Info Security


Experts Raise Concerns Over Government Mobile Data Grab

Wed, 11/08/2017 - 09:45

Security experts have raised question marks over possible plans to use mobile phone data to help complete the UK national census after 2021.

It was revealed this week that the Office of National Statistics (ONS) has been tracking the anonymized movements of thousands of adults in London to study commuter patterns.

It’s part of the Administrative Data Census Project, an ONS initiative designed to work out whether the government can meet its stated ambition that “censuses after 2021 will be conducted using other sources of data.”

That means that the next once-a-decade national survey might be the last one which is completed via a paper-based questionnaire.

The ONS claimed that the mobile phone data (MPD) collected during this project was done in accordance with the law, and that “any intention to use MPD within the future production of official statistics will involve extensive evaluation including privacy impacts.”

However, the prospect has caught the attention of security and privacy experts.

“This government experiment in tracking people’s movements between their homes and places of work using mobile phone data is a glimpse into a not-too-distant future; where tracking devices in everyone’s pockets are routinely used to amass detailed data about our behavior, privacy be damned,” argued Simon Migliano, head of research at

“This creepy and intrusive tracking feels like a cost-cutting exercise combined with an opportunistic data grab. I’m very uncomfortable with the fact that Vodafone customers would have been unaware that they have been tracked in this way.”

He argued that an independent and transparent review would need to be carried out on any prospective anonymization methods to ensure no personally identifiable info (PII) could be extracted from the data.

“Even with that in place, there will be many people who are simply not comfortable with this kind of intrusive tracking, for whom there should be some kind of opt-out,” Migliano concluded. “What’s worrying though is that this appears unlikely, if the current mandatory completion of the census is anything to go by.”

David Emm, principal security researcher, Kaspersky Lab, also flagged security concerns.

“Clearly, there are potential benefits in this case – perhaps saving us all the need to complete a census questionnaire and saving the government money,” he argued.

“But it is also important that we recognize that our personal data can be equally valuable to cyber-criminals. New data protection laws are designed to make organisations more careful with our data, but regardless of this, it is important that, at an individual level, we know what information is being collected and stored and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands.”

Categories: Cyber Risk News

Privileged Accounts Usually Poorly Managed, if Managed at All

Tue, 11/07/2017 - 20:58

Privileged IT accounts, those administrator “unicorn” accounts that grant virtually unlimited access to nearly every component of a company's IT infrastructure, sensitive systems and data, are mostly poorly managed, leaving the door wide open for criminals.

A One Identity survey of 913 IT professionals from around the globe has exposed three key areas where distressingly inferior practices for privileged account management occur: management platforms and tools; monitoring and visibility; and, unsurprisingly, password management.

When it comes to management, about a fifth (18%) of respondents admit to using paper-based logs, while a surprising 36% are using equally inadequate spreadsheets for tracking privileged accounts. The survey also found that two-thirds (67%) of companies are relying on two or more tools for management—indicating widespread inconsistency in privileged access management (PAM).

Also, the majority of IT security professionals (57%) admit to only monitoring some privileged accounts, or not monitoring privileged access at all. Even worse, 21% of respondents confessed they are unable to monitor or record activity performed with admin credentials, while 32% said they cannot consistently identify individuals who perform admin activities.

On the password front, an overwhelming 86% of organizations are not consistently changing the password on their admin accounts after each use. Further, a shocking 40% of IT security professionals don't take the basic best practice of changing a default admin password at all.

The findings come against a backdrop of heightened attacks: A recent Forrester Consulting report states that eight out of 10 breaches that occur involve privileged credentials, highlighting just how much of a target they are for hackers.

"When an organization doesn't implement the very basic processes for security and management around privileged accounts, they are exposing themselves to significant risk," said John Milburn, president and general manager of One Identity. “Over and over again, breaches from hacked privileged accounts have resulted in astronomical mitigation costs, as well as data theft and tarnished brands. These survey results indicate that there are an alarmingly high percentage of companies that don't have proper procedures in place. It is crucial for organizations to implement best practices regarding privileged access management without creating new roadblocks for work to get done."


US Orgs Show Dangerous Overconfidence in DDoS Protections

Tue, 11/07/2017 - 20:39

A full 88% of US businesses claim confidence in their current DDoS mitigation, despite 69% having suffered a successful DDoS attack in the last 12 months.

According to a report from Sapio Research on behalf of CDNetworks, US businesses have the second highest proportion of successful attacks, beaten only slightly by the UK (71%). Also, for 27% of businesses, more than half of all DDoS attacks against them have been successful—almost twice as high as the next most vulnerable country (the UK stands at 15%).

The survey, which polled 500 senior IT personnel with material control over IT security from organizations in the US, UK, Germany, Austria and Switzerland, further found that US businesses’ overconfidence in their DDoS mitigation strategies is all the more concerning given 88% believed new attacks to be likely or almost certain in the next 12 months, compared to only 77% in DACH.

“The results show that most US companies are mindful of the alarming recent rise in DDoS attacks, and are increasing their investment in mitigation technology in response,” said Alex Nam, MD at CDNetworks Americas. “This has understandably led to a confidence in resilience. But when comparing alongside the frequency of DDoS attacks and the likelihood of their success, this confidence tips worryingly into complacency.”

Businesses in the DACH region are the most conservative in their self-assessment, as only 82% are confident in their DDoS mitigation; however, the majority (57%) have suffered a successful DDoS attack in the last 12 months. 

The self-assurance of US companies appears to stem from their high and growing DDoS investment, and their long track record in investment in DDoS mitigation. For all five of the key DDoS mitigation measures (manual protection, self-service DDoS technologies, managed mitigation, WAF and resilience audits), US businesses are the most likely to have invested for the first time more than five years ago.

Businesses in the US are spending the most on DDoS mitigation—an average of $34,750 per year, compared to DACH respondents who have spent only $29,000 on average. More than a quarter (26%) of all US respondents have invested more than $53,000 in the last 12 months.

And that spending is set to rise further: a full 66% of US companies said they will increase investment in mitigation technology over the next 12 months.

“While initial and prolonged investments are theoretically putting US companies in a strong position to protect themselves against DDoS attacks, it seems businesses have not noticed they are losing the arms race against cyber-criminals,” said Nam. “Only with fundamental changes in mindset and more targeted investment can such confidence be earned.”

The results also reveal that US businesses believe malicious attacks by competitors are the most likely reason for an attack (32%), closely followed by blackmail (30%). The belief that they are being deliberately attacked, as opposed to being targeted at random (24%), makes the motivation for the attacks almost more alarming than their prevalence.


Drive-by Cryptomining Hassles Unsuspecting Website Visitors

Tue, 11/07/2017 - 20:35

Drive-by crypto-mining is digging into the web, victimizing unsuspecting visitors to some websites by using 100% of their CPU to mine cryptocurrency without their knowledge or consent.

According to analysis from Malwarebytes, a company called Coinhive launched a service back in September that could mine for the digital currency known as Monero from directly within a web browser, using JavaScript-based code. The mining API is cross-platform compatible and works on all modern browsers.

In and of itself, the technology offers a potential new revenue stream for website owners, perhaps replacing annoying banners and pop-ups with small slowdowns in computer performance stemming from the mining activity. It could be, in theory, a win-win.

There’s just one problem: the technology was almost instantly abused.

“The simplicity of the Coinhive API integration was one of the reasons for its immediate success…[but] many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking,” explained Malwarebytes analyst Jerome Segura. “While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.”

The scale of drive-by mining activity is not minor, either. Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, Segura said, which adds up to approximately 248 million blocks in a single month.

“With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists,” Segura said. “This could also benefit users who might not mind trading some CPU resources for an ad-free online experience. In the meantime, drive-by mining continues unabated.”


Privacy Fail as Charity Leaks Info on Vulnerable Adults

Tue, 11/07/2017 - 12:05

The website of a Scottish charity which works with some of society’s most vulnerable members has been shut down after a major data leak was revealed, exposing sensitive information on around 50 people.

The Scottish Appropriate Adult Network (SAAN) works to safeguard the interests of children or vulnerable adults that have been arrested or called in for questioning by the police.

It does this by providing so-called “appropriate adults” to accompany and offer support to these individuals during the process.

However, scores of these volunteers and vulnerable adults had their personal details including names, email addresses and phone numbers exposed by the SAAN website, The Sunday Post reported.

Also apparently included on the site was information about rape victims and domestic abuse cases.

To make matters worse, SAAN was contacted last year about the privacy snafu but failed to respond — apparently because of the same issue with the site.

“As soon as we were notified of the difficulties, we took immediate action and the website is unavailable until the issue has been resolved,” SAAN interim chair, Karen Donoghue, told the paper.

The ICO is said to be investigating the case.

Mark James, security specialist at ESET, argued that highly sensitive data of this kind is more than just a hassle to replace, it could put the victims in physical danger.

“For companies that are charged with keeping that data safe, there must be stricter rules and regulations to ensure that the means used for storing and protecting that data, must exceed those used for ‘ordinary’ data,” he added.

“How can we determine what data is more sensitive than others, is it even possible? Each case is different, but if actual harm could come from this type of data making itself public we need to do more to protect it in the first place.”

The GDPR will levy potentially huge fines for serious infractions when it comes into force on May 25 next year, with regulators likely to take a particularly dim view of highly sensitive information of the sort leaked by SAAN.


Most Organizations Run Out-of-Date Office Software

Tue, 11/07/2017 - 11:37

Over two-thirds of organizations are running unsupported versions of Microsoft Office, exposing them to cyber-threats, according to a new study from Spiceworks.

The IT professional network polled over 1,100 IT pros in the US, Canada and UK to better understand the usage of productivity suites in their organizations.

It found 68% are still running some instances of Office 2007, despite the package reaching end of support in October this year.

The bad news doesn’t end there: 46% were running Office 2003; 21% Office 2000; and 15% were still on Office XP (the 2002 version). Some 3% even claimed they are still running some machines on Office 97.

“Although they might not grab as many headlines as end-of-support OSes, Office suites that are past their prime are susceptible to danger, similar to their OS cousins,” explained Spiceworks senior technology analyst, Peter Tsai.

“Just like any software or system in use, productivity suites need to be patched for security reasons. Once an OS no longer receives updates, it's a security liability. Over the years, there have been hundreds of vulnerabilities identified in Microsoft Office.”

If organizations need reminding of the damage that can result from an unpatched vulnerability, they just need to look at the chaos inflicted by WannaCry and NotPetya, two worm-like ransomware threats that caused mass service outages across the globe in May and June.

Global shipper Maersk has already admitted NotPetya may end up costing it $300m, while FedEx arrived at a similar figure.

It’s not all bad news, however, with Spiceworks revealing that over half (53%) of responding organizations are using Office 365, the online productivity suite which is always up-to-date. A further 17% plan to migrate over the next two years.

In addition, 17% are currently using Google’s G Suite.

The report claimed mid-sized firms (100-1,000 employees) are most likely to run Office 2007, with larger organizations usually having more funds to keep up-to-date with the latest software and smaller counterparts having migrated more readily to Office 365.


Trend Micro: GDPR Chiefs Need to Clarify “State of the Art”

Tue, 11/07/2017 - 09:53

Trend Micro has called on regulatory bodies to provide greater clarity on a key part of the EU GDPR, after a new survey highlighted confusion among global organizations on what constitutes “state of the art” security.

The vendor polled 1,000 IT leaders from businesses across the globe and found a wide variety of interpretations of the phrase, which describes the kind of security that firms should be investing in to keep customer data safe.

Some 30% claimed it meant buying from an established market leader; 17% said it meant products that pass independent third-party tests; 16% said it referred to security that meets with analyst approval; and 14% that it covers innovative start-up tech.

More worrying still, 12% claimed they’re more concerned about the cost of products than whether they meet GDPR requirements, while 9% admitted they had no idea what “state of the art” means.

“There are many hurdles for businesses to overcome in establishing GDPR compliance – trying to demystify what ‘state of the art’ means is but another challenge on the list,” said Bharat Mistry, principal security strategist for Trend Micro.

“Regulatory enforcement bodies should offer further clarification on what ‘State of the Art’ means, so businesses can ensure they’re not stepping into a fine once May 2018 arrives.”

This confusion may account for the wide range of products IT security teams are currently investing in. Most common was network-layer security to spot intruders (34%), while DLP (33%) and encryption (31%) were also common.

The research also revealed that many organizations aren’t able to meet a key requirement of the new law: 72-hour breach notifications.

Only 63% said they have a notification process in place for their customers, while 21% said they’re able to notify regulators but not customers.

The report also uncovered a lack of preparedness in supporting the key “right to be forgotten” strand of the GDPR. While 77% have a process in place for data they collect, only 64% can process requests for data their partners collect, and fewer still for data held by CSPs (63%) and third-party agencies (60%).


DDoS Attacks Become More Frequent in Q3, with Linux Dominating

Mon, 11/06/2017 - 21:27

The share of Linux botnets is continuing to grow—accounting for 70% of attacks in Q3, compared to 51% in Q2.

According to Kaspersky Lab’s Q3 2017 DDoS Intelligence Report, experts have continued to see an increase in the number of countries where resources have been targeted, with 98 countries subjected to DDoS attacks in the quarter—an increase from 86 countries in Q2.

Kaspersky Lab experts also saw a growing number of DDoS attacks on gaming services, including Final Fantasy, Blizzard Entertainment, American Cardroom and the UK National Lottery. Additionally, the report shows an increase in the number of DDoS attacks targeting platforms conducting next-generation financial services, such as initial coin offerings (ICOs) – an initial deployment of tokens using blockchain technology. Such DDoS attacks are aimed at either discrediting these services, or worse, serving as a distracting maneuver during ordinary theft.

"Entertainment and financial services—businesses that are critically dependent on their continuous availability to users—have always been a favorite target for DDoS attacks,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab. “For these services, the downtime caused by an attack can result not only in significant financial losses but also reputational risks that could result in an exodus of customers to competitors. It’s not surprising that gaming services with multi-million-dollar turnovers attract the attention of criminals and that new types of financial sites have come under attack.”

In terms of number of targets, Russia has moved up from seventh to fourth place. Meanwhile, the top 10 most popular host countries for botnet command servers this quarter included Italy and the United Kingdom, displacing Canada and Germany. In both cases, China, South Korea and the United States continued to top the leaderboards as the most popular countries for hosting inexpensive data centers.

Cyber-criminal strategies have also changed over the last quarter to attacks that are more sophisticated. For example, in the third quarter, the WireX botnet that spread via legitimate Android apps was taken down, and ‘pulse wave’ technology, which increases the power of DDoS attacks using a vulnerability in hybrid and cloud technologies, was revealed. There has also been an increase in the number of mixed attacks, in which criminals used multiple methods simultaneously.


Multi-vector Attack on Android Throws the Kitchen Sink at Victims

Mon, 11/06/2017 - 20:42

A multi-pronged attack on Android devices has been uncovered, which incorporates a bevy of threat vectors and social engineering tricks into a single scheme involving the Marcher Android banking Trojan.

According to researchers at Proofpoint, attacks begin with a banking credential phishing scheme, followed by an attempt to trick the victim into installing the Marcher banking trojan, before finally finishing up with attempts to steal credit-card information.

“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments,” said Proofpoint researchers, in an analysis. “Moreover, as we use mobile devices to access the web, and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here.”

They added that attacks involving Marcher have become increasingly sophisticated, with documented cases involving multiple attack vectors and a variety of targeted financial services and communication platforms. In this latest case, a threat actor has been targeting customers of Bank Austria, Raiffeisen Meine Bank and Sparkasse since at least January 2017.

Marcher is frequently distributed via SMS, but in this case, victims are presented with a link in an email. Oftentimes, the emailed link is a shortened link, used to potentially evade detection. The link leads to a phishing page that asks for banking login credentials or an account number and PIN. Once the victim enters his or her account information on the landing page, the phishing attack then requests that the user log in with their email address and phone number in step two of the credential phish.

Having stolen the victim’s account and personal information, the scammer then introduces a social engineering scheme, informing users that they currently do not have the “Bank Austria Security App” installed on their smartphone and must download it to proceed and prevent their accounts from being blocked. A URL and QR code are provided, leading to a bogus version of the app, using stolen branding and fraudulent copy, that is actually just the Marcher banking trojan in disguise.

In addition to operating as a banking trojan, overlaying a legitimate banking app with an indistinguishable credential theft page, the malware also asks for credit-card information from infected users when they open other applications.

To avoid being a victim, mobile users should be wary of installing applications from outside of legitimate app stores, and be on the lookout for bogus banking sites that ask for more information than users would normally provide on legitimate sites.

“Unusual domains, the use of URL shorteners and solicitations that do not come from verifiable sources are also red flags for potential phishing and malware,” the researchers added.


Hackers Leak Sexually Explicit Photos, Messages of WWE Star Paige

Mon, 11/06/2017 - 20:37

Private photos and explicit WhatsApp conversations of British wrestling star Saraya-Jade Bevis, who goes by the stage name Paige, have reportedly been leaked online.

The cache contains the WWE star’s highly personal WhatsApp conversations with fellow wrestler Xavier Woods, according to the International Business Times.

This incident follows another in early March, in which unknown attackers released other nude photos of the star in what they dubbed “Fappening 2.0".

It’s unclear if these hackers are part of the same cyber-criminal group responsible for the enormous trove of photos of celebs that was published in 2014, which included compromising pics of Jennifer Lawrence as well as reality TV star Kim Kardashian and singer Rihanna.

"Time and again we hear stories that someone’s personal photos or intimate life has been leaked through a hack, data breach or password reuse,” Mark James, security specialist at ESET, said via email. “Not all are hacks of course, some [attackers simply have] the right credentials to login and gain access just like the owner, but every time it happens, people have to ask themselves—how private are our online, private accounts?”

He added, “If we need to be honest (and sometimes we do!) we have to understand nothing posted online is ever secret. Even kept safe with the best encryption or two-factor authentication, there is always a small chance someone is going to find a way to access it; and because there is always a market for high-profile information or data regardless of its morality. The media may well take a stance and state they won’t publish it or make its source known, but the real value is online and in areas the media have no control over: A world where anything and everything can be purchased, sold and traded for—virtually anything you want.

He added that to truly keep information private, users shouldn’t store it online.

“If you have to store it, then use an offline encrypted area that’s not accessible by anyone except you,” said James. “Sorry to say, this includes partners, friends or anyone else you may currently trust; everyone you trust is one link less in the chain of security."


UK Orgs: Almost One in Five Unprepared for Cyber-Attack

Mon, 11/06/2017 - 14:00

Almost one in five (18%) UK businesses are unprepared for a cyber-attack, with that figure rising to 23% of public sector organizations, according to new findings from Advanced.

The firm’s Advanced Trends Report 2017 reveals how organizations are coping with changes in the business and societal landscape, including risks surrounding cybersecurity threats.

Nearly a third (31%) of the 1,000 UK professionals surveyed said they have “no confidence” in the ability of company leadership to create and run a modern digital infrastructure, with a quarter either “unsure or not confident” their organization will be ready for the upcoming General Data Protection Regulation (GDPR).

What’s more, 36% claimed they do not have the right tools to do their job effectively in the digital era.

“WannaCry caused massive disruption in the public sector, perhaps unnecessarily after a new government report has found the NHS attack could have been avoided,” said Nick Wilson, managing director – public sector, health & care, Advanced. “But an alarming number of organizations are still ill-prepared six months on. In this digital era, it’s critical every single organization makes data security a top priority and indeed a deciding factor when adopting new technology.”

Tom Thackray, CBI director for innovation, added that without strengthened efforts to improve cybersecurity, the undoubted potential of the UK’s digital economy will be unfulfilled.

“Cyber resilience is increasingly important for all companies across the economy. They must continue to move from awareness to action, by ensuring cybersecurity is a board level priority and making the right investments for their digital future.”

Julian David, techUK’s CEO, echoed similar sentiments: “It’s no longer a question of whether or not your company will experience a cyber-attack, but rather when it will be attacked,” he warned. “That is why it is so important that cybersecurity is a top level priority for organizations, from the boardroom down. Organizations that prioritize security can confidently adopt new technologies, from cloud to IoT to AI, which facilitate innovation and help them grow their businesses.”


Chinese KeyBoy Group Unlocks More Victim Networks

Mon, 11/06/2017 - 11:43

Security researchers have discovered Chinese APT group KeyBoy back on the scene with new tools and techniques targeting Western organizations.

It’s been around a year since the last sighting of the group, according to PwC threat intelligence analyst, Bart Parys.

“KeyBoy is believed by the industry to be a hacking group based in or operating from China, and is mainly engaged in espionage activity,” he explained in a blog post.

“In the past it has targeted organizations and individuals in Taiwan, Tibet, and the Philippines, but in its latest campaign, KeyBoy appears to have expanded its targeting, as it now appears to be going after mostly Western organizations, likely for corporate espionage purposes.”

The group was observed using a specially crafted Microsoft Word document using the Dynamic Data Exchange (DDE) protocol to fetch/download remote payloads.

In the example PwC gives, the payload is a fake DLL downloaded using PowerShell.

Once the malware has been installed, the original DLL is deleted, with pop-ups blocked on the machine so the user has no idea what has happened.
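Documents that use DDE fields in the way described above can be picked out by inspecting the field instructions inside the .docx package. The scanner below is an added example, not PwC's or this site's code: it builds its own constructed sample .docx files in memory (the executable path in them is a placeholder), then inspects word/document.xml and any header or footer parts for DDE or DDEAUTO instructions, joining instruction text that has been split across runs so the keyword is still found.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instruction keywords that invoke Dynamic Data Exchange.
DDE_PATTERN = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Only the package parts that carry body text and can therefore hold fields.
PART_PATTERN = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def field_instructions(part_xml: bytes):
    """Yield every field instruction found in one WordprocessingML part.

    Simple fields carry the instruction in <w:fldSimple w:instr="...">.
    Complex fields spread it over <w:instrText> runs between a
    <w:fldChar w:fldCharType="begin"/> and the matching "end" marker, so the
    runs are joined before matching; a keyword split across runs is still seen.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, parts = 0, []
    for el in root.iter():  # iterates in document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    parts = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(parts)
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")


def find_dde_fields(docx_bytes: bytes):
    """Return [(part name, instruction)] for every field in the .docx that invokes DDE."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if PART_PATTERN.match(name):
                for instr in field_instructions(z.read(name)):
                    if DDE_PATTERN.search(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits


def build_sample_docx(body_xml: str) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not a real document)."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
        % (W_NS, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples. The executable path is a placeholder, not a real payload.
SAMPLE_BENIGN = '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
SAMPLE_DDE_SIMPLE = (
    '<w:fldSimple w:instr=\' DDEAUTO "C:\\placeholder\\app.exe" "constructed-sample" \'>'
    '<w:r><w:t>x</w:t></w:r></w:fldSimple>'
)
# The same keyword split over two instrText runs, as seen in evasive documents.
SAMPLE_DDE_SPLIT = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DD</w:instrText></w:r>'
    '<w:r><w:instrText>EAUTO C:\\placeholder\\app.exe "constructed-sample"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>field result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)


def scan_samples():
    """Run the scanner over the constructed samples; returns (benign hits, suspect hits)."""
    clean = find_dde_fields(build_sample_docx(SAMPLE_BENIGN))
    suspect = find_dde_fields(build_sample_docx(SAMPLE_DDE_SIMPLE + SAMPLE_DDE_SPLIT))
    return len(clean), len(suspect)


if __name__ == "__main__":
    for name, instr in find_dde_fields(build_sample_docx(SAMPLE_DDE_SIMPLE + SAMPLE_DDE_SPLIT)):
        print("DDE field in %s: %s" % (name, instr))
```

Real documents can also hide the keyword behind QUOTE fields or nested fields, so a hit here is a reason to quarantine and inspect, while a miss is not proof of a clean file.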

The malware in question is designed to take screenshots, gather system information, browse and download files, shutdown and reboot victim machines and use custom SSL libraries to hide C&C traffic.

PwC claimed the group is capable of at least a medium level of technical and operational know-how.

“Several connections can be made to CitizenLab’s report from 2016, such as the continued usage of fake services and related DLLs, powerful capabilities, several exports and strings present in the (sometimes decrypted) DLLs, as well as campaign or version identifiers which are reminiscent and consistent with earlier reported identifiers”, it added.

We reported the group as far back as 2013 targeting Southeast Asia victims via malicious Word documents.

PwC has published a list of potential indicators of compromise for security teams to check.


Equifax Execs Cleared of Wrongdoing After Selling Shares

Mon, 11/06/2017 - 10:47

An independent investigation has cleared four Equifax executives including the firm’s CFO of insider trading, after they sold shares just before a major data breach was revealed, causing its stock market price to tumble.

The four are: CFO John Gamble, Jr; president of information solutions, Joseph Loughran, III; president of workforce solutions, Rodolfo Ploder; and SVP of investor relations, Douglas Brandberg.

They’re each said to have offloaded hundreds of thousands of dollars’ worth of shares totaling around $1.7m between July 28-August 2.

The breach was discovered on July 29, after the Equifax security team spotted suspicious network traffic that it turned out was linked to an attack exploiting a known vulnerability in the Apache Struts web application framework.

According to an Equifax report on the investigation, the security team were “aware” of the vulnerability — patched by Microsoft in March 2017 — and “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure” at the time.

The probe of the four Equifax executives was conducted by an independent “Special Committee” comprising three executives from other firms: former Kimberly-Clark president, Elane Stock, former Reuters CEO, Robert Daleo and Thomas Hough, treasurer of Metro Atlanta Chamber of Commerce.

It claims to have carried out 62 interviews and reviewed 55,000 documents, including emails, texts, phone logs and other records.

In the end, the breach exposed highly sensitive personally identifiable information belonging to 145.5 million Americans and 700,000 British customers.

Following its disclosure on September 7, just over a month after the breach was first detected, the Equifax stock market price dropped from around $142 per share to just $93.

The incident has already cost the jobs of CEO Richard Smith, CIO Dave Webb and CSO Susan Mauldin.

Categories: Cyber Risk News

Paradise Papers Breach is Hell for Offshore Tax Avoiders

Mon, 11/06/2017 - 09:59
Paradise Papers Breach is Hell for Offshore Tax Avoiders

Media organizations across the globe went into overdrive on Sunday publishing the first in several instalments from a trove of breached secret documents listing dubious financial offshore dealings of the rich and famous.

In what could be one of the biggest breaches of its kind in history, the so-called “Paradise Papers” lift the lid on some questionable practices by figures as diverse as the US commerce secretary, Wilbur Ross, the Queen, Tory party donor Lord Ashcroft and organizations including Facebook, Twitter, Nike and Apple.

The 1.4TB data dump is said to come primarily from offshore law firm Appleby, which a fortnight ago issued a lengthy statement in a bid to preempt the revelations.

The firm issued a similar missive on Sunday as the first reports hit the news-stands, claiming:

“We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act. This was an illegal computer hack. Our systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that a forensic investigation by a leading international Cyber & Threats team concluded that there was no definitive evidence that any data had left our systems. This was not the work of anybody who works at Appleby.”

Among the revelations uncovered by the data breach are millions of pounds of investment from the Queen’s private estate to offshore accounts, secret financial dealings between commerce secretary Ross and a Russian firm part-run by Vladimir Putin’s son-in-law and millions of dollars of investment in Facebook and Twitter from Russian state companies.

Apple and Nike are also accused of major tax avoidance by investing in offshore funds like the one run by Appleby from Bermuda.

The incident comes 18 months after the 2.6TB Panama Papers leak exposed the shady financial dealings of numerous celebs and world leaders including Putin and Chinese President Xi Jinping.

High-Tech Bridge CEO Ilia Kolochenko said mandatory data security standards should be considered for law firms, which are becoming an increasingly attractive target for cyber-criminals.

“Many law firms still carelessly rely on the law for data protection, but this is in vain. Paucity of financial resources and lack of qualified personnel preclude law enforcement agencies from investigating and prosecuting the vast majority of crimes committed in digital space,” he added.

“This creates a very dangerous atmosphere of unlawfulness and impunity in the internet, undermining trust in the government and its ability to protect our society.”

Categories: Cyber Risk News

Quarter of UK Employees Have 'Purposefully Leaked Business Data'

Mon, 11/06/2017 - 09:29
Quarter of UK Employees Have 'Purposefully Leaked Business Data'

New research from Egress Software Technologies has revealed that one in four (24%) UK employees have intentionally shared confidential business information outside their organization, typically to competitors or new and previous employers. 

The firm quizzed 2000 workers whose jobs require them to use email frequently, to shine a light on the risks of email misuse within the enterprise.

Half of respondents said they either had or would delete emails from their sent folder if they had sent information somewhere they shouldn’t, with more than a third (37%) admitting they do not always check emails before clicking send.

Of those who had sent an email to the wrong person by mistake, one in 10 admitted to leaking sensitive data such as bank details or customer information. Less seriously, but no less embarrassingly, 40% had also accidentally insulted the recipient or included rude jokes, swear words or risqué messages.

As for the human factors behind emails sent in error, 68% of respondents said ‘rushing’ was the biggest problem, while alcohol was also deemed to play a part in 8% of wrongly sent emails. Technology didn’t fare much better: almost half of those polled blamed autofill for selecting the wrong recipient from a list.

“Email is frequently misused by the UK workforce,” said Tony Pepper, CEO and co-founder, Egress. “While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the EU General Data Protection Regulation, it has never been more important to get a grip on any possible risk points within the organization and, as this research shows, email needs serious attention.”

Speaking to Infosecurity, Jenny Radcliffe, social engineer, speaker and host of The Human Factor podcast, said that, from a technical perspective, companies can reduce the risk of email misuse by filtering large files and extended distribution lists, and by not allowing users to address an email to large numbers of recipients without at least a ‘warning’ message or a technical/managerial ‘check’ step.

“However, technical solutions only go so far and won't prevent a disgruntled employee causing damage or mistakes,” she added. “With 24-hour access to technology mistakes, mischief and malice will cause information to be widely distributed on occasion and the best defense for an enterprise remains good knowledge of individuals within the company. At line management level, being fully aware of what is ‘normal’ behavior from staff and addressing exceptions in an informed and practical way remains a good defensive measure in potentially detecting patterns of behavior that might eventually develop into serious risks for the organization.”
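The ‘check’ step described above is a policy gate on outbound mail: count recipients, weigh attachments, and notice when something marked sensitive is addressed outside the organization. The following is an added example of such a gate written with Python's standard `email` package; it is not Egress's product, nor code from Radcliffe or the survey. The domain list, thresholds and marker words are hypothetical values an organization would tune, and the messages it checks are constructed samples built in the same file.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical policy values for the example; an organization would tune all of these.
INTERNAL_DOMAINS = {"example.com"}
MAX_RECIPIENTS = 10                 # warn when a message fans out to more than this
MAX_ATTACHMENT_BYTES = 1024 * 1024  # warn when attachments total more than 1 MiB
SENSITIVE_MARKERS = ("confidential", "internal only")


def _recipients(msg):
    """Collect addr-specs from To, Cc and Bcc (policy.default gives parsed Address objects)."""
    out = []
    for field in ("to", "cc", "bcc"):
        for header in msg.get_all(field, []):
            out.extend(addr.addr_spec.lower() for addr in header.addresses)
    return out


def check_outbound(raw_bytes, internal_domains=INTERNAL_DOMAINS):
    """Return a list of warning strings for one RFC 5322 message; empty means no speed bump."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    recipients = _recipients(msg)
    external = [r for r in recipients if r.rsplit("@", 1)[-1] not in internal_domains]

    attachment_bytes = sum(len(part.get_payload(decode=True) or b"")
                           for part in msg.iter_attachments())

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    subject = (msg["subject"] or "").lower()
    marked_sensitive = any(m in text or m in subject for m in SENSITIVE_MARKERS)

    warnings = []
    if len(recipients) > MAX_RECIPIENTS:
        warnings.append(f"{len(recipients)} recipients exceeds the limit of {MAX_RECIPIENTS}")
    if attachment_bytes > MAX_ATTACHMENT_BYTES:
        warnings.append(f"attachments total {attachment_bytes} bytes, limit {MAX_ATTACHMENT_BYTES}")
    if marked_sensitive and external:
        warnings.append("message marked sensitive is addressed outside the organization: "
                        + ", ".join(external))
    return warnings


def build_sample(to, body, subject="Q3 numbers", attachment_bytes=0):
    """Build a constructed test message (sample data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = ", ".join(to)
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_bytes:
        msg.add_attachment(b"\x00" * attachment_bytes, maintype="application",
                           subtype="octet-stream", filename="numbers.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    cases = {
        "internal": build_sample(["bob@example.com"], "Draft attached, see you at 3."),
        "leak": build_sample(["recruiter@rival-corp.example"],
                             "CONFIDENTIAL: full customer list with bank details below."),
        "fan-out": build_sample([f"user{i}@partner.example" for i in range(12)], "FYI"),
        "big": build_sample(["bob@example.com"], "Here is the file",
                            attachment_bytes=2 * 1024 * 1024),
    }
    for name, raw in cases.items():
        print(name, "->", check_outbound(raw) or ["ok"])
```

Such a gate catches the rushed mistake and the autofill slip; it does nothing against a user who deliberately pastes a customer list into a personal webmail session, which is Radcliffe's point about the limits of technical controls.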

Categories: Cyber Risk News

Global CISOs Unprepared for Evolving Threats

Fri, 11/03/2017 - 18:05
Global CISOs Unprepared for Evolving Threats

Research by the Ponemon Institute focusing on chief information security officers (CISOs) worldwide has found worrying levels of business readiness for cybersecurity threats.

Drawing on insights from 184 global CISOs, the report noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.

According to 60% of CISOs surveyed, material data breaches and cybersecurity exploits are driving change in organizations’ attitudes to security programs, while another 60% of respondents believe security is considered a business priority.

Yet, while awareness levels are clearly growing, the report’s clear message is that there is plenty of room for improvement.

For instance, 80% of respondents said the internet of things (IoT) will cause “significant” or “some change” to their practices and requirements. Yet fewer than half are hiring or engaging IoT security experts (41%) or purchasing and deploying new security technologies to deal with the potential new risks (32%).

“This new research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, CISO at F5 Networks, which commissioned the report. “It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”

Finding the right talent is also a significant hurdle, with 56% struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42%).

Interestingly, 50% consider machine learning and artificial intelligence important for addressing staffing shortages, and 70% say these technologies will be important to their IT security functions within two years.

Most CISOs agreed cybersecurity threats are here to stay. Organizations represented in the study experienced an average of two data breaches in the past 24 months. About 83% said the frequency of data breach will increase or stay the same. Another 87% believe the severity of data breach incidents will increase or stay the same.

On average, respondents also experienced three cyber exploits or attacks in the past 24 months. Also, 89% of respondents said cyber exploits will increase or stay the same; while 91% predicted the severity of cyber exploits or attacks would increase or stay the same.

Advanced persistent threats (APTs) were ranked the top threat, followed by DDoS, data exfiltration, insecure applications (including SQL injection), credential takeover, malicious insiders and social engineering.

Categories: Cyber Risk News

EternalBlue is Back, with New Tricks

Fri, 11/03/2017 - 17:56
EternalBlue is Back, with New Tricks

A blended threat has been uncovered that arrives by email and then uses the compromised machine as a stepping stone to propagate laterally over Server Message Block (SMB) via the EternalBlue exploit.

Netskope Threat Research Labs said the inclusion of EternalBlue is insidious because it is launched internally from the newly infected machine, giving direct access to other SMB-reachable hosts such as file shares and backup systems. That puts core data stores at risk in a way that perimeter-focused defenses may not anticipate. Because SMB, the protocol that provides shared access to files on a network, is so widely deployed, the vulnerability has a considerable impact.

“We have observed that the presence of embedded document files in cloud storage and collaboration services poses a more significant threat to an enterprise environment since it arrives from a trusted source,” said Netskope researcher Ashwin Vamshi. “Once an endpoint is compromised with the second-stage payload like EternalBlue, it creates a wormed infection, leading all neighboring internal computers to be attacked via SMB from the newly compromised internal stepping-stone system.”

Earlier this year, the Shadow Brokers group disclosed a series of exploits, backdoors and attack tools attributed to nation-state activity. One of the exploits, EternalBlue, targets hosts exposing SMB (TCP port 445) to achieve remote code execution; the underlying SMBv1 flaw was patched by Microsoft as MS17-010 in March 2017, but the exploit has since been widely used in attacks such as WannaCry, NotPetya and, more recently, Bad Rabbit.

In this case, the attack begins with a regionally targeted Swiss email carrying a Word document with an embedded .lnk object, which is in fact a backdoor that downloads the EternalBlue payload. From there the threat turns from a cross-perimeter attack into an internal one, with EternalBlue spreading across the organization’s network without any user interaction, an internal attack that organizations may not be prepared for.

“The use of cloud services by enterprises, along with the implicit trust, has led to an increase in malware attacks and thus posing a new challenge for organizations,” said Vamshi, adding that organizations should enforce policy on usage of unsanctioned services as well as unsanctioned instances of sanctioned cloud services.
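The internal phase has a recognizable network shape: one workstation suddenly opening SMB connections to many of its neighbors, which ordinary clients rarely do. The following is an added detection example, not Netskope's code or anything from their report, that runs a sliding-window count of distinct internal TCP/445 destinations per source over flow records. The flow format, the addresses and the threshold are constructed for the example; real flow exports (NetFlow, Zeek conn.log, firewall logs) need their own parser in place of `parse_flows`.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (not real traffic). Format: "timestamp src dst dst_port proto".
# 10.1.1.20 behaves like a host spreading over SMB; 10.1.1.30 and 10.1.1.31 are ordinary clients.
SAMPLE_FLOWS = """\
2017-11-02T09:00:00 10.1.1.20 10.1.1.5 445 tcp
2017-11-02T09:00:00 10.1.1.30 10.1.1.5 445 tcp
2017-11-02T09:00:02 10.1.1.20 10.1.1.6 445 tcp
2017-11-02T09:00:03 10.1.1.31 10.1.1.5 445 tcp
2017-11-02T09:00:04 10.1.1.20 10.1.1.7 445 tcp
2017-11-02T09:00:05 10.1.1.31 93.184.216.34 443 tcp
2017-11-02T09:00:06 10.1.1.20 10.1.1.8 445 tcp
2017-11-02T09:00:08 10.1.1.20 10.1.1.9 445 tcp
2017-11-02T09:00:09 10.1.1.30 10.1.1.5 445 tcp
2017-11-02T09:00:10 10.1.1.20 10.1.1.10 445 tcp
2017-11-02T09:00:12 10.1.1.20 10.1.1.11 445 tcp
2017-11-02T09:00:13 10.1.1.31 10.1.1.7 445 tcp
2017-11-02T09:00:14 10.1.1.20 10.1.1.12 445 tcp
2017-11-02T09:00:16 10.1.1.20 10.1.1.13 445 tcp
2017-11-02T09:00:17 10.1.1.31 10.1.1.9 445 tcp
2017-11-02T09:00:18 10.1.1.20 10.1.1.14 445 tcp
2017-11-02T09:00:20 10.1.1.20 10.1.1.15 445 tcp
2017-11-02T09:00:22 10.1.1.20 10.1.1.16 445 tcp
2017-11-02T09:00:30 10.1.1.30 10.1.1.5 445 tcp
"""

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, proto) from the flat sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), proto.lower()


def detect_smb_fanout(text, threshold=10, window_s=60, allowlist=frozenset()):
    """Flag internal sources reaching >= threshold distinct internal hosts on TCP/445
    within window_s seconds. Returns {src: (first_seen, last_seen, sorted distinct dsts)}.
    allowlist holds hosts expected to fan out (backup servers, vulnerability scanners)."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the sliding window
    alerts = {}
    for ts, src, dst, port, proto in sorted(parse_flows(text)):
        if proto != "tcp" or port != 445 or src in allowlist:
            continue
        if not (is_internal(src) and is_internal(dst)):
            continue
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (window[0][0], ts, sorted(distinct))
    return alerts


if __name__ == "__main__":
    for src, (first, last, dsts) in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {len(dsts)} distinct SMB targets between "
              f"{first.isoformat()} and {last.isoformat()}: {', '.join(dsts)}")
```

The allowlist matters in practice: backup servers, patch-management hosts and scanners legitimately talk SMB to everything, and without it the rule is noise. The rule also only sees the spread, not the initial document; blocking TCP/445 between workstations and removing SMBv1 where it is still enabled shrinks what the worm can reach in the first place.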

Categories: Cyber Risk News

Trump's Twitter Deactivation: Security Questions Arise

Fri, 11/03/2017 - 17:37
Trump's Twitter Deactivation: Security Questions Arise

Donald Trump’s Twitter account was deactivated briefly on Thursday night by a rogue employee at the social media company. The incident raises serious questions about the security of the president’s Twitter feed, which he uses to trumpet policy changes, saber-rattle with North Korea and connect with the American people.

The employee, who was working his or her final day at Twitter, accessed the president's personal account, @realDonaldTrump, and took it offline, so that visitors to the feed were greeted with the message, “Sorry, that page doesn't exist!” The account was down between about 6:45 and 7 pm ET.

Twitter initially posted a statement saying the “account was inadvertently deactivated due to human error by a Twitter employee. The account was down for 11 minutes, and has since been restored. We are continuing to investigate and are taking steps to prevent this from happening again.”

Later however, the company revised its assessment, saying that the deed was done “by a Twitter customer support employee who did this on the employee's last day.”

For his part, Trump used the opportunity to brag about his social media influence.

“My Twitter account was taken down for 11 minutes by a rogue employee,” he tweeted on Friday morning. “I guess the word must finally be getting out—and having an impact.”

A source told BuzzFeed that hundreds of Twitter employees have access to high-profile accounts and have the power to deactivate one. Despite discussions, no special protections on verified accounts have been implemented, according to the source.

Twitter users were swift to point out the potential security implications: “It is shocking that some random Twitter employee could shut down the president's account. What if they instead had tweeted fake messages?” tweeted POLITICO editor @blakehounshell.

Any impersonation would have been problematic given that the tweets are given weight as Trump’s preferred method of communication. The National Archives in fact plans to preserve the tweets as part of the president’s legacy of correspondence for future generations; where Abraham Lincoln had diaries and letters, this president has 140-character social media missives.

World leaders also take the Twitter posts seriously. When Trump tweeted, “Just heard Foreign Minister of North Korea speak at U.N. If he echoes thoughts of Little Rocket Man, they won't be around much longer!”, it increased tensions between the two countries, with North Korea weighing whether to take the statement as a declaration of war.

Jackson Shaw, senior director of products for One Identity, said via email that the insufficient protection of Trump's Twitter account points out potentially endemic security oversights at the company. Also, given password reuse, which the president may or may not be guilty of, the people with access to his account password could possibly compromise email accounts and more, making for a serious national security risk.

“I'm sure there was no process to take the rogue employee's access away when he or she resigned,” he said. “In fact, I'm sure their access was informally given: ‘Here's the Twitter password’ versus actually granting access by an identity access management or privileged access management system. This goes to show that Twitter and other social media accounts count as privileged accounts and should be treated just as if they are part of a company's most valuable IT assets. Reputation has incalculable value—as shown in this example. It should be protected accordingly." 

Categories: Cyber Risk News

Synopsys Set to Acquire Black Duck Software

Fri, 11/03/2017 - 15:20
Synopsys Set to Acquire Black Duck Software

Synopsys is set to boost its application security testing portfolio with the acquisition of Black Duck Software.

Under the terms of the definitive agreement, Synopsys will pay approximately $565 million ($548 million net) for the Massachusetts company, adding capabilities in IoT, DevOps and the cloud. Black Duck’s products automate the identification and inventorying of open source code in applications and the detection of known security vulnerabilities and license compliance issues in it.

Synopsys said that the addition of Black Duck’s Software Composition Analysis solution will enhance its efforts in the software security market, and enable users to improve the software development cycle to allow continuous integration/continuous delivery and the move to the cloud.

Andreas Kuehlmann, senior vice-president and general manager of the Synopsys Software Integrity Group, said: “Our vision is to deliver a comprehensive platform that unifies best-in-class software security and quality solutions. Development processes continue to evolve and accelerate, and the addition of Black Duck will strengthen our ability to push security and quality testing throughout the software development lifecycle, reducing risk for our customers.”

“We’re excited to join an organization that shares our commitment to addressing security and quality issues at the earliest phases of the software development process,” said Lou Shipley, chief executive officer of Black Duck. “Doing so will enable us to provide leading solutions that enable customers to develop and deliver more secure and higher-quality software faster than ever before.”

Categories: Cyber Risk News

Apple Red-Faced After iOS 11.1 is Hacked

Fri, 11/03/2017 - 11:46
Apple Red-Faced After iOS 11.1 is Hacked

Apple has released a slew of iOS patches, including a fix for the KRACK vulnerability, but the new iOS 11.1 and Safari have already been hacked successfully several times this week by researchers.

Trend Micro’s Mobile Pwn2Own 2017 contest pitted some of the best white hat hackers in the business against iPhone 7 devices running the newly updated iOS version.

Tencent Keen Security Lab was the first to score a success, with a Wi-Fi exploit which earned them $110,000.

“They used a total of four bugs to gain code execution and escalate privileges to allow their rogue application to persist through a reboot,” explained Dustin Childs of the TippingPoint-founded Zero Day Initiative.

The same team were at it again with a successful Safari browser exploit.

“It took them just a few seconds to successfully demonstrate their exploit, which needed only two bugs — one in the browser and one in a system service to allow their rogue app to persist through a reboot,” said Childs.

“Next, Richard Zhu (fluorescence) also targeted the Safari Browser on the Apple iPhone 7. He used a bug in the browser and an out-of-bounds bug in the broker to escape the sandbox and execute code.”

Details of the attacks are being kept under wraps until Apple gets around to fixing them.

The tech giant will be more than a little embarrassed by the ease with which the researchers managed to pick holes in its software, just hours after it released iOS 11.1.

That update included a fix for CVE-2017-13080, one of several components of the infamous KRACK vulnerability in the WPA2 protocol discovered last month.

KRACK lets an attacker within Wi-Fi range trick a client into reinstalling an already-in-use key, which resets the packet counter and causes keystream reuse; depending on the network, that allows decryption of traffic and, for connections not otherwise encrypted, injection of content such as malware into web pages.
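The mechanism is simpler than the headlines suggest: a key reinstallation resets the per-frame packet number, and two frames protected under the same key and packet number share a keystream, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts. The following is an added example, not code from Apple, the KRACK researchers or this article, that shows the effect with a toy counter-mode cipher (HMAC-SHA256 keystream standing in for AES-CCM) and contrasts a client that reinstalls on a replayed handshake message with one that does not. The key, frames and station model are constructed for the example; this is illustrative cryptography, not a WPA2 implementation.

```python
import hashlib
import hmac

# Toy stand-in for the per-frame cipher: counter-mode keystream HMAC-SHA256(key, pn||block)
# XORed over the plaintext. Real WPA2-CCMP uses AES-CCM, which likewise loses confidentiality
# if a (key, packet number) pair is ever reused. Illustrative crypto, not a WPA2 implementation.

def keystream(key, packet_number, length):
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Simplified Wi-Fi client: a pairwise temporal key plus the per-frame packet number."""

    def __init__(self):
        self.tk = None
        self.pn = 0

    def install_key(self, tk):
        # Installing a key resets the packet number. Before the fix, a client did this again
        # when handshake message 3 was replayed, even though the key had not changed.
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext):
        self.pn += 1
        return self.pn, xor(keystream(self.tk, self.pn, len(plaintext)), plaintext)


def send_two_frames(tk, p1, p2, patched):
    """Client sends p1, the attacker replays message 3, client sends p2.
    Returns (pn1, pn2, attacker's reconstruction of p2 from c1, c2 and a known p1)."""
    sta = Station()
    sta.install_key(tk)
    pn1, c1 = sta.encrypt(p1)
    if patched:
        if sta.tk != tk:          # fixed clients only (re)install a key that actually changed
            sta.install_key(tk)
    else:
        sta.install_key(tk)       # vulnerable clients reinstall and reset the packet number
    pn2, c2 = sta.encrypt(p2)
    n = min(len(p1), len(p2))
    # If the keystream repeated, c1 XOR c2 == p1 XOR p2, so knowing p1 reveals p2.
    guess = xor(xor(c1[:n], c2[:n]), p1[:n])
    return pn1, pn2, guess


if __name__ == "__main__":
    tk = bytes(range(16))                          # placeholder key for the example
    known = b"GET /index.html HTTP/1.1\r\n"         # predictable bytes an attacker can guess
    secret = b"Cookie: sid=2f9a7c1e4b0;\r\n"        # the frame the attacker wants
    for patched in (False, True):
        pn1, pn2, guess = send_two_frames(tk, known, secret, patched)
        print(f"patched={patched}: packet numbers {pn1},{pn2}; "
              f"recovered={'yes' if guess == secret else 'no'}")
```

This is why the fix is on the client side and not a protocol redesign: a patched station treats a replayed message 3 as a no-op for an unchanged key, so the packet number keeps climbing and no keystream repeats. It is also why patch coverage per device matters, as the following paragraph about which iPhones and iPads actually received the fix makes clear.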

However, Apple has only made that specific fix available to iPhone 7 and later handsets, and iPad Pro 9.7-inch and later devices.

It was claimed last month that over two-fifths (41%) of Android devices are vulnerable to this kind of attack.

Categories: Cyber Risk News