Info Security


Nearly Half of Citizens Believe There is Online Censorship

Tue, 09/29/2020 - 08:20

Nearly half (45%) of citizens across seven countries – the UK, US, Canada, Australia, Russia, Norway and Sweden – do not trust the integrity of information they find online, according to an analysis by TunnelBear. This includes 48% of respondents from the UK.

Amongst the survey of 5500 people aged 18-65 in these countries, there was also a strong suspicion that online censorship is taking place. Over two in five (44%) reported that either they have, or someone they know has, experienced internet censorship, with this figure rising to 58% in the UK.

In addition, more than two-thirds (69%) said they felt there could be censorship taking place within their country while over one-third (35%) believe a significant amount is censored in their country.

More than a third (39%) also commented that they believe political parties and governments are engaging in political censorship in order to avoid upheaval or embarrassment. This figure rose to 44% amongst US participants.

The lack of trust in online information is especially concerning given the growing reliance on this channel as a result of COVID-19 lockdown restrictions this year.

Justin Watts, head of engineering at TunnelBear, stated: “While consumers are increasingly aware of and wary about internet censorship in the UK and globally, they also need to understand how to combat such intrusions on their freedom.”

Speaking to Infosecurity, Watts added: “The tech industry has made some astounding strides in the development of internet services over the past few years. As online services and platforms continue to evolve and play a large role in people’s lives, so does the awareness about the effects of these technologies and the importance of an uncensored lens into our world.”

Commenting on the research, Raef Meeuwisse CISM, CISA, author of Cybersecurity for Beginners, said: “There is a predictable lifecycle to the emergence, use and then misuse of new types of electronic information. Whenever new types of digital information emerge that influence or control human decisions, they become high-value targets for subversion.

“Two of the most prominent examples of information misuse have been online product reviews besieged by fake reviews and how the term fake news – once used just to label news that was provably incorrect – is now regularly misapplied to discredit or question real news more often than it is to label genuine fake news.

“With more time being spent online and attention focused on particular subjects and platforms, I think it is inherently evident that there has been more censorship – which by definition is the suppression of speech and communication. As an example, in place of social proof or popularity, some search engines and social media platforms promote what they consider to be ‘authoritative sources’ and may suppress or remove other results. Is that good practice? It really depends on how reliable the censorship decisions are – but what has been evident in many cases is that the sources that have been marginalized turned out to be correct – and the supposedly authoritative sources have sometimes turned out to be the misinformation.”

Categories: Cyber Risk News

OCR Imposes $6.85M Penalty Over Data Breach

Mon, 09/28/2020 - 18:37

A health insurance company in Washington state has been slapped with the second-largest ever HIPAA violation penalty.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85m penalty on Premera Blue Cross to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Premera Blue Cross is a not-for-profit Blue Cross Blue Shield licensed health insurance company based in Mountlake Terrace. In 2014, the company suffered a data breach that impacted the protected health information (PHI) of 10.4 million people.

An advanced persistent threat (APT) group successfully used a spear-phishing attack to gain access to Premera's computer system. Over the course of nine months, the group accessed data including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of Premera customers.

Attackers compromised Premera in May 2014, but their activities were not discovered by the company until January 2015. The OCR was notified of the data breach two months later.

After investigating the security incident, the OCR identified “systemic noncompliance” with the HIPAA Rules by Premera Blue Cross.

Failings identified by investigators included neglecting to conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI and not taking steps to reduce risks and vulnerabilities to electronic PHI to a reasonable and appropriate level.

Premera was further found to have failed to implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.

Premera has agreed to pay $6.85m and implement a “robust corrective action plan” that includes two years of monitoring. Under the agreement, the company must set up a risk-analysis plan and review it at least once a year.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said Roger Severino, OCR director.

“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

Categories: Cyber Risk News

Hacking Voting Systems to Be a Federal Crime in US

Mon, 09/28/2020 - 17:27

Criminals caught hacking into a federal voting system in the United States are to be charged with a federal criminal offense.

The Defending the Integrity of Voting Systems Act was unanimously approved by the House of Representatives last week after gaining a green light from the Senate last year. The legislation will make hacking federal voting infrastructure a crime under the Computer Fraud and Abuse Act.

Senators Richard Blumenthal, Sheldon Whitehouse, and Lindsey Graham put their political differences aside to introduce the bill with bipartisan support in 2019. Having gained the approval of the Senate and the House, the legislation will now be sent to the president to be signed into law.

Blumenthal said in a statement that the bill's successful passage through the House on September 21 had come at just the right time to protect the safety of the 2020 presidential election, for which voting began on September 18 in four states.

“Our adversaries have shown a willingness and capability to hack the infrastructure that powers our democracy, however, our laws and enforcement lag far behind this dire threat,” said Blumenthal.

“This bill must now quickly become law so every vote counts. Nearly a month out from our 2020 elections, there’s no time to waste.”

The origins of the bill stem from a report shared by the Justice Department’s Cyber Digital Task Force in July 2018.

In the report, the task force noted: “The principal statute used to prosecute hackers—the Computer Fraud and Abuse Act (‘CFAA’)—currently does not prohibit the act of hacking a voting machine in many common situations. In general, the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection).”

The task force warned that electronic voting machines that are typically not connected to the internet would not meet those criteria.

“Consequently, should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers. (The conduct could, however, potentially violate other criminal statutes.),” noted the task force.

Categories: Cyber Risk News

Tennessee Bureau Urges Parents to Supervise Children Online

Mon, 09/28/2020 - 16:43

A United States state law enforcement agency has suggested that a huge spike in reports of online child sexual abuse could be linked to parents letting their kids use the internet for long periods of time while unsupervised.

A drastic increase in the number of reports of online crimes involving the sexual abuse of children has been seen by the Tennessee Bureau of Investigation (TBI) since the coronavirus health pandemic erupted.

In March 2020, reports were up 210% year on year. By June, the number of tips being submitted had increased by 400%.

Special Agent in Charge Nicholas Christian said that following the closure of schools to slow the spread of COVID-19, children had been exposed to the internet more in 2020 than in 2019. He said criminals were taking advantage of the situation to groom more victims.

“I wouldn’t say they’re different cyber tips, I would just say that they’re increasing the victim pool,” Christian told News4Nashville. “So, there’s more kids online, and they’re online for a longer period of time.”

Christian added that parents, suddenly faced with having children at home all day, could be making it easier for their kids to become victims of abuse by relying on “internet nannying.”

Describing what the practice involves, Christian said: “Parents keeping their child in front of a tablet or computer just to keep them busy.”

Christian added: “That’s not always the best approach because obviously the more screen time they have, the more opportunities they have to come into contact with someone who doesn’t have their best interests at heart.”

The agent said going online without supervision was just as dangerous for a child as exploring the streets of New York City unaccompanied. Crime statistics for NYC in 2020 detail 327 murders, 679 shooting victims, 1,007 rapes, 9,075 robberies, and 14,761 felony assaults.

Christian said that the TBI had not observed an increase in self-reporting from minors who had been persuaded to send sexually explicit images of themselves to an abuser or who had received such images.

“If you’re a victim of extortion, report them, block them, and call the police,” he said.

Christian urged parents to research which applications their kids are using, to implement parental controls, and to manage their children's screentime.

Categories: Cyber Risk News

20% of Remote Staff Have Downloaded Company Data on Personal Devices

Mon, 09/28/2020 - 14:30

One in five (20%) UK employees have downloaded commercially sensitive or confidential company files onto a personal device whilst working from home, a new study from gadget insurance firm Protect Your Bubble has found. What is more, of these respondents, 40% admitted that there was either no password protection or no up-to-date security software installed on these devices, which include desktops, laptops, tablets and smartphones. A further 7% had neither.

The survey of 2000 UK workers across a range of industries examined employees’ experiences during a prolonged period of remote working as a result of COVID-19 lockdown measures. A number of other studies this year have also highlighted that insecure behaviors are prevalent amongst staff working from home, putting organizations at higher risk of cyber-attack.

The new research also revealed that younger employees are more likely to engage in poor cybersecurity practices, with almost 30% of respondents under the age of 24 acknowledging that they had used personal devices for work purposes during the last six months. Of these, 50% said they did not have either password protection or security software installed on such devices.

Older employees were found to have a more disciplined approach to cybersecurity, with the rate of work-from-home staff handling company data on their personal devices falling with age, to under 8% for those aged 45-54 and for the over-55s.

The sectors which had the worst records for remote staff downloading sensitive or confidential company documents onto personal devices during lockdown were HR (22%), IT and telecoms (21.4%) and finance (21.4%).

A particularly concerning finding was that healthcare had the highest proportion of employees downloading this type of information onto devices with neither password protection nor security software installed, reaching almost 20%. This is despite the sector becoming an increasingly lucrative target for malicious actors amid the global pandemic.

James Brown, director at Protect Your Bubble, commented: “It’s clear from the survey responses that many UK businesses need to address their cybersecurity vulnerabilities and adapt their protocols in light of more employees working remotely.

“Along with more thorough staff training and the issuing of company-owned devices, insurance is also key to make sure employees can remain productive while working remotely in the case of loss, theft or accident.”

Categories: Cyber Risk News

Ivanti Adds VPN and MDM Technologies in Double Acquisition

Mon, 09/28/2020 - 13:00

Ivanti has announced the acquisitions of mobile device management vendor MobileIron and secure access and VPN provider Pulse Secure.

Under the terms of the agreement, Ivanti will acquire all outstanding shares of MobileIron for a total value of approximately $872m. Financial details for the Pulse Secure acquisition have not been disclosed. Ivanti said that, by bringing MobileIron and Pulse Secure into its portfolio, organizations will be able to manage and secure users, devices, data and access, ensuring that every device in an organization is covered.

Upon completion of the transaction, the combined company will be led by Ivanti chairman and CEO Jim Schaper. “By combining MobileIron and Pulse Secure with Ivanti, we are creating a leader in the large and growing unified endpoint management, security and enterprise service management markets,” he said.

“We now have the most comprehensive set of software solutions that addresses the growing market demand for the future of work,” Schaper added. “With the integration of our industry knowledge and complementary product offerings, Ivanti will be well positioned to provide our expansive customer base with the critical tools needed to tackle IT challenges in the new normal.”

Simon Biddiscombe, CEO of MobileIron, said he was “thrilled to join forces with Ivanti and Pulse Secure” as the combination will “accelerate MobileIron’s ability to help organizations quickly and securely embrace the future of work, in which employees, IT infrastructures and customers are everywhere – and mobile devices provide access to everything.”

Sudhakar Ramakrishna, CEO of Pulse Secure, said: “We believe that organizations looking for unified endpoint management and secure access solutions will see the combined platform as a new, highly focused partnership with the capabilities to deliver a complete, best-in-class, global solution.”

The announcement follows reports of extensive attacks on Pulse Secure’s VPN solutions, with the US Cybersecurity and Infrastructure Security Agency (CISA) issuing an alert advising users to apply the patch for the vulnerability CVE-2019-11510.

Categories: Cyber Risk News

A Fifth of Privileged Users Don’t Need Elevated Access

Mon, 09/28/2020 - 12:00

Over a third of government and enterprise users have been given privileged access despite not needing it, potentially exposing their organization to greater cyber-risk, according to Forcepoint.

The security vendor polled nearly 1900 privileged users in the UK and US to better understand the current risk of insider threats.

Of the 36% of government and 40% of enterprise respondents who said they didn’t need privileged access, over a third said everyone at their level has privileged access. A similar number said that privileged access granted in a previous role had not been revoked when they changed jobs, while around a quarter claimed they were granted elevated access rights for no apparent reason.

Operating an access policy of “least privilege” is widely accepted as cybersecurity best practice. Forcepoint argued that granting excessive privileges can undermine security because users may access sensitive data out of curiosity, be pressured to share their rights with others, and come to believe they are entitled to access all the information they can view.

Worse still, only half (48%) of government respondents said privileged users are vetted through background checks. Just 46% of government and 52% of enterprise respondents said their organization can effectively monitor privileged user activities, while even fewer (11% and 14%) were confident their organization has visibility into user access.

A lack of unified visibility from a single tool, and challenges around change management with outsourcing and offboarding, were both highlighted as issues.

Privileged abuse can also be hard to spot because of a lack of contextual insight from security tools, high false positive rates and info overload, the report claimed.

“Without granular visibility — visibility not just into who has access, but what they’re doing with it — organizations can’t detect or react to compromised or malicious access fast enough to stay protected,” said Forcepoint director of global government and critical infrastructure, Carolyn Ford.

“The key principle here is a zero-trust motto: ‘never trust, always verify’ particularly since the privileged user threat shows no sign of diminishing. Economic pressure leads to short-staffed companies, which leads to stressed employees who are more likely to cut corners in ways that threaten security. Especially now, real-time visibility into user access and actions should be non-negotiable.”

Categories: Cyber Risk News

Police Scotland to Establish Center of Excellence to Tackle Cybercrime

Mon, 09/28/2020 - 11:01

Police Scotland is to establish a “center of excellence” for cybercrime with specialist staff deployed to help combat online offences including child sexual abuse, fraud and the sharing of indecent images.

As reported by the BBC, the center will have at least 150 specialist personnel, initially bringing together 100 officers and staff already working in cyber-criminality and a further 50 staff. The strategy will be put before the Scottish Police Authority board later this week.

Deputy chief constable, Malcolm Graham, said: “The nature of crime is changing and Police Scotland needs to change with it. The online space is becoming a bigger part of the frontline of policing every day.

“As well as keeping people safe on the streets, our officers and staff are keeping children safe on their computers and smartphones in every community in Scotland.”

Jake Moore, cybersecurity specialist at ESET and former member of the Digital Forensics Unit of Dorset Police, said: “Cybercrime is evolving at such a rapid pace that law enforcement must respond accordingly to minimize the risk of losing control. Digital examinations with online elements have become a part of daily routine investigations, but the police face huge limitations, which are often linked to cost.

“Long have we seen a slow uptake in the rise of cyber-offences, and therefore it is impressive to see Scotland take the lead. Recognizing this change is the first step, but the real proof is in what the force can achieve with these resources. The coronavirus pandemic and associated lockdowns have hastened the rise of cybercrime – and it is unlikely that we will see a drop in the level of online offences the police will have to deal with.”

Categories: Cyber Risk News

Fashion Retailer BrandBQ Exposes Seven Million Customer Records

Mon, 09/28/2020 - 09:30

A European fashion retailer has become the latest big-name brand to expose personal data on millions of its customers after misconfiguring a cloud database.

Researchers at vpnMentor discovered the unencrypted Elasticsearch server on June 28 and parent company BrandBQ finally secured it around a month later, on August 20.

The Krakow-based retailer operates online and physical stores across Eastern Europe, in Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine and the Czech Republic. Its main brands are Answear and

Among the one billion entries in the exposed database, 6.7 million records related to online customers, with each entry featuring personally identifiable information (PII) including full names, email and home addresses, dates of birth, phone numbers and payment records (although not card details).

An additional 50,000 records relating to local contractors in certain jurisdictions included further information such as VAT numbers and purchase info. The database also contained logs of API calls from Answear’s mobile app, exposing PII on 500,000 users of the Android app and an unknown number who have downloaded the iOS version, vpnMentor claimed.

The exposed data could have provided cyber-criminals with a handy source of PII to launch convincing phishing attacks and identity fraud, it added.

“The same tactics could be used against the contractors exposed in the leak, and BrandBQ itself. A successful phishing campaign against a business can be absolutely devastating and challenging to overcome,” the firm explained in a blog post.

“Furthermore, it only takes a single employee with no education on cybercrime to click a link in an email that could infect a company’s entire network. With over 700 employees, this is a real risk for BrandBQ.”

Attackers could theoretically also have leveraged the data for corporate espionage, and used “sensitive technical information” in the database to probe for vulnerabilities to exploit.

Categories: Cyber Risk News

US Judge Blocks Trump’s TikTok Ban

Mon, 09/28/2020 - 08:31

A US federal judge has blocked a government-mandated ban on TikTok just hours before it was due to take effect, granting a temporary reprieve for the popular Chinese-owned social app.

Judge Carl Nichols issued the ruling on Sunday, in another blow to the Trump administration’s botched attempts to declare the app a national security risk.

He granted a preliminary injunction sought by TikTok and parent ByteDance, which means the app will not be banned from Google Play and the App Store as the Commerce Department had ordered.

However, sitting in the District Court for the District of Columbia, Nichols declined to block additional government restrictions set to take effect on November 12, 2020. These will make it illegal for ISPs to handle TikTok traffic, in effect rendering the app unable to function in the US.

There are no further details on the ruling at this time. However, TikTok’s lawyers had reportedly argued that a ban would be “arbitrary and capricious,” impact user security by blocking app updates, and that it is unnecessary in the context of the deal being hammered out with Oracle to assuage national security concerns.

A Presidential Executive Order issued back in August claimed that TikTok “automatically captures vast swaths of information from its users” which “threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage.”

It added that the app also “reportedly” censors content on behalf of the Communist Party and that it “may” also be used for disinformation campaigns on behalf of China’s leaders.

The US government issued a statement on the Sunday verdict claiming it will comply with the injunction but that it intends to “vigorously defend” the Executive Order.

The ruling came just days after another District Court blocked Trump’s attempts to ban Chinese app WeChat on similar national security grounds.

Categories: Cyber Risk News