A new survey from Varonis has revealed that almost half of IT pros expect their organization to suffer a major, disruptive attack in the next 12 months – though the vast majority are confident in their cybersecurity stance and believe their company is in a good defensive position.
The firm quizzed 500 IT decision makers in the UK, Germany, France and US to gauge security practices and expectations following the widely-publicized Equifax and WannaCry breaches earlier this year.
Whilst, on the surface, the findings make for positive reading with regards to how well companies have reacted in the wake of both attacks, Varonis is quick to point out some glaring disconnects between security expectations and reality.
For example, whilst 85% of respondents said their business had either changed or planned to change security policies and procedures in response to incidents such as WannaCry, in actuality four in 10 organizations are still failing to fully restrict access to sensitive information on a need-to-know basis.
“It is encouraging that IT professionals are understanding that it’s a matter of when, not if, their organization will be hit with a damaging cyber-attack,” said John Carlin, former assistant attorney general for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice. “However, their level of confidence when it comes to security is inconsistent with what we see in practice. The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”
Looking ahead to 2018, data theft and data loss were cited as top concerns for organizations, unsurprising considering that 25% of respondents said their company had suffered ransomware with 26% reporting the loss or theft of company data in the past two years.
“Attackers are upping their game, using more sophisticated, blended attacks like WannaCry and NotPetya that make use of multiple attack vectors,” said Varonis CMO David Gibson. “At the same time, valuable data remains vulnerable to attacks that require little to no sophistication, like disgruntled employees snooping through overly accessible folders. While it’s heartening that major security incidents are inspiring preparedness, if the past year is any indication, it is unlikely the actual security of these organizations aligns with perception.”
Under-fire credit agency Equifax has seen profits tumble 27% year-on-year and costs spike by tens of millions during the previous quarter following a major data breach at the company revealed in September.
Third quarter profits stood at $96.3m, down over a quarter from the same period in 2016.
However, costs associated with the massive data breach earlier in the year reached $87.5m: $55.5m in “product cost”, $17.1m in professional fees and $14.9m in consumer support.
It clarified in a statement:
“Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred.”
The bad news is not over for Equifax. The firm claimed to have incurred $4.7m in costs as a result of offering free credit file monitoring and identity theft protection to all US consumers. However, this will soon rise to between $56m and $110m, the firm claimed.
Despite the major disruption to its business, Q3 revenues went up 4% to reach $834.8m, although this was below its previous forecast of 6%-7% growth.
Equifax claimed Q4 revenue would also be down by 3%-4% thanks to the breach and subsequent costs.
The stats will be yet another reminder of the high price organizations must pay for cybersecurity failings that lead to serious data breaches.
Equifax has been widely criticized for its incident response following the breach, but the firm has also admitted that the intrusion stemmed from a failure to patch a known web app vulnerability in its US online dispute portal.
The software flaw in Apache Struts was identified and disclosed by US CERT in early March 2017, and Equifax claimed it “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure”.
However, the bug apparently remained unpatched until it was spotted again after the firm investigated “suspicious network traffic” in July.
Malwarebytes is celebrating victory after a US judge ruled in its favor in a legal battle with a software company over potentially unwanted programs (PUPs).
District Judge Edward Davila dismissed Enigma Software Group’s case late last week after the firm had sued Malwarebytes for classifying two of its products as PUPs.
PUPs are often downloaded willingly by users but only because they’re linked to applications they genuinely want. PUPs often feature spyware and adware-type programs.
Enigma alleged “false advertising in violation of the Lanham Act, tortious interference with contractual relations and tortious interference with business relations” after Malwarebytes blocked its SpyHunter and RegHunter tools.
However, the anti-malware vendor secured the legal victory after arguing that its actions are protected by the immunity provisions of the Communications Decency Act based on the Ninth Circuit’s opinion in “Zango, Inc. v. Kaspersky”.
That case saw Kaspersky Lab accused of a similar infraction by adware firm Zango — a case the Russian AV vendor won.
“The reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users,” said Malwarebytes co-founder Marcin Kleczynski in a statement. “This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.”
SpyHunter is listed as an anti-spyware program for Windows PCs, however, users online complain of not being able to remove it once installed on their computers.
This isn’t the first lawsuit Enigma has been involved in. It sued tech site Bleeping Computer in 2016 after it posted a negative review. Bleeping Computer sued back and eventually the two parties settled out of court.
It’s believed Enigma will appeal the California court’s decision in the Malwarebytes case.
A study of dark web markets by Google has found millions of usernames and passwords that were stolen directly through attacks, and billions of usernames and passwords indirectly exposed in third-party data breaches.
The research, conducted between March 2016 and March 2017 in partnership with the University of California at Berkeley, involved creating an automated system to scan public websites and criminal forums for stolen credentials.
The researchers identified 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing and 3.3 billion credentials exposed by third-party breaches. Also, in the case of the third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password.
Also, as account reset often requires a third factor like a phone, 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.
Google said that the research has enabled it to apply security protections to prevent 67 million Google accounts from being abused.
Lisa Baergen, director at NuData Security, said: “This news affects every company, in every sector. Many people (including employees) continue to reuse usernames and passwords across many sites. Is it time for employer policies that prohibit the employee’s use of off-duty passwords for corporate email accounts, and likewise, the use of workplace emails as secondary verification for personal accounts? A leap from a user’s personal Gmail account into their workplace account sets up a scenario for new levels of successful Whale Phishing.
“The news of ongoing, massive-scale theft of Gmail credentials should be a wake-up call that it’s time to fundamentally re-think authentication, and incorporate continuous validation techniques using data that can’t be mimicked, such as passive biometrics. Email contains so much strategic information – it’s time to equip that ubiquitous yet critical application with the security it deserves.”
Europol boss Rob Wainwright has warned that ransomware attacks now number as many as 4000 per day, with cybercrime operations large and sophisticated enough to threaten critical infrastructure.
Speaking at the Web Summit conference in Lisbon, the director of the EU agency claimed the financial sector is particularly at risk from crime “conglomerations” with corporate structures, featuring specialized groups.
This has enabled a doubling or tripling of various threats on an almost annual basis, he claimed.
“What really concerns me is the sophistication of the capability, which is becoming good enough to really threaten parts of our critical infrastructure, certainly in the financial, banking sector,” Wainwright told Reuters.
“The real threat comes from a sort of exponential, remorseless increase in the scale and significance of cyber-criminal capability.”
The majority of cyber-criminals Europol faces are Russian speaking, he added.
“There is this sort of cyber-criminal underworld that’s a lot bigger and smarter and adept than most people think,” Wainwright said. “And, against it, we still have generally low cyber security standards.”
The biggest recent threat to critical infrastructure came from the WannaCry and NotPetya attacks of May and June, which used leaked NSA exploits to spread worm-like around the world.
A recent National Audit Office (NAO) report revealed that over a third (34%) of NHS Trusts and nearly 600 GP practices were disrupted because of WannaCry — which could have been stopped with a simple Microsoft patch.
Simon Rodway, consultant at security firm Entersekt, said the existence of criminal conglomerates has been known about in the industry for some time.
“This is one of the reasons why we believe innovation in terms of digital security solutions is crucial,” he added. “For financial institutions, implementing solutions that provide strong authentication and authorization measures can protect customers from cyber-attacks that are indeed becoming increasingly sophisticated.”
US Deputy Attorney General, Rod Rosenstein, has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers.
The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people.
Deceased suspect Devin Kelley’s mobile phone is now in the hands of investigators, but they can’t access it — a similar situation to the one following the mass shooting in San Bernardino which resulted in a court room standoff between Apple and the FBI.
It’s now widely understood that there’s no way for an Apple, Facebook or other tech provider to engineer backdoors in encrypted systems that would allow only police to access content in cases such as these, without putting the security of millions of law-abiding customers at risk.
However, that hasn’t prevented Rosenstein becoming the latest senior US government official to call on technology companies to implement backdoors.
“As a matter of fact, no reasonable person questions our right to access the phone. But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge,” he told a meeting of local business leaders in Maryland.
“Maybe we eventually will find a way to access the data. But it costs a great deal of time and money. In some cases, it surely costs lives. That is a very high price to pay.”
For its part, Apple has maintained that it works closely with law enforcement every day, even providing training so that police better understand the devices and know how to quickly request information.
However, it is standing firm on the matter of backdoors, aware that breaking its own encrypted systems for US police would likely lead to a stream of requests from other regions including China.
It’s also been suggested that cyber-criminals or nation state actors could eventually get their hands on any backdoors, which would be catastrophic for Apple and its users.
The University of East Anglia has suffered its second serious data leak this year after personal details of a member of staff were sent to 300 postgraduate students.
The incident seems to have happened when an administrator accidentally used an email distribution list, sending the missive to research students in the social science faculty.
A second email was sent asking the recipient to respect the privacy of the individual in question, whose health details were revealed, and to treat it as confidential.
“This message was sent to you in error, and due to the sensitive nature of its contents, we have worked with colleagues in ITCS to remotely extract the message from all recipients’ accounts...
“The university’s data protection team are investigating this incident as a data breach, and we will look into how and why it occurred, and what can be done to ensure the mistake is not repeated.”
The incident, which occurred last Sunday, came just weeks after privacy watchdog the ICO ruled it would take no further action in a similar case which occurred in June.
Back then, a university staff member accidentally shared highly sensitive details on 40 undergraduate students given essay extensions to over 300 American Studies students.
The spreadsheet in question apparently contained information including students’ suicidal thoughts and recently deceased relatives. It was also sent in error due to the use of distribution lists.
An associate tutor at the university told the Norwich Evening News that the data protection training introduced after the previous breach consisted of a mere eight question multi-choice quiz.
“It’s ridiculous and they haven’t learned the lessons of the previous breach,” they said. “The ICO decision was rubbish, and it’s happened again, not even a few months later.”
Thomas Fischer, global security advocate at Digital Guardian, said the incident heightens the need for “data aware” security technologies in the education sector.
“This would help protect data at source, removing the risk factor associated with human error and insider threats. Had the University of East Anglia had such technologies in place, it could have prevented highly sensitive information from being sent without prior approval and prevented it from being opened by the recipients,” he added. “Universities have a duty of care to their staff and students so must better prioritize data protection so that mistakes like this don’t happen again.”
Adenike Cosgrove, EMEA cybersecurity specialist at Proofpoint, argued that breaches are fundamentally a governance issue.
“Organizations must combine information security with data governance programs that identify, classify and protect critical and sensitive data assets,” she added. “Technologies like encryption and Data Loss Prevention (DLP) provide automated controls that protect the processing and storage of confidential information. Only by leveraging technology controls, can the likelihood of data exposure be reduced.”
Human error is by far the number one cause of incidents reported to the ICO, according to FOI request data.
The 14th annual NYU Cybersecurity Awareness Week (CSAW) games have commenced, drawing the top cybersecurity students from around the globe.
The Downtown Brooklyn campus of New York University Tandon School of Engineering is hosting top student white hats and researchers for round-the-clock challenges designed to test a broad range of computer security skills. Last year, the event was expanded to include events at NYU Abu Dhabi and the Indian Institute of Technology (IIT Kanpur). This year it’s even bigger, with five global sites, including Valence, France, at Grenoble INP-Esisar, one of six engineering schools of the Grenoble Institute of Technology; and Ben-Gurion University in the Negev, Israel’s “cyber alley.”
With hackers influencing politics, holding personal devices ransom, stealing the personal data of entire populations and threatening institutions, costing businesses $400 billion per year, the demand for information security experts has never been higher.
To encourage interest in the space among those soon to enter the workforce, CSAW highlights include High School Forensics, where 10 teams of US high school students, including an all-female team, will find a skeleton in the Maker Space at NYU Tandon. They must use cybersecurity skills and a clue scrawled on a piece of paper to find out who was responsible for the murder. Nineteen teams will compete at NYU Abu Dhabi and Grenoble-INP Esisar.
The signature event of CSAW, Capture the Flag, or CTF, runs for 36 straight hours, as 15 US college student teams hack through the night in a difficult test of both offensive and defensive security skills. NYU Abu Dhabi, IIT Kanpur and Ben-Gurion University will also host CTF finalist teams.
Also, the toughest event at CSAW tackles one of the most frightening security threats: malware embedded in the underlying hardware of electronic devices. For this year’s event, sponsored by the United States Office of Naval Research, teams from North America, Europe, Middle East & North Africa, and India will compete simultaneously at NYU Tandon, Grenoble-INP Esisar, NYU Abu Dhabi and IIT Kanpur.
Rounding out the agenda: A Cyber Journalism Award; a career fair where the companies, not the attendees, work to impress; and a Law & Policy Competition, where four finalist teams present their public policy solutions designed to make it easier for companies to improve data security and protect consumer privacy.
A Windows Movie Maker scam has gone global, thanks to having a high Google ranking.
Amid continuing demand for Windows Movie Maker, Microsoft’s free video editing software that was discontinued in January 2017, ESET found that scammers are hawking a modified version of the software, built to bilk money from unsuspecting users. Interestingly, the spread of the scam has been boosted by search engine optimization of the crooks’ website.
When users install this particular software, they appear to get a functioning Windows Movie Maker—but it continuously prompts the user to “upgrade to the full version” in order to access all features. The upgrade will set victims back $29.95, in what is presented as a 25% discount on the payment website.
ESET said that the website spreading the modified software, windows-movie-maker.org, comes up as one of the top results when searching for “Movie Maker” and “Windows Movie Maker” on Google. On Bing, the search engine with the second largest global market share, the website is also placed on the first page of results. As a consequence, the crooks behind the scam have “managed to reach a global audience,” ESET noted.
Those who have already installed the bogus Movie Maker version should uninstall it and run a scan using a reputable anti-malware solution. Users could also consider using the official replacement for the discontinued software, in this case Windows Story Remix.
ESET recommends that to avoid falling victim to similar scams, users should always stick to official sources when downloading software.
“If you really need to use a piece of software that’s no longer distributed by its original maker, make sure you use a reliable security solution to detect and block malicious content, and don’t pay for software that is or was officially offered for free,” researchers said. “Information on software pricing should be available online.”
Poor mobile app development practices have created the Eavesdropper vulnerability, which has resulted in a large-scale data exposure from nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today.
The affected Android apps alone have been downloaded up to 180 million times.
According to researchers at Appthority, Eavesdropper is caused by developers hard-coding their credentials in mobile applications that use the Twilio REST API or SDK, despite the best practices the company outlines in its documentation. As a result, those applications give full access to all records stored in the Twilio backend for the developer’s account.
Over the lifetime of the apps and the developer’s use of the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data, including hundreds of millions of call records, minutes of calls, minutes of call audio recordings, and SMS and MMS text messages.
“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of security research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white-label navigation apps for customers such as AT&T and US Cellular.
Further, Appthority said that the issue is not specific to developers who create apps with Twilio.
“Hard-coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps,” said Appthority researchers, in an analysis. “[We] are finding that developers who hard-code credentials in one service have high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.”
Notably, Eavesdropper does not rely on a jailbreak or root of the device, nor does it take advantage of a known OS vulnerability or attack via malware. Rather, this vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks.
Twilio has reached out to all developers with affected apps and is actively working to secure their accounts. Unfortunately, Eavesdropper isn’t resolved by removing an affected app from the app store or user’s devices. The lifetime of the app’s data and the data from other apps created by that developer is exposed, until the credentials for all apps are properly updated and, of course, not disclosed in clear text in the apps.
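The class of mistake described above (a Twilio account SID and auth token shipped inside an app binary) is easy to catch before release. The following is an added example, not Appthority's or Twilio's code: a small scanner a defender can run in CI over the strings extracted from an app build. The credential formats it looks for (Twilio "AC"/"SK" + 32 hex, a bare 32-hex secret, AWS "AKIA" + 16 characters) and the sample strings are assumptions and constructed test data, not values from the page.

```python
import re
from typing import List, NamedTuple

# Assumed credential formats (not stated on the page): a Twilio Account SID is
# "AC" + 32 hex chars, an API Key SID is "SK" + 32 hex, an auth token or API
# secret is a bare 32-char hex string. AWS access key IDs (the S3 case the
# page mentions) are "AKIA" + 16 upper-case alphanumerics. The look-arounds on
# the secret pattern stop it matching a 32-char slice of a longer hash such as
# a 40-hex git commit id.
PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "twilio_api_key_sid": re.compile(r"\bSK[0-9a-f]{32}\b"),
    "twilio_secret": re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str   # never echo the full secret into build logs
    severity: str


def mask(value: str) -> str:
    """Keep only the first and last four characters of a credential."""
    return value[:4] + "..." + value[-4:]


def scan_strings(text: str, window: int = 5) -> List[Finding]:
    """Scan extracted strings (e.g. `strings` output of an APK or IPA binary).

    A SID alone is "medium": it is not a secret but identifies the account.
    A 32-hex secret within `window` lines of a SID is "critical", because the
    pair grants REST API access to the account's historical call and SMS
    records; a lone 32-hex string is "low" (it is often just an MD5 hash).
    """
    lines = text.splitlines()
    hits = []  # (line_no, kind, raw_value)
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((line_no, kind, match.group(0)))

    sid_lines = [n for n, kind, _ in hits if kind.endswith("_sid")]
    findings = []
    for line_no, kind, value in hits:
        if kind == "twilio_secret":
            paired = any(abs(line_no - s) <= window for s in sid_lines)
            severity = "critical" if paired else "low"
        elif kind == "aws_access_key_id":
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(line_no, kind, mask(value), severity))
    return findings


def build_gate(text: str) -> bool:
    """Return True when the build may ship (nothing rated high or critical)."""
    return not any(f.severity in ("critical", "high") for f in scan_strings(text))


# Constructed sample resembling strings pulled from a decompiled app; the
# credential values are fabricated (built from repeated characters).
FAKE_SID = "AC" + "a" * 32
FAKE_TOKEN = "0123456789abcdef" * 2
SAMPLE_STRINGS = "\n".join([
    "https://api.twilio.com/2010-04-01/Accounts/",
    "twilio.account_sid=" + FAKE_SID,
    "twilio.auth_token=" + FAKE_TOKEN,
    "Content-Type: application/json",
    "build.commit=7f3e2c1a9b8d4e5f6a7b8c9d0e1f2a3b4c5d6e7f",  # 40-hex, not a hit
    "com.example.navigation.MainActivity",
])

if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(finding)
    print("build may ship:", build_gate(SAMPLE_STRINGS))
```

A hit means the token must be rotated on the provider side as well as removed from the app, since, as the article notes, the historical records stay exposed until the credentials are changed; the app should instead call a backend you control that holds the Twilio credentials.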
Unfortunately, Eavesdropper is just the latest data leakage discovery by Appthority; researchers also recently identified the HospitalGown vulnerability, which exposed a massive 43 terabytes of data (some of which was ransomed) on over 21,000 backend servers. Appthority also recently highlighted risks associated with platform services such as Uber, and the low adoption of encryption standards such as App Transport Security. These are just a few examples of data and privacy risks that require a thorough analysis of mobile apps to identify mobile threats to enterprise data and privacy.
“The complexity of computing environments and software applications means in both instances, developers and system admins are relying on third-party code and infrastructure to enable services,” said Chris Morales, head of security analytics at Vectra, via email. “The risk of all third-party services is exposure through unknown system and application vulnerabilities, be it APIs used in software development or cloud infrastructure used for hosting those applications and data. It is critical for organizations to perform their own security assessments of third-party services and to provide a form of external monitoring of activities on these services, independent of the service provider. Don’t trust your third-party providers. Monitor what happens in those environments for unapproved behaviors.”
The Scottish government has announced an ambitious plan to improve the cybersecurity of the nation’s public sector bodies.
The new document, Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland, describes an action plan for 2017-18.
Drawn up by the government north of the border and the National Cyber Resilience Leaders’ Board, it aims to establish a culture of cyber resilience within the public sector.
“While many Scottish public bodies already have sound standards of cybersecurity in place, our aim is for the Scottish public sector as a whole to become an exemplar in this field over time,” said deputy first minister, John Swinney, in a statement.
“By undertaking the actions set out in this plan, Scottish public bodies will be committing to implementing a common approach to cyber resilience, offering greater assurance to those who make use of our digital public services.”
The plan includes measures designed to improve baseline security such as ensuring public bodies: join the NCSC’s Cybersecurity Information Sharing Partnership (CiSP); undergo Cyber Essentials “pre-assessments”; have training and awareness-raising arrangements in place; draw up incident response plans; and implement the NCSC’s Active Cyber Defence Programme.
The latter is a list of four measures including implementation of DMARC; scanning of websites via the NCSC-built Web Check tool; DNS blocking using GCHQ and private sector intelligence; and phishing and malware mitigation in collaboration with Netcraft.
The Scottish government action plan also focuses on securing the supply chain, such as recipients of public grants, and will create a Dynamic Purchasing System for Digital Services including cybersecurity — to ensure all public bodies have access to the right expertise.
David Stubley, CEO of Scottish cyber consultancy 7 Elements, told Infosecurity: "The new cyber action plan shows that the Scottish Government takes the digital security of the country seriously and is a great start in making Scotland the safest place to be online."
The plan will be followed by similar reports for the private and third sectors, and has itself been accelerated after the WannaCry attacks of May this year, which affected 11 out of 14 Scottish health boards.
Cyber-criminals will up their game in 2018 to drive profits, targeting IoT systems and installing ransomware on mission critical POS systems, according to Forrester Research.
The analyst house claimed in its Predictions 2018 report for cybersecurity that attackers will look to ransomware to generate profits from POS as the EMV standard and end-to-end encryption systems take hold, making it virtually impossible to scrape card data.
“Work with your incident responders and disaster recovery teams to ensure you understand and have tested your ability to recover systems and data in the event of a ransomware attack,” the analyst argued. “Paying the ransom is not an option you want to take, as there is no guarantee you can trust the cyber-criminal to release your systems and data; you also mark yourself as an easy target for a future attack.”
The report also warned that financially motivated hackers will aim to launch ransomware and data-stealing attacks at IoT systems, as well as looking to compromise them to launch DDoS.
Forrester warned that organizations have been slow to react to systemic problems raised by Mirai, with time-to-market still trumping security too often.
Security professionals should focus their efforts on plugging the gaps exposed by default passwords, weak encryption implementations and inadequate patching/remediation capabilities.
There was also mention of the forthcoming EU GDPR, with Forrester warning that firms which try to hunt insider threats too aggressively could end up being sued by employees.
Firms must remember that employee data is personal data and therefore covered by the GDPR — so a fine balancing act is required to protect employee privacy whilst minimizing the risk of insider-related breaches.
“Document what you monitor, how, why — and be sure to inform employees about monitoring,” the report advised. “Ask your tech vendor if there are capabilities in the product to address employee privacy requirements and prevent privacy abuse. Also assess the capabilities these tools have against tampering; question how you can trust the integrity of its alerts.”
The report also claimed the 2018 US midterm elections could be another major opportunity for hackers to disrupt, and will provide a clear indication of how resilient the US voting system is.
Young women in Europe, the US and Israel have decided before they are even 16 years old that they don’t want a career in cybersecurity, according to a new study from Kaspersky Lab.
The Russian AV firm interviewed 4000 young people from the UK, US, France, Germany, Italy, Spain, Israel and the Netherlands to compile its report.
It revealed that young men were much more likely than women to choose mathematics (49% vs 36%) and IT (21% vs 7%) as their preferred subjects at school.
What’s more, just 20% of respondents were clear on what a cybersecurity expert does, falling to just 16% for women.
There’s clearly still a perception and awareness issue here, evidenced by the fact that a third of young women interviewed said they thought IT security professionals are 'geeks', while a quarter think they are 'nerds'.
In total, 78% of young women surveyed said they’ve never considered a career in cybersecurity.
With just 11% of the cybersecurity professionals currently women and a shortfall of 1.8 million practitioners predicted by 2022, there’s a pressing need to change perceptions and encourage more into the industry.
However, this is going to be tough, especially as half of those surveyed said they’d prefer to work in an environment that has an equal male/female split.
“Helping women to develop the right skills at an education level certainly has an important role to play in overcoming barriers to entry, and a lot of previous reports into STEM subject uptake have discussed this at length,” argued Kaspersky Lab general manager, Adam Maskatiya.
“But we believe there’s also a need to change the industry’s image as a whole, and promote the careers within. An important part of that process is making the roles more visible and more enticing, and debunking the stereotype of IT security geeks sitting in a dark room hacking computers.”
The news comes as Israeli start-up Morphisec announced its inaugural Women in Cybersecurity Scholarships program this week in the US and Israel.
It's open to female students currently taking degree courses in cybersecurity, information assurance, information security, information systems security and other disciplines of computer science.
“Cybersecurity is a great career for women,” said program founder and Morphisec VP of products, Netta Schmeidler.
“The work is demanding and fast-paced but inherently flexible as to work day structure as well as types of work available: from deep research to sales, marketing and high level management, and the industry needs more women. Their diverse voices, viewpoints and opinions help drive innovation, improvement and resilience.”
Two execs who exited their Fortune 500 companies in the wake of massive security breaches (and who walked away with millions of dollars in exit package perks) are testifying on Capitol Hill in Washington.
The US Senate Commerce Committee will hear testimony on Wednesday from former Yahoo! chief Marissa Mayer, Equifax’s former CEO Richard Smith and Equifax interim CEO Paulino do Rego Barros, regarding the enormous cybersecurity breaches that hit their companies under their watches.
“Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity,” said Senator John Thune, chairman of the Commerce Committee, in remarks ahead of the hearing. “And there should be consequences if they fail to do so.”
In 2013 and 2014, when Mayer was at the helm, Yahoo! saw two massive data breaches in which billions of users' accounts were compromised. The incidents did not come to light until 2016, while Verizon was negotiating the purchase of major assets from the internet pioneer. At the time, it was revealed that 1 billion users—essentially, all of its users—had their names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers stolen; but just last month, Verizon issued an update via its Oath division saying the number of accounts affected was actually closer to 3 billion.
The committee reportedly resorted to subpoenaing Mayer to testify in the hearing, after she refused multiple requests to appear of her own free will.
In prepared remarks, she reiterated that Yahoo! “promptly” disclosed the breach and worked closely with law enforcement afterward; she also talked up how the company devoted “substantial resources” to security and outlined its bug bounty program.
“With an increasingly connected world also comes a new host of challenges, including a dramatic rise in the frequency, severity, and sophistication of hacking, especially by state-sponsored actors,” she said. “Throughout my tenure as CEO, we took our obligations to our users and their security extremely seriously. We worked hard from the top down and bottom up to protect our systems and our users…After I joined Yahoo, we roughly doubled our internal security staff and made significant investments in its leadership and the team. We hired strategically, filling our ranks with security specialists who focused on threat investigations, e-crimes, product security, risk management and offensive engineering.”
The rosy assessment stands in contrast to reports that the executive suite ignored repeated warnings from security staff about impending attacks and employee targeting.
Equifax meanwhile was the subject of the now-infamous data breach in July that compromised the sensitive financial and personal information of 145.5 million Americans (the majority of the country’s adult population) and 700,000 Britons—however, the company didn’t reveal the breach for more than a month. In that time period, four Equifax executives, including the firm’s CFO, were investigated and cleared for insider trading, after they sold shares just before the breach was announced and the company’s stock price dropped.
Equifax is responsible for determining credit scores based on people’s debt loads, credit repayment histories, credit availability and so on—and is one of three main companies that US financial institutions rely on to determine qualifications for mortgages and other loan approvals. The incident saw criminals make off with names, Social Security numbers, dates of birth and physical addresses, and potentially information on credit accounts, including the type of account, when it was opened, the limit, and the balance and payment history, and information on consumers' address history and debt.
In a summary given to lawmakers in the hearing, Mandiant, the company hired to carry out a forensic investigation of the Equifax incident, said that the hacking tactics don’t offer up any obvious fingerprints.
“Mandiant has not been able to attribute the identified attacker activity within the Equifax environment to any targeted threat actor group that Mandiant currently tracks,” the firm said in the report, obtained by Bloomberg. “The tools, tactics and procedures the attackers used did not overlap with attacker activity identified in previous Mandiant incident response investigations.”
Smith advocated in his prepared remarks for an industry standard placing control of access to consumers’ credit data in the hands of the consumers themselves—a scheme that would somewhat alleviate the burden on financial companies for data protection. He also argued against using the Social Security number as the default financial tracking mechanism in the US.
“Equifax’s free lifetime lock program will allow consumers, and consumers alone, to decide when their credit information may be accessed,” he said. “This should become the industry standard. Second, we should consider the creation of a public-private partnership to begin a dialogue on replacing the Social Security Number as the touchstone for identity verification in this country. It is time to have identity verification procedures that match the technological age in which we live.”
Despite the canned comments, it is likely that both execs will be grilled by the committee on their respective roles within the corporate culture surrounding security and consumer data protection—and what oversights were made that, if addressed, could have prevented the breach.
Smith for his part has been cooperative on this front with Congress so far—he has already appeared before four other congressional panels in recent weeks to discuss the anatomy of the incident.
While consumers fend off phishing attempts and worse stemming from the breaches, it should be noted that Mayer walked away from Yahoo! after the Verizon sale with an exit package of $260 million in stock options and other perks, including $23 million in severance payments.
Smith, 57, meanwhile exited his company, albeit under a cloud, with $90 million in retirement—or roughly 63 cents for every customer affected by the data breach. While he forfeited his 2017 bonus (estimated at around $3 million), he’ll collect $72 million this year alone and another $17.9 million in the coming years from vesting awards, according to Fortune estimates.
Karen Zacharia, deputy general counsel and chief privacy officer at Yahoo! parent Verizon, and Todd Wilkinson, president and CEO of Entrust Datacard, are also set to give sworn testimony.
The rise of the internet of things (IoT) and operational technology (OT) is causing serious anxiety for security and line of business (LoB) leaders, thanks to the negative business ramifications a security failure can have on critical business operations. Yet most organizations in a survey from Forrester Consulting lag when it comes to their security profiles in these areas.
According to the survey results, collected from more than 600 global enterprise businesses, 90% of companies are expecting to see their volume of connected devices increase over the next few years, but 77% agreed that the increased usage of connected devices creates significant security challenges.
For instance, 82% said that they struggle to identify all of their network-connected devices, and when asked who is primarily responsible for securing IoT, IT and LoB leaders did not have a clear answer or delineation of ownership. Additionally, over half of respondents (59%) said they are willing to tolerate a medium-to-high risk level in relation to compliance requirements for IoT security.
As a result, 76% of respondents said IoT-related anxieties are forcing them to rethink their IT and LoB security strategies. In all, more than half of respondents (54%) stated that they have anxiety due to IoT security, with LoB leaders having higher amounts (58%) compared to their IT counterparts (51%). Aside from an awareness of the magnitude of impact that a breach can have on enterprise operations, most are worried about the added costs and time needed to manage these devices, as well as a lack of security skills.
“The survey results demonstrate a dynamic shift in the way organizations are starting to think about security and risk as it relates to IoT,” said Michael DeCesare, president and CEO at ForeScout, which commissioned the survey. “Each new device that comes online represents another attack vector for enterprises and it only takes one device to compromise an entire network and disrupt business operations, which can impact the bottom line. Securing IoT is not just a cybersecurity issue, it is a business issue and operating at any risk level is too much. Enterprises need full visibility.”
Nonetheless, there are hurdles to overcome. IT and LoB respondents cited budget constraints (IT 45%; LoB 43%) as the greatest barrier to investing in IoT security, followed by senior leadership skepticism. The report found that, without the added investment, many security professionals will continue to rely on their traditional security approaches to protect IoT/OT (40%).
As for a best-practices path forward, the survey shows that a combination of top-down executive support, proper security tools and audits instills greater confidence in device visibility. In fact, 48% of all respondents stated that improving awareness and visibility of IoT devices is a top priority for improving IoT security, and 82% of respondents expect their IoT/OT security spend to increase over the next one to two years. When considering the adoption of IoT security solutions, more than half of the respondents (55%) said integration with existing security systems was the most important criterion.
“Businesses can already see the benefits of connecting devices to the network that were not traditionally connected to improve their business processes and functions,” the study noted. “Technological advancements have given rise to a deluge of new types of connected devices—i.e., internet of things (IoT)—which, in turn, introduce new security threats that enterprises are ill-equipped to combat and even recognize. With increased funding and a new security strategy focused on visibility and compliance, companies can begin taking strides forward to reduce their anxiety about IoT and regain confidence that their networks are secure.”
Cyber Monday is looming on the calendar, the date on which everyone goes online looking for sales and deals for the holiday season. Accordingly, the scammers and hackers are gearing up too.
In the US, Cyber Monday has evolved as a follow-on to Black Friday, which falls on the day after the Thanksgiving holiday in late November. Black Friday is America’s busiest shopping day of the year, with retailers officially opening up their festive season sales. Cyber Monday, which falls on the Monday after Thanksgiving, has quickly grown to be Black Friday’s equal in retail significance, and has since spread globally. In fact, according to DomainTools, nearly all (98%) of the UK population shops online and nearly a third (29%) plans to shop on Cyber Monday, with regional e-commerce players getting in on the action (despite there obviously being no Thanksgiving holiday weekend for retailers to tie it to).
Along with this enthusiasm however comes risk: In DomainTools’ survey, which queried 1,000 UK consumers, one in five admitted to having already been caught out by an online scam.
“Cyber Monday has grown in popularity year over year, and unfortunately, so has phishing and online counterfeiting,” said Tim Chen, CEO of DomainTools. “A range of techniques are used to trick shoppers into visiting a fake website or clicking on a malicious link. This can result in a shopper unintentionally sharing financial and personal information with these criminals or even downloading ransomware. As shoppers search for Cyber Monday deals, it’s important that they remember to look closely at links and email addresses before clicking.”
When asked if they had ever clicked on a link or email that turned out to be a scam, a fifth of survey respondents admitted that they had. When asked what happened as a result, over a quarter (27%) of victims’ computers were infected with viruses. In addition, 12% had their credit card information stolen, and a further 10% were tricked into buying a false product. Moreover, nearly a quarter know of someone else who has purchased fake goods from a website that they thought was legitimate.
“Email, in-app advertising and SMS campaigns are popular with big brands during the busiest shopping time of the year as a way to let consumers know about deals and the latest products,” said Chen. “The trouble is, cyber-criminals take advantage of this form of communication by combining look-alike branding with a deceptive domain name. They’re able to reach a broad audience and it only takes a few unsuspecting consumers to result in a successful phishing or malware campaign.”
Case in point: This week, a scam impersonating supermarket giant Asda swept across WhatsApp, duping users into clicking on a “coupon” and providing personal information in exchange for a phony £250 voucher.
The brands most likely to be spoofed this November likely correspond with the most popular online retailers in the UK, which according to the survey include Amazon (87%), Argos (46%) and Tesco (35%).
Chen explained how looks can be deceiving—many illegitimate sites look virtually identical to the real thing. This is where looking closely at the URL can make a real difference for staying safe online.
To stay safe, shoppers should first and foremost be paranoid: Assume links are dangerous, navigate directly to a company’s website instead of clicking on links in emails or social media and closely examine URLs and email senders for typos.
Organizations that use CCTV systems could be putting themselves at risk of breaching GDPR data protection and privacy requirements by failing to understand how the forthcoming regulations cover the collection of visual data.
Charlesworth highlighted the fact that because there has been little regulation governing CCTV systems (until now), there is a danger that users will fall short in their obligations to ensure safe usage under GDPR, which comes into force in just six months. What’s more, a lack of any compulsory CCTV registration process makes it difficult to gauge how many systems are actually being used in the UK, although research from Cloudview suggests the figure sits around 8.2 million cameras – all of which will need to comply with the GDPR come May 2018.
“Changing technology created the need for the GDPR, altering both the data protection environment and public perceptions of what constitutes acceptable data processing,” Charlesworth said. “From May all CCTV operators will have to be proactive in assessing, improving and ‘evergreening’ their compliance efforts – tickbox compliance will no longer be sufficient.”
Users need to assess their CCTV systems alongside the rest of their IT, advised James Wickes, CEO and co-founder of Cloudview, and remember that the law applies to everything from a single camera monitoring the entrance to their office or home to a larger system used in a business, housing or public spaces.
“The good news is that the GDPR gives CCTV users an opportunity to tackle what is often a negative image and take the lead in demonstrating accountability and privacy protection. They can also use new technologies such as cloud, which enables them to meet the new regulations while improving data accessibility and security.”
Facebook is trialing a new way to tackle revenge porn which involves users sending the social network nude pics of themselves.
The pilot project is taking place in Australia in partnership with the government, and is based around a system of image 'hashing'.
Users who think they might have been the victim of revenge porn are encouraged to actually send themselves the images in question via Messenger.
The social network then apparently applies hashing technology to create a unique digital fingerprint of the image, so that if another user tries to upload it, the upload will be blocked.
Australian e-Safety Commissioner, Julie Inman Grant, was at pains to point out that the images would not end up on the social network’s servers.
“They're not storing the image, they're storing the link and using artificial intelligence and other photo-matching technologies,” she told broadcaster ABC.
It’s unclear whether the hashing technology is robust against attempts to circumvent such filters by altering the original image in minor ways.
There may also be concerns over sending such highly sensitive images to a firm which has struggled in the past to allay user concerns over security and privacy — even if users are effectively messaging themselves.
“Conceptually the idea has merit, but it would work better if the user was provided a self-service tool to accomplish the task and upload the file to a Facebook portal,” One Identity EMEA director Andrew Clarke told Infosecurity.
ESET security specialist Mark James raised concerns that the service could potentially be abused by scammers.
“The likelihood of Facebook being compromised is slim of course, but if the user was tricked into sending them to a third party — that could open them up for further abuse,” he told Infosecurity. “Of course, we always encourage people to be very careful about where they store intimate photos and preferably to not store them online in any form.”
The new pilots — which are taking place in three countries besides Australia — are just part of a series of measures Facebook has been rolling out to combat the growing social problem of intimate images shared without the subject’s permission.
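The question raised above, whether a minute change to an image defeats the matching, turns on what kind of hash is used. The following is an added example, not Facebook's system (whose matcher the article does not detail): it contrasts a cryptographic hash of the pixel bytes with a simple perceptual "average hash" on a constructed grayscale image.

```python
# Added example contrasting a cryptographic hash with a simple perceptual hash
# ("average hash") on constructed grayscale images. Not Facebook's matcher,
# whose details the article does not give; it only shows why the question matters.
import hashlib


def sha256_hex(pixels):
    """Cryptographic hash of the raw pixel bytes: any change alters the digest."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def average_hash(pixels, size=8):
    """64-bit perceptual hash: shrink to size x size by block averaging, then
    emit one bit per block, 1 if the block is brighter than the image mean.
    pixels: list of rows of 0..255 ints; width and height are multiples of size."""
    h, w = len(pixels), len(pixels[0])
    bh, bw = h // size, w // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(pixels[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for v in blocks:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes; small means 'looks the same'."""
    return bin(a ^ b).count("1")


def horizontal_gradient(w=32, h=32):
    """Constructed test image: dark on the left, bright on the right."""
    return [[(x * 255) // (w - 1) for x in range(w)] for _ in range(h)]


def vertical_gradient(w=32, h=32):
    """Constructed test image: dark at the top, bright at the bottom."""
    return [[(y * 255) // (h - 1) for _ in range(w)] for y in range(h)]


def tweak_pixel(pixels, y=0, x=0, delta=1):
    """Copy with a single pixel nudged: invisible to the eye, but a new byte string."""
    out = [row[:] for row in pixels]
    out[y][x] = max(0, min(255, out[y][x] + delta))
    return out


def compare(original, modified):
    """Report whether each hash still recognises the modified image."""
    return {
        "sha256_matches": sha256_hex(original) == sha256_hex(modified),
        "ahash_distance": hamming(average_hash(original), average_hash(modified)),
    }


if __name__ == "__main__":
    img = horizontal_gradient()
    print(compare(img, tweak_pixel(img)))       # sha256 no longer matches, distance 0
    print(compare(img, vertical_gradient()))    # unrelated image: distance 32
```

A byte-exact hash is defeated by a one-pixel edit, while the perceptual hash still matches; a real matcher therefore needs a perceptual or learned fingerprint plus a distance threshold, and even then deliberate crops, rotations or overlays can push an image past the threshold.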
Users of popular crypto-currency wallet Parity were left locked out of almost $300m in funds after a user triggered a coding error, it has emerged.
The firm deals in ether — the currency traded on the Ethereum blockchain. A critical security alert on Tuesday explained that the issue came about following a bug in its platform in July, which resulted in the theft of $32m worth of ether from its popular multi-sig wallets.
Multi-sig wallets are so-named because they require multiple people to verify and sign-off transactions.
Following the July incident a new version of the Parity Wallet library contract was deployed.
The alert continued:
“However that code still contained another issue — it was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function. It would seem that issue was triggered accidentally 6th Nov 2017 02:33:47 PM UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.”
The result is that no funds can be moved from any of the multi-sig wallets.
It’s believed that over 900,000 ether are locked in those wallets, worth roughly $282m at today’s prices. It’s been reported that $90m in funds raised by Parity founder Gavin Wood is also locked down.
However, a Twitter update from Parity yesterday claimed that: “The total ETH circulating social media is speculative.”
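The alert quoted above describes a shared library contract that was never initialised as a wallet itself, so its initWallet function could be called by anyone, after which the caller could destroy it and cut off every wallet that delegated to it. The following is a toy Python model constructed for this article (not Parity's Solidity code); it mimics delegatecall by running library functions against whichever storage the caller hands them, and shows the unguarded pattern beside a guarded one.

```python
# Toy model of the failure pattern the Parity alert describes. Constructed for
# illustration, not Parity's code; delegatecall is mimicked by passing storage.


class LibraryGone(Exception):
    """Delegation target has self-destructed; wallet logic is unreachable."""


class WalletLibrary:
    """Shared logic contract that every thin wallet delegates to."""

    def __init__(self, guard_init):
        self.guard_init = guard_init   # hardened variant refuses a second initWallet
        self.alive = True              # False once self-destructed
        # The library's own storage, touched only when it is called directly.
        # Unguarded: never initialised, so anyone may claim it.
        # Guarded: marked initialised at deployment, so initWallet is refused.
        self.storage = {"owners": set(), "initialised": guard_init}

    def init_wallet(self, storage, caller, owners):
        if self.guard_init and storage["initialised"]:
            raise PermissionError("initWallet: already initialised")
        storage["owners"] = set(owners)
        storage["initialised"] = True

    def check_owner(self, storage, caller):
        if caller not in storage["owners"]:
            raise PermissionError("only an owner may do this")

    def kill(self, storage, caller):
        self.check_owner(storage, caller)
        self.alive = False  # selfdestruct: code vanishes for every delegating wallet

    def call_direct(self, fn, caller, *args):
        """A transaction sent to the library contract itself."""
        if not self.alive:
            raise LibraryGone("library code no longer exists")
        return getattr(self, fn)(self.storage, caller, *args)


class MultiSigWallet:
    """Thin wallet: its own storage, but every check delegated to the library."""

    def __init__(self, library, owners, balance):
        self.library = library
        self.storage = {"owners": set(owners), "initialised": True,
                        "balance": balance}

    def delegate(self, fn, caller, *args):
        if not self.library.alive:
            raise LibraryGone("library code no longer exists")
        return getattr(self.library, fn)(self.storage, caller, *args)

    def withdraw(self, caller, amount):
        self.delegate("check_owner", caller)
        self.storage["balance"] -= amount
        return self.storage["balance"]


def replay(guard_init):
    """Replay the alert's sequence. Returns (library alive, balance after an
    owner withdraws 10, or None if the library code was no longer reachable)."""
    lib = WalletLibrary(guard_init)
    wallet = MultiSigWallet(lib, owners={"alice", "bob"}, balance=100)
    try:
        lib.call_direct("init_wallet", "stranger", ["stranger"])  # claim library
        lib.call_direct("kill", "stranger")                      # then destroy it
    except PermissionError:
        pass  # guarded variant refuses at the first step
    try:
        return lib.alive, wallet.withdraw("alice", 10)
    except LibraryGone:
        return lib.alive, None
```

The unguarded replay leaves the library dead and the wallet's funds unreachable, which is the outcome the alert reports; the guarded replay refuses the initialisation and the owners' withdrawal still succeeds.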
The news will do nothing to calm the nerves of investors, who have seen a string of cyber-attacks and reliability issues plague start-ups in the crypto-currency space.
Just last month, hackers were spotted using malicious spoof apps for crypto-currency exchange Poloniex, in a bid to harvest log-ins for users of the platform and their Gmail accounts.
With visibility spanning ISPs and mobile carriers, Cloudmark correlates email threat telemetry data from billions of daily emails into its Global Threat Network, including intelligence derived from malware campaigns and targeted attacks.
As part of the acquisition, Cloudmark's Global Threat Network will be incorporated into Proofpoint's Nexus platform, and will complement Proofpoint's Email Fraud Defense and Domain Defense products. The acquisition will also provide visibility into fraudulent and malicious SMS messages.
"Messaging has been the number one threat vector for years, but with ransomware and BEC, it's never been a more urgent issue," said Jason Donahue, chief executive officer of Cloudmark. "We're thrilled to be continuing our work to fight advanced threats in messaging as part of Proofpoint."
Gary Steele, chief executive officer of Proofpoint, said: “By combining the threat intelligence from Cloudmark with the Proofpoint Nexus platform, we can better protect all of our customers - both enterprises and ISPs - from today's rapidly evolving threats."
In an email to Infosecurity, Scott Crawford, research director for Information Security at 451 Research, said that if there’s anyone who needs actionable threat intelligence applied to content, it’s an email and content security provider like Proofpoint.
“While we expect Proofpoint to sustain Cloudmark’s business, the integration of Cloudmark’s Global Threat Network with Proofpoint’s Nexus platform will enhance the broader Proofpoint portfolio with telemetry from Cloudmark’s substantial service provider and carrier customer base, giving Proofpoint considerable visibility across many of the networks that connect enterprises as well as individuals worldwide. Proofpoint has been building out a more comprehensive portfolio in recent years – this move gives it a much wider range of intelligence from global service providers.”