Info Security


Chinese Bank Forces Firms to Download Backdoored Software

Mon, 06/29/2020 - 09:45

Organizations doing business in China have been warned that official looking software mandated for download by domestic banks may actually contain backdoor malware.

Trustwave explained in a new report that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation.

Although it worked as advertised, the software also contained a powerful backdoor that could not be removed, even if Intelligent Tax was uninstalled.

“It installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, Trojans or other malware),” explained Trustwave VP of cyber-threat detection and response, Brian Hussey.

“Basically, it was a wide-open door into the network with system-level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.”

He admitted that it remains unclear whether the backdoor was added to the software unbeknownst to the local bank, or if the scheme is one that affects a wide range of businesses across China.

Although the current campaign began in April this year, GoldenSpy variants apparently date back to December 2016, a couple of months after Aisino announced a new ‘big data’ partnership with a company called Chenkuo Network Technology.

That same company digitally signs GoldenSpy using text, “certified software version upgrade service,” designed to legitimize the malware.

Neither Chinese firm had replied to Trustwave at the time of writing.

“We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures, as outlined in our technical report,” concluded Hussey.

Categories: Cyber Risk News

Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

Mon, 06/29/2020 - 09:15

An open letter has been sent to UK Prime Minister Boris Johnson, asking for an update to the Computer Misuse Act (CMA) as it marks the 30th anniversary of receiving royal assent.

Coordinated by the CyberUp Campaign, a group of cybersecurity organizations are pushing for an update of the Computer Misuse Act to make it fit for the digital age.

“In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist,” the letter read. “Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”

The letter cited the COVID-19 pandemic, stating that this demonstrates “how reliant modern society is on secure and effective digital technologies.”

It claimed: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”

In the past few years, efforts have been made to bring the CMA up to date. NCC Group has admitted that a lot of the work it does “is hampered by the CMA” and says that, with reform, it wants to make vital threat intelligence work commercially and ethically easier.

The CyberUp Campaign includes NCC Group, alongside representatives from vendors Digital Shadows, McAfee and Trend Micro, industry trade bodies techUK and CREST, and a number of prominent lawyers, academics and researchers in the field of cybersecurity.

In an email to Infosecurity, Robert Schifreen, who was one of the two people initially charged with accessing the Duke of Edinburgh’s personal message box after gaining access to BT’s Prestel interactive viewdata service, agreed that the CMA “could do with a polish.” However, he also said it is basically fit for purpose, “and I don't see much evidence that researchers are being dissuaded from researching in case their possession of pen test tools results in them being prosecuted.”

He added: “If anyone wants to criticize a key element of the fight against cybercrime, attacking Action Fraud would be more useful than attacking the CMA.”

Categories: Cyber Risk News

Online Learning Platform Exposes Data on One Million Students

Mon, 06/29/2020 - 08:45

Over one million North American students have had their data exposed after a popular online learning platform left it in a publicly accessible cloud database, according to vpnMentor.

Researchers from the firm claimed that the Elasticsearch database belonging to provider OneClass was left completely unsecured.

The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.

Although OneClass secured the database just a few days after being notified on May 20 this year, it subsequently claimed that the exposed information was merely test data, according to vpnMentor.

“However, during our investigation, we had used publicly available information to verify a small sample of records in the database,” the researchers continued.

“Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database. Based on this, we doubt the veracity of OneClass’s claim and stand by our assessment.”

It goes without saying that hackers could have used the exposed data to craft highly effective follow-on phishing emails, with a view to obtaining financial details from victims or even spreading malware.

“Furthermore, OneClass users are very young — including minors — and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk,” vpnMentor explained.

“With so many students relying on remote learning due to coronavirus, OneClass could be experiencing a surge in new users. Hackers could quickly create fraudulent emails using the pandemic and related uncertainty as a pretext to contact potential victims, posing as OneClass and asking them to divulge sensitive information.”

That’s not to mention the reputational hit to OneClass itself and a potentially significant regulatory compliance burden. Headquartered in Toronto, the firm provides online education resources to millions of students in North America.

Categories: Cyber Risk News

US Bill Proposes Ban on Feds' Using Facial Recognition Technology

Fri, 06/26/2020 - 15:30

US lawmakers have introduced a bill that proposes banning federal law enforcement agencies from using facial recognition and biometric surveillance technology.

The Facial Recognition and Biometric Technology Moratorium Act of 2020 was introduced yesterday by Senators Ed Markey and Jeff Merkley. 

If passed into law, the wide-sweeping bill would make federal funding for state and local law enforcement agencies contingent on the implementation of similar tech and surveillance bans. 

Markey said the bill would prevent the use of technology that poses a physical threat to minority groups residing in the United States. In the Massachusetts senator's opinion, banning the police from using such tools is the "only responsible thing to do."

“Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country,” Markey said in a statement. 

“As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present."

The bill proposes making it unlawful for any federal official or agency to "acquire, possess, access or use” biometric surveillance technology in the United States. It further prohibits the use of federal cash to procure this type of technology.

Use of this type of surveillance technology is not prohibited entirely under the new bill but would only be allowed if exercised with extreme caution and in adherence to a federal law containing a long list of provisions.

Cynics might conclude that the timing of the bill's introduction, in the wake of protests triggered by George Floyd's death and in an election year, was motivated by political gain. 

The Pinellas County Sheriff’s Office in Florida has been using FACES (Face Analysis Comparison and Examination System) for two decades. And, according to a 2019 report by the United States Government Accountability Office (GAO), the FBI has logged more than 390,000 facial-recognition searches of federal and local databases since 2011.

Various civil liberties and human rights groups including Amnesty International and the American Civil Liberties Union have been campaigning for surveillance technology to be banned for years on the grounds that it infringes upon people's constitutional freedoms and is marred by racial and gender bias.

Categories: Cyber Risk News

Fraudster Jailed for Stealing Millions from US Seniors

Fri, 06/26/2020 - 15:14

A despicable Brit has been jailed after stealing from America's elderly to fund his extravagant millionaire lifestyle. 

Fraudster Gareth David Long was sentenced to 70 months in prison for running an elaborate scheme that claimed more than 375,000 victims during a six-month period in 2013. 

Las Vegas resident Long operated a third-party processing company, V Internet Corp, from 2008 to 2013 that specialized in the creation and deposit of remotely created checks (RCCs). Through his work, the 41-year-old had access to the personal and financial information of hundreds of thousands of consumers whose accounts he was trusted to debit.

After he stopped acting as a third-party payment processor in January 2013, Long used the data he had acquired over the previous five years to charge purchases to his victims' accounts. 

Not content with the data he had acquired legally and then exploited illegally, Long purchased the information of additional consumers in the form of lead lists.

Over the course of his large-scale wire fraud and identity theft scheme, Long deposited more than 750,000 fraudulent RCCs totaling more than $22m. While approximately half of the checks were immediately reversed by victims’ banks, the unscrupulous criminal nevertheless succeeded in stealing approximately $11m.

When victims called to complain about the charges, Long instructed his employees to pass the charges off as payments authorized by the victims in connection with an online payday loan application. Many of the victims were elderly.

Long used the proceeds of his morally derelict scheme to purchase cars, three airplanes, a fire truck, a ranch, and 23 acres of land in Texas and to pay his personal expenses. He also bought construction and farming equipment. 

The US Postal Inspection Service seized more than $2.9m from Long’s company bank accounts. Property that Long purchased with the proceeds of his fraudulent activity, including his cars and planes, was also seized by postal inspectors. 

Long pleaded guilty to wire fraud and aggravated identity theft charges. As part of the sentencing hearing, the court ordered Long to forfeit $11.2m and the ranch and land he purchased in Texas.

Jody Hunt, assistant attorney general for the Justice Department’s Civil Division, said: “The defendant exploited his access to sensitive personal and financial information to steal millions of dollars from victims throughout the United States."

Categories: Cyber Risk News

$200m Spear Phished from Cryptocurrency Exchanges

Fri, 06/26/2020 - 14:46

A newly detected threat group has stolen an estimated minimum of $200m from cryptocurrency exchanges in just two years.

The dastardly deeds of cyber-criminal organization CryptoCore were discovered by security firm ClearSky Cyber Security. Recently published research by the company revealed that the threat group has been active since at least May 2018, primarily targeting victims in the United States and Japan. 

CryptoCore appears to have achieved dizzying heights of financial success despite relying on unsophisticated attack techniques. 

"This group is not extremely technically advanced, yet it seems to be swift, persistent, and effective, nevertheless," wrote researchers. 

"The CryptoCore group is known for having accumulated a sum of approximately 70mil USD from its heists on exchanges. We estimate that the group managed to rake in more than 200mil USD in two years."

CryptoCore almost exclusively targets cryptocurrency exchanges and companies working with them via supply-chain attacks. 

The key goal of the group's heists is to gain access to digital wallets associated with cryptocurrency exchanges, including corporate wallets and wallets belonging to the exchanges' employees. Researchers say that access is gained via spear phishing.

"The group’s key infiltration vector to the exchange is usually through spear phishing against the corporate network," wrote researchers, adding that "the executives’ personal email accounts are the first to be targeted."

The spear phishing is typically carried out by impersonating a high-ranking employee either from the target organization or from another organization with connections to the targeted employee. 

Contained within the spear phishing email is a malicious Bitly link that appears to go to a Google Drive folder but actually sends the victim to a landing page controlled by the threat group.

After gaining an initial foothold, the group accesses the victim’s password manager account and steals their crypto-wallet keys.

ClearSky has been tracking the threat group for two years, observing a fairly constant stream of activity, though attacks did slow in the first half of 2020, with researchers attributing the lull to the COVID-19 pandemic. 

Despite their prolonged tracking of CryptoCore, researchers were unable to conclusively pinpoint the threat group's origin. Researchers would say only that "we assess with medium level of certainty that the threat actor has links to the East European region, Ukraine, Russia or Romania in particular."

Categories: Cyber Risk News

Microsoft: Patch IIS Bug Now to Protect Exchange Servers

Fri, 06/26/2020 - 10:50

Microsoft has warned Exchange customers to patch their servers urgently after reporting a surge in attacks exploiting an Internet Information Service (IIS) vulnerability.

That flaw, CVE-2020-0688, was patched in February, but attackers are still finding victims compromised by such attacks. With access to the targeted server, hackers often deploy a web shell to steal data or perform other malicious actions in the future, explained Hardik Suri of the Microsoft Defender ATP Research Team.

Multiple APT groups were detected exploiting the bug back in March, but a month later 350,000 servers were still unpatched, according to Rapid7.

“If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” Suri added.

“This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”

Following a web shell deployment, attackers may perform reconnaissance, perhaps using EternalBlue to identify vulnerable machines on the network. If the server has been misconfigured, they may have gained privileges that enable them to add a new account for persistence.

Compromised Exchange servers can also enable credential access for some of the “most sensitive users and groups in an organization,” said Suri.

Lateral movement, Exchange Management Shell abuse, remote access and exfiltration typically follow, he added.

Apart from applying the latest security updates, Microsoft recommended Exchange server customers keep anti-virus and other protections on at all times, review highly privileged groups, restrict access and prioritize alerts.

Categories: Cyber Risk News

European Commission: Still Work to Do on GDPR

Fri, 06/26/2020 - 09:30

The GDPR has successfully met its main objectives but work still needs to be done to improve cross-border investigations, increase regulator resources and address fragmented approaches across the EU, according to the European Commission.

The review of the data protection legislation two years on highlights several areas for improvement.

One of the most pressing is the need for harmonization across the region. This is because, although the regulation must be applied across the board, it allows for member states to legislate in some areas and provide specificity in others.

This has led to the “extensive use of facultative specification clauses,” which has made for differences in areas such as the age of children’s consent across different countries, the report claimed.

This could create problems for cross-border business and innovation, especially in tech and cybersecurity innovation, the Commission said.

“A specific challenge for national legislation is the reconciliation of the right to the protection of personal data with freedom of expression and information, and the proper balancing of these rights,” it argued.

“Some national legislations lay down the principle of precedence of freedom of expression, whilst others lay down the precedence of the protection of personal data and exempt the application of data protection rules only in specific situations, such as where a person with public status is concerned.”

Other areas that need continued work include the more efficient handling of cross-border cases and the disparity in “human, financial and technical” resources between many regulators.

This echoes a report issued in April by web browser firm Brave, which claimed that regulators are unable to match the financial might of technology giants like Google and Facebook, which puts them at a distinct disadvantage in investigations.

Only five of Europe’s 28 GDPR regulators have over 10 tech specialists, while half have budgets of under €5m. The UK’s ICO, which is the largest and most expensive watchdog to run, has only 3% of its 680 staff focused on tech issues, the report claimed.

Stewart Room, global head of data protection and cybersecurity at DWF, took issue with the Commission’s claim that GDPR has “successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the EU.”

“A key problem to note is that there is an absence of such evidence on data protection performance levels under the previous legal regime (the 1995 Directive), so, therefore, there isn't a benchmark available to substantiate progress made under the GDPR,” he argued. 

“In contrast, reports of personal data security breaches have not run dry, there are still structural problems in the AdTech environment and with the ceaseless progression of developments in technology, such as facial recognition and AI, there have to be doubts about the ability of the law and the regulatory system to keep up speed.”

Categories: Cyber Risk News

Domestic Abuse Victims Exposed in Cloud Misconfiguration

Fri, 06/26/2020 - 08:30

Thousands of domestic violence victims have had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.

Researchers at vpnMentor led by Noam Rotem and Ran Locar found the voice recordings stored on a publicly accessible AWS S3 bucket.

They were traced back to Aspire News, an application built by US non-profit When Georgia Smiled, which features an emergency help section via which domestic abuse victims can send their distress messages. It’s backed by US TV celebrity and clinical psychologist Dr Phil.

In total, the researchers found around 230MB of data, containing around 4000 voice recordings dating back to September 2017. Fortunately, once contacted, AWS informed the non-profit and the issue was shut down the same day.

However, the data exposed in the voice recordings was highly sensitive, including victims’ full names and home addresses, details of their circumstances and their abusers’ names and personal details.

Domestic violence cases are said to have surged dramatically during lockdown, when abusers are often confined at home with their victims for extended periods.

“Had malicious or criminal hackers accessed these recordings, they could be weaponized against both victims and abusers to pursue blackmail and extortion campaigns,” said vpnMentor.

“The potential devastation caused by such an outcome can’t be overstated, risking the health, emotional wellbeing and safety of all those impacted.”

Cloud configuration errors surged by 80% between 2018 and 2019, according to DivvyCloud by Rapid7.

“This particular instance is a critical reminder of the importance of securing data in the cloud,” said the firm’s co-founder, Chris DeRamus.

“By implementing a proactive and holistic approach to detecting risks and misconfigurations in the cloud in the build process, security lapses can be identified and remediated before data ever has a chance to be exposed.”
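The kind of build-time misconfiguration check DeRamus describes, as an added example that is not part of the original article and not the tooling of vpnMentor, DivvyCloud or When Georgia Smiled: a small policy-as-code audit in Python run over a hand-constructed bucket description. The dict shapes mirror the AWS S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses so the same function could be fed live API output, but every bucket name, ARN, account ID and grant below is a constructed placeholder and nothing talks to AWS. It goes slightly beyond the article by flagging all three ways a bucket ends up readable by everyone: a missing or partial public-access block, a legacy ACL grant to the AllUsers/AuthenticatedUsers groups, and a bucket policy that allows a wildcard principal with no condition.

```python
"""Policy-as-code check for the public S3 bucket exposure pattern.

Constructed example: the bucket descriptions below are hand-written to mirror
the shape of the AWS S3 GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock
responses. Nothing here talks to AWS and no real bucket is referenced.
"""
import json

# Grantee URIs that make an ACL grant world-readable. AuthenticatedUsers means
# *any* AWS account holder, which is effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four flags of an S3 Public Access Block; all should be True.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True if a policy statement's Principal covers everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def find_public_exposure(bucket):
    """Return a list of human-readable findings for one bucket description.

    `bucket` is a dict with keys Name, Acl (GetBucketAcl body), Policy (policy
    JSON string or None) and PublicAccessBlock (the configuration dict or None).
    """
    findings = []
    name = bucket["Name"]

    # 1. Public access block: a missing block or any False flag is a finding.
    pab = bucket.get("PublicAccessBlock") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append(f"{name}: PublicAccessBlock not fully enabled (missing {', '.join(missing)})")

    # 2. Legacy ACL grants to the global groups.
    for grant in bucket.get("Acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")

    # 3. Bucket policy statements that Allow a wildcard principal with no Condition.
    policy_doc = bucket.get("Policy")
    if policy_doc:
        statements = json.loads(policy_doc).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if (stmt.get("Effect") == "Allow"
                    and _principal_is_public(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                findings.append(f"{name}: policy allows {', '.join(actions)} to Principal '*' without a Condition")
    return findings


# Constructed sample: one bucket reproducing the exposure pattern, one hardened.
EXPOSED_BUCKET = {
    "Name": "example-app-recordings",  # constructed name, not a real bucket
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-recordings/*"},
    ]}),
    "PublicAccessBlock": None,  # never configured
}

HARDENED_BUCKET = {
    "Name": "example-app-recordings-hardened",
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    ]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},  # placeholder account/role
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-recordings-hardened/*"},
    ]}),
    "PublicAccessBlock": {k: True for k in PAB_KEYS},
}


def audit(buckets):
    """Run the check over many buckets; returns {name: findings} for exposed buckets only."""
    report = {b["Name"]: find_public_exposure(b) for b in buckets}
    return {n: f for n, f in report.items() if f}


if __name__ == "__main__":
    for bucket_name, issues in audit([EXPOSED_BUCKET, HARDENED_BUCKET]).items():
        print(bucket_name)
        for issue in issues:
            print("  -", issue)
```

Wired into a pipeline, `audit` would be fed the output of the three S3 API calls for every bucket in an account and fail the build on a non-empty result; the check treats an absent public-access block as a finding on purpose, since a bucket left with the service defaults is exactly the state the article describes.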

Categories: Cyber Risk News

Police Seize Alleged Bitcoin Raider's $90m in Assets

Thu, 06/25/2020 - 18:00

Police in New Zealand have seized $90m worth of assets belonging to a man wanted for cybercrimes in France and the United States. 

Alexander Vinnik allegedly masterminded a Bitcoin laundering ring that handled billions of dollars via a digital currency exchange. He is also wanted for some minor crimes in his native Russia.

Digital cash allegedly laundered by the exchange is believed to have included $4bn in funds stolen from the now defunct Tokyo-based bitcoin exchange Mt. Gox in a cyber-heist. 

US authorities assert Vinnik has committed a string of crimes ranging from computer hacking and money laundering to drug trafficking while in control of digital currency exchange BTC-e. 

The 38-year-old alleged criminal has declared himself innocent of all the charges made against him, some of which date as far back as 2011. Vinnik maintains that he was merely a technical consultant to BTC-e and was not employed in an operational capacity. 

The alleged criminal mastermind was admitted to a French hospital earlier this year after staging a hunger strike to protest his innocence. 

Vinnik was arrested in Greece in 2017 on money laundering charges and has since been extradited to France, where he is being held in custody. 

French officials charged Vinnik on counts of extortion, aggravated money laundering, conspiracy, and harming automatic data-processing systems. 

Zoe Konstantopoulou, a member of Vinnik's defense team, said: "Alexander’s crime is to be Russian and a person with extraordinary technological knowledge that could liberate people economically."

The multi-million-dollar seizure of Vinnik's assets—worth NZ$140m—is the largest restraint of funds in New Zealand Police history. 

New Zealand Police Commissioner Andrew Coster said the funds are probably ill-gotten gains pilfered from a slew of victims around the world.

"This restraint demonstrates that New Zealand is not, and will not be, a safe haven for the illicit proceeds generated from crime in other parts of the world," said Coster.

The seizure was a joint effort achieved by close cooperation between the New Zealand Police and the US Internal Revenue Service. New Zealand Police said it has applied to the High Court seeking forfeiture of the funds. 

Categories: Cyber Risk News

HelpSystems Acquires Two Security Software Companies

Thu, 06/25/2020 - 17:00

Minnesota software company HelpSystems has acquired two data classification companies in response to “brisk” demands for its security software. 

The company said that the addition of Canadian company Titus and British firm Boldon James to its security portfolio establishes HelpSystems as “the leading platform in data classification and meets customers’ needs for a comprehensive, powerful suite of data security options.”

From its headquarters in Ottawa, Titus provides solutions that enable businesses to accelerate their adoption of data protection. The company’s products enable organizations to discover, classify, protect, analyze, and share information. 

Titus has millions of users in over 120 countries. Customers of the company include some of the largest financial institutions and manufacturing companies in the world, government and military organizations across the G7 and Australia, and Fortune 2000 companies. 

Boldon James is a 30-year-old company based in the small village of Farnborough, just outside of London. HelpSystems' new acquisition describes itself as an industry specialist in data classification and secure messaging, delivering globally recognized innovation, service excellence, and technology solutions that work.

“Bringing Titus and Boldon James into the HelpSystems family is another step toward our unwavering goal of giving customers the most robust collection of trusted security and automation solutions available, backed by a people-first commitment to long-term customer success,” said Kate Bolseth, CEO, HelpSystems. 

“The talent, success, and market-leading solutions that characterize both Titus and Boldon James enrich and expand our ability to help our customers keep their data safe.”

HelpSystems said that the solutions offered by Titus and Boldon James will work in lockstep with its GoAnywhere Managed File Transfer and Clearswift email and web security solutions to ensure sensitive information is classified properly and secured throughout its life cycle.

"Titus fits well with HelpSystems’ security portfolio, and we are thrilled to expand the range of solutions for our customers,” said Jim Barkdoll, CEO, Titus. 

“We are confident we have found the right place to continue driving our innovation and business forward.”

CEO of Boldon James Martin Sugden added: “Joining these well-known players in the data security space is the ultimate way to offer global organizations the ability to detect and protect their ever-growing troves of sensitive data.”

Categories: Cyber Risk News

350,000 Social Media Influencers and Users at Risk Following Data Breach

Thu, 06/25/2020 - 16:06

Personal data of an estimated 100,000 social media influencers has been accessed and partially leaked following a breach at social media marketing firm Preen.Me, Risk Based Security has discovered. The same breach has also led to more than 250,000 social media users having their information fully exposed on a deep web hacking forum, leaving these individuals at risk of being targeted by scams.

The leak was discovered by Risk Based Security’s data breach research team on June 6 when a known threat actor revealed they had compromised Preen.Me’s systems and were holding the personal information of over 100,000 affiliated influencers under ransom on a popular deep web hacking forum. The actor shared 250 records via PasteBin on the same day, and two days later on June 8, stated their intention to release the other 100,000 records, although this has not yet occurred.

The information includes influencers’ social media links, email addresses, names, phone numbers and home addresses. It was noted that those affected appear to be associated with cosmetic or lifestyle-related content.

Roy Bass, senior dark web analyst, Risk Based Security, commented: “While passwords were not leaked, threat actors can search for compromised passwords from other database leaks and link them to the accounts through email addresses/other personal information, or employ brute force techniques. We observed one threat actor state his intention to do so.

“They [those exposed] are also susceptible to spam and substantial harassment via their leaked contact information, as well as spear-phishing and identity theft scams if enough personally identifiable information is gathered.”

Then on June 14, the same cyber-criminal fully leaked the details of over 250,000 social media users who use Preen.Me’s application, ByteSizedBeauty. This includes their social media links, as well as personal information such as home and email address, date of birth, eye color and skin tone.

Bass added: “Regarding the other social media users, they are vulnerable to the previously mentioned threats with an increased risk for spear-phishing and identity theft scams due to more personal information being leaked.”

Categories: Cyber Risk News

PlayStation Announces Bug Bounty Program

Thu, 06/25/2020 - 14:07

PlayStation has announced that it will pay hackers thousands of dollars to unearth vulnerabilities in its network and entertainment products. 

The gaming titan launched its PlayStation Bug Bounty program yesterday morning in hopes of rooting out flaws and providing players with a more secure user experience. 

The initiative is being run in collaboration with well-known security platform HackerOne.

PlayStation has been running a private Bug Bounty program for some time in partnership with an elite group of researchers. Now, for the first time in the 26-year-old gaming console's history, the public are being invited to report bugs in return for cash.

A PlayStation spokesperson said: "We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network."

The new program recognizes the high levels of skill and resourcefulness needed to be among the ethical hacking netizenry.

"To date, we have been running our bug bounty program privately with some researchers," said PlayStation. "We recognize the valuable role that the research community plays in enhancing security, so we’re excited to announce our program for the broader community."

Under the new program, vulnerabilities will attract different sized monetary rewards depending on their severity and on the quality of the report submitted. 

While hackers are invited to flag flaws in both the PlayStation Network and the PlayStation 4, higher bounties will be awarded for faults found in the latter. Detecting a critical vulnerability impacting PlayStation 4 could earn an ethical hacker an extremely pretty penny. 

"Our bug bounty program has rewards for various issues, including critical issues on PS4," said a PlayStation spokesperson. "Critical vulnerabilities for PS4 have bounties starting at $50,000."

PlayStation did not reveal the maximum amount that could be paid out for a single flaw. 

Explaining which flaws they are most concerned about, PlayStation said: "We are currently interested in reports on the PlayStation 4 system, operating system, accessories and the PlayStation Network."

Domains within the scope include .playstation.net, .sonyentertainmentnetwork.com, api.playstation.com, my.playstation.com, store.playstation.com, social.playstation.com, transact.playstation.com and wallets.api.playstation.com.
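Before spending time on a target, a researcher has to establish that it actually falls within the published scope, and a sloppy suffix check is a common way to get that wrong. The Python below is an added example, not code from PlayStation or HackerOne: it treats the leading-dot entries above as wildcards covering every subdomain (an assumption about the program's notation) and the bare hostnames as exact matches, and it insists on a label boundary so that look-alike domains such as `evil-playstation.net` or `store.playstation.com.attacker.example` are rejected.

```python
"""Match candidate hostnames against a bug bounty scope list.

Wildcard entries (leading dot, e.g. ".playstation.net") cover every subdomain;
bare hostnames (e.g. "api.playstation.com") match that host only.
"""

# Scope list as quoted in the article. Treating the leading-dot entries as
# wildcards is an assumption made for this example.
SCOPE = [
    ".playstation.net",
    ".sonyentertainmentnetwork.com",
    "api.playstation.com",
    "my.playstation.com",
    "store.playstation.com",
    "social.playstation.com",
    "transact.playstation.com",
    "wallets.api.playstation.com",
]


def normalize(host: str) -> str:
    """Lower-case the name, drop a trailing dot and a ":port" suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1 and host.rsplit(":", 1)[1].isdigit():
        host = host.rsplit(":", 1)[0]
    return host


def in_scope(host: str, scope=SCOPE) -> bool:
    """Return True if host is covered by an exact or wildcard scope entry."""
    host = normalize(host)
    for entry in scope:
        entry = entry.lower()
        if entry.startswith("."):
            # Wildcard: the host must end with ".<domain>" so that the match
            # sits on a label boundary. A check such as
            # host.endswith("playstation.net") would also accept
            # "evil-playstation.net"; keeping the dot in the suffix prevents
            # that. The apex ("playstation.net") is deliberately NOT covered.
            if host.endswith(entry) and len(host) > len(entry):
                return True
        elif host == entry:
            # Exact entry: subdomains of it are not in scope.
            return True
    return False


def triage(hosts, scope=SCOPE):
    """Split a list of candidate targets into in-scope and out-of-scope."""
    inside, outside = [], []
    for h in hosts:
        (inside if in_scope(h, scope) else outside).append(normalize(h))
    return inside, outside


if __name__ == "__main__":
    # Constructed candidate list for demonstration.
    candidates = [
        "store.playstation.com:443",
        "auth.api.playstation.net",
        "playstation.net",
        "evil-playstation.net",
        "store.playstation.com.attacker.example",
        "foo.api.playstation.com",
    ]
    ok, bad = triage(candidates)
    print("in scope:    ", ok)
    print("out of scope:", bad)
```

Note that the apex domain of a wildcard entry is left out of scope on purpose; whether a program intends `*.example.com` to include `example.com` varies, so when it matters, ask the program rather than guess.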

Categories: Cyber Risk News

NCSC: One Million Phishing Messages Reported in Two Months

Thu, 06/25/2020 - 13:45

The National Cyber Security Centre (NCSC) has announced that in just two months of its Suspicious Email Reporting Service being launched, it has received one million reports.

According to a statement, the service, which was launched in April as part of the Government’s Cyber Aware campaign, receives a daily average of 16,500 emails.

NCSC chief executive officer Ciaran Martin called the number of reports a “milestone” and said it was “testament to the vigilance of the British public.”

He added: “The kind of scams we’ve blocked could have caused very real harm and I would like to thank everyone who has played their part in helping to make the internet safer for all of us.”

Ed Macnair, CEO of Censornet, said: “Although it is positive to see people being vigilant against spam and phishing attacks, these figures from the NCSC demonstrate the extent of the problem. Cyber-criminals will continue to capitalize on the hysteria surrounding COVID-19 to exploit both organizations and individuals, preying on their curiosity and vulnerability.”

Figures show that 10% of the scams were removed within an hour of an email being reported, and 40% were down within a day of a report. Also, 10,200 malicious URLs linked to 3,485 individual sites have been removed thanks to the one million reports received.

The Suspicious Email Reporting Service was co-developed with the City of London Police. Its commander Karen Baxter said: “Unquestionably, a vast number of frauds will have been prevented, thanks to the public reporting all these phishing attempts. Not only that, but it has allowed for vital intelligence to be collected by police and demonstrates the power of working together when it comes to stopping fraudsters in their tracks.”

Fake cryptocurrency investment lures made up more than half of all the online scams detected as a result of reporting from the public. In these cases, investors are typically promised high returns in exchange for buying currency such as Bitcoin, but scammers masquerade as crypto exchanges or traders to trick people into handing over money by using fake celebrity endorsements and images of luxury items.

According to the FCA, cryptocurrency investment scams have cost the British public around £27m, as victims are encouraged to invest more and more money.

Macnair also warned of the danger of social engineering attacks, and said it is crucial that organizations take it upon themselves to protect employees from these email attacks in the first instance. “Businesses need to use email security that combines algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves against these evolving attacks,” he said.

Categories: Cyber Risk News

IRMS Appoints New Chair with Diversity, Inclusion and Education at Top of Agenda

Thu, 06/25/2020 - 13:00

The Information and Records Management Society (IRMS) – the association for information professionals and students in information governance, records management, data protection and information security – has announced the appointment of Reynold Leming to the position of chair.

Leming, who has worked in the data processing and information governance industry for over 30 years, will focus on initiatives that promote diversity and inclusion, as well as encourage new talent to choose a career in the sector.

Leming will be commissioning a comprehensive survey of diversity within the information and records management profession, including investigating barriers to entry and career progression.

Leming said: “We have an important role in advocacy and must ensure the IRMS is representative, rich in diversity and inclusivity.”

In addition to leading a research program, Leming and the executive team will also focus on engagement with the skills and education sector.

“We will seek to collaborate with schools and colleges to actively promote the teaching of data and information and encourage the next generation to take qualifications and/or vocational pathways that will lead them to a successful career in our sector.”

Categories: Cyber Risk News

33% Surge in Financial Fraud Attempts During #COVID19 Lockdown

Thu, 06/25/2020 - 12:15

Financial fraud attempts rose by 33% in April as the UK entered lockdown due to the COVID-19 pandemic, new analysis from Experian and the National Hunter Fraud Prevention Service has revealed.

Fraudsters targeted a myriad of financial products, including current and savings accounts, as they sought to take advantage of the disruption to both businesses and their customers brought about by the virus outbreak.

Across all financial products, fraud rates increased by a third when compared with previous monthly averages. The largest increase was in fraudulent car and other asset finance applications, which saw a rise of 181%, followed by current accounts (35%) and then saving accounts (28%), according to Experian.

Fraudulent credit card applications (17%) and unsecured loans (10%) also went up, Experian claimed.

However, while the findings highlight an increase in the proportion of fraudulent applications, they also signal that fraud teams have been able to successfully identify and investigate new fraudulent activity since the pandemic began.

Micah Willbrand, managing director of identity and fraud at Experian, said: “The rise in fraud rates across each category is a warning that banks, building societies and other financial providers need to be as alert as ever in identifying fraudulent applications, even in the unique circumstances the country finds itself in.”

It's likely fraudsters have been looking to take advantage of the situation under the belief that the disruption would give them a better chance of success, “but they have been largely disappointed," added Willbrand.

“Fraud teams have had greater capacity to flag and investigate openings that otherwise may have gone unchecked, resulting in incidents of fraud being successfully identified.”

Categories: Cyber Risk News

Medical Devices Among Most Risky to Security

Thu, 06/25/2020 - 11:02

Medical devices, physical access control systems and networking equipment are among the device classes that pose the greatest risk to businesses, according to new research from Forescout.

Using analysis of metrics and data from the Forescout Device Cloud, the company identified points of risk inherent to device type, industry sector and cybersecurity policies. It determined that the riskiest device groups include smart buildings, medical devices, networking equipment and VoIP phones.

The data, drawn from around 11 million devices, ranked connected medical devices as high risk because of their potential impact, both on business continuity and on patient safety. Forescout said that, alongside growing reliance on new technologies and increased connectivity, it was seeing a rise in the number and sophistication of medical device vulnerabilities and of cyber-attacks on hospitals, although those attacks rarely target medical devices directly.

Speaking to Infosecurity, Forescout research manager Daniel De Santos said this is the first time the company has undertaken research at this scale, where a large and detailed data set is available. On medical and healthcare devices specifically, De Santos said there are many device types, some directly connected to patients and some on the diagnostic side, and they are affected in different ways. “It doesn’t matter about the vulnerability as the easiest action is to crash the infusion pump, but whether the vulnerability is critical enough to be able to execute the attacker’s demands,” he said.

This also impacted the medical supply chain, where De Santos said devices are connected to workstations and ultimately to patient databases and prescriptions. “They should not talk to one another and networks should be isolated and segmented so the laptop doesn’t talk to the infusion pump,” he explained.
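One practical way to verify the isolation De Santos describes is to check observed traffic against the segmentation policy rather than trust the diagram. The Python below is an added example, not Forescout's tooling or anything from the article: it defines an assumed zone layout (office workstations, the medical-device network, and an integration server that mediates between them), an allow-list of the zone pairs and ports that should exist, and runs a constructed set of flow records through it, flagging any flow that crosses a zone boundary without being on the allow-list. The addresses, ports and log format are all assumptions made for the example.

```python
"""Flag flows that cross a segmentation boundary they should not cross,
e.g. an office workstation talking directly to an infusion pump."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumed zone layout for this example (not from the article).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "medical":      ipaddress.ip_network("10.50.0.0/24"),   # pumps, monitors
    "integration":  ipaddress.ip_network("10.20.0.0/24"),   # pump server / EHR gateway
}

# Allowed cross-zone conversations as (src zone, dst zone, dst port).
# Anything else between two different zones is treated as a violation;
# traffic within a single zone is not evaluated here.
ALLOW = {
    ("medical", "integration", 443),       # device -> pump server over TLS
    ("integration", "medical", 5000),      # server -> device (assumed vendor port)
    ("workstations", "integration", 443),  # clinicians use the gateway web UI
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'other' (e.g. the internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport,proto' record (assumed export format)."""
    ts, src, dst, dport, proto = line.split(",")
    return Flow(ts, src, dst, int(dport), proto)


def violations(lines):
    """Return (flow, src_zone, dst_zone, severity) for each disallowed flow."""
    found = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz or (sz, dz, f.dport) in ALLOW:
            continue
        # Any unexpected contact with the medical zone is the priority finding;
        # other cross-zone traffic still violates policy but is less urgent.
        severity = "high" if "medical" in (sz, dz) else "medium"
        found.append((f, sz, dz, severity))
    return found


# Constructed sample records; not real traffic.
SAMPLE = """\
# ts,src,dst,dport,proto
2020-06-25T10:00:01,10.50.0.17,10.20.0.5,443,tcp
2020-06-25T10:00:05,10.10.4.21,10.20.0.5,443,tcp
2020-06-25T10:00:09,10.10.4.21,10.50.0.17,80,tcp
2020-06-25T10:00:12,10.20.0.5,10.50.0.17,5000,tcp
2020-06-25T10:00:15,10.50.0.17,8.8.8.8,53,udp
2020-06-25T10:00:20,10.10.4.21,10.10.4.22,445,tcp
"""

if __name__ == "__main__":
    for f, sz, dz, sev in violations(SAMPLE.splitlines()):
        print(f"[{sev}] {f.ts} {f.src} ({sz}) -> {f.dst}:{f.dport}/{f.proto} ({dz})")
```

Run against the sample, the check reports two findings: a workstation reaching a pump on port 80, and a pump resolving DNS against an internet address, which suggests the device has a path out of its segment that the policy never intended.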

Forescout added that, within its data sample, physical access control solutions were the riskiest group, owing to the number of critical open ports they expose, their connectivity to other devices and the presence of known vulnerabilities. In particular, De Santos named badge readers as a surprise, as research showed that a badge reader could be reprogrammed to allow anyone to enter a building, “and it is not the worst thing for an office, but think about airports, hospitals or government buildings, critical buildings.”

De Santos said he expected improvements on this type of data year-on-year, especially as awareness of the issue is growing, and with more improvements in segmentation. “We see signs of improvements and companies are more aware and know what to do and can mitigate risk,” he said.

Categories: Cyber Risk News

Firms Plan Hiring Spree to Bolster Remote Working Security

Thu, 06/25/2020 - 10:30

Around half (48%) of UK businesses have admitted that their cybersecurity policies aren’t fit-for-purpose in the “new normal” of mass remote working, according to Centrify research.

The access management vendor polled 200 senior decision makers in medium and large businesses to better understand their evolving security challenges during the current pandemic.

While many are aware that current policies will need to be updated, they do seem to be taking steps to try and bolster security. Three-quarters (75%) of those polled said they have issued formal guidance or training to staff on secure home working, and half are planning to hire new IT or security staff to enhance security processes.

However, this won’t be easy given current skills shortages, which are estimated at over four million positions globally, including over 290,000 in Europe. Many may have to seek outside help via managed service providers and contracting staff.

On that point, nearly three-fifths (59%) of respondents said they now treat outsourcers and other third parties as an equal cyber-risk as remote working employees, which should help to reduce the threat from the supply chain.

Half of all cyber-attacks revealed by Carbon Black in a report last year involved some form of “island hopping” from a supply chain partner.

According to Centrify, most (65%) decision makers in medium and large firms expect an increase in phishing attacks and attempts to steal sensitive data going forward. This is to be expected, as cyber-criminals look to ramp up attacks against potentially distracted employees and unpatched remote access infrastructure.

Although Microsoft has claimed that the volume of COVID-specific threats remain very small, less than 2% of all threats, it has also warned of sophisticated ransomware attacks on hospitals and other organizations during the crisis.

“Unfortunately, remote workers including third-party contractors have been deemed a desirable target by cyber-criminals, who are assuming that these employees have not been properly trained in, or protected by, the correct security measures in their transition to remote working during the COVID-19 pandemic,” said Centrify VP Andy Heather.

“However, it’s promising to see that so many businesses have adjusted security policies in response to this threat and are still considering bolstering security and IT staff.”

Categories: Cyber Risk News

Zoom Hires Former Salesforce SVP as New CISO

Thu, 06/25/2020 - 09:30

Zoom has made another high-profile hire as it looks to bolster its security credentials, with the recruitment of Salesforce SVP Jason Lee as its new CISO.

Lee was previously SVP of security operations at the SaaS pioneer, where he was responsible for corporate network and system security, incident response, threat intelligence, data protection, vulnerability management, intrusion detection, identity and access management, and the offensive security team.

Prior to that role, Lee spent 15 years at Microsoft, where he rose from a position as senior manager to principal director of security engineering for the Windows Device Group.

“Our customers’ security is extremely important and is at the core of everything we do. We are excited to welcome Jason, who has deep industry experience, understands the complexity of servicing a wide variety of users, and can lead Zoom’s efforts to strengthen the security of our platform during this time of rapid expansion,” said Lee’s new boss, Zoom COO, Aparna Bawa.

The new hire comes on the back of several big-name announcements over recent weeks, as Zoom seeks to recover the initiative after some bad publicity earlier in the year.

In April it announced Luta Security as a new partner to help rebuild its bug bounty program, alongside Johns Hopkins cryptography expert Matthew Green, former Google privacy technology lead Lea Kissner and cybersecurity consultancy NCC Group.

Former Facebook CSO Alex Stamos, who had been vocal on social media about the challenges facing the video conferencing firm, was hired as an advisor.

The firm is nearly at the end of a 90-day security and privacy plan which CEO Eric Yuan instigated after the platform’s massive growth due to COVID-19 seemed to catch it on the back foot. Several critical vulnerabilities were found in the software and there was criticism of its default settings and exposure to “Zoombombing.”

Most recently, the firm backtracked on an earlier decision and committed to offering end-to-end encryption for all users, not just those on its premium service.

Categories: Cyber Risk News

New Indictment Seeks to Tie Assange Closer to Hacking Conspiracy

Thu, 06/25/2020 - 08:40

The US Department of Justice (DoJ) has filed a new indictment against Julian Assange which explains in more detail why the authorities believe he went beyond publishing in the public interest to get hands-on in a hacking conspiracy.

The superseding indictment adds no more counts to the 18-count indictment issued in May 2019, but it seeks to “broaden the scope” of the conspiracy the WikiLeaks founder was previously charged with.

It alleges that in 2010 he “gained unauthorized access” to a NATO member’s government IT system, and that two years later he was in direct communication with a “leader” of hacking collective LulzSec, who was an FBI informant at the time.

The indictment claims that Assange provided a list of hacking targets for LulzSec, asking the leader to look for and provide WikiLeaks with mail, documents, databases and PDFs.

“In another communication, Assange told the LulzSec leader that the most impactful release of hacked materials would be from the CIA, NSA or the New York Times,” the DoJ announcement explained.

“WikiLeaks obtained and published emails from a data breach committed against an American intelligence consulting company by an Anonymous and LulzSec-affiliated hacker. According to that hacker, Assange indirectly asked him to spam that victim company again.”

This is in addition to the original charge that Assange conspired with whistleblower Chelsea Manning to crack a password hash stored on US Department of Defense computers connected to the Secret Internet Protocol Router Network (SIPRNet).

The new superseding indictment appears to be an attempt by the authorities to tie Assange more closely to hacking conspiracies.

The other charges, relating to the publication of hundreds of thousands of secret diplomatic cables and other documents about US wars in Afghanistan and Iraq, have been heavily criticized. Observers claim they were done in the public interest and should be protected by the First Amendment.

Assange is currently in custody in the UK awaiting the outcome of an extradition request from Washington.

Categories: Cyber Risk News
