Info Security


KnowBe4 Adds Kevin Klausmeyer to Board of Directors

Fri, 09/04/2020 - 08:22

Security awareness training and simulated phishing platform provider KnowBe4 has announced it has added Kevin Klausmeyer to its board of directors. Klausmeyer is a veteran technology financial officer and board member and joins the KnowBe4 board as an independent board member.

Klausmeyer is currently on the boards of two public companies, Cloudera and Jamf, a recent IPO, wherein he chairs their audit committees. He began his career in public accounting, with Arthur Andersen, and subsequently held senior financial positions at several companies, including BMC Software and PentaSafe Security Technologies. He graduated with highest honors from the University of Texas.

“From the moment I met with the KnowBe4 team I knew it would be a great fit,” said Klausmeyer. “The KnowBe4 culture is one of professionalism, relentless quality and focus on the customer, while at the same time being fun and collaborative. I have long been aware of the KnowBe4 offerings, and I have yet to meet a customer who is not fully satisfied with the value proposition. I am thrilled to be a part of the KnowBe4 board of directors and am quite excited about the organization’s future!”

Commenting on the announcement, KnowBe4 CEO Stu Sjouwerman, said: “Kevin has many years of experience as a board member for several software companies, making him a perfect addition as an independent member to our board at KnowBe4. Adding someone with technology financial acumen helps to round out the diverse skill-sets of our board. We welcome his ideas and contributions, as they will make a positive impact on our organization.”

Categories: Cyber Risk News

CISA Pushes Vulnerability Disclosure Policies

Thu, 09/03/2020 - 18:04

America's Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) requiring the development and publication of vulnerability disclosure policies (VDPs). 

A BOD is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems.

BOD 20-01, officially finalized yesterday, requires most executive branch agencies to create a VDP and publish it as a public web page. Agencies have 180 calendar days after the issuance of the directive to comply.

Under the terms of the directive, the VDP must include which systems are in scope, the type of vulnerability testing allowed, and a description of how to submit vulnerability reports. 

Agencies must also state in their VDP "a commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represent a good faith effort to follow the policy, and deem that activity authorized."

The new directive is the first BOD in CISA's history to have been informed by a public comment round.

CISA asked for feedback from the public last November on an initial draft of BOD 20-01. Despite the feedback period's correlating with America's busiest holiday period, the agency received a substantial amount of feedback. 

"We’d never done a public comment round on a directive before, but since the subject matter was 'coordination with the public,' this one merited it," said CISA assistant director Bryan Ware. 

"And even though the comment round spanned every holiday from late November to early January, the quantity and quality of feedback was nothing less than stellar."

CISA received over 200 recommendations from more than 40 unique sources that included individual security researchers, academics, federal agencies, technology companies, civil society, and several members of Congress.

"Each one made the directive draft, its implementation guidance, and our VDP template better," said Ware. 

"Several submissions asked whether the mobile apps that agencies offer to the public would be in scope of agency VDPs. That was something we hadn’t considered before—and concur with."

HackerOne CTO and co-founder Alex Rice described the finalized directive as "a pivotal milestone in the mission to restore trust in digital democracy and protect the integrity of federal information systems."

Categories: Cyber Risk News

US Seizes Domains Used by Terrorists

Thu, 09/03/2020 - 17:38

Two domain names being used unlawfully by a terrorist organization to destabilize a foreign power have been seized by the United States. 

The sites “” and “” are owned and operated by a United States company based in Scottsdale, Arizona, but were being utilized by Kata’ib Hizballah, an Iran-backed terrorist group active in Iraq.

On July 2, 2009, the US Secretary of Treasury designated Kata’ib Hizballah as a Specially Designated National for committing, directing, supporting, and posing a significant risk of committing acts of violence against coalition and Iraqi security forces.  

On the same day, Kata’ib Hizballah was designated as a Foreign Terrorist Organization by the US Department of State for committing or posing a significant risk of committing acts of terrorism.

The domains “” and “” were seized on August 31, 2020, pursuant to a seizure warrant after they were determined to be acting as the group's media arm. 

Kata’ib Hizballah used the sites to disseminate videos, articles, and photographs designed to further their political agenda. The sites also functioned as a live online television broadcast channel, Al-etejah TV.

Numerous articles published on “” and “” were written with the specific intention of destabilizing Iraq. The sites were also used by Kata’ib Hizballah for the purpose of recruiting others to their cause. 

“Once again we see designated foreign terrorist organizations turning to the internet to push their message and recruit followers for their violent causes,” said John Demers, assistant attorney general for National Security.  

“We will continue to fight terror recruitment and propaganda efforts in the digital world, as we do elsewhere.” 

US Attorney for the District of Arizona Michael Bailey said that the Grand Canyon State had no space for terrorists.

“The District of Arizona is home to many successful technology companies whose goods and services are capable of being used by individuals across the world," said Bailey. "We will not allow members of terrorist organizations to illegally use those goods and services to further their propaganda and agenda.”

This seizure was investigated by the Department of Commerce, Bureau of Industry and Security.

Categories: Cyber Risk News

US Surveillance Exposed by Snowden Ruled Unlawful

Thu, 09/03/2020 - 16:29

A surveillance program undertaken by America's National Security Agency has been ruled unlawful.

The program involved the collection of data from the private phone records of millions of Americans. It was exposed by whistleblower Edward Snowden, whose revelations were published by the Guardian newspaper. 

Intelligence leaders who publicly defended the program have now been classed as liars following a ruling by the US Court of Appeals. 

Snowden, who faces espionage charges in the United States, fled to Russia after blowing the whistle on the program in 2013. He is currently living in exile in Moscow. 

After hearing about the court's ruling, Snowden said on Twitter: “I never imagined that I would live to see our courts condemn the NSA’s activities as unlawful and in the same ruling credit me for exposing them. And yet that day has arrived."

Senior US intelligence officials publicly denied that the NSA had ever wittingly gathered data from private phone records. Snowden's evidence, published online in 2013, proved these rebuttals to be false. 

Defenders of the surveillance program argued that the ends justified the means, since the data it had illegally collected had been critical in uncovering domestic terrorism in the United States. 

The information unlawfully gathered by the NSA led to the convictions of San Diego residents Basaaly Saeed Moalin, Ahmed Nasir Taalil Mohamud, Mohamed Mohamud, and Issa Doreh for providing aid to al-Shabab militants in Somalia.

Yesterday, the Court of Appeals for the Ninth Circuit said that the warrantless surveillance program had violated the Foreign Intelligence Surveillance Act. 

Claims that the NSA had never knowingly collected data from private phone records were deemed by the court to be "inconsistent with the content of the classified records."

“Today’s ruling is a victory for our privacy rights,” the American Civil Liberties Union said in a statement.

"It makes plain that the NSA’s bulk collection of Americans’ phone records violated the Constitution.”

The ruling will not affect the convictions of Moalin and his fellow defendants as the court ruled that the illegal surveillance program had not tainted the evidence introduced at their trial. 

Categories: Cyber Risk News

Homeland Security to Propose Biometric Collection Rules

Thu, 09/03/2020 - 11:30

The Department of Homeland Security (DHS) is to propose a standard definition of biometrics for authorized collection, which would establish a defined regulatory purpose for biometrics and create clear rules for using the information collected.

A proposed expansion would modernize biometrics collection and authorize expanded use of biometrics beyond background checks to include identity verification, secure document production and records management.

The proposed rule would also improve the screening and vetting process and reduce DHS’ dependence on paper documents and biographic information to prove identity and familial relationships. DHS said the proposed rule would authorize biometrics collection for identity verification using new techniques such as voice, DNA test results and iris and facial recognition technologies.

Ken Cuccinelli, senior official performing the duties of the deputy secretary for Homeland Security, said this proposed rule eliminates any ambiguity surrounding the Department’s use of biometrics, setting clear standards for how and why it collects and uses this information.

“Leveraging readily available technology to verify the identity of an individual we are screening is responsible governing,” he said. “The collection of biometric information also guards against identity theft and thwarts fraudsters who are not who they claim to be.”

Fausto Oliveira, principal security architect at Acceptto, said the use of biometrics, particularly facial recognition, has been publicized as a positive step forward, but the use of such biometric factors requires scrutiny and a legal framework. “Facial recognition is not by itself wrong, however it needs a comprehensive legal framework to protect individuals and an organization that supervises the application of this information, has a clear political mandate to supervise the agencies that deal with this type of information and the power to act to stop misuse of that information by federal entities,” he added.

“The collection of biometrics will not stop given the perceived value that it has for identification purposes. However, legislators need to intervene and create mechanisms that balance the need to know by justice departments against individual freedom, the right to be forgotten and the right to privacy.”

Joseph Carson, chief security scientist and advisory CISO at Thycotic, asked whether the DHS will collect only a mathematical representation of biometrics or the actual raw data, as the latter significantly increases both security and privacy risks. “It should also be clear on what it can and cannot be used for since limitations in scope should always be clear. It is important to note that biometrics are not a replacement for passwords but are improved and secure replacements for usernames as they are typically used for identifiers and not actual secrets. It should also be made clear on how long the data will be kept and whom it will be shared with.”

Carson said whilst biometrics improve identity proof, document verification and reduce password fatigue, they also introduce additional security risks that must be managed and secured using strong privileged access management. “It is important to protect the government, but at the same time, also protect the citizens,” he said. “When biometrics are abused, or stolen, it impacts the citizen for life and the company/government for a limited time.”

Categories: Cyber Risk News

One Year Compliance Deadline for New Children’s Code

Thu, 09/03/2020 - 10:15

Online service providers, app developers and other relevant businesses have one year to comply with a new statutory code introduced on Wednesday to help protect children’s privacy.

The Age Appropriate Design Code or Children’s Code will apply to any business providing “online services and products” likely to be used by UK youngsters under 18, according to the Information Commissioner’s Office (ICO).

Following the GDPR-enshrined principle of “security by design,” the code will outline 15 standards for developers of online services so that its users have a “built-in baseline of data protection” when they visit a website or open an app.

“A generation from now we will all be astonished that there was ever a time when there wasn’t specific regulation to protect kids online. It will be as normal as putting on a seatbelt,” argued information commissioner, Elizabeth Denham.

“This code makes clear that kids are not like adults online, and their data needs greater protections. We want children to be online, learning and playing and experiencing the world, but with the right protections in place.”

Among the requirements are that geolocation is switched off by default, only a bare minimum of data is collected on children using such services, and that it is never shared unless there’s a compelling reason to do so.

Maximum GDPR fines of up to 4% of global annual turnover could theoretically be levied if firms break the code.

However, it is risk-based, which means certain organizations will have more to do than others. The ICO said those involved in developing and providing apps, connected toys, social media platforms, online games, educational websites and streaming services that use, analyze and profile children’s data will be most affected by the new rules.

The ICO is inviting feedback to help it tailor support as organizations adapt their products before the September 2, 2021 deadline.

Concerns over the online privacy of children have also surfaced in the US, where Google and YouTube last year agreed to pay $170m to settle a case brought by the FTC and New York Attorney General alleging they illegally harvested personal data on children.

Categories: Cyber Risk News

Northumbria Uni Campus Closed After Serious Cyber-Attack

Thu, 09/03/2020 - 09:02

Northumbria University is still reeling from a cyber-attack which forced it to reschedule exams and close its entire campus in Newcastle-Upon-Tyne.

Deputy vice chancellor, Peter Francis, told students on Monday that the “cyber incident” had caused “significant operational disruption” and that work was underway to restore IT systems as quickly as possible.

“For the remainder of this week, there will be no student access to campus whilst we work on restoring our network and connected services,” he continued.

“During the time it will take to restore our key systems, which we hope will be short, you will not have access to the student portal, blackboard and potentially other university platforms which you use in your day-to-day studies. We have temporarily switched these services off as a precautionary measure.”

The university also tweeted last week that exams had to be cancelled and that it was unable to take calls about clearing, a vital part of the academic calendar in which UK universities and colleges seek to fill places they still have on courses.

Although not officially named, the attack bears all the hallmarks of ransomware. Financially motivated cyber-criminals have been increasingly focusing on the education sector of late as institutions are thought to be more exposed to attacks and under tremendous commercial pressure to ensure uptime for staff and students.

Data released last month revealed that a third of UK universities have been attacked with ransomware in the past decade.

Most recently, a ransomware outage and data breach at US IT services company Blackbaud affected countless educational institutions in the UK and elsewhere. It’s not known if the Northumbria University attack also featured data theft.

Webroot senior threat research analyst, Kelvin Murray, argued that the distributed nature of many university networks makes them hard to manage and secure.

“To get to grips with cybersecurity, institutions need to engage cyber-resilience plans to protect their IT infrastructure and data, regardless of the crisis. IT teams must properly audit all machines connected to their networks and the data they hold,” he added.

“Security awareness training should be implemented for staff and students from day one, ensuring that they are vigilant in scrutinizing the emails they receive. This should be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and sensible password policies.”

Categories: Cyber Risk News

Global DDoS Extorters Demand Ransom from Firms

Thu, 09/03/2020 - 08:17

Security experts are warning of a new global DDoS-related extortion campaign targeting businesses operating in the e-commerce, finance and travel sectors.

Radware said it had been tracking the threat actors since mid-August, with victims in North America, APAC and EMEA. Emails are typically delivered claiming to come from state-sponsored groups such as Fancy Bear and Lazarus Group, as well as the “Armada Collective.”

The latter group has been linked to similar extortion emails sent in previous years.

The ransom emails threaten to launch DDoS attacks against the recipient organization of over 2Tbps, if payment of anywhere between 10 and 20BTC ($113,000-226,000) is not made. They also threaten to increase the ransom by 10BTC for each deadline missed.

Also included in the messages are the Autonomous System Numbers (ASNs) or IP addresses of servers or services that the group says it will target if their demands are not met.

“In follow-up messages, threat actors underscore that the unique Bitcoin address from the initial letter is still empty and reiterate the seriousness of the threat. They also provide keywords and organization names so the target organization can search for recent DDoS disruptions, followed by the rhetorical question ‘You don't want to be like them, do you?’,” Radware explained.

“In many cases the ransom threat is followed by cyber-attacks ranging from 50Gbps to 200Gbps. The attack vectors include UDP and UDP-Frag floods, some leveraging WS-Discovery amplification, combined with TCP SYN, TCP out-of-state, and ICMP Floods.”

Recipients of the emails were urged not to pay the ransom.

At the same time, Radware claimed to have observed multiple European ISPs being hit by DNS DDoS attacks since last week, although there’s no obvious link to the ransom campaign.

A group using the name “Armada Collective” tried a similar ransom ploy back in 2016, when Cloudflare claimed that it had heard from 100 customers who had received extortion threats and demands for payment of 10-50BTC.

A year later, Infosecurity reported on a group calling itself “Phantom Squad,” which copied the same trick.

Categories: Cyber Risk News

Darknet Moderator Jailed for 11 Years

Wed, 09/02/2020 - 17:00

An American who was employed to moderate disputes on an illegal darknet marketplace has been sentenced to 11 years in prison.

Bryan Connor Herrell, of Aurora, Colorado, was hired by AlphaBay to settle arguments between vendors and purchasers. 

The site operated by his employers facilitated hundreds of thousands of illicit transactions in which guns, drugs, credit card numbers, and stolen identities were purchased along with other illegal contraband.

At the time of Herrell's involvement with AlphaBay, the site was the world's largest online marketplace for drugs.

Herrell was also hired to act as a scam monitor, watching out for attempts by vendors to defraud AlphaBay's users.

The 26-year-old worked for the illegal website under the names "Penissmith" and "Botah." In return for his efforts, he was paid in Bitcoin. 

Alexandre Cazes, the alleged founder of AlphaBay, was indicted by a Fresno grand jury on June 1, 2017. 

On July 5, 2017, the Royal Thai Police executed an arrest warrant for Canadian-born Cazes at his residence in Bangkok, in connection with his alleged involvement with AlphaBay.  The warrant was executed with assistance from the FBI and DEA. 

When Cazes was arrested, police found his laptop open and in an unencrypted state. A search of the laptop by law enforcement agents and officers revealed several text files that identified the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.  

Cazes died in Thailand in the custody of the Narcotics Suppression Bureau just days after his arrest. The 26-year-old's death occurred an hour before he was due to meet with public prosecutors over proceedings relating to his extradition to the United States. 

The US indictment against Cazes was dismissed following his death; however, the Department of Justice's investigation of AlphaBay and its former administrators is ongoing.

“This sentence serves as further proof that criminals cannot hide behind technology to break the law,” said US Attorney McGregor Scott of the Eastern District of California.  

“Operating behind the veil of the darknet may seem to offer shelter from criminal investigations, but people should think twice before ordering or selling drugs online—you will be caught."

Categories: Cyber Risk News

CISA Funds SLTT Cybersecurity Project

Wed, 09/02/2020 - 16:35

It was announced today that state, local, tribal, and territorial (SLTT) government organizations in the United States are to receive extra support to improve their cybersecurity.

Help is coming in the form of a 12-month project funded by CISA that will enable SLTT security teams to boost their cyber-defenses with an additional layer of secure Domain Name System (DNS) security.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has joined forces with Akamai and the Center for Internet Security (CIS) to offer SLTTs fully managed proactive domain security.

The Malicious Domain Blocking and Reporting (MDBR) service will help SLTTs to better protect their applications accessing web servers and external mail servers, and to enhance their existing network defenses.

MDBR technology acts as a blocker, limiting the risk of infections associated with malware, ransomware, and phishing by preventing IT systems from connecting to malicious web domains.

The service also staves off attacks by stopping malicious actions from communicating with their associated command and control server or domain.

"The MDBR service is based on proven, effective, and easy-to-deploy technology that is designed to quickly help SLTT security teams improve their current security defenses," said Patrick Sullivan, VP and CTO of security strategy at Akamai. 

"The real-time threat intelligence in MDBR is based on Akamai's unprecedented global visibility into web and DNS traffic, which is key to enable us to proactively defend against today's evolving threat landscape that SLTT security teams face."

Under the project, the MDBR service will be available at no cost to members of the CIS Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC®). 

"MDBR is built on top of Akamai's Enterprise Threat Protector (ETP) service, which is deployed on its platform that provides carrier-grade recursive DNS service," said Ed Mattison, CIS executive vice president of operations and security services.

"The Akamai Intelligent Edge Platform delivers up to 2.2 trillion DNS queries daily, making it a great partner for this initiative."

To use the service, an organization just has to spend a few minutes pointing its DNS requests to Akamai's DNS servers.

Categories: Cyber Risk News

NCSC Releases Cyber-Guidance

Wed, 09/02/2020 - 16:13

The UK’s National Cyber Security Centre (NCSC) has teamed up with international allies to issue guidelines on how organizations can stay safe from malicious cyber-actors.

The joint cybersecurity advisory "Technical Approaches to Uncovering and Remediating Malicious Activity" was published today in conjunction with the US’s Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, the New Zealand National Cyber Security Centre and CERT NZ, and the Canadian Communications Security Establishment.

Contained within the advisory are a series of technical approaches that organizations can take to protect their most critical digital assets. The approaches, which are based on best practices, can help to uncover malicious activity and mitigate attacks, if followed. 

NCSC director of operations Paul Chichester described cybersecurity as a "global issue that requires a collaborative international effort."

“This advisory will help organizations understand how to investigate cyber incidents and protect themselves online, and we would urge them to follow the guidance carefully," said Chichester.

“Working closely with our allies, and with the help of organizations and the wider public, we will continue to strengthen our defenses to make us the hardest possible target for our adversaries.”

Key takeaways from the advisory include a recommendation to respond to any potential cyber-incidents by first collecting relevant artifacts, logs, and data and preserving them for further analysis.

Organizations were further advised to avoid tipping off any cyber-adversaries that their presence had been detected on the network and to contemplate seeking help from a third-party IT security organization. 

CISA director Chris Krebs said that the joint alert was the first of its kind issued by CISA since the organization was formally established in 2018 and was something that he had "aimed for since day one."

“With our allied cybersecurity government partners, we work together every day to help improve and strengthen the cybersecurity of organizations and sectors of our economy that are increasingly targeted by criminals and nation states alike," said Krebs.

“Fortunately, there's strength in numbers, and this unified approach to combining our experiences with a range of malicious actors means that we're able to extend our defensive umbrella on a global scale.”

Categories: Cyber Risk News

One-Third of Companies Put Sensitive Data at Risk Through Internet Exposure

Wed, 09/02/2020 - 14:30

A third (33%) of companies in the digital supply chain expose unsafe network services to the internet, putting sensitive data at risk, according to a new report published today by RiskRecon and the Cyentia Institute.

Following an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions, it was found that datastores, such as S3 buckets and MySQL databases, are most commonly exposed to the internet. This was followed by remote access services, which is especially concerning given the shift to home working that has taken place during the COVID-19 pandemic.

Education was the sector most likely to expose unsafe network services to the internet, with 51.9% of universities running unsafe services on non-student systems.

The study also revealed significant geographic variation, with Ukraine, Indonesia, Bulgaria, Mexico and Poland having the highest rates of domestically hosted systems running unsafe services.

Additionally, there was a correlation between exposed unsafe services to the internet and wider critical security issues in the digital supply chain. For instance, failure to patch software and implement web encryption were noted as two of the most prevalent security findings associated with unsafe services.

The study authors added that the impact is exacerbated when vendors and business partners run unsafe, exposed services used by their digital supply chain customers.

Kelly White, CEO and co-founder of RiskRecon, commented: “Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wake-up call to executives’ third-party risk management teams.

“We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”

Categories: Cyber Risk News

Chinese Professor Jailed for Stealing US Trade Secrets

Wed, 09/02/2020 - 10:29

A Chinese university professor has been handed an 18-month jail sentence for stealing IP from two US companies several years ago.

Hao Zhang was charged in 2015 along with five other Chinese nationals with economic espionage and theft of trade secrets. While the five remain at large, most likely in China, Zhang made the mistake of re-entering the US and was promptly arrested.

He is said to have met one of the co-conspirators, Wei Pang, while the two were studying for doctorates in electrical engineering at a California university.

They researched DARPA-funded R&D projects into thin-film bulk acoustic resonator (FBAR) technology, which is said to have multiple military and defense applications, and then went on to work on FBAR projects at Avago Technologies and Skyworks Solutions. 

Then in around 2006-7, the two, along with four other conspirators, elicited interest in their work from state-backed Tianjin University and other organizations.

The university agreed to support their plan and in 2009 they resigned from their US roles and accepted full time positions as professors at Tianjin.

Later they formed a joint venture with the university under the name ROFS Microsystems to mass produce FBAR, according to the Department of Justice.

They were accused of stealing “recipes, source code, specifications, presentations, design layouts” and other confidential documents from Skyworks and Avago in order to build a state-of-the-art production facility and win commercial and military contracts.

The case will further bolster US suspicions that Chinese students in the country are a national security threat, whether they have been persuaded by Beijing to steal on behalf of the Communist Party, or are doing so for their own commercial benefit.

The seven-year prosecution of Zhang ended this week with the professor sentenced to a minimum security prison in California and ordered to pay $477,000 to the companies he stole from.

Categories: Cyber Risk News

TLS Certificates Now Have 398 Day Lifespans

Wed, 09/02/2020 - 10:02

As of September, all publicly trusted TLS certificates must have a lifespan of 398 days or fewer.

The change follows a statement Apple issued in March announcing that it was “reducing the maximum allowed lifetimes of TLS server certificates” as part of its ongoing efforts to improve web security.

The Apple statement claimed TLS server certificates issued on or after September 1, 2020 “must not have a validity period greater than 398 days.” Specifically, this change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.

Also, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change. “Connections to TLS servers violating these new requirements will fail,” the statement said. “This might cause network and app failures and prevent websites from loading.”

Apple recommended that certificates be issued with a maximum validity of 397 days. The change does not affect certificates issued from user-added or administrator-added Root CAs.
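The rule above is easy to audit against an inventory of certificate dates. The following is an added example, not code from the article or from Apple: it parses the `notBefore`/`notAfter` strings in the format that Python's `ssl.getpeercert()` and `openssl x509 -noout -dates` emit, applies the September 1, 2020 cutoff and the 398-day limit, and also reports whether a certificate meets Apple's 397-day issuance recommendation. The sample inventory and its dates are constructed for illustration, and counting the validity period as whole days between the two timestamps (rounded up) is an assumption, since the article does not say how the period is measured.

```python
import math
import ssl
from datetime import datetime, timezone

# Policy values as stated in the article.
MAX_VALIDITY_DAYS = 398        # certificates longer than this fail on Apple platforms
RECOMMENDED_MAX_DAYS = 397     # Apple's recommended maximum at issuance
POLICY_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # rule applies to certs issued on/after this


def parse_cert_time(value):
    """Parse the 'Sep 15 00:00:00 2020 GMT' form that ssl.getpeercert() and
    `openssl x509 -noout -dates` emit into a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_validity_period(not_before, not_after):
    """Measure one certificate's validity period against the 398-day rule.

    Assumption (not stated in the article): the validity period is the number of
    whole days between notBefore and notAfter, rounded up.
    """
    nb = parse_cert_time(not_before)
    na = parse_cert_time(not_after)
    days = math.ceil((na - nb).total_seconds() / 86400)
    subject_to_rule = nb >= POLICY_CUTOFF            # certs issued before the cutoff are unaffected
    compliant = (not subject_to_rule) or days <= MAX_VALIDITY_DAYS
    return {
        "validity_days": days,
        "subject_to_rule": subject_to_rule,
        "compliant": compliant,
        "within_recommendation": days <= RECOMMENDED_MAX_DAYS,
    }


def audit_inventory(inventory):
    """Return the names of certificates in `inventory` (name -> (notBefore, notAfter))
    that Apple clients would reject under the new rule."""
    failing = []
    for name, (nb, na) in inventory.items():
        if not check_validity_period(nb, na)["compliant"]:
            failing.append(name)
    return failing


# Constructed sample inventory; the names and dates are made up for illustration.
SAMPLE_INVENTORY = {
    "legacy-two-year": ("Aug 15 00:00:00 2020 GMT", "Aug 15 00:00:00 2022 GMT"),  # issued pre-cutoff: unaffected
    "new-two-year":    ("Sep 15 00:00:00 2020 GMT", "Sep 15 00:00:00 2022 GMT"),  # 730 days: rejected
    "new-397-day":     ("Sep 15 00:00:00 2020 GMT", "Oct 17 00:00:00 2021 GMT"),  # meets the recommendation
    "new-398-day":     ("Sep 15 00:00:00 2020 GMT", "Oct 18 00:00:00 2021 GMT"),  # exactly at the hard limit
}

if __name__ == "__main__":
    for name, (nb, na) in SAMPLE_INVENTORY.items():
        print(name, check_validity_period(nb, na))
    print("would fail on Apple platforms:", audit_inventory(SAMPLE_INVENTORY))
```

To check a live endpoint, pass the `notBefore` and `notAfter` values from `ssl.getpeercert()` straight into `check_validity_period`. Note that the check only looks at the validity period; whether the issuing CA is one of the Root CAs preinstalled on Apple platforms, which the article says is the other condition for the rule to apply, is a separate question.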

According to Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade. It found that before 2011 certificate lifespans were 8–10 years (96 months); they were then gradually reduced over the past decade, first to five years, then to three years in 2015, and ultimately to 13 months in 2020, a reduction of 51%.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificates lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.”

He went on to claim that if the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to six months by early 2021, and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this,” he said. “Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”

Categories: Cyber Risk News

CISA: No US Voter Registration Breaches This Year

Wed, 09/02/2020 - 09:15

The head of the US Cybersecurity and Infrastructure Security Agency (CISA) has been forced to deny Russian reports that US voter registration information has been circulating on the dark web.

Russian newspaper Kommersant claimed in a story yesterday that a database of 7.6 million Michigan voters was posted to the dark web, as well as millions more related to voters from Florida, Connecticut, North Carolina and Arkansas.

However, the Michigan Department of State responded swiftly to the story, reportedly confirming that the data in question was publicly available via Freedom of Information (FOI) requests.   

In a statement on Twitter a few hours ago, CISA director, Chris Krebs, joined the official debunking of the claims.

“My main takeaway: it’s going to be critical over the next few months to maintain our cool and not spin up over every claim. The last measure of resilience is the American voter,” he said.

An official statement from the CISA and FBI claimed the two “have not seen cyber-attacks this year on voter registration databases or on any systems involving voting.”

“Information on US elections is going to grab headlines, particularly if it is cast as foreign interference. Early, unverified claims should be viewed with a healthy dose of skepticism,” it continued.

“More importantly, we encourage voters to look to trusted sources of information, in this case state election officials who have correctly pointed out that a lot of voter registration data is publicly available or easily purchased.”

The incident came as Facebook and Twitter took action to remove the social media profiles associated with Russian ‘news’ site PeaceData, which has been linked to the notorious state-backed misinformation-peddler the Internet Research Agency (IRA).

In Facebook’s case it involved taking down 13 Facebook accounts and two pages.

“This activity focused primarily on the US, UK, Algeria and Egypt, in addition to other English-speaking countries and countries in the Middle East and North Africa,” it said. “We began this investigation based on information about this network’s off-platform activity from the FBI. Our internal investigation revealed the full scope of this network on Facebook.”

Categories: Cyber Risk News

CEOs Could Face Jail Time for IoT Attacks by 2024

Wed, 09/02/2020 - 08:23

Corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world, Gartner has warned.

The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).

Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”

In this world, cyber-attacks can lead to human fatalities rather than mere data loss or service outages. For example, a medical device could be hijacked to prevent life-saving drugs from being dispensed, or a connected car could be remotely directed to crash.

Gartner argued that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.

“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

However, at present, many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT, said Gartner.

This is where technology leaders in the organization must step up to help CEOs understand the risks that CPSs represent, and why more budget needs to be allocated to operational resilience management (ORM) in order to secure them, argued Thielemann.

“The more connected CPSs are, the higher the likelihood of an incident occurring,” she added.

Categories: Cyber Risk News

US Jails Racist Cyber-stalker

Tue, 09/01/2020 - 16:31

A white supremacist from Florida has been sentenced to 41 months in prison for threatening an African American who announced his candidacy for city council; he was also convicted of cyber-stalking another victim.

In April 2020, Daniel McMahon pleaded guilty to using social media platform Gab to threaten a man identified in court as D.G. after learning in January 2019 that D.G. planned to run for Charlottesville City Council in Virginia.

McMahon also admitted using Facebook messaging app Messenger to cyber-stalk a female political activist described in court documents as Victim 2. 

Using a Facebook account in which he called himself "Restore Silent Sam," McMahon threatened to sexually assault Victim 2's daughter, a minor who has been diagnosed with autism. 

The convicted cyber-stalker admitted that, at around the same time that he was sending these threats to Victim 2, he was searching online for content relating to sexual contact with girls who have autism.

McMahon masked his identity while online by using the pseudonyms “Jack Corbin,” “Pale Horse,” “Restore Silent Sam,” and “Dakota Stone." Under these names, the 32-year-old actively promoted white supremacy, posted racial slurs, and expressed support for racially motivated violence. 

“Americans have the right to run for office in this country without facing racially-bigoted threats of violence,” said Assistant Attorney General Eric Dreiband for the Civil Rights Division. 

“Furthermore, no American should have to live with hateful threats of sexual violence."

Following his term of incarceration, McMahon will be placed on three years of supervised release, during which time he will be prohibited from using internet-capable devices without prior court approval.

“The hallmark of our Nation’s democracy is the right to peacefully protest and engage in an effective exchange of ideas via the political process,” said US Attorney Maria Chapa Lopez for the Middle District of Florida. 

“When either of these rights are infringed [upon], and individuals are targeted, intimidated, or threatened because of their race/ethnicity or beliefs, the cornerstone of our system is put at risk. Today’s sentence demonstrates our intent to work together to preserve our Nation’s founding principles and ensure that all citizens are protected under the law."

Categories: Cyber Risk News

Cyber-Attack on Norwegian Parliament

Tue, 09/01/2020 - 16:09

A number of ministers have had their email accounts hacked in a cyber-attack on Norway's parliament, the Storting. 

The Norwegian parliament's director, Marianne Andreassen, confirmed that threat actors had targeted the parliament last week.

"This has been a significant attack," Andreassen said. 

Unauthorized individuals managed to gain access to the email accounts of several elected members of parliament and also to some accounts belonging to parliament employees. 

Speaking at a press conference earlier today, Andreassen did not specify how many accounts had been hacked but said that a "limited number" of ministers and employees had been impacted by the incident. 

Individuals whose accounts were exposed in the attack have been informed, and a report has been filed with the Norwegian police.

A spokesman for Norway's main opposition party, the Labour Party, told public broadcaster NRK that the attack had impacted several Labour Party members and staff.

After the incident was discovered, the Norwegian National Security Authority (NSA) was brought in to counter the attack and get to the bottom of what had happened.

"We have been involved for a few days," said NSA spokesman Trond Oevstedal. "We are assisting parliament with analysis and technical assistance."

Andreassen said that the parliament had discovered "anomalies a little more than a week ago."

"A number of risk-reducing immediate measures were implemented to stop the attack," said Andreassen. "These measures had an immediate effect."

In a statement issued earlier today, the Storting said that the attackers had made off with an unspecified amount of information.

It read: "Burglary has been registered in the email accounts of a small number of parliamentary representatives and employees. Our analyses show that different amounts of data have been downloaded."

No information has been released regarding what kind of cyber-attack was perpetrated against the Norwegian parliament or who was responsible for it. 

"We don't know who's behind it," Andreassen told reporters.

"We take the matter very seriously, and we have full attention to analyzing the situation to get an overall picture of the incident and the potential extent of damage."

The website of the Storting, Norway's single-chamber parliament, was functioning normally on Tuesday after news of the cyber-attack was released.

Categories: Cyber Risk News

BlueVoyant Increases Cybersecurity Expertise Through New Board Appointments

Tue, 09/01/2020 - 16:01

Cybersecurity services company BlueVoyant has today announced a range of high profile appointments across its board of directors and advisory board.

With immediate effect, Deborah Plunkett and Ariel Litvin have joined the firm’s board of directors while Ronald Moultrie has been made vice president of its advisory board.

The appointments are designed to add substantial extra industry knowledge and experience to the business as it looks to continue its growth.

Plunkett is currently principal of the consultancy Plunkett Associates LLC, as well as a senior fellow at Harvard and a professor at the University of Maryland. In more than 30 years as a cybersecurity leader, Plunkett has previously held the post of director of information assurance at the National Security Agency (NSA) and was on the National Security Council at the White House for two administrations.

Litvin, who is the CISO of a global multi-billion dollar private manufacturing company, has expertise in addressing complex business and compliance-related issues faced by modern organizations.

Moultrie, who is joining BlueVoyant’s advisory board, is currently on the boards of Altamira Technologies Corporation, iCapital Network, the National Intelligence University, Sequoia Inc. and The Better Angels Society, in addition to being senior advisor to MITRE, Pallas, and Resolute Consulting. Previously, Moultrie was a senior national security official who spent over three decades serving the US government. He has also held a senior position at the Central Intelligence Agency (CIA) and was the NSA’s director of operations.

Jim Rosenthal, co-founder and CEO of BlueVoyant, commented: “We are very excited to welcome Deborah and Ariel to our Board and delighted that Ron has joined our Advisory Board.

“Breadth of skills, backgrounds and experiences make us a stronger company. Because of their extraordinary talent and accomplishments, the three people joining us have many cyber-related opportunities - we are really pleased that they have chosen to join BlueVoyant.”

Categories: Cyber Risk News

Skimming Attack Hits American Payroll Association

Tue, 09/01/2020 - 15:31

The American Payroll Association (APA) has issued a data breach notification after being hit by a skimming attack.

Threat actors installed skimming malware on both the login web page of the APA website and the checkout section of the association's online store by exploiting a vulnerability in the APA’s content management system.

The data security incident was discovered "on or around July 13, 2020." An investigation by the APA's IT team uncovered unusual activity on the APA site dating back to May 13, 2020.

As a result of the attack, unauthorized individuals gained access to login credentials, personal information, including names and dates of birth, and individual payment card information. 

A security incident notice sent to customers by the APA in August and signed by the association's senior director of government and public relations, Robert Wagner, states: "The unauthorized individuals gained access to login information (i.e., username and password) and individual payment card information (i.e., credit card information and associated data). 

"By way of account access, the electronic fields that may have been accessed include: First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you 'Report'; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work."

Cyber-attackers were also able to access profile photos and social media username information contained in some accounts.

Since the attack, the APA has installed additional antivirus software on its servers, installed "the latest security patches from our content management system," and increased the frequency of patch implementation. 

Victims of the data breach have been offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.

"The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets," commented Ameet Naik, security evangelist at PerimeterX.
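A skimmer of the kind described above lives in the page's scripts, so one detection that site owners can run is a script-inventory diff: take a known-good snapshot of the login and checkout pages, then periodically re-fetch them and flag any `<script>` that was not in the snapshot. The following is an added example, not code from the article, the APA or PerimeterX. It uses only the Python standard library; the two sample pages are constructed for illustration and the injected inline script is a harmless placeholder comment, not skimmer code.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:         # script bodies arrive as raw CDATA, possibly in pieces
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inventory_scripts(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def build_baseline(known_good_html):
    """Snapshot the scripts of a known-good copy of the page."""
    external, inline = inventory_scripts(known_good_html)
    return {
        "srcs": set(external),
        "hosts": {urlparse(s).netloc.lower() for s in external if urlparse(s).netloc},
        "inline_hashes": {hashlib.sha256(b.encode()).hexdigest() for b in inline},
    }


def find_unexpected_scripts(html, baseline):
    """Return (kind, detail) findings for scripts absent from the baseline.

    kind is 'new-host' (external script from a host never seen in the baseline),
    'new-src' (known host but unknown path or query string) or 'inline'
    (inline body whose hash is not in the baseline)."""
    external, inline = inventory_scripts(html)
    findings = []
    for src in external:
        if src in baseline["srcs"]:
            continue
        host = urlparse(src).netloc.lower()   # empty for same-origin relative paths
        kind = "new-host" if host and host not in baseline["hosts"] else "new-src"
        findings.append((kind, src))
    for body in inline:
        if hashlib.sha256(body.encode()).hexdigest() not in baseline["inline_hashes"]:
            findings.append(("inline", body))
    return findings


# Constructed sample pages; neither is the APA's real markup.
CLEAN_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.org/lib/forms.js"></script>
<script>window.checkoutConfig = {"currency": "USD"};</script>
</head><body><form id="payment"><input name="card"></form></body></html>"""

# The same page with two scripts that were not present when the baseline was taken.
INJECTED = ('<script src="https://static.not-our-cdn.test/jquery.min.js"></script>\n'
            '<script>/* placeholder standing in for an unknown inline script */</script>\n')
TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace("</head>", INJECTED + "</head>")

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_CHECKOUT)
    print("clean page:", find_unexpected_scripts(CLEAN_CHECKOUT, baseline))
    print("tampered page:", find_unexpected_scripts(TAMPERED_CHECKOUT, baseline))
```

Two caveats on the design: the diff catches scripts that were added to the page, not changes to the contents of an external file the page already referenced (Subresource Integrity or hashing the fetched file covers that), and a legitimate deploy that changes a cache-busting query string will show up as `new-src`, so the baseline needs refreshing as part of release.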

Categories: Cyber Risk News