Info Security


US Investigators Identify Russian State DNC Hackers

Fri, 11/03/2017 - 10:44

More than six Russian government officials have been identified by US investigators as involved in the hacking of Democratic National Committee (DNC) computers in a now notorious case which some believe swayed the US presidential election last year.

The Department of Justice prosecutors are now preparing an indictment case to be filed next year, according to the WSJ.

While the US intelligence community has already assessed that the Kremlin "ordered an influence campaign in 2016 aimed at the US presidential election", it has not been clear who exactly was behind the cyber-attacks which swiped a trove of politically sensitive emails, to be leaked later through WikiLeaks.

The leaks were seen as hugely damaging to the Hillary Clinton campaign; in fact, the former secretary of state has in the past blamed “Russian WikiLeaks” for her election loss.

An indictment would have little to no chance of leading to the arrest and extradition of those believed to have carried out the DNC hacks — although it would step up the pressure on the Trump administration to acknowledge the role the Russian state played in his election win.

A separate investigation led by special counsel Robert Mueller has already issued its first charges to members of the Trump campaign, as it looks to unravel possible collusion with Russia during the race for the White House.

Despite Trump tweeting this week “It's all a big Dem HOAX!”, former campaign manager Paul Manafort and his associate Richard Gates have both been charged with money laundering and tax avoidance.

In addition, former Trump foreign policy adviser George Papadopoulos has pleaded guilty to lying to FBI agents about meeting with Russian intermediaries. It's believed he has been helping investigators in return for leniency, which could spell bad news for other members of the campaign team if there has been any wrongdoing.

There are also reports that attorney general Jeff Sessions may have perjured himself by claiming not to have knowledge of any attempts to collude with Russian officials. According to unsealed documents, Sessions and Trump were at a meeting in which Papadopoulos stated “in sum and substance, that he had connections that could help arrange a meeting between then-candidate Trump and President Putin.”

Categories: Cyber Risk News

Cybersecurity Pros Can’t Keep Pace with Threat Landscape

Fri, 11/03/2017 - 10:08

Most (54%) cybersecurity professionals believe the threat landscape is evolving faster than they can respond, with a lack of preparation and strategic thinking endemic, according to RedSeal.

The network resilience vendor polled 600 IT and security decision makers in the UK and US to compile its RedSeal Resilience Report 2017.

It revealed that most respondents feel they are under-resourced (54%), can’t react quickly enough when an incident strikes (55%) and can’t access insight to prioritize incident response (79%).

Just 20% said they’re extremely confident their organization will be able to function as normal in the event of a breach or attack.

What’s more, there seems to be a dangerous disconnect between perceived strengths and reality.

Some 40% of respondents claimed 'detection' is their strongest capability, stating it takes an average of just six hours to spot an incident.

However, this flies in the face of many other industry reports, compiled by the likes of Mandiant (99 days) and Trustwave (49 days).

RedSeal also claimed that only a quarter of respondents test their cybersecurity incident response annually, with many saying it’s too resource intensive (29%), outside their budget (27%) or takes too long (26%).

“Their data networks are dynamic. This dynamic nature creates a risk,” RedSeal CEO Ray Rothrock told Infosecurity.

“Given that they report in our research that they last created a map of their entire network on average nine months ago, there’s no way to know precisely if their most valuable assets are accessible to bad actors at the present time. The lag in knowing what the network looks like and where data lives is a crucial factor in being ready for the inevitable.”

The report also revealed that compliance rather than strategy is driving IT security planning for the vast majority (97%) of organizations.

“On the cyber front, digital resilience — the ability to contain the bad guys when they’re inside your network, and protect high value assets like customer data and content from exfiltration — will protect your networks and your vital financial assets,” concluded Rothrock. 

“So, it’s important to know your network inside out. Know what is important to your business and your customers, where it is, and make sure it’s secure. Operational resilience means not only being ready, but having a plan and procedures and then rehearsing that action plan.” 


50K Australians Exposed in Server Misconfig Snafu

Thu, 11/02/2017 - 19:42

Personal details of almost 50,000 Australian employees have been compromised in the country’s largest data breach since the Red Cross leaks.

Reports state that up to 48,270 personal records from employees working in government agencies, banks and a utility have been exposed online by a third-party contractor thanks to a misconfigured Amazon S3 bucket. The exposed files include full names, passwords, IDs, phone numbers and email addresses, as well as some credit card numbers and details on staff salaries and expenses; however, iTnews reported that most of the credit card numbers were out of date or cancelled.

Insurance company AMP was hit the worst, with 25,000 staff records relating to internal expenses exposed, while Aussie utility UGL had 17,000 records exposed. About 3,000 employees at the Department of Finance, 1,470 at the Australian Electoral Commission and 300 at the National Disability Insurance Agency had their details openly accessible, and 1,500 employees at Rabobank were affected.

“Once the Australian Cyber Security Centre became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the Department of Prime Minister and Cabinet told iTnews. “Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”

Cloud server misconfigurations are increasingly common, leading to data breach after data breach. One of the worst occurred in June when US defense contractor Booz Allen Hamilton left more than 60,000 US Department of Defense files publicly exposed in an Amazon S3 repository.

"Cloud computing is an increasingly popular way for centralizing storage and data access and often provides a cheaper more elastic and secure platform for enterprises to harness; however, their configuration can often be more than simple,” said Ian Ashworth, security consultant at Synopsys, via email. “Being internet-connected and widely accessible should dictate a greater level of diligence in their setup and tailoring to ensure they appropriately manage accessibility and control. Authentication and correct levels of authorization are two such essential measures for granting user access to the most sensitive of data or services. When especially dealing with PII and payment details, additional storage protection measures should be employed providing an overall layered security architecture."


Just 35% of Corporate Attorneys Feel Prepared for a Data Breach

Thu, 11/02/2017 - 19:29

Only about a third (35%) of top corporate attorneys feel their organizations are prepared for a data breach.

That’s according to a survey from Grant Thornton LLP, which also found that 59% are very concerned about data security issues—an appropriate feeling, given the ongoing legal and organizational fallout that follows in the wake of exposure incidents. 

The 2017 Corporate General Counsel Survey, which included feedback from more than 190 corporate general counsel, also found that more than half (58%) of legal departments are highly involved in responding to organization-wide data security risks, and nearly a quarter (23%) of legal departments have a primary responsibility for cybersecurity issues.

“Proactively managing cyber threats is becoming more important each year, as businesses are estimated to lose $3 trillion to cybercrime by 2020—a figure which has tripled from $1 trillion in 2016,” said Vishal Chawla, national managing principal of Risk Advisory Services for Grant Thornton. “It’s an issue that is clearly keeping corporate attorneys up at night.”

Survey respondents cited a number of barriers to cyber-risk readiness. Most notably, more than a quarter (28%) named overburdened IT security teams as a factor, while 17% pointed to a lack of crisis management and incident response skills.

Still, most corporate attorneys report that their organizations are going on the offensive: Nearly seven in 10 report that their organizations have increased spending to improve cybersecurity.

The vast majority of organizations are adding data security policies (72%) or augmenting existing ones (62%), while 59% are implementing monitoring programs. Additionally, 47% are turning to outside advisors.

“Keeping up with the latest cyber threats is a real challenge,” added Erik Lioy, national managing partner of Grant Thornton’s Forensic Advisory Services. “Skills that are required today may or may not be sufficient tomorrow.”

He added, “The agile enterprise will be better equipped at all levels of the organization to turn risk into a competitive advantage.”

The firm also recommends that businesses move from thinking about risk in terms of management and compliance to thinking about it in terms of holistic solutions. According to Chawla: “A holistic approach aligns leadership and defines an organization’s cybersecurity operational risks—as well as its cyber risk appetite and management plan.”


IoT Security Concerns Loom Even as Adoption Continues

Thu, 11/02/2017 - 19:22

Most consumers (90%) lack confidence in the security of internet of things (IoT) devices. Yet more than half own one or more IoT devices.

According to a survey by Gemalto, the main fear of consumers (cited by two-thirds of respondents) is hackers taking control of their device. In fact, this was more of a concern than their data being leaked (60%) or hackers accessing their personal information (54%).

However, despite 54% of consumers owning an IoT device (on average two), just 14% believe that they are extremely knowledgeable when it comes to the security of these devices.

Meanwhile, businesses are realizing that they need support in understanding IoT technology and are turning to partners to help, with cloud service providers (52%) and IoT service providers (50%) the favored options. When asked why, the top reason was a lack of expertise and skills (47%), followed by help in facilitating and speeding up their IoT deployment (46%).

"It's clear that both consumers and businesses have serious concerns around IoT security and little confidence that IoT service providers and device manufacturers will be able to protect IoT devices and more importantly the integrity of the data created, stored and transmitted by these devices," said Jason Hart, CTO, Data Protection at Gemalto. "With legislation like GDPR showing that governments are beginning to recognize the threats and long-lasting damage cyber-attacks can have on everyday lives, they now need to step up when it comes to IoT security. Until there is confidence in IoT amongst businesses and consumers, it won't see mainstream adoption."

The survey also found that IoT device manufacturers and service providers spend just 11% of their total IoT budget on securing their IoT devices. When it comes to protecting devices and the data they generate or transfer, just half (50%) of IoT companies have adopted a security-by-design approach.

According to the survey, businesses are in favor of regulations to make it clear who is responsible for securing IoT devices and data at each stage of its journey (61%) and the implications of non-compliance (55%). In fact, almost every organization (96%) and consumer (90%) is looking for government-enforced IoT security regulation.

"The lack of knowledge among both the business and consumer worlds is quite worrying and it's leading to gaps in the IoT ecosystem that hackers will exploit," Hart continued. "Within this ecosystem, there are four groups involved—consumers, manufacturers, cloud service providers and third parties—all of which have a responsibility to protect the data. 'Security by design' is the most effective approach to mitigate against a breach. Furthermore, IoT devices are a portal to the wider network and failing to protect them is like leaving your door wide open for hackers to walk in. Until both sides increase their knowledge of how to protect themselves and adopt industry standard approaches, IoT will continue to be a treasure trove of opportunity for hackers."


Quarter of Firms Allow Password-Only BYOD Security

Thu, 11/02/2017 - 12:03

Over a quarter (28%) of organizations rely solely on user-generated passwords to secure BYOD, potentially exposing countless endpoints to credential guessing, cracking and theft, according to Bitglass.

The cloud access security broker polled over 200 IT and security professionals at the recent Gartner Symposium/ITxpo conference in Orlando.

It correctly pointed out that password-based authentication systems have been responsible for several major data breaches of late, including Deloitte and Zomato.

For those that do enforce usage of multi-factor authentication (MFA) on employee handsets used at work, third-party applications (42%) and SMS tokens (34%) are the most popular flavors.

However, there’s still some resistance to using biometrics: 61% said they have reservations about Apple’s new Face ID system.

That contradicts a recent study by MFA vendor Secret Double Octopus, which found that 81% of employees in medium and large companies perceive Face ID as trustworthy, and 91% think it will be easy to use.

That said, there have been reports that Apple has allowed suppliers to reduce the accuracy of Face ID to speed up iPhone X production.

Top concerns among Bitglass respondents include the accuracy of face detection (40%), prevention of unauthorized access (30%) and speed of face detection (24%).

When it came to BYOD, the top 2018 security priorities for the IT and security leaders polled were external sharing (44.5%), malware protection (40%) and unmanaged device access (39.5%).

“Enterprises often misjudge the effectiveness of traditional security solutions, many of which are readily bypassed,” said Rich Campagna, CEO of Bitglass. “The BYOD boom exposes organizations to risks that can only be mitigated with data-centric solutions that secure access.”

A poll of over 400 IT professionals earlier this year by Dtex found that BYOD was blamed for a rise in potential insider threats.

Nearly half (48%) said detecting and mitigating insider threats is one of the top two challenges facing IT security teams today, with 51% claiming the threat grew last year.


Silence Please: New Carbanak-Like Group Attacks Banks

Thu, 11/02/2017 - 09:30

Researchers have uncovered a new advanced threat group which has targeted at least 10 financial institutions globally using tools and techniques similar to the notorious Carbanak group.

The group, dubbed “Silence” by Kaspersky Lab, begins its attacks via classic spear-phishing attempts, made more likely to succeed because it has already compromised the target company to hijack a real internal email account.

The phishing email then requests that an account be opened with the bank.

However, the email's attachment is a Microsoft Compiled HTML Help file that has been crafted to run malicious JavaScript once opened.

This will download and execute an obfuscated .VBS script which downloads and executes the final dropper: a win32 executable binary file which communicates with the C&C server, sends the ID of the infected machine and downloads and executes malicious payloads.

These payloads are designed to monitor everything the victim does — via screenshots and even a “real-time pseudo-video stream” — in order to build up a picture of their daily activity.

This activity is apparently similar to that of the Carbanak gang — first discovered by Kaspersky Lab in 2015 — which is estimated to have stolen in the region of $1bn from banks and individuals worldwide.

So far, the Silence group’s victims are mostly Russian banks, but researchers also found infected organizations in Malaysia and Armenia. Kaspersky Lab said that language artifacts discovered in the process of the investigation lead it to believe the hackers are Russian-speakers.

“The Silence Trojan is a fresh example of cyber-criminals shifting from attacks on users to direct attacks on banks. We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” said security expert, Sergey Lozhkin.

“The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”

The vendor urged organizations to invest in advanced threat detection systems, conduct regular pen testing and application assessments to minimize their attack surface, and configure email systems to scan for malicious attachments and phishy characteristics.


Internet Monitoring Platform Put Families at Risk

Thu, 11/02/2017 - 08:59

Researchers have discovered a number of vulnerabilities in popular internet monitoring platform for parents, Circle with Disney, potentially exposing countless families to malware and covert surveillance.

Cisco’s Talos Intelligence team revealed 22 flaws in the product, which pairs wirelessly with the home Wi-Fi network to manage every device including smartphones, tablets, PCs and smart TVs. The idea is that parents can monitor and control what their children access by creating user profiles via the Android/iOS app interface.

Cisco Talos said the following:

“Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”

The bugs include CVE-2017-2898, which allows specially crafted network packets to cause unsigned firmware to be installed on the device, resulting in arbitrary code execution.   

Another, CVE-2017-2911, means that certificates for specific domain names can cause the product to accept a different certificate than intended, while CVE-2017-2864 can cause a valid authentication token to be returned to the attacker — resulting in authentication bypass.

Despite the long list of vulnerabilities, Cisco Talos was quick to acknowledge the vendor’s willingness to resolve the issues.

“The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication,” it said. “Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.”

Cesare Garlati, chief security strategist of the non-profit prpl Foundation, argued the case is another example of why the IoT is broken from a security perspective.

“This simple reason alone should also be a warning to globally recognized companies who wish to distribute or manufacture such devices with a ‘sales-first’ mentality,” he added. “These companies need to take a step back, look at more secure alternatives such as using open source, and work security from the ground up into their products. It’s high time for security to stop being an afterthought.”


North Korea Accused of Stealing Warship Blueprints from the South

Wed, 11/01/2017 - 19:51

North Korea has likely hacked Daewoo Shipbuilding, taking a significant number of warship blueprints, according to South Korean opposition lawmaker Kyung Dae-soo.

Kyung told Reuters that he was "almost 100% certain that North Korean hackers were behind the hacking,” adding that the classified military documents that were taken include blueprints for an Aegis-class vessel and submarines.

He said that South Korea's Ministry of Defence uncovered the incident, but that he wasn’t briefed on the attack vector. However, he revealed that the cybercrime division did say that the heist has the North’s digital fingerprints all over it, being carried out using a tried-and-true method known to be used by the country.

Meanwhile, Daewoo Shipbuilding said that it is in the process of confirming the hack.

North Korea has been busy of late when it comes to government targets. In October, reports surfaced that the DPRK had plans to hack the American power grid in a spear phishing gambit. Emails containing fake invitations to a fundraiser delivered malware in the form of attachments—however, the attack was ultimately unsuccessful and no disruptions were logged.

Also in October, a South Korean lawmaker said that North Korean hackers stole a large cache of military documents from South Korea in September last year, including a plan to assassinate Kim Jong-un, wartime contingency plans developed with the US, plans for the South's special forces and information on significant power plants and military facilities.

Meanwhile, British authorities said last week that North Korea was responsible for the devastating WannaCry ransomware attack that hit hundreds of thousands of victims in May, including over a third of NHS trusts in England.


Hilton Told to Pay Up After Mishandling Data Breaches

Wed, 11/01/2017 - 19:41

Hilton Hotels has been hit with a $700,000 fine in the United States, in the wake of two separate credit card data breaches.

The point-of-sale attacks, which were discovered by the hotel giant in 2014 and 2015, saw more than 363,000 payment cards impacted—but according to state investigators in the US, customer notifications weren’t sent until November 2015, more than nine months after the first breach and more than three months after the second.

In the first instance, the PoS malware had been detected as being active between November 18 and December 5, 2014, during which time hackers may have accessed cardholder names, payment card numbers, security codes and expiration dates. In the second incident, the same type of PoS code was active between April 21 and July 27, 2015, when an intrusion detection system alerted Hilton that malware was communicating with a C&C server.

When the hotelier finally admitted that the incidents occurred, it was two months after independent security researcher Brian Krebs reported that hackers may have compromised registers in gift shops and restaurants at a “large number” of Hilton properties.

Because of the notification gap—during which time hackers could be making fraudulent purchases unbeknownst to victims—and an array of inadequate security measures, the penalty has been imposed. The monies will be split between the states of New York and Vermont.

As part of the settlement, Hilton committed to disclosing any future breaches in a more timely manner, and said that it would beef up its ongoing security and intrusion detection efforts.  

"Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems," the company said in a statement.

The Hilton portfolio covers over 4,000 properties in more than 90 countries worldwide including Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, Curio - A Collection by Hilton, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Hampton by Hilton, Homewood Suites by Hilton, Home2 Suites by Hilton and Hilton Grand Vacations.


The Devil Targets Japan with Bad Rabbit-like Wiper-Ransomware

Wed, 11/01/2017 - 19:03

A new family of ransomware, dubbed ONI, has been discovered being used as a wiper to cover up an elaborate hacking operation in targeted attacks against Japanese companies.

The name ONI can mean “devil” in Japanese, and it also appears in the email address found in its ransom note. Attacks observed by Cybereason suggest that the malware lives up to its name. To date, they have generally lasted between three and nine months, and all ended with an attempt to encrypt hundreds of machines at once. Aside from encrypting files on the infected machines, ONI can encrypt files on removable media and network drives—and there’s evidence that the true purpose of the attack is to exfiltrate and destroy data.

Cybereason said that the attacks started with spear-phishing emails carrying weaponized Office documents, which ultimately dropped the Ammyy Admin RAT. Using the Ammyy Admin RAT and other hacking tools, the attackers then mapped out the internal networks, harvested credentials and moved laterally, ultimately compromising critical assets, including the domain controller (DC), to gain full control over the network. From there the ONI ransomware was deployed to encrypt a large array of files, while the bootkit MBR-ONI was used on critical assets such as an AD server and file servers, and likely used as a wiper to conceal the operation’s true motive.

The MBR-ONI bootkit has technological ties to the recently discovered Bad Rabbit ransomware.

“During our investigation, Cybereason discovered a new bootkit ransomware dubbed MBR-ONI used by the same threat actor in conjunction with ONI,” said Assaf Dahan, a security researcher with Cybereason, in an analysis. “This bootkit ransomware is based on DiskCryptor, a legitimate disk encryption utility, the very same tool whose code was found in the recently discovered Bad Rabbit ransomware.”

But classifying ONI and MBR-ONI merely as ransomware leaves some open questions regarding the observed attacks.

“It is very unlikely that an attacker would not be interested in distinguishing between infected machines,” Dahan said. “That also supports our suspicion that there was never an intention to recover the encrypted disk partitions.”

Also, why spend three to nine months in the environment without a sure monetization plan?

“From a cost-effectiveness perspective, there is no guarantee the attacker will be rewarded with a ransom payment at the end of this long operation, despite sustaining an active operation and risking detection,” said Dahan. “We do not dismiss the possibility that financial gain was the motive behind these attacks. However, given the nature of the attacks and the profile of the targeted companies, other motives should not be dismissed lightly.”

While the ONI attacks are specific to Japan, Cybereason also believes they point to a concerning global trend.

“Using ransomware in targeted hacking operations is still quite uncommon compared to the popularity of ransomware in the overall cyber threat landscape,” said Dahan. “In recent years, though, there have been increased reports about ransomware and wipers used in targeted attacks carried out by cyber-criminals and nation-states [including Bad Rabbit].”

The three- to nine-month infection window does point out the need for secondary defenses, according to Stephan Chenette, founder and CEO, AttackIQ.

"In the latest case of ONI ransomware, attackers waited a month after compromising these machines to activate the ransomware that had been installed. Defenders had more than enough time to detect and respond to the infection, which would’ve minimized or nulled any impact. To avoid mass system compromises, organizations need to have secondary detection and response controls in place after their prevention controls. They should continuously test their entire defensive security prevention and detection stack to verify each control is working effectively against the latest techniques, tactics and procedures. Anything else is pure negligence."


Facebook Claims Kremlin-Linked Content Seen by 126 Million

Wed, 11/01/2017 - 11:11

Facebook, Twitter and Google all agreed with US intelligence reports yesterday that their platforms had been used by Kremlin agents to spread misinformation and propaganda in a bid to influence the 2016 presidential election.

According to testimony at a Senate hearing seen by Infosecurity, Facebook general counsel, Colin Stretch, went into particular detail.

He admitted that 29 million Facebook users were served ads and promoted content directly from the 80,000 posts over a two-year period connected with the infamous Russian propaganda organ the Internet Research Agency (IRA).

However, thanks to viral sharing and promotion of content, the real number may be closer to 126 million users. That’s a far cry from the 10 million users the social network originally claimed saw the ads.

Although this equals 0.004% of content in News Feed, or one out of 23,000 pieces of content, it’s still a large number of people: more than a third of the US population, for example.

These ads are said to have been focused on “divisive social and political messages from across the ideological spectrum touching on topics from LGBT matters to race issues to immigration to gun rights.”

Twitter’s acting general counsel, Sean Edgett, claimed 2752 accounts were linked to the IRA, much more than the 201 originally found.

He added that 36,746 automated accounts were identified as Russian-linked and tweeting election-related content 1.4 million times, 0.74% of overall election-related posts on Twitter at the time.

Google got away pretty lightly, having found just two Russia-linked accounts on its ads network and a little over 1000 YouTube videos with political content, most with pretty low viewing figures.

Interestingly, Facebook also claimed it identified activity from a handful of accounts it assessed as belonging to infamous Kremlin hacking group APT28 (Fancy Bear).

“This activity, which was aimed at employees of major US political parties, fell into the normal categories of offensive cyber activities we monitor for. We warned the targets who were at highest risk, and were later in contact with law enforcement authorities about this activity,” Stretch testified.

“Later in the summer we also started to see a new kind of behavior from APT28-related accounts — namely, the creation of fake personas that were then used to seed stolen information to journalists. These fake personas were organized under the banner of an organization that called itself DC Leaks. This activity violated our policies, and we removed the DC Leaks accounts.”

Categories: Cyber Risk News

Bipartisan SAVE Act Aims to Protect US Elections

Wed, 11/01/2017 - 10:21

US senators have released bipartisan legislation designed to protect the US election system and specifically voting infrastructure from foreign interference.

Republican Susan Collins and Democrat Martin Heinrich, members of the Senate Select Committee on Intelligence, argue that the Securing America's Voting Equipment (SAVE) Act will help protect voting systems, registration data and ballots from “theft, manipulation, and malicious computer hackers.”

The legislation would designate state election systems as critical infrastructure, meaning the Department of Homeland Security (DHS) would be required to work with states to establish risk mitigation measures and a federal grant would help states upgrade equipment.

The Act would also require the Director of National Intelligence (DNI) to sponsor security clearances for federal election bosses in each state, usually the secretaries of state, and then share any relevant classified info with them regarding threats to their infrastructure.

Under the new proposals the comptroller general would be required to audit elections. A “Cooperative Hack the Election” program is also mooted to root out vulnerabilities in systems.

"Our democracy hinges on protecting Americans' ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections," said Heinrich in a statement.

"The SAVE Act would ensure states are better equipped to develop solutions and respond to threats posed to election systems. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation's democratic institutions will remain vulnerable."  

US intelligence has concluded that Russian hackers probed state election voting centers and state-level voter registration databases as part of wider efforts to undermine the democratic process and swing the election in favor of incumbent Donald Trump.

However, these efforts at least are not thought to have had any effect on the election outcome.

Potentially far more serious were the propaganda moves on social media and the hacking and dissemination of damaging Democratic Party emails via Wikileaks, which Hillary Clinton has blamed in part for her loss.

Categories: Cyber Risk News

Malaysian Data Breach Could Affect Entire Population

Wed, 11/01/2017 - 09:57

Malaysia has suffered its biggest ever data breach after the personal details of over 46 million mobile subscribers were found being traded on the dark web.

That figure represents more than the 31 million population of the country, and could include foreigners living there.

The targeted telcos include: Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.

The breached data includes customer names, billing addresses, mobile numbers, SIM card numbers, IMSI numbers, handset models and ID card numbers, according to the site that first broke the news.

However, the breach gets even worse, with data from employment site Jobstreet and several government websites also discovered. These are: the Malaysian Medical Council, the Malaysian Medical Association, the Academy of Medicine Malaysia, the Malaysian Housing Loan Applications, the Malaysian Dental Association and the National Specialist Register of Malaysia. The same site claimed the Jobstreet data featured records on as many as 17 million customers, including names, login names, hashed passwords, email IDs, nationality, address and phone number.

Over 20,000 records were stolen from the Malaysian Medical Association while 62,000 were taken from the Malaysian Medical Council which registers all doctors in the country. The data included ID card numbers, addresses and mobile numbers.

Malaysian communications and media agency MCMC said it was investigating the incident and confirmed that 42.6 million people were affected.

According to local reports, officials have already met with the affected telcos, although the source of the breached data has yet to be disclosed.

Some of the data dates back as far as 2012 but it’s unclear when the breach took place.

ESET security specialist, Mark James, argued that the data could make follow-on phishing attempts highly successful.

“The user can immediately relate to the data and would in most cases follow any instructions that may be within an email, or even through a personal phone call, because in most cases we have no control over what is stored about us online, we have no choice but to comply,” he added.

“If we want the benefits of connected services and the ability for medical organizations to have all the info at hand in case of emergency, in most cases they have to have our most private details."

Categories: Cyber Risk News

Apple FaceID Confidence Runs High

Tue, 10/31/2017 - 18:50

Apple’s latest biometrics push, facial recognition for iPhone, is seen by most to be a trustworthy authentication mechanism, despite it not yet being released into the market.

The results of a survey conducted by Secret Double Octopus, found that among 522 employees of medium and large enterprises, 81% of respondents perceive FaceID as trustworthy, and 91% think it will be easy to use.

The survey, which focused on preferred authentication methods and password usage, found that 73% of employees surveyed said they prefer FaceID to passwords if given the choice, with 70% categorizing FaceID as ‘extremely or very trustworthy’—results from a technology they have never actually used.

Apple’s TouchID, deployed on iPhone 6 and iPhone 7, is the leading alternative to passwords, with respondents ranking it first in all three survey parameters: ease of use, trust and preference.

“We initiated this survey because we wanted to look past the hype to really understand what people think about the authentication methods they are required to navigate daily—anything from passwords, tokens and SMS to TouchID,” said Raz Rafaeli, CEO of Secret Double Octopus. “We also wanted to know what people are expecting from new authentication alternatives, specifically FaceID. The results demonstrate the need for organizations to seriously consider the impact FaceID will have on their security environment and explore how they can leverage the technology both as a second-factor authentication measure, as well as a way to replace passwords altogether, because that is where we are headed.”

The survey also revealed ongoing concerns around password use. Even though 91% of companies have a policy for password strength (longer passwords and frequent replacements, for example), the survey found that many employees are not adhering to even the most basic of protections, and are exposing themselves and their organizations to increased chances of malicious activity. About a quarter (23%) of employees surveyed say they rely on paper notes to remember their passwords. Further, 14% have shared their work passwords with colleagues or other people; 21% of employees use work-related passwords for non-work-related online services; and 5% of employees admit they have entered their work-related passwords into fraudulent forms or web pages.

The results are interesting given the results from a survey of the hacking community, which found that facial recognition was rated as the worst tool for authentication by a fifth of respondents—six times more often than fingerprint authentication.

Categories: Cyber Risk News

Only a Third of US Office Workers Know What Ransomware Is

Tue, 10/31/2017 - 18:34

The threat of ransomware is growing exponentially, yet only a third of US office workers know what it is.

Intermedia’s latest 2017 Data Vulnerability Report, which surveyed 1,000 US knowledge workers, found that even with the increased publicity and impact of global ransomware attacks like WannaCry and Petya, and emerging strains such as BadRabbit, awareness still lags behind. This is not for lack of effort among companies though, with 70% of office workers saying their organization regularly communicates about cyber threats and nearly one-third (30%) saying their organization specifically highlighted the WannaCry ransomware attack as an example.

The stakes are significant: The study shows that the average amount paid in ransom among office workers now stands at approximately $1,400.

Interestingly, the report found that employees shoulder costs of ransomware payments more often than employers: Of the office workers that have fallen victim to a ransomware attack at work, the majority (59%) paid the ransom personally, and 37% said their employers paid. About 68% of impacted owners and executive management said they personally paid a work-related ransom.

Also, more than 73% of impacted Millennial workers, often viewed as the most computer-savvy group of employees, report paying.

“Our latest report shows that, even in the face of increasing attacks, there are large gaps in overall awareness of how to handle a ransomware strike,” said Jonathan Levine, CTO at Intermedia. “Employees are willing to go to great lengths to try to get data back, including paying ransoms out of their own pockets, even though 19% of the time the data isn’t released even after the ransom is paid.”

SMBs are particularly vulnerable to ransomware attacks, the study uncovered.

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat,” Levine continued. “This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must, afford. And hackers realize this.”

Categories: Cyber Risk News

CryptoShuffler Trojan Sucks Cash from Wide Range of Crypto-Wallets

Tue, 10/31/2017 - 18:29

The CryptoShuffler Trojan is siphoning funds from cryptocurrency wallets, targeting a wide range of the most popular cryptocurrencies, including Bitcoin, Ethereum, Zcash, Dash, Monero and others.

Uncovered by Kaspersky Lab, the bad code steals cryptocurrencies from a wallet by replacing the user’s legitimate address with its own in the device’s clipboard. To date, criminals have already succeeded in lucratively attacking Bitcoin wallets, stealing the equivalent of almost $140,000. The total amounts stolen from other wallets range from a few dollars to several thousand.

“Clipboard hijacking attacks like this have been previously seen in the wild, targeting online payment systems; however, experts believe cases involving a cryptocurrency host address are currently rare,” researchers said.

CryptoShuffler’s mechanism is simple yet effective, capitalizing on the common transaction process used by most cryptocurrency users: they copy a recipient’s wallet ID and paste it into the “destination address” line in the software they are using to make their transaction. The trojan simply monitors the infected device’s clipboard and replaces the user's wallet address with one owned by the malware creator. Therefore, when the user pastes the wallet ID into the destination address line, it is no longer the address they originally intended to send money to, and as a result the victim transfers their money directly to criminals.

“CryptoShuffler’s ability to replace a destination literally takes milliseconds because it’s so simple to search for wallet addresses—the majority of cryptocurrency wallet addresses have the same beginning and certain number of characters,” Kaspersky said. “Therefore, intruders can easily create regular codes to replace them.”

To keep crypto savings safe, users should pay close attention during transactions, and always check the wallet number listed in the destination address line against the one they are intending to send coins to. Users should also be aware that there is a difference between an invalid address and an incorrect address: In the first case, the error will be detected and the transaction won't be completed; in the latter, there’s no alert.
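The distinction drawn above between an invalid and an incorrect address is what makes clipboard substitution dangerous, and the following added example (not Kaspersky's code or anything from the original article) makes it concrete in Python. It decodes a Bitcoin-style base58check address and verifies its checksum, then classifies what lands in the destination field: a mistyped address fails the checksum and the wallet refuses it, while a valid address that simply is not the one the user copied passes every check the wallet makes. The genesis-block coinbase address is a well-known public one; the "swapped" address is constructed here from a dummy payload and merely stands in for a third-party address, which is an assumption of the example and not anything reported on the page.

```python
"""Added example: base58check validation of Bitcoin-style addresses, showing why
an *invalid* address (checksum fails) is caught by the wallet while an *incorrect*
address (valid checksum, wrong recipient) is not. Not from the original article."""
import hashlib

# Base58 alphabet: digits 1-9, uppercase without I/O, lowercase without l
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    # Base58Check appends the first 4 bytes of double-SHA256 over version+payload
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload + checksum as a base58check string."""
    data = bytes([version]) + payload
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # every leading zero byte is represented by a leading '1'
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def base58check_decode(addr: str):
    """Return (version, payload) or None if the string is malformed or the checksum fails."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:          # character outside the alphabet: malformed
            return None
        n = n * 58 + idx
    leading = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\x00" * leading + body
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None
    return data[0], data[1:-4]


def is_valid_address(addr: str) -> bool:
    return base58check_decode(addr) is not None


def check_destination(intended: str, pasted: str) -> str:
    """Classify the address that ended up in the destination field.

    'invalid'  -> checksum fails; the wallet rejects the transaction (a typo)
    'mismatch' -> valid address but not the one the user meant (a clipboard swap)
    'ok'       -> identical to the intended recipient
    """
    if not is_valid_address(pasted):
        return "invalid"
    if pasted != intended:
        return "mismatch"
    return "ok"


# Well-known public address: the Bitcoin genesis block coinbase address
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for "some other valid address" (dummy 20-byte payload)
SWAPPED = base58check_encode(0, bytes(range(20)))

if __name__ == "__main__":
    print(check_destination(GENESIS, GENESIS))              # ok
    print(check_destination(GENESIS, GENESIS[:-1] + "b"))   # invalid (typo-like)
    print(check_destination(GENESIS, SWAPPED))              # mismatch (no alert)
```

The "mismatch" case is the one the article warns about: the wallet software sees a perfectly well-formed address and raises no alert, so only a comparison against the recipient the user actually intended catches it. The code handles base58check only; Ethereum and other coins named on the page use different address encodings, but the same invalid-versus-incorrect distinction applies to them.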

“Cryptocurrency is not tomorrow's technology anymore. It is becoming part of our daily lives, actively spreading around the world, becoming more available for users, and a more appealing target for criminals,” said Sergey Yunakovsky, malware analyst at Kaspersky Lab. “Lately, we’ve observed an increase in malware attacks targeted at different types of cryptocurrencies, and we expect this trend to continue. So, users considering cryptocurrency investments should think about protecting their investments carefully.”

Categories: Cyber Risk News

Code Signing Certs Traded for $1000+ on Darknet

Tue, 10/31/2017 - 12:25

Digital code signing certificates are being traded on the dark web for over $1000, undermining trust in the entire authentication system on which the internet is based, according to new Venafi research.

The cybersecurity vendor teamed up with the Cyber Security Research Institute in a six-month project to peel back the curtain on the shadowy underground markets used to buy and sell illegal goods and services.  

It found code signing certificates available for purchase for up to $1200, making them more expensive than some counterfeit passports, handguns and stolen credit cards.

Attackers can use these certificates to hide the malware used for attacks in encrypted channels, making them highly sought-after.

Venafi chief security strategist, Kevin Bocek, explained that the certs could be sold many times over before losing their value, ensuring they are a major money-maker for cyber-criminals.

He described the research as a “rude awakening” for the system which essentially defines trust on the web.

“With no knowledge of which certificates should really be trusted, IT teams will have to either assume they can’t trust their applications and software, or risk criminals using their certificates to slip past defenses undetected to distribute malware. Neither option is acceptable,” he told Infosecurity.

“The only way organizations can effectively protect themselves is by having complete intelligence and control over every single certificate in use and trusted. But since firms have an average of more than 16,000 certificates they’re unaware of, this is no small feat. This is why it’s so important to automate the discovery, inventory and reputation scoring of every digital certificate, and for every code signing certificate in use, its key must be protected and every use controlled and audited.”

The researchers claim they only scratched the surface of the illegal darknet trade in code signing certificates, explaining they believe TLS, VPN and SSH key and certificate trading is also rife.

Categories: Cyber Risk News

EU to Declare Cyber-Attacks “Act of War”

Tue, 10/31/2017 - 11:42

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document, said to have been developed as a deterrent to provocations by the likes of Russia and North Korea, will state that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

The framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

Security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The suspected state-sponsored group known as Dragonfly has also been active of late probing US energy facilities.

That said, definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with Nato moves in the past establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense.

That states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.

Categories: Cyber Risk News

Security Alert as USB Found Containing Heathrow Plans

Tue, 10/31/2017 - 10:02

Heathrow airport has launched an urgent inquiry after an unencrypted USB stick containing top secret maps and other documents related to the site was found in a London street.

A man who found the 2.5GB storage device in a street in Queen’s Park plugged it into a library computer and found over 170 documents, some of which were labelled “confidential” or “restricted”.

The details included those of individuals exempt from security screening, radio codes in case of aircraft hijacking and the Queen’s route to the Royal Suite, which is located in a hidden part of the airport.

Other highly sensitive pieces of information on the USB included satellite images and operating manuals for the Doppler radar surveillance system used to scan runways and the perimeter fence, as well as the location of maintenance tunnels and escape shafts.

It’s unclear whether the storage device was accidentally left by a Heathrow employee or if the info on it was compiled by a terrorist planning an attack.

"The worry is it ends up on the dark web and used by bad guys to pick holes in airport security,” a police source told the Sunday Mirror.

Blancco Technology Group chief strategy officer, Richard Stiennon, argued that USB ports on enterprise endpoints should be strictly controlled and monitored, with only approved encrypted devices allowed to connect.  

“Another aspect to worry about when doing a complete data audit is where does the data end up? Are there copies of secret documents all over? Those should be sanitized,” he added.

“A comprehensive data sanitization policy and plan can address the trillions of gigabytes of so called 'dark data' that resides in organizations around the world.”

Micro Focus vice-president, Geoff Webb, also argued for encryption as standard.

“It’s simply too easy to copy information and walk out the door with it – or move it up to a cloud file sharing service – and if the information isn’t encrypted, the potential for loss is significant.”

Categories: Cyber Risk News