Info Security

Subscribe to Info Security  feed
Updated: 1 hour 34 min ago

Huddle House Suffers POS Malware Breach

Tue, 02/05/2019 - 10:30
Huddle House Suffers POS Malware Breach

Huddle House has become the latest US restaurant chain to suffer a Point of Sale (POS)-related data breach.

The casual dining and fast food operation revealed on Friday that a malware intrusion had affected an unspecified number of its “corporate and franchised locations.

“Criminals compromised a third-party POS vendor’s data system and utilized the vendor’s assistance tools to gain remote access — and the ability to deploy malware — to some Huddle House corporate and franchisee POS systems,” it said in a notice.

“Huddle House was notified by a law enforcement agency and its credit card processor that some of its corporate and franchise locations may have been victims of a malicious cyber-attack. Huddle House retained a leading IT investigation and security firm in less than 24 hours from notification, to deploy specialized software to prevent further attacks.”

The firm is still investigating and so unable to provide a definitive list of affected locations, but said that anyone who used a payment card at one of its restaurants between “August 1, 2017 and present” may be at risk.

The malware in question appears to have been classic POS-scraping code designed to harvest magnetic stripe data including cardholder name, credit/debit card number, expiration date, cardholder verification value and service code.

These attacks are less common today thanks to the growing adoption of the EMV standard in the US, which encrypts cardholder data thanks to a built-in chip on each card. This makes it virtually impossible to clone cards using stolen information.

However, hackers still try their luck from time-to-time as EMV adoption is patchy and there’s also a chance that it hasn’t been properly implemented by the store/restaurant.

Huddle House urged customers to check their card statements and contact their bank immediately if they spot anything suspicious.

Categories: Cyber Risk News

Kids' Smart Watch Recalled Over Security Concerns

Tue, 02/05/2019 - 09:51
Kids' Smart Watch Recalled Over Security Concerns

The European Commission is trying to recall a German-made children’s smart watch model over security concerns that hackers could communicate with or monitor the wearer.

It issued a recall notice under the Rapid Alert System for Non-Food Products (RAPEX), claiming the risk level is “serious.”

It says that the Safe-KID-One device produced by Hamburg-based Enox Group does not comply with the Radio Equipment Directive and all models should be recalled from end users.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed,” the RAPEX notice revealed.

“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

The Safe-KID-One is just the latest in a long line of smart devices made for young people that has been found to have serious security and privacy vulnerabilities.

Over 800,000 user accounts and millions of voice conversations between parents and their kids were left exposed online after an issue at California-based CloudPets in 2017.

In the same year, German regulators urged parents not to buy the Cayla doll, warning that hackers could use an insecure Bluetooth device in the toy to listen and talk to the child playing with it.

In fact, UK consumer rights body Which? claimed to have found Bluetooth vulnerabilities in numerous connected smart toys, calling for such devices to be taken off the shelves.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” argued MD of home products and services, Alex Neill, at the time. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”

Categories: Cyber Risk News

Flaw in SS7 Lets Attackers Empty Bank Accounts

Mon, 02/04/2019 - 19:38
Flaw in SS7 Lets Attackers Empty Bank Accounts

A UK bank fell victim to a malicious SS7 attack that led to cyber-criminals emptying bank accounts at the UK’s Metro Bank, according to Motherboard.

Though malicious actors have been able to exploit flaws in telecommunication infrastructure for years, it’s not being reported that attacks are able to intercept codes used for banking using Signaling System 7 (SS7) attacks. According to Motherboard, the National Cyber Security Centre (NCSC) said that it is aware that cyber-criminals are exploiting a telecommunications vulnerability to target bank accounts “by intercepting SMS text messages used as 2-Factor Authentication.”

“Legacy communications protocols were often architected with utility in mind, not security,” said Matt Walmsley, EMEA director at Vectra. “We’ve seen old-school fax protocols being recently used to delivery malicious payloads into multifunction printers. Using the telephone infrastructure for illicit activity isn’t new, either."

The attack is concerning, given the widespread use of SMS as an authentication channel. “SMS is increasingly become a low-trust infrastructure, and there are other choices available to provide additional factor authentication, including local token generators and biometrics,” Walmsley said.

Because of the flaws in telco infrastructure, British telco company BT said that it is constantly upgrading its systems. According to a report from Reuters, the attack is not limited to Metro Bank but rather is a sampling of a wider attack on banks across Britain.

“Whether criminals use man-in-the-middle SS7 attacks or engage in SIM card swapping, it just goes to show that relying on a SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts,” said Jon Bottarini, hacker and lead technical program manager at HackerOne. “Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks.”

Categories: Cyber Risk News

Speak Up Malware Targets Linux, Mac in New Campaign

Mon, 02/04/2019 - 18:46
Speak Up Malware Targets Linux, Mac in New Campaign

Linux servers are the target of a new crypto-mining campaign in which a malware dubbed "Speak Up" implants a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions, according to research from Check Point.

The malware has been seen targeting servers predominantly in Asia and Latin America, including machines hosted by Amazon Web Services (AWS) and Mac devices. Because it implants a new backdoor for which there currently are no detections in VirusTotal, the backdoor is reportedly able to evade all security vendors’ anti-virus software, according to today's blog post. Researchers detected Speak Up being used to spread the XMRig crypto-miner to a machine in China, which was reported to VirusTotal on January 9, 2019.  

Researchers warned that the malware's "obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive."

According to the report, the malware remains in communication with its command and control (C&C), receiving its next task instructions on what researchers called a “fixed ‘knock’ interval.” Built-in to the malware is a Python script that enables lateral movement on the network. The script also scans the local networks for open ports, forces its way into nearby systems using a list of predefined usernames and passwords and then uses one of seven exploits to take over unpatched systems.

“This is malware that targets Linux and macOS. Once this malware is on a system, it does all the same things any malware would do. It follows the attack lifecycle verbatim,” said Chris Morales, head of security analytics at Vectra. “Those behaviors include running shell commands, executing files downloaded from a remote C&C server, and updating or uninstalling itself.

“By monitoring the internal network with machine learning, the listed behaviors becomes a list of behaviors that every attack must perform, and every one of these behaviors is detectable. In fact, the more the attack does, the easier it becomes to notice.”

Categories: Cyber Risk News

Alexa 500 Sites Targeted with Adaptive Malware

Mon, 02/04/2019 - 17:41
Alexa 500 Sites Targeted with Adaptive Malware

A malicious campaign has been targeting premium publishers using malvertising that looks like legitimate ads for popular retailers, according to The Media Trust.

Researchers today published a blog post explaining that a large-scale malicious campaign attempted to exploit 44 adtech vendors with the ultimate goal of attacking the millions of customers who visit 49 of the Alexa 500 premium publisher sites.

Nearly 80% of the devices targeted were running iOS. Of the more than 600,000 attacks that were detected and analyzed, researchers discovered that unsuspecting visitors didn’t even need to click on any of the ads. By visiting the sites, they were redirected to malicious content prompting them to enter their login credentials. This campaign is reportedly unique because of the malware’s adaptability.

“The group behind the attack had designed an adaptive campaign so that as soon as one malware and supply chain route was identified and terminated, another attack would immediately ensue using different malware and alternative supply chain routes,” researchers wrote.

“Each time attacks were identified and foiled, new ones would launch using other ad formats, fire up new supply chain routes, and employ unique code obfuscation techniques.”

Researchers also said, “combining resources that fed into the entire solution was key,” and they suspect that victims who visited less monitored sites likely had some of their credentials compromised.

“The DSO’s success in preventing further damage in an environment of increasingly sophisticated attacks speaks to the effectiveness of continuous monitoring, as well as cooperation,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.

“Moving forward, in order to ensure an organization’s or site’s cyber posture, this approach must be the norm rather than the exception.”

Given that these adaptive campaigns are growing increasingly more potent and prolific, researchers advised, “the value of real-time scanning and analysis is the only way to keep abreast of these quickly morphing attacks. Anything less would have left the publishers and their vendors defenseless against the onslaught of attacks.”

Categories: Cyber Risk News

Student Loans Company Hit by One Million Cyber-Attacks

Mon, 02/04/2019 - 12:11
Student Loans Company Hit by One Million Cyber-Attacks

The UK’s Student Loans Company (SLC) has been forced to repel nearly one million cyber-attacks over the course of the last financial year, highlighting the growing risk to organizations from hackers.

Think tank Parliament Street sent a Freedom of Information (FOI) request to the non-profit government body, which provides loans and grants to students in the UK.

It revealed the organization was hit by 965,639 separate attacks in the financial year 2017/18. There was little further info on exactly what type of attacks these were, although they included SQLi attempts.

On top of these figures, the SLC broke down a further 323 malware attempts and 235 malicious emails or calls.

Some 127 attempted attacks were not blocked and therefore treated as full blown “incidents,” compared to three attempts in financial year 2015/16 and 95 in 2016/17. However, only one attack succeeded in breaching the SLC’s defenses.

“There was a successful infection of with Monero cryptocurrency mining malware via a third-party plugin,” the FOI response, sent to Infosecurity, revealed.

“ is hosted by a third-party supplier, so this was run as a third-party incident. hosts publicly available material only and no customer data was involved.”

Although the number of attacks sneaking through the perimeter appears to have peaked in 2017/18, the number of malware attempts spiked the previous year. In 2016/17 there were 1015 recorded.

It’s understandable that the SLC is a major target for hackers, given the trove of financial and personal data it stores on the nation’s students. The firm is also a popular target for phishers, who often spoof the organization in an attempt to trick students into disclosing their personal details.

In 2014 it received a dressing down from the ICO after sending applicants’ personal information including medical details to the wrong recipients.

“It’s no surprise that cyber-criminals are relentlessly targeting the personal financial details of students, putting the well-being of tens of thousands of individuals at risk,” said Imperva CTO, Terry Ray. “Tackling this problem means investing heavily in the latest cybersecurity measures, to keep hackers out and limit the risk of a major data breach.”

Categories: Cyber Risk News

Home Improvement Site Houzz Suffers Data Breach

Mon, 02/04/2019 - 10:47
Home Improvement Site Houzz Suffers Data Breach

Home improvement site Houzz has announced a data breach affecting an unspecified number of customers, but claimed that follow-on identity theft is “highly unlikely.”

The firm — which claims to have over 40 million homeowners, home design enthusiasts and home improvement professionals on its books — said it learned about the incident in late December 2018. This could be an issue for GDPR regulators given it has taken over a month to notify.

The California-headquartered business said an unauthorized third party gained access to a file containing user data.

This included: user ID, prior Houzz user names, one-way encrypted passwords “salted uniquely per user,” IP address, and city and postcode inferred from IP address. Also exposed in the breach were publicly available account details like Houzz user name and/or Facebook ID.

Finally, if the user had made the following info publicly visible, then first name, last name, city, state, country and profile description could also be compromised.

The firm claimed not all customers were affected but did not disclose the number. It has emailed those who may have been affected “out of an abundance of precaution” asking them to reset their passwords.

“We do not believe that any passwords were compromised because we do not actually store passwords except in a one-way encrypted form that is salted uniquely per user,” it added. “However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”

No financial information or, in the US, Social Security numbers, were taken, according to the firm.

Tripwire VP, Tim Erlin, also urged users to change their log-ins.

“If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well,” he argued. “Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers."

Categories: Cyber Risk News

ICO Fines Brexit Campaign and Key Backer £120K

Mon, 02/04/2019 - 10:02
ICO Fines Brexit Campaign and Key Backer £120K

The Information Commissioner’s Office (ICO) has fined Leave.EU and an insurance company owned by Brexit backer Arron Banks £120,000 for serous data protection failings.

The UK’s privacy watchdog claimed that segregation of data between the two closely linked companies was insufficient, meaning data collected by Eldon Insurance on its customers was used to bombard them with online messages backing the leave vote.

The reverse was also true, with Leave.EU subscribers sent marketing missives from Eldon Insurance without having given adequate consent.

Leave.EU was fined £15,000 for illegally sending nearly 300,000 political marketing messages, while both Leave.EU (£45,000) and Eldon Insurance (£60,000) were fined for sending nearly one million emails to Leave.EU subscribers, according to the ICO.

“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened,” said information commissioner, Elizabeth Denham, in a statement.

“We have been told both organizations have made improvements and learned from these events. But the ICO will now audit the organizations to determine how they are using customers’ personal information.”

The formal assessments by the ICO will cover data protection practices, staff training and other processes for the two organizations, which share offices.

Eldon Insurance was also served an ICO enforcement notice ordering the firm to comply with electronic marketing regulations.

Rumors of illegality have swirled around the Brexit referendum campaign for years.

Leave.EU is now the subject of a criminal investigation by the National Crime Agency (NCA), referred by the Electoral Commission, after suspicions that Banks was not the source of a multi-million pound donation as he has claimed.

The money is said to have come from one of his subsidiaries in the Isle of Man, which is illegal under UK election law.

MPs have called for the Brexit process to be suspended until the outcome of these allegations of multiple criminal offenses.

Thus far, Prime Minister, Theresa May has resisted calls for a Robert Mueller-like investigation into possible Russian interference in the referendum, despite mounting concerns over the role of firms like AIQ in targeting voters, spending irregularities and Russian social media misinformation.

A grass roots campaign, Fair Vote, is looking to mount a legal challenge to force a public inquiry.

Categories: Cyber Risk News

Execs Remain Weak Link in Cybersecurity Chain

Fri, 02/01/2019 - 15:55
Execs Remain Weak Link in Cybersecurity Chain

Despite their high-ranking positions, senior executives are reportedly the weak link in the corporate cybersecurity chain with a new report from The Bunker, which finds that cyber-criminals often target this known vulnerability.

A recently published white paper, Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain, found that those at the top are guilty of a bit of grandiosity. They disregard cybersecurity threats and policies under the misguided perception that the rules don’t apply to their unique positions.

“Professional hackers and adversaries will usually do a thorough investigation into a senior executive or board level director, including full analysis which could entail in-depth monitoring of the company website and associated social media accounts,” the report said.

Most executives make the same five mistakes, according to the report. Senior executives fail to realize that they are prime targets for cybercriminals, which is potentially a result of their view that cybersecurity is an IT responsibility that doesn’t have anything to do with their executive positions.

In reality, though, the report said, “IT security has now become the remit of all individuals, especially those in the highest positions of each department and senior executives need to take ownership for IT security best practice in their day-to-day behavior.”

Another common mistake among senior executives is that they believe cybersecurity threats are attacks that happen to the business by some external malicious actor rather than being the result of internal threats or accidents.

Many top executives also reportedly believe that a cloud provider is responsible for the backup and security of all information, though they fail to use cloud hosted email securely.

However, cybercriminals know that top executives often have privileged access to company information, so hackers intentionally target their personal accounts.

“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organizations and their senior executives will be well positioned to avoid the high financial costs, reputational damage and unexpected downtime that could result from a cyber-attack or data breach,” said Phil Bindley, managing director, at The Bunker.

Categories: Cyber Risk News

FDD Finds Trump's Cyber Policies Are Sensible

Fri, 02/01/2019 - 15:22
FDD Finds Trump's Cyber Policies Are Sensible

Two years after President Trump taking office, the Foundation for Defense of Democracies has issued its midterm assessment, The Trump Administration’s Foreign and National Security Policies, which looks in part at the administration’s cyber policies and the advances therein.

Authored by Annie Fixler, deputy director for the Center on Cyber and Technology Innovation (CCTI), and David Maxwell, senior fellow, CCTI, the section on cyber looks at current policy and makes recommendations for moving forward.

In their assessment, Fixler and Maxwell found, “The Trump administration’s cyber policy is moving away from the prioritization of law enforcement to an approach that balances law enforcement, persistent engagement with adversaries in cyberspace, and the pursuit of deterrence. The most significant expression of this shift is the administration’s September 2018 National Cyber Strategy.”

Based on a series of assertions from senior officials who testified before Congress as to the effectiveness of previous policies, the Trump administration took what Fixler and Maxwell commended as positive steps forward.

“In May 2017, the president signed an executive order requiring departments to work with the private sector to support critical infrastructure security. Seven months later, in its first National Security Strategy, the administration pledged to impose 'swift and costly consequences' on malicious cyber actors, and explicitly noted the danger of adversarial cyber-enabled economic warfare.”

The authors also noted that “while it is too early to assess the effectiveness of the Trump administration’s new National Cyber Strategy, the document has received rare bipartisan praise.”

After outlining the effective strategies taken by the administration, the FDD made six cyber-specific recommendations:

  1. Target those responsible for, or benefiting from, malicious cyber operations.
  2. Excise components from authoritarian states engaged in malicious cyber operations from U.S. and allied supply chains.
  3. Synchronize cyber defense capabilities and offensive options with allies.
  4. Use cyber and kinetic capabilities to impose costs on adversaries.
  5. Create secure partnerships and interoperability with the private sector.
  6. Recruit private sector support for U.S. national security goals.

Categories: Cyber Risk News

Why All Users Should Change Passwords Today

Fri, 02/01/2019 - 15:00
Why All Users Should Change Passwords Today

February 1 is change your password day, an annual “holiday” established back in 2012, according to a blog post from Gizmodo, as a way to get a wide collection of end users to change their passwords together.

Over the course of the past seven years, though, passwords have continued to create enormous risks to enterprise security, with many users either crafting weak passwords or reusing passwords across multiple accounts.

According to a LastPass survey, 39% of consumers never change their password unless it is required. In all likelihood, people don’t change their passwords because the average user has nearly 200 accounts to keep track of, which makes changing passwords every month or quarter unrealistic, according to LastPass.

“It will take some time to upload your credentials into the password manager, but invest the time and use the password generator function to create complex, new passwords for your accounts. Using a passphrase with a combination of complex characters such as $ymB0LS drastically increases your security and protection of personal data,” said Joseph Carson, chief security scientist at Thycotic.

What matters most when it comes to password protection is length, which is why it has become more commonplace to see sites requiring a minimum of eight-character passwords. Still, “there is a long-running myth that complex phrases using characters, numbers and letters is secure. They are not. These are simply hard-to-remember phrases that are quickly forgotten and reused in multiple locations,” said Chris Morales, head of security analytics at Vectra.

Instead, Morales said simple phrases, rather than complex combinations of characters and numbers, make better passwords. “'The quick red fox jumped over the lazy brown dog' is a much stronger and infinitely easier to remember password than '1W33$^Adgfi*()tyu.'”

When it comes to enterprise protection, LogRhythm advised businesses to use multifactor authentication whenever possible to protect critical infrastructure, such as VPN and email access. Also, avoid shared accounts. Instead, create separate accounts for each user of an application so that any actions performed are properly attributed to a specific employee, which will also limit the risk of inadvertent password exposure.

Categories: Cyber Risk News

Iran APT Group Targets Foreign Embassies

Fri, 02/01/2019 - 11:24
Iran APT Group Targets Foreign Embassies

Security researchers have uncovered a new cyber-espionage campaign against foreign diplomats in Iran, using malware linked to a well-known APT group.

Kaspersky Lab researcher Denis Legezo claimed the campaign was indicative of hackers in emerging regions using “homebrew” malware combined with publicly available tools.

In this case, they use an improved version of the Remexi backdoor first reported in 2015, enabling them to: harvest keystrokes, take screenshots, exfiltrate credentials, log-ins and browser history and execute remote commands.

Data is exfiltrated using the legitimate Microsoft Background Intelligent Transfer Service (BITS) application, saving the group time and money and complicating attribution efforts, Kaspersky Lab claimed.

“When we talk about likely state-sponsored cyber-espionage campaigns, people often imagine advanced operations with complex tools developed by experts. However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors: they know how to code, but their campaign relies more on the creative use of tools that exist already, than on new, advanced features or elaborate architecture of the code,” Legezo argued.

“However, even relatively simple tools can cause significant damage so we urge organizations to protect their valuable information and systems against all level of threats, and to use threat intelligence to understand how the landscape is evolving,”

There’s no word yet on how the malware is being spread, although it has been linked to a Farsi-speaking APT group known as Chafer, whose activity goes as far back as 2014.

The group is known to focus on domestic targets, although going after foreign embassies within the Islamic Republic represents a new approach.

Legezo urged organizations to arm themselves with: corporate-grade security, including capabilities to detect targeted attacks, enhanced security awareness training for employees and up-to-date threat intelligence data.

Categories: Cyber Risk News

Kwik-Fit in Trouble After IT Systems Go Down

Fri, 02/01/2019 - 10:32
Kwik-Fit in Trouble After IT Systems Go Down

UK car repair shop chain Kwik-Fit has suffered a serious cyber-attack which seems to have put its IT systems out of action for most of the week, angering customers.

A spokesperson told the BBC that the firm first experienced “some issues with a virus in our IT network” last weekend.

“This affected a number of our systems but in the interest of ongoing security we can't confirm the source of the problem,” the statement continued.

"We have been working to get our operational systems back up and running normally and while there is still some disruption, our centers are open as usual."

However, in a Twitter message on Thursday to one of many irate customers, the firm admitted its systems were still down, meaning the individual wasn’t able to access an online MOT booking service.

“Unfortunately we don't have a time for this, but our team are working as hard as they possibly can to get this sorted. Apologies that we can't provide any further information for you,” the message read.

Given the scale of the problem and the delay in getting systems back online, ransomware would be an obvious guess as to what kind of “virus” Kwik-Fit has been subject to.

Darren Williams, CEO and founder of BlackFog, claimed the attack has directly impacted customer trust and the firm’s bottom line, with appointments cancelled and the call center apparently overwhelmed with complaints.

“This will continue to happen as more and more firms around the globe become entirely dependent upon technology to run their business,” he added. “Hackers have become increasingly sophisticated and are attacking organizations from all directions. So, firm’s need a multi-layer defense system.”

Categories: Cyber Risk News

UK Consumers Not Happy with PSD2 Fraud Rules

Fri, 02/01/2019 - 10:06
UK Consumers Not Happy with PSD2 Fraud Rules

UK consumers could undermine attempts by EU regulators to improve fraud screening, according to a new survey from FICO.

The predictive analytics firm polled 500 consumers in the UK, Germany, Spain and Sweden to better understand their attitudes to the new PSD2 banking regulations.

A key part of these rules is a new requirement on banks, card issuers and payment service providers (PSPs) to enforce so-called Strong Customer Authentication (SCA). This means that when a user comes to pay for something online, they will be challenged with an extra two-factor authentication step.

However, just half (53%) of UK consumers polled said they would give their bank their mobile number. This is necessary to support the one-time passcode systems that many lenders may choose to comply with SCA.

Among the reasons they gave were that it’s “not secure or intelligent,” would be too complicated, others could access it and that there’s poor mobile coverage where they are.

Nearly 70% said they think there’s already enough or too many security checks on card payments.

Consumers are certainly right to be wary of this kind of 2FA. Hackers have grown increasingly adept at circumventing security by intercepting one-time codes sent by SMS. This happened to Reddit administrators last August, allowing attackers to compromise staff accounts en route to sensitive customer data.

The FICO poll’s findings seem to suggest that pushing customers into choosing a particular authentication method could be a mistake.

“While it is true that the majority would comply in providing their mobile phone, those that choose a different course of action could have a considerable negative impact on the business,” the firm argued. “A successful SCA strategy should allow customers choice whenever possible and shouldn’t deprive them of service if they are unable or unwilling to adopt a particular method.”

However, not all transactions have to be covered by SCA. Exemptions apply for those under €30, recurring transactions,and those deemed “low risk,” among other types.

Another option would therefore be to invest in sophisticated fraud prevention tools which can monitor and report on transaction risk levels, screening each one to minimize the number of times customers must go through SCA.  

This is the Holy Grail for banks, PSPs and merchants: delivering low friction and fraud and maximizing sales in the process.

The new SCA rules take effect in September this year.

Categories: Cyber Risk News

China, Russia Drive Increased Cyber-Threats to US

Thu, 01/31/2019 - 18:20
China, Russia Drive Increased Cyber-Threats to US

Leaders of six US intelligence agencies testified in front of the Senate Intelligence Committee on January 29, asserting that cyber-threats have evolved, particularly coming from China and Russia.

At issue is the collection and protection of data that can be leveraged in cyber-warfare, a concern expressed by the US Air Force as well. “We are now living in a new age – a time characterized by hybrid warfare and weaponized disinformation, all occurring within the context of a world producing more data than mankind has ever seen,” said Sen. Richard Burr (R-NC), chairman of the Senate Select Committee on Intelligence, according to Air Force Magazine. “Tomorrow, it’s going to be deep fakes, artificial intelligence, and a 5G-enabled internet of things with billions of internet-connected consumer devices.”

In his prepared opening stated, director of national intelligence Dan Coats wrote, “Our adversaries and strategic competitors will increasingly use cyber capabilities – including cyber espionage, attack and influence – to seek political, economic and military advantage over the United States and its allies and partners.”

Among the foreign adversaries that have expanded their cyber-espionage and intelligence activities are China, Russia, Iran and North Korea. According to Coats, China and Russia pose the greatest threats to the US, though Iran and North Korea remain paramount concerns.

“At present, China and Russia pose the greatest espionage and cyber attack threats, but we anticipate that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence US policies and advance their own national security interests,” Coats wrote.

Those threats also extend to the US military and critical infrastructure. “China remains the most active strategic competitor responsible for cyber espionage against the US Government, corporations, and allies. It is improving its cyber attack capabilities and altering information online, shaping Chinese views and potentially the views of US citizens.”

The potential that adversaries will again attempt to meddle in the 2020 presidential election remains a top concern among intelligence leaders who anticipate that “US adversaries and strategic competitors almost certainly will use online influence operations to try to weaken democratic institutions, undermine US alliances and partnerships and shape policy outcomes in the United States and elsewhere.”

Categories: Cyber Risk News

Japan to Hack IoT Ahead of 2020 Olympics

Thu, 01/31/2019 - 17:22
Japan to Hack IoT Ahead of 2020 Olympics

The Japanese government approved an amendment to allow government workers to hack into citizens’ internet of things (IoT) devices as part of efforts to improve cybersecurity ahead of the 2020 Tokyo Olympics.

Beginning next month, devices in people’s homes and offices will be subject to government scrutiny, whereby members of the National Institute of Information and Communications Technology will create usernames and passwords as they try to hack into upwards of 200 million devices, such as routers and webcams, according to NHK World.

According to a report from the Ministry of Internal Affairs and Communications Cyber-Security Office, two-thirds of the cyber attacks in Japan in 2016 targeted IoT devices. The heightened risk to connected devices at high-profile events like the Olympics has sparked a desire to mitigate risks with a heightened degree of urgency.

“IoT security is one of the greatest challenges we face today. IoT has gone unregulated and largely unsecured to date. That, paired with the sheer number and types of the devices being networked and connected to cloud interfaces and on-the-internet APIs and you have a perfect storm. A radical shift in approach is needed,” said Ashish Gupta, CEO, Bugcrowd.

“In Japan, which will soon be hit with an influx of visitors for the Olympic Games, the government has taken decisive action to make its citizens and visitors more secure. It’s not the first time a government has stepped in to help improve security for the country – this approach is similar to what Australia did with the hajime worm in 2017.

“While this is relatively novel to take this approach at this scale, many organizations take a similar approach – albeit on a smaller scale – and for good reason. Employee negligence when it comes to security is one of the biggest cybersecurity risks to businesses. Having a robust and proactive security posture is critical in today’s climate.”

Categories: Cyber Risk News

Matrix Ransomware: A Threat to Low-Hanging Fruit

Thu, 01/31/2019 - 16:53
Matrix Ransomware: A Threat to Low-Hanging Fruit

In its 2019 Threat ReportSophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that is flying under the radar, is one such threat that has been observed targeting single machines.

The recent ransomware report, published by SophosLabs, identifies brute-force attacks on weak remote desktop protocols (RDP) as the common thread between various strains of targeted ransomware, including Matrix, BitPaymer, Dharma, SamSam and Ryuk.

Matrix doesn't spread through an organization like SamSam, however. “The attackers’ ransom demands are not embedded within the ransom note. Atypically, the threat actors require victims to contact them first, and submit some of the encrypted files from the victim’s computer, and only then provide the victims with a Bitcoin address and the ransom amount,” the report said.

Though not as sophisticated as more popular attacks, Matrix comes equipped with additional tools that help it to carry out its attack.

“The malware executable bundles within itself several payload executables it needs to accomplish its tasks. It uses RDP within the networks it has infected once it has gained a foothold inside the network. Among the embedded components are some free, legitimate systems administrator tools the malware uses to achieve some of its goals,” the report said.

Interestingly, the malware authors seem to lack a level of professionalism notable in other malware authors, such as those who penned SamSam. With Matrix, researchers have seen several changes and mistakes during their monitoring of 96 samples of the malware. In some cases, the authors completely abandoned features that they had experimented with.

Also, the malware doesn’t seem to have a particular geographical distinction. “The country where the most customers encountered the malware was the United States (27.7% of Matrix detections came from the U.S.), followed by Belgium (16.7% of the detections),” the report said, but it has also been detected on machines in Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.

The researchers reportedly played the role of a victim and contacted the malicious actors who demanded they pay that day's value of a Bitcoin and refrain from asking "stupid questions." However, "the authors' initial sassy attitude eventually morphed to a kind of desperation, as they continued to email us and dropped their ransom demand by nearly a third after we stopped responding to their messages."

Categories: Cyber Risk News

Report: Majority of Small UK Businesses ‘Ignoring GDPR Risks’

Thu, 01/31/2019 - 13:25
Report: Majority of Small UK Businesses ‘Ignoring GDPR Risks’

Most small businesses in the UK have not updated or reviewed their data security and privacy policies since the GDPR came into force, according to new research from tech firm Appstractor.

The Under Attack: Assessing the struggle of UK SMBs against cyber criminals report assessed the views of 500 IT bosses at small UK companies and revealed the majority are ignoring GDPR risks seven months after the new rules were officially introduced.

Three quarters of those polled said their company is yet to take any action to improve how they store data, with a quarter of businesses having no plans to do so at all.

The findings make for concerning reading, particularly given research published by the Federation of Small Businesses prior to GDPR coming into force which claimed that 90% of small business were not GDPR-compliant.

Paul Rosenthal, CEO of Appstractor, said: “Small businesses have long been in denial about the threat they face from cyber-criminals and it seems this denial has carried over into the risk GDPR carries.

“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk. The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.”

Whatever steps they decide to take, smaller businesses should at least be reviewing how they gather, store and secure customer data to ensure they are as compliant as possible, Rosenthal added. “Unfortunately, it seems many are not taking GDPR seriously enough which could have serious consequences.”

Categories: Cyber Risk News

US Launches Major Effort to Disrupt North Korean Botnet

Thu, 01/31/2019 - 10:54
US Launches Major Effort to Disrupt North Korean Botnet

The US authorities have begun notifying victims of a notorious botnet run by North Korean state-sponsored hackers, as their efforts to disrupt the hermit nation's malicious activity increase.

A court order allowed the FBI and officers from the US Air Force Office of Special Investigations (AFOSI) to operate servers mimicking other peers in the Joanap botnet.

This enabled them to map the extent of the botnet and where infected machines are. The next stage is to notify the owners of those machines, most of whom will have no idea they’re unwittingly aiding a foreign power’s hacking campaigns.

The FBI is coordinating this process via ISPs and in some cases direct communications with the individuals, as well as communicating with foreign governments in cases where victims live abroad.

The Joanap botnet has been in operation since 2009, enabled by the first-stage Brambul worm which targets poorly secured Windows machines.

The latter spreads via a list of hard-coded log-in credentials, which it uses to brute-force its way into SMB shares. Once Joanap is dropped it goes on to scan for other potential victims.

The Joanap malware is a fully functional RAT able to receive multiple commands and linked by the US authorities to North Korean "Hidden Cobra" actors.

It enables them to exfiltrate data, drop additional payloads, initialize proxy communications on a compromised Windows device, manage files, processes and nodes and create and delete directories.

According to a US-CERT alert in May 2018, Joanap had been found on 87 compromised network nodes in countries including China, Spain, Sweden, India, Brazil and Iran.

“Our efforts have disrupted state-sponsored cyber-criminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said US Attorney Nicola Hanna.

“While the Joanap botnet was identified years ago and can be defeated with anti-virus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cyber-criminals from using botnets to stage damaging computer intrusions.”

Categories: Cyber Risk News

Airbus Staff Caught in Data Breach

Thu, 01/31/2019 - 10:21
Airbus Staff Caught in Data Breach

Airbus has revealed it has been the subject of a cyber-attack affecting its commercial aircraft business, which has compromised employee information.

The aerospace giant revealed in a brief statement that it had notified the relevant authorities, mindful of the need to contact GDPR regulators within 72-hours of discovering a breach.

However, there’s not much else to go on.

It claimed that a cyber-incident on the IT systems of its commercial aircraft business resulted in unauthorized access to data.

“This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins,” it continued.

“Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.”

Airbus staffers, of whom there are roughly 130,000 worldwide, have been told to “take all necessary precautions going forward.” However, there’s no word yet on whether the incident was more serious in scope.

Alongside US firm Boeing, the European giant is the world’s leading manufacturer of commercial aircraft for carriers, delivering a record 800 planes to 93 customers in 2018.

That could make its IP of great value to hackers, according to Max Vetter, chief cyber officer at Immersive Labs.

“A huge amount of capital is poured into R&D in such organizations, a cost which malicious actors can circumvent by trying to steal the resulting data,” he argued.

“It is known that some nation states have been using this kind of espionage to speed up the production of technology for years. For this reason, it is crucial that technical countermeasures and cyber-skills are continually refined to keep pace with attackers."

Airbus claimed, however, that the attack had made “no impact” on its commercial operations.

Back in 2015, Airbus was forced to issue an Alert Operator Transmission (AOT) to all operators of a new A400M cargo plane to check the software in their engines, after a fatal crash on a test flight in Spain.

Categories: Cyber Risk News