Info Security


Password Security Better, Still Poses Business Risk

Mon, 10/01/2018 - 13:38

Today marks the start of National Cybersecurity Awareness Month (NCSAM), and LastPass by LogMeIn has released the 2018 Global Password Security Report to align with the efforts of NCSAM. While businesses have reportedly made progress with passwords, they still have a long way to go toward strengthening password security. Today’s report is an effort to continue to raise awareness about the risks of dangerous password behavior.

Analyzing anonymized data from more than 43,000 companies of all sizes that use LastPass as their business password manager, the report graded businesses, awarding a password security score on a scale of 0–100. The average password security score of organizations was 52. Organizations with fewer than 25 employees averaged 50, while technology companies averaged 53 points, in part because 31% of businesses in the technology sector have adopted multifactor authentication.

“Passwords continue to be a challenge to cybersecurity in the workplace, and attacks continue to grow in number and complexity every year. Despite these threats, businesses have struggled to quantify their own level of password risk,” said Gerald Beuchelt, CISO at LogMeIn in a press release.

Given that an increased number of end users poses a higher risk, it makes sense that the bigger the company, the lower the score. However, when looking at the organizations included in the survey, those who were within the first year of using a password management tool saw an increase of nearly 15 points in their password security score. Yet the data revealed that the practice of password sharing still prevails, with a single employee sharing, on average, six passwords with co-workers.

“Security professionals often fail to consider the value of the first factor of enterprise authentication: the password. Despite the sophisticated security measures enterprises are putting in place, something as fundamentally simple as a password is tripping them up,” said Frank Dickson, research vice president, security products at IDC.

The report highlights two benchmarks for evaluating password security: the LastPass Security Score and the LastPass Password Strength Score. The LastPass Security Score incorporates the Password Strength Score and assesses whether passwords were vulnerable based on a variety of indicators, including whether they were duplicated. Additional security settings, such as multifactor authentication, were also considered in the overall score.

Categories: Cyber Risk News

Tesco Bank Fined £16m After 2016 Cyber Heist

Mon, 10/01/2018 - 11:01

Tesco Bank has been fined £16.4m by the UK’s financial regulator for deficiencies which allowed hackers to steal millions from its customers in 2016.

Online attackers bagged £2.24m in the November raid two years ago, in what the lender described as “sophisticated criminal fraud.”

Although the actual MO of the attackers is still unknown, the Financial Conduct Authority (FCA) has seen the details and decided to slap a major fine on Tesco Bank for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.”

Specifically, the bank failed the regulator’s Principle 2, due to deficiencies in the “design of its debit card,” and its configuration of fraud detection and authentication rules.

The bank was also criticized for failing to respond to the incident with “sufficient rigor, skill and urgency.”

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” explained FCA executive director of enforcement and market oversight, Mark Steward.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

The fine would have been an even bigger £33.5m had Tesco Bank not provided high-level co-operation which helped to protect more customers and quickly compensate those affected. It also received a 30% discount for early settlement, the FCA said.

Categories: Cyber Risk News

Torii IoT Botnet Takes Mirai to the Next Level

Mon, 10/01/2018 - 09:39

Security experts are warning of a new IoT botnet far more stealthy, persistent and advanced than Mirai and designed to compromise a wide range of device architectures.

Researcher @VessOnSecurity first tweeted about his discovery last week after detecting the threat via a honeypot. Although it spreads via Telnet and targets weak credentials on devices, “it’s not your run-of-the-mill Mirai variant or Monero miner,” he warned.

“It does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,” explained Avast in a follow-up analysis.

“Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.”

Dubbed “Torii” by the firm, the threat first finds out the architecture of the targeted device, and downloads an appropriate payload — with MIPS, ARM, x86, x64, PowerPC, SuperH and more supported.

This payload is a dropper for the second stage. Meanwhile, Torii uses at least six methods to make sure the file remains on the device and always runs.

“The second stage payload is a full-fledged bot capable of executing commands from its master (CnC),” said Avast. “It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.”

Sean Newman, director at Corero Network Security, said Torii is “cashing in on the rapidly expanding global pool of IoT devices.”

“Its secret could be the large number of different platforms the code can support, which gives it the diversity needed to find enough devices that still use simple default username/password pairs,” he added. “Until IoT manufacturers solve the issue of shipping devices with the same default administrator credentials, it’s going to remain child’s play for cyber-criminals to leverage them for nefarious purposes.”

Categories: Cyber Risk News

Facebook Scrambles to Provide Breach Info to Regulators

Mon, 10/01/2018 - 09:08

Facebook is racing to provide more information to European regulators about a major security breach affecting an estimated 50 million user accounts, with the threat of major GDPR fines hanging over the firm.

The social network’s lead supervisory authority in the region, the Irish Data Protection Commission (DPC), tweeted an update on Sunday that it is “awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users.”

This follows a statement posted to Twitter on Friday that it was pressing Facebook to “urgently clarify” the nature of the incident and risk to customers.

Facebook replied, saying it is "co-operating fully" and will share more information "as soon as we have it."

The UK’s privacy watchdog, instrumental in the creation of the GDPR, is also pressing the firm.

“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said ICO deputy commissioner of operations, James Dipple-Johnstone.

“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

Although Facebook acted swiftly on Thursday to address the three vulnerabilities in its video uploader which hackers exploited to grab account access tokens, the bugs themselves had been left undiscovered since a July 2017 update introduced them.

With those tokens, hackers could not only access users’ Facebook accounts but also, in theory, any other app those users had logged in to via Facebook.

Hyperbolic headlines in many major media titles have shouted about possible fines of over $1bn for the social network, but the firm seems to be taking the right approach to incident response, according to experts.

“Following the identification of the breach, Facebook were quick to address the vulnerability, take steps to minimize the risk of further user data compromise and inform the relevant authorities,” said Hitesh Kargathra, lead security consultant at Falanx Group.

“I would expect Facebook to publish further details of the breach following a more in-depth assessment, including how long user accounts were compromised prior to the identification of the breach, the impact of the breach on users and what steps have been taken to protect user privacy in the event of future breaches of the social media platform.”

The FBI has also been called in to investigate, with some suspecting that the exploitation of three vulnerabilities in a relatively sophisticated attack smacks of state-sponsored interference.

“In order to bypass Facebook’s security controls without raising alarm bells, this attack would have had to be complex, sophisticated, and stealthy. Complex attacks have many moving parts that often appear as individual, subtle anomalies hiding within the noise of the network,” argued Darktrace APAC managing director, Sanjay Aurora.

“With upcoming elections around the corner, it would be remiss not to consider the possibility of nation-state actors with political motives.”

David Atkinson, founder of Senseon, also raised the possibility of state involvement.

“What I would conclude from this is that the attack was carried out by an advanced group or likely nation state, who have the resources to constantly sweep massive and therefore attractive targets, like Facebook to spot vulnerabilities,” he said.

Categories: Cyber Risk News

Facebook Resets 90 Million User Passwords as Flaw is Discovered

Fri, 09/28/2018 - 20:00

Facebook has issued a password reset for around 90 million users, after a flaw was found in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.

According to a statement by Guy Rosen, VP of product management at Facebook, the flaw was discovered on Tuesday 25th September, and affected almost 50 million accounts. He said that the flaw would have allowed an attacker to steal Facebook access tokens which they could then use to take over people’s accounts.

“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he said.

Rosen confirmed that the vulnerability has been patched, and access tokens have been reset for the 50 million, and another 40 million as a precaution.

Rosen said: “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

He admitted that it was not clear if the accounts were accessed, or who was behind it, but law enforcement had been informed.

He said: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

Oleg Kolesnikov, director of threat research and cybersecurity analytics at Securonix, said that it appears that the security issue was a result of a code change made to the video uploading feature on Facebook in July of 2017.

Sam Curry, chief security officer at Cybereason, said: “In the big picture this is just another day and another breach and once again 'privacy' is the victim. Whether 50 million, 100 million or 1 billion Facebook users were compromised is immaterial, as the real issue with any compromise is that this is another blow to our collective privacy.

“Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Today, consumers are reminded again to watch their identities and credit for abuse.”

Tim Mackey, senior technical evangelist at Synopsys, said: “Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications.

“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook.”

A spokesperson for the National Cyber Security Centre said: “There is no evidence that people have to take action such as changing their passwords or deleting their profiles.

“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”

The news comes at the end of a particularly bad week for Facebook, after Instagram’s founders resigned from the company, and WhatsApp’s founder Brian Acton criticized the company in an interview.

Categories: Cyber Risk News

Mass. Gov. Announces Grants to Grow Cyber Resiliency

Fri, 09/28/2018 - 15:31

A call for new cybersecurity leadership came from Massachusetts governor Charlie Baker at yesterday’s 2018 Massachusetts Cybersecurity Forum. Hosted by Gov. Baker, the forum brought together more than 200 of the state’s foremost practitioners from the public and private sectors.

The forum included thought leaders from cybersecurity companies, universities and research and development centers to discuss ways to improve cyber resiliency in Massachusetts. To that end, Gov. Baker appointed US Navy captain Stephanie A. Helm as the first director of the MassCyberCenter at the Mass Tech Collaborative.

“The Center will play a central role to help convene discussions within state government, and with our industry and academic partners, helping move forward on a collaborative approach to address the cyber threats we face,” said Cpt. Helm in a press release.

“I’m excited to lead this effort on behalf of the Commonwealth and to better prepare the state to manage future cyber threats. Cybersecurity is important for the well-being of our communities and I look forward to contributing to this team effort.”

Cpt. Helm brings 30 years of experience with her to the role of director. “We look forward to the work the MassCyberCenter will do under Cpt. Helm’s leadership,” said Gov. Baker. “The support and guidance the Council will provide, and the impact that our Cybersecurity Workforce Talent Challenge winners will make in support of the broader strategy to support cybersecurity in the Commonwealth and make Massachusetts’ public and private institutions more resilient to cybersecurity attacks.”

Massachusetts currently has three key cybersecurity projects through the Massachusetts Cybersecurity Workforce Talent Challenge. To fund efforts to train job seekers for entry-level cybersecurity positions, the governor also announced that the three projects will receive a total of $385,868 in grants.

Bay Path University’s Engaging Student Interns in Cybersecurity Audits with Smaller Supply Chain project will receive $250,000, the largest portion of the grant funding, while STEMatch, a collaboration between community colleges and cybersecurity service and technology providers, will receive $61,178. A public-private partnership, MassHire Greater New Bedford Workforce Board, is slated to receive $74,690.

Also highlighted at yesterday’s forum was the work being done by the Cybersecurity Education and Training Consortium, driven in large part by the partnership between the Advanced Cyber Security Center (ACSC) and the University of Massachusetts.

Categories: Cyber Risk News

Users Rage Against the Dying of Skype 7.0

Fri, 09/28/2018 - 11:39

While Microsoft had announced earlier this year that it will be replacing Skype Classic (Skype 7.0) with an updated Skype 8.0, the company said yesterday that it will end support of Skype Classic in two phases beginning on November 1, 2018.

In an update to users on upgrading to the latest version of Skype, editors wrote on September 27, “As we continue to focus on and improve Skype version 8, support for Skype versions 7 and below will end on November 1, 2018 on desktop devices and November 15, 2018 on mobile and tablet devices. Although you may be able to use older versions for a little while, we encourage you to update today to avoid any interruption.”

Since announcing the rollout of the newest version, Microsoft has boasted about the features of Skype 8.0. The Skype team wrote about the simplified navigation and easy-to-discover contacts, all creating a modern, fresh look and feel; however, it continues to encourage community members to send feedback on what features they would like to see in version 8.0.

“We looked at how people use Skype apps, performing extensive testing across global markets and building prototypes to test new concepts. We also created a UserVoice site so you can vote on the feature changes you want us to prioritize. While we have plenty of work left to do, we hope you find these changes simplify your experience and bring you closer to those who matter,” the Skype team wrote.

The “work left to do” has some members of the Skype community feeling a bit disgruntled and somewhat unprepared for the November 1 transition. “You’ve barely begun the feature migration at this point, and Nov 1 is one month away. It’s simply not going to be ready by then, and that’s based on looking at the latest Insider/Preview builds (i.e. what the public will have in November). Skype 14 doesn’t even have a tray icon yet (you close the window, it’s gone),” one user wrote.

“'Several months' after November should be the earliest consideration for the first wave, not the last splash. You should have waited for the work to actually be largely complete before making such an announcement. This seems like an unforced error and not a lesson learned,” wrote the user.

Categories: Cyber Risk News

Security Staffing Low in Midsized and Large Orgs

Fri, 09/28/2018 - 11:05

One of the greatest security challenges for midsized to large organizations is a function of staffing, according to research conducted by Osterman Research on behalf of ProtectWise and published in The Evolving State of Network Security.

Surveying 400 security analysts at companies with more than 1,000 employees, Osterman Research found that the number of security staff is not commensurate with the number of employees. On average, large organizations have only one security staff member for every 1,488 employees and smaller companies have only one security staff member for every 189 employees.

To put that into context: The mean number of employees at the large organizations surveyed was nearly 26,000, with 17.5 of them being security personnel. The mean number of employees for midsized companies surveyed was 2,510, which translates to 13.3 security personnel.

According to the survey results, security teams are expected to significantly increase the number of hours they spend on security incidents, with the amount of time spent on identifying and remediating security incidents reportedly doubling for large organizations. However, the more mature companies that have invested in threat intelligence report fewer false positives and an overall reduction in the volume of their security alerts.

One tactic larger organizations are using to evolve in their overall security postures is becoming less reliant on endpoint security, the survey found. “Larger organizations have more sophisticated strategies that focus heavily on forensics and investigation, which are primarily centered around network communication,” said Gene Stevens, co-founder and CTO of ProtectWise.

“Larger organizations have larger attack surfaces than their midsize and smaller counterparts. Their security teams need to be able to see the numerous phases of an attack and how devices communicate with each other. Network visibility provides a straight path and is friendly to being deployed noninvasively.”

Overall, the survey suggests that larger enterprises are continuing to evolve their security strategies. “The takeaway is that an endpoint-only strategy just doesn’t work for larger or more complex infrastructures, and security teams are understanding that,” Stevens said.

More than half of the analysts surveyed are using a combined endpoint and network security approach. Said Stevens, “This means they are not only establishing complete visibility but can also investigate and respond more efficiently. Specifically, endpoint detection and response (EDR) is being matched to network detection and response (NDR) and, for many organizations, a managed detection and response (MDR). These three pillars provide great coverage, strength in detection, and promote operational efficiency.”

Categories: Cyber Risk News

DEF CON Voting Village Report Calls for Standards & Fixes

Fri, 09/28/2018 - 09:56

Congress and national security leaders have been urged to take action to address issues in voting machines.

After DEF CON’s Voting Village came under fire from the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines, DEF CON’s report on the voting village said that Congress must act, as “problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security.”

The report sets out four steps to be taken. It says that Congress must act, and must also fund election security, as “no state or local government will ever be able to raise enough capital to defend itself from a determined nation state,” and that security standards must be funded and implemented.

The other points called for a “Crisis Communications Plan” as State and local government election results web pages are “the most insecure component of our election infrastructure,” and while many local election officials have advocated for Congress to act and fund robust security practices, the report said it is not enough.

“National security leaders must also remind Congress daily of the gravity of this threat and national security implications,” it said. “It is the responsibility of both current and former national security leaders to ensure Congress does not myopically view these issues as election administration issues but rather the critical national security issues they are.”

DEF CON officials said that among the “dozens of vulnerabilities identified in the last two years” of the Voting Village, the insecure supply chain, capability for remote attacks despite insistence that the machines are ‘air gapped’, the ability to hack a machine in an average of six minutes and failure to fix serious flaws all prove a persistent problem.

“The failure to fix existing, reported vulnerabilities and the disconnect between the reports of election security experts and the reactions of some election equipment vendors speaks directly to the reason Voting Village was created,” the report said.

“The Voting Village aims to increase access to election security knowledge in order to better protect American democracy and the electoral system. We believe that knowing the risks involved in how America votes is always better than sticking our heads in the sand. Although we have redacted some information from this report, it is a realistic, if pessimistic, view of how easy it is for individuals to exploit bad design and sidestep election protections. We hope that it will move the United States towards action.”

Categories: Cyber Risk News

SEC Fines Voya Financial Advisors $1m

Thu, 09/27/2018 - 15:05

In a landmark settlement case, the Securities and Exchange Commission (SEC) fined Voya Financial Advisors (VFA) for violations of the Identity Theft Red Flag Rules required of financial institutions. Though it neither admitted nor denied the SEC’s findings, VFA has agreed to pay $1m to settle the charges for its failure to establish policies and procedures to protect against cyber intrusion.

The Red Flag Rules became effective as of January 1, 2008, though the Federal Trade Commission extended the deadline for compliance through the end of 2010. The SEC Order issued on September 26, 2018, resulted from events that took place over the course of six days in 2016 on VFA’s proprietary web portal.

One or more fraudsters were able to obtain passwords and gain access to VFA’s portals by impersonating its contractors. The malicious actors successfully requested password resets via VFA’s support line, which then allowed them to create new passwords and access the personal information of thousands of the company’s customers. With that customer information, the fraudsters then created new customer profiles.

The rule, also known as the Identity Theft Rules, states “Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."

The SEC found that VFA failed “to adopt written policies and procedures reasonably designed to protect customer records and information.” In addition, the dually registered broker-dealer and investment adviser failed to both develop and implement a written program to protect against identity theft.

Though VFA took steps to respond to the intrusion, the company did not successfully terminate the intruder’s access to the accounts, “due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.”

This is the first SEC enforcement action to charge an organization with violating the Identity Theft Red Flag Rules and will likely set a precedent moving forward. 

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Division of Enforcement, in a press release. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Categories: Cyber Risk News

Post Attack, Aspire Health Subpoenas Google

Thu, 09/27/2018 - 14:15

Protected patient health data was reportedly stolen in the aftermath of a phishing attack on Aspire Health, a healthcare company that offers in-home care, according to USA Today.

On behalf of Aspire Health, Nelson, Mullins, Riley & Scarborough, LLP filed a federal case against John Doe 1 in Tennessee Middle District Court on September 21, 2018. Becker’s Health IT & CIO Report (HR) said the attack originated from an IP address in Eastern Europe with Google as the registrar; thus, Aspire returned to federal court on September 25 to file a motion to subpoena Google for more information on the unidentified suspect referred to as John Doe 1 in the court documents.

"The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the email account that John Doe 1 used in the phishing attack," Aspire attorney James Haltom wrote, according to HR. "This information will likely allow Aspire to uncover and locate John Doe 1."

Aspire reported that on September 3, 2018, a hacker gained access to the company’s internal email system and forwarded more than 120 emails to an external email account. The emails reportedly contained confidential and protected patient data. No additional information on the number of patients impacted has been made public thus far, nor are there any details about the specific data included in the stolen information.

“This attack on Aspire Health is a type of email phishing attack that happens all too often. While the ultimate goal of the attacker can vary, the technique of using spear-phishing to lure an unsuspecting person to a fraudulent log-in page to then steal their email login credentials and data that flows through that account, happens regularly,” said Matthew Gardiner, cybersecurity strategist for Mimecast.

“Fortunately there are many solid defenses against this technique, including the use of multi-factor authentication, anti-phishing and email monitoring services, as well as focused user awareness training. Coupled together, these security controls can significantly reduce the risk of these types of attacks being successful.”

Categories: Cyber Risk News

Uber Fined $148m for Breach Cover-Up

Thu, 09/27/2018 - 13:23

Attempting to cover up a data breach was a failed mission for Uber, which yesterday announced that it has agreed to a $148m settlement. The fine for its 2016 data breach and cover-up sends a strong message not only to Uber but to organizations across all sectors that data breaches – whether disclosed or not – come at a hefty price.

“Companies can no longer get away with poor cybersecurity and sweeping incidents under the carpet,” said Rob Shapland, principal cybersecurity consultant at Falanx Group. “I would expect many companies will have tried to hide the fact that they’ve been breached, especially given the size of the potential fines. This case, and Uber’s punishment for not revealing that the breach had occurred, will hopefully give companies further warning of the risks posed by cyber-attacks, so that they take the security of the data they hold more seriously.”

In November 2017 Uber shocked the cybersecurity community when it confessed that it had indeed attempted to hide the fact that data of 57 million users was stolen. In response to the settlement news, Tim Erlin, VP at Tripwire, said, “There’s no doubt that the cover-up behavior was impactful in how this settlement played out. It’s a good reminder to all organizations of how a good breach response plan can help avoid poor decision making in the midst of an incident.”

The fine is huge, which has some commentators wondering whether it is intended to set a precedent in order to deter other organizations from attempting to cover up future breaches.

“Trying to keep [a breach] quiet will of course be an idea by some senior ranked employees. However, this is inevitably the wrong thing to do, and Uber is surely being made an example of what not to do,” said Jake Moore, security specialist at ESET.

“Being open about customer data breaches at the earliest opportunity is not only ethically the right thing to do, but helps protect people from a multitude of other attacks which could follow as a result.”

Moreover, the fine speaks to the financial risks of compliance mismanagement. That a breach of such magnitude was able to happen was problematic enough, but paying the hackers $100,000 to delete the data and keep the breach quiet, rather than reporting the incident, was “a blatant disregard for governance and compliance, putting customers at risk,” said Pravin Kothari, CEO of CipherCloud.

“The takeaway lesson is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”

Categories: Cyber Risk News

Google Promises Chrome Updates after Sign In Synchronization Snafu

Thu, 09/27/2018 - 11:01

Google has stepped into the debate over data security in its products, saying that signing out of Google “makes your authentication cookies invalid,” and that it will “be making some product changes.”

Chrome 69 introduced a change under which signing into any Google website also signed the user into the Chrome browser itself, without notification. Google engineers have since issued statements explaining how to turn off sync in Chrome, while Chrome head Parisa Tabriz said that “the authentication cookie behavior is how we keep things synchronized” but that feedback had been “heard and appreciated.”

This led to some privacy concerns about sharing of data between different Google services. Google’s Privacy notice states: “Chrome periodically sends information to Google to check for updates, get connectivity status, validate the current time, and estimate the number of active users.”

Cryptographer Matthew Green published a lengthy blog post criticizing the update, saying that the change has “serious implications for privacy and trust,” because “if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.”

Green also raised the case of a user searching for information on a mental health condition, asking how comfortable they would be if their real name and picture were always displayed in the corner of the browser. “The Chrome development team says 'yes'. I think they’re wrong.”

In an update published on Wednesday September 26, Chrome product manager Zach Koch insisted that “this change to sign-in does not mean Chrome sync gets turned on” and that users “who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such as turning on sync.” He added that the change is intended to remind users which Google Account is signed in and to better help users who share a single device.

In a planned update in Chrome 70, due in October, a control will be added which allows users to turn off linking web-based sign-in with browser-based sign-in. Users that disable this feature will not be signed into Chrome if they sign into a Google website.

Koch also wrote: “We’re also going to change the way we handle the clearing of auth cookies. In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared. We will change this behavior so that all cookies are deleted and you will be signed out.”

Categories: Cyber Risk News

Majority of Orgs Failing to Make Machine Learning Fair, Safe & Balanced

Thu, 09/27/2018 - 09:15

New research from O’Reilly Media has revealed that almost nine out of 10 (86%) businesses are deploying machine learning technologies without considering important questions regarding data quality, consumer privacy and the quality of machine learning applications.

The firm conducted its research among 2000 senior business leaders in the EU, discovering that over half (55%) of EU businesses have not included privacy provisions in their model-building checklist, whilst 53% do not account for compliance and 62% don’t include fairness and bias.

Only 14% of those polled accounted for compliance, privacy, fairness and bias in their model-building checklist, and O’Reilly Media warned that failing to do so will produce flawed, biased and unethical applications that could also put people’s privacy at risk.

“There is much more to machine learning than just optimizing your business metrics,” said Ben Lorica, chief data scientist at O’Reilly Media and AI London Conference chair. “It’s critical that those developing these transformational applications understand the power they’re harnessing, and how small errors or omissions can lead to major problems down the line.”

Lorica argued that, too often, the task of developing machine learning technology falls to data scientists without insight from lawyers, compliance and privacy experts.

“Since the introduction of the GDPR, businesses should be on heightened alert for anything that could compromise consumer privacy,” he added. “Yet, over half of machine learning projects still fail to take this into account. This is simply storing up trouble for the future.

“Meanwhile, other failings such as bias and fairness will mean that organizations won’t get full value from their ML investment – and could even end up with applications that are fundamentally inaccurate and therefore less than useless.

“The problem with any new technology is that developers and engineers are often focused on its potential for good, rather than worrying about dangers such as privacy. To maintain public trust in these technologies, it’s critical that we address these problems before machine learning applications come online,” Lorica concluded.

Categories: Cyber Risk News

New Cyber Group Launched to Prepare Students for Cybersecurity Careers

Thu, 09/27/2018 - 08:40

This week Fujitsu announced its partnership with University Technical Colleges (UTCs) to launch the UTC Cyber Security Group, aimed at helping to prepare students aged 14-19 for future careers in cybersecurity.

The information and communication tech provider will work with UTCs and security and private sector organizations to equip a minimum of 500 students a year with the cyber-skills needed to succeed in information security roles and further education – helping to bridge the gap in security resources and skills currently affecting the industry.

The group will meet every quarter to agree the course content that will be delivered to cybersecurity students, and organizations involved will each commit to providing at least five days of teaching and training to UTCs annually over the next three years. What’s more, organizations will also have the opportunity to sponsor their local UTC and get to know students personally.

“It is evident that there is a shortage of talent in the cybersecurity industry at the moment, which we as a nation are struggling to circumvent,” Rob Norris, vice-president of enterprise and cyber security, Fujitsu, told Infosecurity. “As we recognize the importance of investing in the individuals who will be key in fighting cyber-criminals in the future, the UTC Cyber Security Group will help ensure that we – and other private organizations – are doing our best to develop the right cyber-skills to adequately protect the UK from future cyber-threats and attacks.”

“With cyber-threats becoming more prolific and hackers increasingly more creative and savvy in their approach to attacks and breaches, the people and skills available to protect organizations and society must respond,” added Mike Halliday, business relations manager for UTC Reading, UTC Swindon, and UTC Heathrow.

“Historically students may not have considered entering a cybersecurity profession, often meaning they missed out on a career that they could be good at, and one in which they’d find purpose and fulfilment. The UTC Cyber Group looks to connect industry to an untapped source of thinking in order to meet the current cybersecurity challenges.”

Categories: Cyber Risk News

Businesses in Arkansas Hit with Ransomware

Wed, 09/26/2018 - 17:10

According to local news provider KARK, local businesses in Conway, Arkansas, have been hit with a ransomware attack. Some of the businesses have reportedly lost thousands of dollars.

Companies impacted by the attack don’t want to go public, but KARK is reporting that multiple files have been encrypted by attackers who are demanding a ransom to release them. Meanwhile, Brian Fletcher, owner of Fixed by Fletcher, a local IT company, has been speaking out to try and help others prevent or recover from an attack.

One of Fletcher’s customers, whom he declined to identify, was down for a couple of days after falling victim to an attack, despite efforts to recover documents from its four backups.

"Another week, another ransomware attack hitting the headlines,” said Caroline Seymour, director of product marketing at Zerto. “This time it is a geographically focused series of attacks in Conway, Arkansas."

“Like many others in a recent analyst study that determined that 50% of surveyed organizations have suffered an unrecoverable data event in the last three years, companies in Conway are grappling with paying the ransom or losing valuable data.”

The FBI is encouraging victims not to pay, according to KARK, but sometimes businesses feel they have no alternative. Having multiple backups can help companies recover their files, but it is important that at least one of those backups is kept offline, where ransomware that has gained a foothold on the network cannot reach and encrypt it, and that the backups are verified as intact before they are relied on.
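The customer above had four backups and was still down for days, which is the failure mode a backup check should catch: a copy that is missing files, has been tampered with, or was taken after the ransomware had already encrypted the data. The script below is an added example, not code from KARK's report or from Fixed by Fletcher. It records a manifest (SHA-256 and byte entropy per file) when a snapshot is taken and compares a later copy, typically the offline one, against it before a restore. The 7.5 bits/byte entropy threshold and the 1.5-bit "jump" are assumptions; already compressed formats sit near 8 bits/byte legitimately, which is why the comparison against a baseline matters more than the absolute number.

```python
"""Verify a backup snapshot before trusting it for a ransomware recovery.

Added example; thresholds are assumptions, not figures from the article.
"""
import hashlib
import math
import os
from collections import Counter
from typing import Dict

SUSPECT_ENTROPY = 7.5   # bits/byte; assumed threshold for "looks encrypted"
ENTROPY_JUMP = 1.5      # bits/byte; assumed minimum rise to flag a modified file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Map each relative path to its SHA-256 hex digest and entropy."""
    return {
        path: {"sha256": hashlib.sha256(data).hexdigest(),
               "entropy": shannon_entropy(data)}
        for path, data in files.items()
    }


def read_tree(root: str) -> Dict[str, bytes]:
    """Load a directory tree into memory as {relative path: content}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Diff two manifests and flag entries that look like ransomware output."""
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline
                      and current[p]["sha256"] != baseline[p]["sha256"])
    suspicious = []
    for p in added:
        # A new file that is near-uniform random is typical of encrypted output
        if current[p]["entropy"] >= SUSPECT_ENTROPY:
            suspicious.append(p)
    for p in modified:
        # An existing document that became high-entropy was probably overwritten
        jump = current[p]["entropy"] - baseline[p]["entropy"]
        if current[p]["entropy"] >= SUSPECT_ENTROPY and jump >= ENTROPY_JUMP:
            suspicious.append(p)
    return {"missing": missing, "added": added, "modified": modified,
            "suspicious": sorted(suspicious)}


def is_clean_restore_point(report: Dict[str, list], max_suspicious: int = 0) -> bool:
    """A snapshot is safe to restore from only if nothing in it looks encrypted."""
    return len(report["suspicious"]) <= max_suspicious


if __name__ == "__main__":
    # Constructed sample: a clean baseline and a later snapshot in which one
    # document has been replaced by a high-entropy blob with a new extension.
    baseline = build_manifest({
        "invoices/q3.txt": b"Invoice 1042: 3 units @ $40\n" * 40,
        "notes.txt": b"call supplier monday\n" * 20,
    })
    later = build_manifest({
        "invoices/q3.txt": b"Invoice 1042: 3 units @ $40\n" * 40,
        "notes.txt.locked": bytes(range(256)) * 16,  # stands in for ciphertext
    })
    report = compare(baseline, later)
    print(report)
    print("clean restore point:", is_clean_restore_point(report))
```

In practice the baseline manifest is written at snapshot time and stored with the offline copy, and `read_tree()` feeds a mounted backup into `build_manifest()`; a snapshot whose report lists suspicious files was taken after the infection and should be skipped in favor of an older one.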

“Regrettably, prevention of these attacks is not always possible, but diminishing the threat is. Taking a more dynamic, modern approach to business continuity and disaster recovery (DR) is critical to this. Solutions utilizing continuous data protection and hybrid cloud DR can help organizations like those in Conway better manage their IT infrastructures and achieve IT Resilience – so that downtime of more than mere seconds becomes a thing of the past – and towns like Conway won’t find themselves in the news,” Seymour said.

Categories: Cyber Risk News

Despite BOD 18-01, Fed Agencies Not at 100% HTTPS

Wed, 09/26/2018 - 16:23

A new study evaluating whether federal agencies are prepared to respond to Binding Operational Directive 18-01 found that less than half of all federal organizations have the tools and automation in place to respond to incidents that impact machine identities, and that many fail to regularly audit their Federal Public Key Infrastructure (FPKI) processes.

In 2017, the Department of Homeland Security issued the compulsory directive to enhance email and web security across federal agencies. To measure how well agencies are adhering to its requirements, Dimensional Research, on behalf of Venafi, surveyed 100 IT security professionals who work in the federal government and found that few are actually prepared to comply with the directive.

On the web side, BOD 18-01 requires that all publicly accessible federal websites and web services be served over HTTPS with HSTS, and that legacy protocols and ciphers such as SSLv2, SSLv3, 3DES and RC4 be disabled. Meeting that requirement in turn means agencies must know and manage the machine identities involved: the TLS keys and certificates used in their public key infrastructure (PKI).

However, “only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage,” said Kevin Bocek, chief cybersecurity strategist for Venafi, in a press release. “It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”
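The HTTPS requirement Bocek cites is the easiest part of the directive to test from outside. The script below is an added example, not a tool from Venafi, Dimensional Research or DHS: it probes a host once over plain HTTP and once over HTTPS, then checks that HTTP only redirects to an HTTPS URL and that the HTTPS response carries a valid Strict-Transport-Security header. The one-year (31536000 second) max-age floor is the minimum the HSTS preload list requires, which is relevant because the directive asks agencies to identify domains for preloading; `assess()` works on a recorded `Observation` so it can be run offline against constructed results, while `observe()` performs the live probe.

```python
"""Check a host against the web requirements of DHS BOD 18-01.

Added example. The redirect and HSTS checks follow the directive's
HTTPS-only-with-HSTS requirement; ONE_YEAR is the HSTS preload list's
minimum max-age, used here as the bar for a preload-eligible policy.
"""
import ssl
from dataclasses import dataclass
from http.client import HTTPConnection, HTTPSConnection, HTTPException
from typing import List, Optional

ONE_YEAR = 31536000               # hstspreload.org minimum max-age, in seconds
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


@dataclass
class Observation:
    """What a scan of one host returned; fields are None when nothing answered."""
    host: str
    http_status: Optional[int]        # status of GET http://host/
    http_location: Optional[str]      # Location header on that response
    https_reachable: bool
    hsts_header: Optional[str]        # Strict-Transport-Security on GET https://host/


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns None when the header is absent or has no valid max-age, which is
    exactly the case in which a browser ignores the header.
    """
    if header is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # max-age may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_ready(policy: HstsPolicy) -> bool:
    """True if the policy meets the preload list's header requirements."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload


def assess(obs: Observation) -> List[str]:
    """Return findings for one host; an empty list means the host passes."""
    findings = []
    if not obs.https_reachable:
        findings.append("HTTPS is not served")
    if obs.http_status is not None:
        # Plain HTTP may exist only to send the client to HTTPS, never to serve content
        if obs.http_status not in REDIRECT_CODES:
            findings.append(f"HTTP answers {obs.http_status} instead of redirecting to HTTPS")
        elif not (obs.http_location or "").lower().startswith("https://"):
            findings.append(f"HTTP redirects to a non-HTTPS location: {obs.http_location!r}")
    policy = parse_hsts(obs.hsts_header)
    if policy is None:
        findings.append("HSTS header missing or invalid (no max-age)")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {policy.max_age} is below the one-year preload minimum")
    return findings


def observe(host: str, timeout: float = 5.0) -> Observation:
    """Live probe: one GET over HTTP and one over HTTPS, redirects not followed."""
    http_status = http_location = None
    try:
        conn = HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        http_status, http_location = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, HTTPException):
        pass
    https_reachable, hsts = False, None
    try:
        conn = HTTPSConnection(host, 443, timeout=timeout, context=ssl.create_default_context())
        conn.request("GET", "/")
        resp = conn.getresponse()
        https_reachable, hsts = True, resp.getheader("Strict-Transport-Security")
        conn.close()
    except (OSError, HTTPException):
        pass
    return Observation(host, http_status, http_location, https_reachable, hsts)


if __name__ == "__main__":
    # Constructed observations standing in for scan results; no network needed.
    samples = [
        Observation("good.example.gov", 301, "https://good.example.gov/", True,
                    "max-age=31536000; includeSubDomains; preload"),
        Observation("weak.example.gov", 200, None, True, "max-age=300"),
    ]
    for obs in samples:
        print(obs.host, assess(obs) or ["compliant"])
```

Running `assess(observe("www.example.gov"))` across an agency's domain inventory gives the per-host view that the survey respondents said they lack; hosts that answer on port 80 with a 200 are the ones Bocek's 69% figure leaves out.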

The survey found that only 30% of respondents have a complete certificate inventory, and only 29% feel confident that their inventory records where every certificate is installed. Because a single certificate is often installed on multiple devices, knowing each location is critical to any upgrade or replacement effort. Agencies without a complete inventory also lack the visibility to see where each certificate is in use, which can cause both security gaps and service outages when one expires or must be revoked.

“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Bocek.

The survey also found that only 37% of respondents include certificate ownership information in their inventory, yet replacing a certificate requires administrative access to the system it is installed on. Without a named owner to contact, updates are delayed.

Categories: Cyber Risk News

DDoS Attack on German Energy Company RWE

Wed, 09/26/2018 - 15:37

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway.

According to Deutsche Welle, unknown attackers launched a large-scale distributed denial-of-service (DDoS) attack that took down RWE’s website for virtually all of Tuesday. No other systems were reported attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly claimed that they will be getting more aggressive in their tactics.

Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message.

Reports claim that a clip was posted last week by Anonymous Deutsch that warned, "If you don't immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from," DW reported.

"Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added.

DDoS attacks are intended to make a website or service unavailable by flooding it with more traffic than it can handle, and the attack on RWE allowed the activists to make good on their threat, at least for one day.

“This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical national infrastructure]. RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Lloyd, president, Corero Network Security.

In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.”

Categories: Cyber Risk News

PKI Use is Main Driver for IoT Security

Wed, 09/26/2018 - 12:01

PKI use is increasing due to the growing impact of the Internet of Things (IoT).

According to research by Thales eSecurity and the Ponemon Institute among 1,688 IT and security practitioners, 44% said that IoT was the most important trend driving the adoption of applications that use PKI as a core enterprise asset and a root of trust.

Asked how they secure their PKI, 62% said that they use multi-factor authentication and certificate authorities, while 48% opt for a ‘physical secure location’ and 30% rely on a password alone.

Speaking at a roundtable in London to launch the report, John Grimm, senior director of security strategy at Thales eSecurity, said that there were “endless possibilities” for PKI use in IoT, and that with IoT, security is a common concern.

He claimed that this is making more and more enterprises reliant on PKI: nothing is driving security for consumer IoT devices, but businesses need to know what is being allowed to access their networks.

Also speaking on the roundtable was Clive Watts, senior product manager at Secure Thingz, who said that despite the uptake of PKI, there are insufficient skills and resources to enable its use. “The tipping point is on educating people on PKI and how it can be used, as there are multiple reasons on why to do it.” The research found that 48% of respondents cited insufficient PKI skills as a challenge to its adoption and deployment, behind “no clear ownership” (70%).

Grimm commented that PKI has in the past been used mainly for cloud and mobile, though 2018’s research showed that 45% of respondents use PKI for cloud and mobile – a drop from over 50% in the previous year’s research.

Dr Larry Ponemon, chairman and founder of The Ponemon Institute, said: “In previous years, we highlighted PKI as an established technology positioned to tackle the authentication needs and challenges to support the rise of cloud applications. Now, the C-suite is challenging its teams to leverage IoT to improve and drive business. With this comes the increased risk of more endpoints to protect, and the need to understand the role of PKI as a critical enabler.

“At the same time, this underscores the need for further advancement in skilling and resourcing related to PKI and the overall ownership within the organization.”

Categories: Cyber Risk News

New Ofcom Rules "Could Help Tackle Vishing"

Wed, 09/26/2018 - 09:39

New consumer protection rules designed to combat nuisance calls could have an unexpected bonus: helping to prevent voice phishing (vishing) scams, according to experts.

Ofcom’s latest rules come into force on October 1 and will ban phone companies from charging for the Caller ID service that helps users screen their calls. They will also mandate that any phone number displayed to users must be valid and callable, and that phone companies must block calls presenting invalid numbers.

After October 1, Ofcom will also be able to take back whole blocks of numbers from telcos if they’ve been used time and again to carry out nuisance calls, fraud and similar.

“It’s important that our rules keep pace with developments in the communications market, and continue to give consumers the protection they need,” said Ofcom consumer group director, Lindsay Fussell.

“Our strengthened rules will help to protect people against nuisance calls and support our work to identify and punish those companies responsible.”

Given the number of big-name fines the ICO has been levying recently on nuisance call companies, the new rules will be welcomed by consumers.

However, they could also help to tackle vishing, according to Andy Kays, CTO at security firm Redscan.

“Calling potential victims pretending to be their bank, utility provider or pension company, with the aim of obtaining payment details, is a popular money-making tactic for fraudsters. Modern technology makes it easy for criminals to hide their identity or even mimic the number of a real company or person who may be known and trusted,” he argued.

“Any protection rules that compel phone companies to help reduce the number of nuisance or criminal callers is certainly welcome, particularly as most scam victims are liable to receive no financial compensation, even if they lose their life savings. While these new measures won’t put an end to phone scams entirely, fraudsters will now find it harder to scale up their activities.”

However, consumers must continue to be vigilant when receiving unsolicited calls and never give out personal information.

“Instead, ask for the phone number needed to call the person back and if still in doubt verify this online and against any official correspondence,” said Kays. “Wait at least five minutes before returning a call — this ensures the line has cleared and you're not still speaking to the fraudster or an accomplice.”

Categories: Cyber Risk News
