devices and enabled authorities to both identify and freeze more than 1 million in multiple bank accounts. The organized criminal groups had been using online payment platforms and a virtual currency farm, which were also frozen by authorities.

As part of a joint operation with law enforcement agencies in 26 other countries – including South Korea, Bosnia and Herzegovina, Colombia and China – IPC3 worked alongside INTERPOL and the US National Intellectual Property Rights Coordination Center in a mission that was the continuation of the In Our Sites (IOS) operation launched in 2014.

In previous years, the joint efforts resulted in the seizure of 20,520 domain names. The ability to shut down even more sites this year was attributed to increased efforts on behalf of anti-counterfeiting associations, brand owner representatives and law enforcement authorities.

“To continuously raise awareness of this growing threat, Europol’s IPC3 launched the campaign 'Don’t F***(ake) Up.' The campaign informs citizens of the risks of buying fake products online and provides forthright advice to help identify illicit websites that sell counterfeit goods, as well as other means used by counterfeiters, such as fake social media accounts and fake apps,” Europol said in the press release.

According to the Don’t Fake Up campaign, the sectors most commonly affected by counterfeit products include manufacturing, consumer goods, technology, software and biotechnology, which includes pharmaceuticals.

“When shopping online, you are more likely to fall victim to counterfeiters. In a digital environment, without the physical product to look at and feel, it can be more difficult for you to spot the differences. Some illicit websites selling counterfeits are so sophisticated that it is hard to detect that they are scams. Infringers are also exploiting mobile app stores as an ideal shop front. Again, users are less likely to question the legitimacy of an app, especially if it appears in an official app store,” Europol wrote.

Categories: Cyber Risk News

Holiday Season Attacks Expected to Increase by 60%

Mon, 11/26/2018 - 15:18
Holiday Season Attacks Expected to Increase by 60%

'Tis the season for cyber-scams, according to the new Holiday Threat Report from Carbon Black. The report compared cyber-attack data over the last two years and found that once cyber-attacks spike on Cyber Monday, they will likely remain elevated throughout the holiday season.

The holiday season of 2016 saw a 20.5% surge in attempted attacks, but by 2017 global organizations encountered a 57.5% increase in attempted attacks during the holiday shopping season, with the greatest number of attempts happening in the days following Christmas, according to the research.

“The majority of these attempted holiday-related cyberattacks were the result of commodity malware, commonly delivered through spear-phishing campaigns. In recent years, attacks targeting major retailers (often through supply chain partners) have resulted in the loss of millions of customer records and credit card numbers as well as major breach costs for the targeted organizations,” the report stated.

The report also found that employees who worked remotely while traveling were the target of spear-phishing campaigns offering discounted airfare or gift card deals.

“The holiday season is one of the most opportune times for cyber-criminals, who look to take advantage of unsuspecting consumers with spear-phishing emails promising holiday deals that are too good to be true,” said Tom Kellermann, chief cybersecurity officer, Carbon Black.

“As a consumer, it’s important to pay extra attention to an email’s grammar, URLs and sender alias. If anything seems ‘phishy,’ do not open, acknowledge or click through. Additionally, never download attachments or open links unless coming from a verified, trusted source. If anything seems off, immediately seek verification," said Kellermann.

“For businesses, the holiday shopping season is a time to prioritize vigilance while safeguarding sensitive data, with attempted cyber-attacks against businesses increasing an alarming rate between Black Friday and New Year’s Day. Retail businesses specifically are often understaffed while operating during the busiest time of year, meaning cybersecurity can sometimes take a backseat–creating an ideal situation for cyber-criminals.”

Categories: Cyber Risk News

Fraud Alert as Cyber Monday Sales Kick Off

Mon, 11/26/2018 - 11:30
Fraud Alert as Cyber Monday Sales Kick Off

Security experts have lined up to warn consumers of a deluge of phishing and gift card scams as Cyber Monday kicks off today.

The US online sales blitz has also become something of a staple across some European countries, especially in the UK where it’s predicted that sales today will take total online spending for the weekend to over £7bn.

However, shoppers have been urged to watch out for two gift fraud scams. One involves cyber-criminals using “dirty” money to buy gift cards, which they can then sell on third-party sites for a discounted price, thereby laundering their funds.

“Gift cards are legitimately traded online by people who, for example, were given a gift card to a store that they never shop at, so instead of a £50 gift card that they will never use, they sell it for £30 and take the cash in return,” explained Trustwave VP of security research, Ziv Mador. “The buyer then gets £20 worth of free credit. This poses a risk to the end customer because if the gift cards are found to be bought with stolen money they could be invalidated.”

In another scenario, cyber-criminals use dirty money to buy gift cards which they then use to purchase legitimate goods. These can be re-sold to unsuspecting customers on eBay and similar sites. Although the customer is likely to be refunded if the scam is spotted and blocked in time, they’ve wasted time and effort in the process.

Elsewhere, experts warned consumers of a surge in phishing emails designed to coincide with the busy sales period, especially those offering huge discounts.

Cybereason chief security officer, Sam Curry, urged users not to click on any links or open attachments, even if they appear to come from ‘trusted’ vendors.

Phishing emails could also come from ‘credit card providers,' he claimed.

“The consumer stressing out about a high volume of debt they are carrying on multiple credit cards, might receive an email pretending to be from the credit card company saying their account is overdue and is subject to being shut down unless they make a minimum monthly payment,” Curry warned. “The unsuspecting consumer gives away their credit card information and other personable identifiable information.”

One company estimated sales of £7bn in the UK from Black Friday to Cyber Monday, with shoppers spending an average of £220 each.

Categories: Cyber Risk News

German Regulator Fines Firm for GDPR Failings

Mon, 11/26/2018 - 10:23
German Regulator Fines Firm for GDPR Failings

A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app.

The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text.

As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega.

The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed.

Although the lack of encryption breaks a core requirement of the GDPR, the German chat app provider seems to have benefited from responding with speed and transparency.

“The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users' data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI,” the regional regulator said in a statement.

“The very good cooperation with the LfDI spoke in particular to the benefit of the company. The transparency of the company was just as exemplary as the readiness, the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information. In this way, the security of the user data of the social media service could be significantly improved in a very short time.”

The action taken in this case will reassure some Data Protection Officers (DPOs) waiting to see how regulators enforce the GDPR that the emphasis is on education rather than making an example of organizations.

UK watchdog the Information Commissioner’s Office (ICO) has said as much in the past.

"Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack," said Stefan Brink, state data protection commissioner for Baden-Württemberg. "The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users."

Categories: Cyber Risk News

Ukrainian Police Nab Suspected RAT-Slinger

Mon, 11/26/2018 - 09:54
Ukrainian Police Nab Suspected RAT-Slinger

Police in Ukraine have arrested a man who allegedly used a notorious Remote Access Trojan (RAT) to target thousands of users around the world.

A statement from the Ukrainian National Police on Friday said that cyber specialists on the force cuffed a 42-year-old man from Lviv on suspicion of using the DarkComet malware.

He’s said to have infected 2000 computers in 50 countries around the world.

On searching his machines, the police found the man installed "a Trojan virus administration program on his computer and modified it to send out client versions of the virus,” according to the statement.

These ‘clients’ are used to harvest data from infected machines. The malware has been around for at least six years and was even used by the Syrian regime to spy on activists and opposition groups.

It features multiple capabilities including keylogging, password and document theft, webcam monitoring, taking screenshots of the victim’s machine, and even disabling AV notification settings.

“The cyber police specialists analyzed the malware. It is found that the virus provides full remote access to controlled computers. In particular — the ability to download and upload files, manage startup and services, remotely manage the registry, install and remove programs, take screenshots from the remote screen, intercept microphone sound and video from embedded or external cameras,” the statement continued.

Perhaps most incriminating of all, the police found screenshots of infected victim computers on the arrested man’s machine.

Ukrainian police also issued a series of steps for users to take to check if their computer has been infected with DarkComet.

This involves checking if the machine is trying to communicate with IP address on port 1604 or 81.

If so, they’re urged to use anti-malware program to remove the infection.

Categories: Cyber Risk News

US Says China Increased Hacking over Trade Dispute

Fri, 11/23/2018 - 15:44
US Says China Increased Hacking over Trade Dispute

In advance of a meeting between US President Donald Trump and China's President Xi Jinping, a US government report made claims that China had increased hacking attempts in an effort to steal American technology and shows no sign of stopping or slowing its cyber-theft practices, according to the Associated Press.

The report from the Office of the United States Trade Representative stated: "cybersecurity firms have observed, in the period from mid-2017 through mid-2018, what appear to be Chinese state-sponsored entities attacking firms in cloud computing, Internet of Things, artificial intelligence, biomedicines, civilian space, alternative energy, robotics, rail, agricultural machinery, and high-end medical devices sectors. One cybersecurity firm, CrowdStrike, observed that Chinese state hacking is gaining in pace and volume, while another, FireEye/Mandiant, similarly stated that previously inactive Chinese hacking groups had now been reactivated.

"In November 2018, cybersecurity firm Carbon Black found a sharp rise in the third quarter of 2018 'in attacks against manufacturing companies – a type of attack that has been frequently tied to Chinese economic espionage.' It also found that 68% of incident response professionals surveyed during the preceding three months assessed that China was the source of the observable cyberattacks, more than any other country." 

Asserting the increased threat to US companies from Chinese advanced persistent threat (APT) group, APT10, the report said the Department of Homeland Security (DHS) had also seen an uptick in cyber-enabled theft coming from China.

“We completed this update as part of this Administration’s strengthened monitoring and enforcement effort,” Ambassador Robert Lighthizer said in a press release. “This update shows that China has not fundamentally altered its unfair, unreasonable, and market-distorting practices that were the subject of the March 2018 report on our Section 301 investigation.” 

In addition, the policies and practices of Chinese adversaries are growing more sophisticated. The report stated: "China’s state-supported hackers have developed new ways of concealing their attacks. In particular, hackers appear to be using generic 'tools' that leave little if any unique traces, making attribution more difficult."

Categories: Cyber Risk News